TECHNICAL AND LEGAL ASPECTS OF DATABASE'S SECURITY IN THE LIGHT OF IMPLEMENTATION OF GENERAL DATA PROTECTION REGULATION
Abstract
In the modern era, information is not only a valuable commodity but also a potential source of threat, especially when it comes to personal data. The implementation of the General Data Protection Regulation (GDPR) seeks to unify regulations and safeguards in the same manner across the EU. This paper surveys how the legal aspects of the GDPR influence the existing technical framework of databases containing personal data. In this research we want to show whether the existing technical infrastructure and safeguards implemented in databases containing personal data are sufficient and, if not, whether implementing new ways of protecting data will require creating an entirely new system of databases or only changing the existing framework. Therefore, we combine an analysis of legal texts with a technical analysis of existing and newly implemented safeguards. While the GDPR does not say which safeguards should be implemented (in the spirit of technological neutrality), the notion of pseudonymisation of data is strongly advocated throughout the Regulation. In our paper we tried to show an algorithm that creates a pseudonymisation function which can change personal data into generic data, with the possibility of reversing that process and utilising the data after de-pseudonymisation. Implementing safeguards based on this function creates a safer environment for data safekeeping while giving nearly immediate access to the data to an authorised person, who can reverse the pseudonymisation and transform generic data once more into personal data.
Copyright information
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License (Creative Commons Attribution License 3.0 - CC BY 3.0) that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).
info@iseic.cz, www.iseic.cz, ojs.journals.cz