A systematic study on the impact of GDPR compliance on Organizations
Resumo
Context: To achieve compliance with the General Data Protection Regulation (GDPR), organizational changes need to be made. Problem: To perform these changes, it is necessary to understand the challenges faced by organizations to comply with GDPR, as well as the practices they have been adopting to achieve such compliance. Proposed Solution: To provide a preliminary guide to organizations that have not achieved compliance with GDPR yet, this paper presents the results of a study in the literature seeking to identify the areas impacted by GDPR compliance, as well as the challenges faced and practices adopted by organizations in each of the identified areas. IS Theory: This work was conceived under the aegis of Argumentation Theory, presenting information from selected studies on the topic and evidence regarding the conclusions presented. Method: a Systematic Mapping of the Literature was conducted through automatic search in scientific databases seeking for quality papers published from 2018 to 2022 to answer the main research question regarding the impact of GDPR compliance on organizations. Results: The study has found affected areas, challenges faced by organizations and methods, technologies and practices they used to comply with GDPR. Contributions and impacts to the IS area: The results found can be used by other organizations in the same areas that are in the process of compliance with GDPR. In fact, these organizations can benefit from the lessons learned reported in the selected papers and synthesized in this study.
Palavras-chave:
GDPR, impact, compliance, privacy
Referências
Luca Hernández Acosta and Delphine Reinhardt. 2021. A survey on privacy issues and solutions for Voice-controlled Digital Assistants. Pervasive and Mobile Computing (2021), 101523.
Denise Amram. 2020. Building up the “Accountable Ulysses” model. The impact of GDPR and national implementations, ethics, and health-data research: Comparative remarks. Computer Law & Security Review 37 (2020), 105413.
Eduard Barnoviciu, Veta Ghenescu, Serban-Vasile Carata, Marian Ghenescu, Roxana Mihaescu, and Mihai Chindea. 2019. Gdpr compliance in video surveillance and video processing application. In 2019 International Conference on Speech Technology and Human-Computer Dialogue (SpeD). IEEE, 1–6.
Rafael Vescovi Bassani and Silvio César Cazella. 2021. O alinhamento entre learning analytics e a general data protection regulation: uma revisão sistemática de literatura. ETD: Educaçao Temática Digital 23, 4 (2021), 1022–1040.
Fran Casino, Eugenia Politou, Efthimios Alepis, and Constantinos Patsakis. 2019. Immutability and decentralized storage: An analysis of emerging threats. IEEE Access 8 (2019), 4737–4744.
Intersoft Consulting. 2021. General Data Protection Regulation (GDPR). https://gdpr-info.eu/
Keeley Crockett, Sean Goltz, and Matt Garratt. 2018. GDPR impact on computational intelligence research. In 2018 International Joint Conference on Neural Networks (IJCNN). IEEE, 1–7.
HW Dalrymple. 2021. The general data protection regulation, the clinical trial regulation and some complex interplay in paediatric clinical trials. European Journal of Pediatrics 180, 5 (2021), 1371–1379.
Renata M de Carvalho, Camillo Del Prete, Yod Samuel Martin, Rosa M Araujo Rivero, Melek Önen, Francesco Paolo Schiavo, Ángel Cuevas Rumín, Haralambos Mouratidis, Juan C Yelmo, and Maria N Koukovini. 2020. Protecting citizens’ personal data and privacy: Joint effort from GDPR EU cluster research projects. SN Computer Science 1, 4 (2020), 1–16.
Bob Duncan and Yuan Zhao. 2018. Risk management for cloud compliance with the EU General Data Protection Regulation. In 2018 International Conference on High Performance Computing & Simulation (HPCS). IEEE, 664–671.
Theodora Gazi. 2020. Data to the rescue: how humanitarian aid NGOs should collect information based on the GDPR. Journal of International Humanitarian Action 5, 1 (2020), 1–7.
Raphael Gellert. 2018. Understanding the notion of risk in the General Data Protection Regulation. Computer Law & Security Review 34, 2 (2018), 279–288.
Emanuel Gonçalves, Paulo Teixeira, and Joaquim P Silva. 2020. Development of GDPR-Compliant Software: Document Management System for HR Department. In 2020 15th Iberian Conference on Information Systems and Technologies (CISTI). IEEE, 1–6.
Nils Gruschka, Vasileios Mavroeidis, Kamer Vishi, and Meiko Jensen. 2018. Privacy issues and data protection in big data: a case study analysis under GDPR. In 2018 IEEE International Conference on Big Data (Big Data). IEEE, 5027–5033.
Startup Guide IONOS. 2019. Compliance: guidelines for compliant corporate behaviour. [link]
Patrick Jost and Marisa Lampert. 2020. Two Years After: A Scoping Review of GDPR Effects on Serious Games Research Ethics Reporting. In International Conference on Games and Learning Alliance. Springer, 372–385.
Barbara Kitchenham and Stuart Charters. 2007. Guidelines for performing systematic literature reviews in software engineering. (2007).
Michael Kretschmer, Jan Pennekamp, and Klaus Wehrle. 2021. Cookie banners and privacy policies: Measuring the impact of the GDPR on the web. ACM Transactions on the Web (TWEB) 15, 4 (2021), 1–42.
Ondřej Kročil and Richard Pospíšil. 2020. The influence of GDPR on activities of social enterprises. Mobile Networks and Applications 25, 3 (2020), 860–867.
Christian Kurtz, Martin Semmann, and Tilo Böhmann. 2018. Privacy by design to comply with GDPR: a review on third-party data processors. (2018).
Christian Kurtz, Florian Wittner, Martin Semmann, Wolfgang Schulz, and Tilo Böhmann. 2022. Accountability of platform providers for unlawful personal data processing in their ecosystems–A socio-techno-legal analysis of Facebook and Apple's iOS according to GDPR. Journal of Responsible Technology 9 (2022), 100018.
K Krithiga Lakshmi, Himanshu Gupta, and Jayanthi Ranjan. 2020. Analysis of General Data Protection Regulation Compliance Requirements and Mobile Banking Application Security Challenges. In 2020 8th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions)(ICRITO). IEEE, 1028–1032.
Roslyn Layton and Silvia Elaluf-Calderwood. 2019. A social economic analysis of the impact of GDPR on security and privacy practices. In 2019 12th CMI Conference on Cybersecurity and Privacy (CMI). IEEE, 1–6.
Ze Shi Li, Colin Werner, Neil Ernst, and Daniela Damian. 2022. Towards privacy compliance: A design science study in a small organization. Information and Software Technology 146 (2022), 106868.
Isabel Maria Lopes, Teresa Guarda, and Pedro Oliveira. 2020. General data protection regulation in health clinics. Journal of Medical Systems 44, 2 (2020), 1–9.
Vincenzo Mangini, Irina Tal, and Arghir-Nicolae Moldovan. 2020. An empirical study on the impact of GDPR and right to be forgotten-organisations and users perspective. In Proceedings of the 15th international conference on availability, reliability and security. 1–9.
Blanaid Mee, Mary Kirwan, Niamh Clarke, Aoife Tanaka, Lino Manaloto, Emma Halpin, Una Gibbons, Ann Cullen, Sarah McGarrigle, Elisabeth M Connolly, et al. 2021. What GDPR and the Health Research Regulations (HRRs) mean for Ireland: a research perspective. Irish Journal of Medical Science (1971-) 190, 2 (2021), 505–514.
Louise Meijering, Tess Osborne, Esther Hoorn, and Cristina Montagner. 2020. How the GDPR can contribute to improving geographical research. Geoforum 117 (2020), 291–295.
Veronica L Nabbosa and Rehan Iftikhar. 2019. Digital retail challenges within the EU: fulfillment of holistic customer journey post GDPR. In Proceedings of the 2019 3rd International Conference on E-Education, E-Business and E-Technology. 51–58.
Crispin Niebel. 2021. The impact of the general data protection regulation on innovation and the global political economy. Computer Law & Security Review 40 (2021), 105523.
Mark Phillips. 2018. International data-sharing norms: from the OECD to the General Data Protection Regulation (GDPR). Human genetics 137, 8 (2018), 575–582.
Filipe Pires, Osvaldo Pacheco, and Ricardo Martins. 2021. Why you should care about GDPR in IoT Enterprises & Solutions. (2021).
Eugenia Politou, Alexandra Michota, Efthimios Alepis, Matthias Pocs, and Constantinos Patsakis. 2018. Backups and the right to be forgotten in the GDPR: An uneasy relationship. Computer Law & Security Review 34, 6 (2018), 1247–1257.
Danaja Fabcic Povse. 2018. It's all fun and games, and some legalese: data protection implications for increasing cyber-skills of employees through games. In Proceedings of the Central European Cybersecurity Conference 2018. 1–5.
Charles D Raab. 2020. Information privacy, impact assessment, and the place of ethics. Computer Law & Security Review 37 (2020), 105404.
Rahime Belen Sağlam, Çağri Burak Aslan, Shujun Li, Lisa Dickson, and Ganna Pogrebna. 2020. A Data-Driven Analysis of Blockchain Systems’ Public Online Communications on GDPR. In 2020 IEEE International Conference on Decentralized Applications and Infrastructures (DAPPS). IEEE, 22–31.
Iskander Sanchez-Rola, Matteo Dell'Amico, Platon Kotzias, Davide Balzarotti, Leyla Bilge, Pierre-Antoine Vervier, and Igor Santos. 2019. Can i opt out yet? gdpr and the global illusion of cookie control. In Proceedings of the 2019 ACM Asia conference on computer and communications security. 340–351.
Shayak Sen, Saikat Guha, Anupam Datta, Sriram K Rajamani, Janice Tsai, and Jeannette M Wing. 2014. Bootstrapping privacy compliance in big data systems. In 2014 IEEE Symposium on Security and Privacy. IEEE, 327–342.
Supreeth Shastri, Vinay Banakar, Melissa Wasserman, Arun Kumar, and Vijay Chidambaram. 2019. Understanding and benchmarking the impact of GDPR on database systems. arXiv preprint arXiv:1910.00728 (2019).
Piwik PRO Analytics Suite. 2019. 10 new privacy laws around the world and how they'll affect your analytics. https://piwik.pro/privacy-laws-around-globe
Gonçalo Almeida Teixeira, Miguel Mira da Silva, and Ruben Pereira. 2019. The critical success factors of GDPR implementation: a systematic literature review. Digital Policy, Regulation and Governance 21, 4 (2019), 402–418.
Marco Todde, Marco Beltrame, Sara Marceglia, and Cinzia Spagno. 2020. Methodology and workflow to perform the Data Protection Impact Assessment in healthcare information systems. Informatics in Medicine Unlocked 19 (2020), 100361.
George Valença, Ralf Kneuper, and Maria Eduarda Rebelo. 2020. Privacy in software ecosystems-an initial analysis of data protection roles and challenges. In 2020 46th Euromicro Conference on Software Engineering and Advanced Applications (SEAA). IEEE, 120–123.
G Gultekin Varkonyi, Attila Kertész, and Sz Varadi. 2019. Privacy-awareness of users in our cloudy smart world. In 2019 Fourth International Conference on Fog and Mobile Edge Computing (FMEC). IEEE, 189–196.
Claes Wohlin, Per Runeson, Martin Höst, Magnus C Ohlsson, Björn Regnell, and Anders Wesslén. 2012. Experimentation in software engineering. Springer Science & Business Media.
Razieh Nokhbeh Zaeem and K Suzanne Barber. 2020. The effect of the GDPR on privacy policies: Recent progress and future promise. ACM Transactions on Management Information Systems (TMIS) 12, 1 (2020), 1–20.
Denise Amram. 2020. Building up the “Accountable Ulysses” model. The impact of GDPR and national implementations, ethics, and health-data research: Comparative remarks. Computer Law & Security Review 37 (2020), 105413.
Eduard Barnoviciu, Veta Ghenescu, Serban-Vasile Carata, Marian Ghenescu, Roxana Mihaescu, and Mihai Chindea. 2019. Gdpr compliance in video surveillance and video processing application. In 2019 International Conference on Speech Technology and Human-Computer Dialogue (SpeD). IEEE, 1–6.
Rafael Vescovi Bassani and Silvio César Cazella. 2021. O alinhamento entre learning analytics e a general data protection regulation: uma revisão sistemática de literatura. ETD: Educaçao Temática Digital 23, 4 (2021), 1022–1040.
Fran Casino, Eugenia Politou, Efthimios Alepis, and Constantinos Patsakis. 2019. Immutability and decentralized storage: An analysis of emerging threats. IEEE Access 8 (2019), 4737–4744.
Intersoft Consulting. 2021. General Data Protection Regulation (GDPR). https://gdpr-info.eu/
Keeley Crockett, Sean Goltz, and Matt Garratt. 2018. GDPR impact on computational intelligence research. In 2018 International Joint Conference on Neural Networks (IJCNN). IEEE, 1–7.
HW Dalrymple. 2021. The general data protection regulation, the clinical trial regulation and some complex interplay in paediatric clinical trials. European Journal of Pediatrics 180, 5 (2021), 1371–1379.
Renata M de Carvalho, Camillo Del Prete, Yod Samuel Martin, Rosa M Araujo Rivero, Melek Önen, Francesco Paolo Schiavo, Ángel Cuevas Rumín, Haralambos Mouratidis, Juan C Yelmo, and Maria N Koukovini. 2020. Protecting citizens’ personal data and privacy: Joint effort from GDPR EU cluster research projects. SN Computer Science 1, 4 (2020), 1–16.
Bob Duncan and Yuan Zhao. 2018. Risk management for cloud compliance with the EU General Data Protection Regulation. In 2018 International Conference on High Performance Computing & Simulation (HPCS). IEEE, 664–671.
Theodora Gazi. 2020. Data to the rescue: how humanitarian aid NGOs should collect information based on the GDPR. Journal of International Humanitarian Action 5, 1 (2020), 1–7.
Raphael Gellert. 2018. Understanding the notion of risk in the General Data Protection Regulation. Computer Law & Security Review 34, 2 (2018), 279–288.
Emanuel Gonçalves, Paulo Teixeira, and Joaquim P Silva. 2020. Development of GDPR-Compliant Software: Document Management System for HR Department. In 2020 15th Iberian Conference on Information Systems and Technologies (CISTI). IEEE, 1–6.
Nils Gruschka, Vasileios Mavroeidis, Kamer Vishi, and Meiko Jensen. 2018. Privacy issues and data protection in big data: a case study analysis under GDPR. In 2018 IEEE International Conference on Big Data (Big Data). IEEE, 5027–5033.
Startup Guide IONOS. 2019. Compliance: guidelines for compliant corporate behaviour. [link]
Patrick Jost and Marisa Lampert. 2020. Two Years After: A Scoping Review of GDPR Effects on Serious Games Research Ethics Reporting. In International Conference on Games and Learning Alliance. Springer, 372–385.
Barbara Kitchenham and Stuart Charters. 2007. Guidelines for performing systematic literature reviews in software engineering. (2007).
Michael Kretschmer, Jan Pennekamp, and Klaus Wehrle. 2021. Cookie banners and privacy policies: Measuring the impact of the GDPR on the web. ACM Transactions on the Web (TWEB) 15, 4 (2021), 1–42.
Ondřej Kročil and Richard Pospíšil. 2020. The influence of GDPR on activities of social enterprises. Mobile Networks and Applications 25, 3 (2020), 860–867.
Christian Kurtz, Martin Semmann, and Tilo Böhmann. 2018. Privacy by design to comply with GDPR: a review on third-party data processors. (2018).
Christian Kurtz, Florian Wittner, Martin Semmann, Wolfgang Schulz, and Tilo Böhmann. 2022. Accountability of platform providers for unlawful personal data processing in their ecosystems–A socio-techno-legal analysis of Facebook and Apple's iOS according to GDPR. Journal of Responsible Technology 9 (2022), 100018.
K Krithiga Lakshmi, Himanshu Gupta, and Jayanthi Ranjan. 2020. Analysis of General Data Protection Regulation Compliance Requirements and Mobile Banking Application Security Challenges. In 2020 8th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions)(ICRITO). IEEE, 1028–1032.
Roslyn Layton and Silvia Elaluf-Calderwood. 2019. A social economic analysis of the impact of GDPR on security and privacy practices. In 2019 12th CMI Conference on Cybersecurity and Privacy (CMI). IEEE, 1–6.
Ze Shi Li, Colin Werner, Neil Ernst, and Daniela Damian. 2022. Towards privacy compliance: A design science study in a small organization. Information and Software Technology 146 (2022), 106868.
Isabel Maria Lopes, Teresa Guarda, and Pedro Oliveira. 2020. General data protection regulation in health clinics. Journal of Medical Systems 44, 2 (2020), 1–9.
Vincenzo Mangini, Irina Tal, and Arghir-Nicolae Moldovan. 2020. An empirical study on the impact of GDPR and right to be forgotten-organisations and users perspective. In Proceedings of the 15th international conference on availability, reliability and security. 1–9.
Blanaid Mee, Mary Kirwan, Niamh Clarke, Aoife Tanaka, Lino Manaloto, Emma Halpin, Una Gibbons, Ann Cullen, Sarah McGarrigle, Elisabeth M Connolly, et al. 2021. What GDPR and the Health Research Regulations (HRRs) mean for Ireland: a research perspective. Irish Journal of Medical Science (1971-) 190, 2 (2021), 505–514.
Louise Meijering, Tess Osborne, Esther Hoorn, and Cristina Montagner. 2020. How the GDPR can contribute to improving geographical research. Geoforum 117 (2020), 291–295.
Veronica L Nabbosa and Rehan Iftikhar. 2019. Digital retail challenges within the EU: fulfillment of holistic customer journey post GDPR. In Proceedings of the 2019 3rd International Conference on E-Education, E-Business and E-Technology. 51–58.
Crispin Niebel. 2021. The impact of the general data protection regulation on innovation and the global political economy. Computer Law & Security Review 40 (2021), 105523.
Mark Phillips. 2018. International data-sharing norms: from the OECD to the General Data Protection Regulation (GDPR). Human genetics 137, 8 (2018), 575–582.
Filipe Pires, Osvaldo Pacheco, and Ricardo Martins. 2021. Why you should care about GDPR in IoT Enterprises & Solutions. (2021).
Eugenia Politou, Alexandra Michota, Efthimios Alepis, Matthias Pocs, and Constantinos Patsakis. 2018. Backups and the right to be forgotten in the GDPR: An uneasy relationship. Computer Law & Security Review 34, 6 (2018), 1247–1257.
Danaja Fabcic Povse. 2018. It's all fun and games, and some legalese: data protection implications for increasing cyber-skills of employees through games. In Proceedings of the Central European Cybersecurity Conference 2018. 1–5.
Charles D Raab. 2020. Information privacy, impact assessment, and the place of ethics. Computer Law & Security Review 37 (2020), 105404.
Rahime Belen Sağlam, Çağri Burak Aslan, Shujun Li, Lisa Dickson, and Ganna Pogrebna. 2020. A Data-Driven Analysis of Blockchain Systems’ Public Online Communications on GDPR. In 2020 IEEE International Conference on Decentralized Applications and Infrastructures (DAPPS). IEEE, 22–31.
Iskander Sanchez-Rola, Matteo Dell'Amico, Platon Kotzias, Davide Balzarotti, Leyla Bilge, Pierre-Antoine Vervier, and Igor Santos. 2019. Can i opt out yet? gdpr and the global illusion of cookie control. In Proceedings of the 2019 ACM Asia conference on computer and communications security. 340–351.
Shayak Sen, Saikat Guha, Anupam Datta, Sriram K Rajamani, Janice Tsai, and Jeannette M Wing. 2014. Bootstrapping privacy compliance in big data systems. In 2014 IEEE Symposium on Security and Privacy. IEEE, 327–342.
Supreeth Shastri, Vinay Banakar, Melissa Wasserman, Arun Kumar, and Vijay Chidambaram. 2019. Understanding and benchmarking the impact of GDPR on database systems. arXiv preprint arXiv:1910.00728 (2019).
Piwik PRO Analytics Suite. 2019. 10 new privacy laws around the world and how they'll affect your analytics. https://piwik.pro/privacy-laws-around-globe
Gonçalo Almeida Teixeira, Miguel Mira da Silva, and Ruben Pereira. 2019. The critical success factors of GDPR implementation: a systematic literature review. Digital Policy, Regulation and Governance 21, 4 (2019), 402–418.
Marco Todde, Marco Beltrame, Sara Marceglia, and Cinzia Spagno. 2020. Methodology and workflow to perform the Data Protection Impact Assessment in healthcare information systems. Informatics in Medicine Unlocked 19 (2020), 100361.
George Valença, Ralf Kneuper, and Maria Eduarda Rebelo. 2020. Privacy in software ecosystems-an initial analysis of data protection roles and challenges. In 2020 46th Euromicro Conference on Software Engineering and Advanced Applications (SEAA). IEEE, 120–123.
G Gultekin Varkonyi, Attila Kertész, and Sz Varadi. 2019. Privacy-awareness of users in our cloudy smart world. In 2019 Fourth International Conference on Fog and Mobile Edge Computing (FMEC). IEEE, 189–196.
Claes Wohlin, Per Runeson, Martin Höst, Magnus C Ohlsson, Björn Regnell, and Anders Wesslén. 2012. Experimentation in software engineering. Springer Science & Business Media.
Razieh Nokhbeh Zaeem and K Suzanne Barber. 2020. The effect of the GDPR on privacy policies: Recent progress and future promise. ACM Transactions on Management Information Systems (TMIS) 12, 1 (2020), 1–20.
Publicado
29/05/2023
Como Citar
MACHADO, Pedro; VILELA, Jéssyka; PEIXOTO, Mariana; SILVA, Carla.
A systematic study on the impact of GDPR compliance on Organizations. In: SIMPÓSIO BRASILEIRO DE SISTEMAS DE INFORMAÇÃO (SBSI), 19. , 2023, Maceió/AL.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2023
.
