Practical evaluation of a reference architecture for the management of privacy level agreements

Vasiliki Diamantopoulou, Haralambos Mouratidis

Research output: Contribution to journal › Article › Research › peer-review

Abstract

Purpose: The enforcement of the General Data Protection Regulation imposes specific privacy- and security-related requirements that any organisation that processes European Union citizens’ personal data must comply with. The application of privacy- and security-by-design principles is assisting organisations in achieving compliance with the Regulation. The purpose of this study is to assist data controllers in their effort to achieve compliance with the new Regulation, by proposing the adoption of the privacy level agreement (PLA). A PLA is considered as a formal way for the data controllers and the data subjects to mutually agree the privacy settings of a service provisioned. A PLA supports privacy management, by analysing privacy threats, vulnerabilities and information systems’ trust relationships. Design/methodology/approach: However, the concept of PLA has only been proposed on a theoretical level. To this aim, two different domains have been selected acting as real-life case studies, the public administration and the health care, where special categories of personal data are processed. Findings: The results of the evaluation of the adoption of the PLA by the data controllers are positive. Furthermore, they indicate that the adoption of such an agreement facilitates data controllers in demonstrating transparency of their processes. Regarding data subjects, the evaluation process revealed that the use of the PLA increases trust levels in data controllers. Originality/value: This paper proposes a novel reference architecture to enable PLA management in practice and reports on the application and evaluation of PLA management.

Original language: English
Pages (from-to): 711-730
Number of pages: 20
Journal: Information and Computer Security
Volume: 26
Issue number: 5
DOI: 10.1108/ICS-04-2019-0052
Publication status: Published - 19 Aug 2019

Fingerprint

Data privacy
Controllers
Public administration
Health care
Transparency
Information systems
Evaluation
Privacy
Compliance
Controller

Keywords

  • Practical evaluation
  • Privacy level agreement
  • Privacy requirements engineering
  • Security requirements engineering

Cite this

@article{47837eba86f548d5a5593a8f916e489b,
title = "Practical evaluation of a reference architecture for the management of privacy level agreements",
keywords = "Practical evaluation, Privacy level agreement, Privacy requirements engineering, Security requirements engineering",
author = "Vasiliki Diamantopoulou and Haralambos Mouratidis",
year = "2019",
month = "8",
day = "19",
doi = "10.1108/ICS-04-2019-0052",
language = "English",
volume = "26",
pages = "711--730",
journal = "Information and Computer Security",
issn = "2056-4961",
number = "5",

}

Practical evaluation of a reference architecture for the management of privacy level agreements. / Diamantopoulou, Vasiliki; Mouratidis, Haralambos.

In: Information and Computer Security, Vol. 26, No. 5, 19.08.2019, p. 711-730.


TY - JOUR

T1 - Practical evaluation of a reference architecture for the management of privacy level agreements

AU - Diamantopoulou, Vasiliki

AU - Mouratidis, Haralambos

PY - 2019/8/19

Y1 - 2019/8/19

KW - Practical evaluation

KW - Privacy level agreement

KW - Privacy requirements engineering

KW - Security requirements engineering

UR - http://www.scopus.com/inward/record.url?scp=85071657047&partnerID=8YFLogxK

U2 - 10.1108/ICS-04-2019-0052

DO - 10.1108/ICS-04-2019-0052

M3 - Article

VL - 26

SP - 711

EP - 730

JO - Information and Computer Security

JF - Information and Computer Security

SN - 2056-4961

IS - 5

ER -