Privacy Enforcement at a Large Scale for GDPR Compliance

Khaitzin, Ety; Shlomo, Roee; Anderson, Maya

doi:10.1145/3211890.3211913

Cited by 2 publications

(1 citation statement)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In 2020, Li et al [27] operationalized parts of the GDPR and developed a tool that tests for specific privacy requirements. Khaitzin et al [15] presented a way to make privacy more usable for "Big Data companies" by optimizing performance using intermediate representations, thus providing an alternative or at least a mitigation for privacy/performance trade-offs. Furthermore, Chander et al [7] reviewed the compliance costs and evaluated the feasibility of data protection enforcement.…”

Section: Gdpr Implementation Supportmentioning

confidence: 99%

Investigating GDPR Fines in the Light of Data Flows

Saemann

Theis²,

Urban³

et al. 2022

PoPETs

View full text Add to dashboard Cite

While GDPR related fines to big companies like Amazon or Google have seen widespread media attention, data protection authorities have issued several hundred more penalties since 2018. This work analyzes 856 fines and their summaries provided by the CMS Law GDPR Enforcement Tracker. We extend the methodology of previous work that evaluated GDPR fines and, in particular, explore the fines in the light of data flows and we perform a detailed categorization. Our analysis shows that it is a combination of technical and organizational issues that are involved when a fine is imposed. Moreover, data protection authorities more often react to data subjects’ complaints when data breaches become public and when health-related data is involved. We further show that the root causes for fined data processing lie in the early data life cycle phases (e.g., data collection). Here, organizational problems are more prevalent (601 fines) than technical issues (314 fines), while technical issues are mentioned more often in later life cycle phases (e.g., retention, access and usage). Especially mistakes in the early phases of the data collection process (e.g., lacking a legal basis) and unauthorized disclosure in later phases are fined. We cluster the most frequent words and analyze relations to understand where data controllers put personal data at risk. The results confirm that access management is a common problem that results in the unintended disclosure of data.

show abstract

Section: Gdpr Implementation Supportmentioning

confidence: 99%