Abstract
The General Data Protection Regulation (GDPR) was widely seen as a significant step towards enhancing data protection and privacy. Unlike previous legislation, adherence to GDPR required organizations to assume greater responsibility for cybersecurity with respect to data processing. This shift represented a profound transformation in how businesses retain, use, manage, and protect data. However, despite these innovative aspects, the actual implementation of the GDPR security side poses some challenges. This paper attempts to identify positive and negative aspects of GDPR requirements and presents a new framework for analyzing them from a security point of view. Firstly, it provides an overview of the most significant scholarly perspectives on GDPR and cybersecurity. Secondly, it presents a systematic roadmap analysis and discussion of the requirements of GDPR in relation to cybersecurity. Results show that some of the GDPR security controls, such as the Data Protection Impact Assessments (DPIA), records on processing, and the appointment of a Data Protection Officer (DPO), are some of the most critical from a security viewpoint. Finally, it provides recommendations for tackling these challenges in the evolving compliance landscape.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Case Study #5: Understanding the Compliance Forces that Influence Cybersecurity in the Banking Sector, especially in the UK.
- 2.
The mapping methodology is a research-based method for recording qualitative information, analyzing its distribution, and prioritizing relevant information in relation to a specific topic or research issue.
- 3.
The desirable compliance goal of a GDPR requirement established by the Regulation.
- 4.
Real impact of a GDPR requirement on cybersecurity practices, processes, and behaviors in an organization.
- 5.
The variables can assume the following values: Low = 1, Medium = 2, High = 3, Very High = 4.
- 6.
The GDPR ensures the implementation of three principles of the “CIA triad” (confidentiality, integrity, and availability).
- 7.
According to Article 39, the DPO “shall in the performance of his or her tasks have due regard to the risk associated with processing operations,” including security risk.
- 8.
For example, loss of sensitive personal data, such as medical records, email address, IP address or images.
References
The European Parliament and the Council of the European Union: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (2016)
ICO Security outcomes | ICO. In: ico.org.uk. https://ico.org.uk/for-organisations/security-outcomes/. Accessed 25 Mar 2021
Madnick, S.E., Marotta, A., Novaes Neto, N., Powers, K.: Research Plan to Analyze the Role of Compliance in Influencing Cybersecurity in Organizations (2020)
Marotta, A., Madnick, S.E.: Analyzing the interplay between regulatory compliance and cybersecurity (revised). SSRN Electron. J. (2020). https://doi.org/10.2139/ssrn.3569902
Marotta, A., Madnick, S.: Perspectives on the relationship between compliance and cybersecurity. J. Inf. Syst. Secur. 16, 27 (2021)
Marotta, A., Madnick, S.: Issues in information systems convergence and divergence of regulatory compliance and cybersecurity. 22, 10–50 (2021). https://doi.org/10.48009/1_iis_2021_10-50
Zerlang, J.: GDPR: a milestone in convergence for cyber-security and compliance. Netw. Secur. 2017, 8–11 (2017). https://doi.org/10.1016/S1353-4858(17)30060-0
Tsohou, A., Magkos, E., Mouratidis, H., et al.: Privacy, security, legal and technology acceptance elicited and consolidated requirements for a GDPR compliance platform. Inf. Comput. Secur. 28, 531–553 (2020). https://doi.org/10.1108/ICS-01-2020-0002
Poritskiy, N., Oliveira, F., Almeida, F.: The benefits and challenges of general data protection regulation for the information technology sector. Digit. Policy Regul. Gov. 21, 510–524 (2019). https://doi.org/10.1108/DPRG-05-2019-0039
Horák, M., Stupka, V., Husák, M.: GDPR compliance in cybersecurity software: a case study of DPIA in information sharing platform. In: ACM International Conference Proceeding Series, pp. 1–8. Association for Computing Machinery, New York (2019)
Lachaud, E.: The General Data Protection Regulation and the rise of certification as a regulatory instrument (2018)
Saqib, N., Germanos, V., Zeng, W., Maglaras, L.: Mapping of the security requirements of GDPR and NISD. ICST Trans. Secur. Saf. 166283 (2018). https://doi.org/10.4108/eai.30-6-2020.166283
Diamantopoulou, V., Tsohou, A., Karyda, M.: General Data protection regulation and ISO/IEC 27001:2013: synergies of activities towards organisations’ compliance. In: Gritzalis, S., Weippl, E.R., Katsikas, S.K., Anderst-Kotsis, G., Tjoa, A.M., Khalil, I. (eds.) TrustBus 2019. LNCS, vol. 11711, pp. 94–109. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-27813-7_7
Diamantopoulou, V., Tsohou, A., Karyda, M.: From ISO/IEC 27002:2013 information security controls to personal data protection controls: guidelines for GDPR compliance. In: Katsikas, S., et al. (eds.) CyberICPS. LNCS, vol. 11980, pp. 238–257. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-42048-2_16
Lopes, I.M., Guarda, T., Oliveira, P.: How ISO 27001 can help achieve GDPR compliance. In: Iberian Conference on Information Systems and Technologies, CISTI. IEEE Computer Society (2019)
Chivot, E., Castro, D.: What the Evidence Shows About the Impact of the GDPR After One Year. Cent. DATA Innov (2019). http://www2.datainnovation.org/2019-gdpr-one-year.pdf. Accessed 25 Mar 2021
GOV.UK. Data protection - GOV.UK. Gov.uk (2014). https://www.gov.uk/data-protection/the-data-protection-act. Accessed 25 Mar 2021
Sutherland, S., Katz, S.: Concept mapping methodology: a catalyst for organizational learning. Eval. Program. Plan. 28, 257–269 (2005). https://doi.org/10.1016/j.evalprogplan.2005.04.017
IAPP, Ernst, Young: IAPP-EY Annual Governance Report 2019 (2019)
Neto, N.N., Madnick, S., Paula, A.M.G.D., Borges, N.M.: Developing a global data breach database and the challenges encountered. J. Data Inf. Qual. 13, 1–33 (2021). https://doi.org/10.1145/3439873
ICO. Information Commissioner’s Annual Report and Financial Statements. ICO (2019)
Marotta, A., Martinelli, F.: GDPR survey: an analysis of the tools used for assessing GDPR compliance. Technical report (IIT B4-05/2020) - IIT CNR (2020)
Vinet, L., Zhedanov, A.: A “missing” family of classical orthogonal polynomials (2011)
Isaak, J., Hanna, M.J.: User data privacy: Facebook, Cambridge analytica, and privacy protection. Comput. (Long Beach Calif.) 51, 56–59 (2018). https://doi.org/10.1109/MC.2018.3191268
Acknowledgements
The research reported herein was supported in part by the Cybersecurity at MIT Sloan initiative, which is funded by a consortium of organizations, and a gift from C6 bank.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Marotta, A., Madnick, S. (2021). A Framework for Investigating GDPR Compliance Through the Lens of Security. In: Bentahar, J., Awan, I., Younas, M., Grønli, TM. (eds) Mobile Web and Intelligent Information Systems. MobiWIS 2021. Lecture Notes in Computer Science(), vol 12814. Springer, Cham. https://doi.org/10.1007/978-3-030-83164-6_2
Download citation
DOI: https://doi.org/10.1007/978-3-030-83164-6_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-83163-9
Online ISBN: 978-3-030-83164-6
eBook Packages: Computer ScienceComputer Science (R0)