Privacy-aware Linked Widgets

Fernandez Garcia, Javier D., Ekaputra, Fajar J., Aryan, Peb Ruswono, Azzam, Amr, Kiesling, Elmar

January 2019

The European General Data Protection Regulation (GDPR) brings new challenges for companies, who must demonstrate that their systems and business processes comply with usage constraints specified by data subjects. However, due to the lack of standards, tools, and best practices, many organizations struggle to adapt their infrastructure and processes to ensure and demonstrate that all data processing is in compliance with users' given consent. The SPECIAL EU H2020 project has developed vocabularies that can formally describe data subjects' given consent as well as methods that use this description to automatically determine whether processing of the data according to a given policy is compliant with the given consent. Whereas this makes it possible to determine whether processing was compliant or not, integration of the approach into existing line of business applications and ex-ante compliance checking remains an open challenge. In this short paper, we demonstrate how the SPECIAL consent and compliance framework can be integrated into Linked Widgets, a mashup platform, in order to support privacy-aware ad-hoc integration of personal data. The resulting environment makes it possible to create data integration and processing workflows out of components that inherently respect usage policies of the data that is being processed and are able to demonstrate compliance. We provide an overview of the necessary meta data and orchestration towards a privacy-aware linked data mashup platform that automatically respects subjects' given consents. The evaluation results show the potential of our approach for ex-ante usage policy compliance checking within the Linked Widgets Platforms and beyond.

Privacy; GDPR; Compliance; Linked Data

GDPR - Are We Ready? A Comparative and Explorative Study of the Changes in Personal Data Privacy and Its Impact on ICT Companies

Therése Nielsen, Johannes Wind

January 2018

Personlig data genomsyrar hela vårt samhälle och hanteras digitalt via informationsteknologi. Detta försvårar för individer att ha kontroll över den personliga data som hanteras av företag. Den 25 maj 2018 ersätts den svenska Personuppgiftslagen (PuL) med den nya Dataskyddsförordningen GDPR. Förordningen är utformad för att sätta en enhetlig standard gällande hur vi samlar in, hanterar och delar europeiska medborgares personliga data. Den här forskningen är uppdelad i två steg. I det första steget genomförs en komparativ undersökning av de två lagtexterna för att identifiera de nya lagkraven som Dataskyddsförordningen medför. I det andra steget används resultatet från den komparativa jämförelsen som grund för en explorativ undersökning av hur ICT-företag förbereder sig inför de nya lagkraven. Vårt resultat visar att de deltagande ICT-företagen förbereder sig genom att implementera nya processer och åtgärder för att följa förordningen. Inga av de deltagande företagen är vid tiden av denna undersökning fullständigt kompatibla med de krav den nya förordningen ställer. Vår forskning visar att svårigheterna med att bli fullständigt kompatibel ligger i bristen på resurser och tvetydigheten i tolkningen av förordningen. / Personal data flows through our entire society in the shape of technological processing. This makes it difficult for individuals to have control over their personal data being processed by companies. On the 25th of May 2018 the Swedish Personal Data Act (PuL) is replaced by the General Data Protection Regulation (GDPR). The regulation is designed to set a uniform standard with regards to the way we collect, use and share personal data of European citizens. This research uses a two-step research approach. The first step is to perform a comparative legal research to identify the new requirements that comes with the upcoming Regulation in relation to the current Swedish legislation. The second step is to use the findings of the comparative legal research as a foundation for an explorative survey of how ICT companies are preparing for the new requirements of the GDPR. Our result shows that the participating ICT companies are preparing by implementing new processes and measures in order to comply with the Regulation. Additionally, all of the participating companies are at the time of our research not fully compliant with the Regulation. Our research concludes that the difficulties in achieving full compliance lies in the lack of resources and ambiguities of the interpretation of the Regulation.

GDPR

PuL

Personal Data

Privacy Protection

GDPR-compliance

ICT Companies

Engineering and Technology

Teknik och teknologier

The GDPR Compliance of Blockchain : A qualitative study on regulating innovative technology

Melin, Karin

January 2019

This thesis aims to explore the compliance of blockchain technology and the GDPR. The GDPR was implemented for the EU member states in May 2018 with the purpose of harmonizing data protection regulation. However, the regulation is based on the notion that data is stored and processed in a centralized system. This causes an issue when it comes to distributed networks, and in particular with the distributed ledger technology (DLT), the underlying technology of blockchain. For this thesis, a literature review has been conducted to investigate the problems of GDPR compliance for blockchain projects, and what technical solutions exist to make a blockchain solution more GDPR compliant. In addition, interviews have been conducted to investigate the technical and legal perspectives on the current and future situations of regulation and technology. Compatibility problems mainly concern the immutability and transparency of a blockchain and examples of technical solutions that handle those problems can be found in the literature. Nevertheless, none of the discussed solutions are yet to guarantee full GDPR compliance. The technical and legal perspectives share ideas of the main compliance issues. However, differences such as interpretation of technical details can be identified, indicating problems to arise when regulating blockchains in the future. Further interdisciplinary work on guidelines for the GDPR is necessary for blockchain projects to be successful in complying with the regulation as well as to strengthen the technology neutrality of the GDPR.

Blockchain

GDPR compliance

regulating technology

interdisciplinary perspectives

distributed ledger technology

compatibility

Blockkedjor

GDPR

reglera teknik

tvärvetenskapliga perspektiv

distribuerad decentraliserad databas

kompatibilitet

Computer and Information Sciences

Data- och informationsvetenskap