Abstract
Earlier studies on personal data protection (PDP) have focused on the laws that were passed by the stakeholders or the techniques to mask private data through qualitative analysis and quantitative research or both. Little, if any, literature has been written on the impact of personal data protection (PDP) regulations on the operational workflow of organizations. This study aims to identify the independent variables of personal data protection (PDP) regulations that impact operational workflow. The result of the study shows that technology, regulation, types of processes, implementation and company policy impact the operational workflow of organizations in the form of enhanced security, better-quality project deployment, tightly monitored data collection, disclosure and use of data, well-informed employees and solid company policies. These can very well translate to improvement of an organization’s operational workflow.
Introduction
The establishment of PDP regulations is now more important than ever. Trends in technology, such as Big Data and Cloud computing, have grown exponentially. These technologies can contain vast amounts of personal data for data processing and analysis. As these technological trends continue to develop, individuals grow concerned about how their personal data is used [44]. Thus, data protection regulations have become necessary to control the collection and use of personal data to maintain the individuals’ trust in organizations that manage their data [2].
The privacy topic is not something new. This has been on people’s minds as early as the 19th century, when a paper on “The Right to Privacy” came out. This paper was in response to the technology that flourished then – modern photography and the printing press. The paper argues that people must not be photographed without their permission, hinting against nosy reporters.
Over the course of the years, the focus on privacy has changed, based on technological developments.
Let us first comprehend the definition of personal data that is protected under the PDP regulations. Personal data mentioned in the regulations refer to data from which an individual can be identified or data to which organizations have access.
The PDP regulations control the collection, use, disclosure and care of personal data by private organizations. This acknowledges the rights of individuals to protect their personal data. This also includes their right to have access to their data and to correct their data when necessary, as well as the need for organizations to collect, use or disclose personal data for reasonable purposes [8].
Countries with a well-established legal framework on PDP include but are not limited to members of the European Union [13], US [19], UK, Canada, Hong Kong, New Zealand, Australia [18], Malaysia [20] and Singapore [8].
An organization’s strategic plan and competitive advantage are dependent on its ability to respond to challenges occurring in both internal and external environments [35]. As such, with the PDP regulations in place, organizations need to ensure well-defined security policies and procedures that are a necessary step towards an effective information security programme, and any vulnerability to security must be managed to ensure regaining the confidence of overly concerned investors [23].
The literature review shows that many studies have been conducted on techniques to secure private information and to prevent intruders from getting a hold of such information. Techniques discussed in the studies are Context Management [1], Enterprise Privacy Authorization Language (EPAL) [5], KBA (knowledge-based authentication) [10], Privacy-Preserving Data Policy (PPDP), Singular Value Decomposition (SVD) [49], Bloom Filter [36], Hippocratic Database (HDB) [21], Spatial Cloaking and Location Obstruction [33].
The main emphasis of this paper is to explore the measures that organizations have undertaken to meet the regulations and, more importantly, to discuss the factors to determine a model that focuses on the impact of the PDP regulations on the operational workflow of an organization. This research intends to uncover more insights on how organizations comply with the regulations while increasing flow of data and not slowing it down.
Literature review
There is an existing body of literature that examines the impact of personal data protection (PDP) regulation on operational workflow.
The literature review is structured according to the variables considered in this research. The dependent variable is the impact of personal data protection (PDP) regulations. The various independent variables are: (i) technology; (ii) regulation; (iii) types of processes; (iv) implementation; and (v) company policy. Table 1 illustrates the flow of research over the last few years. The added value of this research paper lies in providing greater comprehension of multiple aspects of the Personal Data Protection (PDP) regulations.
Research methodology
The research methodology is centred on existing core variables identified through an exhaustive literature survey. A simple direct relationship between five core variables – technology, regulation, types of processes, implementation and company policy – and the impact on the personal data protection (PDP) regulations is positioned in the research model.
Information for research was gathered from different sources of secondary data. Most data were collected from ProQuest, National Library eDatabases and ISI Thomson.
Research framework and definition of variables
From the secondary data collected, the research framework is developed as shown in Fig. 1. The impact of the regulations is the dependent variable. The scope of the research is restricted to comprehending the impact of the Personal Data Protection (PDP) regulations on the operational workflow. This research aims to examine the changes brought about by the regulations to the organizations.
Technology
The digital revolution has changed the way we look at information. Organizations must make great efforts to safeguard privacy and be ready for new threats and changes that are likely to occur culturally [8]. Techniques with the use of technology have been recognized to facilitate the need for keeping private data secure: Context Management [1], EPAL [5], KBA (knowledge-based authentication) [10], Privacy-Preserving Data Policy (PPDP), Singular Value Decomposition (SVD) [49], Bloom Filter [36], Hippocratic Database (HDB) [21], Spatial Cloaking and Location Obstruction [33].
Since the internet has become more popular, along with gadgets that gather so much information, the amount of personal data collected has grown to a point where it is pointless to stop the collection. Now technology is also used to address how data are used.
The use of these technologies – data mining, big data and networks – is of great help to organizations in growing their business, but organizations must also introduce ways to protect themselves from attacks brought about by the mentioned technologies. Organizations can make use of solutions to secure data from being mined, accessed without permission in the cloud and distributed through USBs or hard drives available to employees in the workplace.
3.1.1.1 Data mining. Data mining can reveal private information, and it is the most popular technique to reveal confidential data [28]. The use of this technique is also gaining ground in counterterrorism and homeland security.
The Dependency Detection method is useful in data mining processes where the data analysis requirement is high. It allows for processing a high volume of events into dependency information [11].
Organizations that outsource data-mining tasks to third-party companies are at grave risk of exposing private information [36]. There are available technologies that will mask sensitive information resulting from data-mining activities. These are PPDP, SVD [49], Bloom Filter [36] and HDB [21].
3.1.1.2 Big data. Big data is one of the most popular buzzwords, if not the most popular, lately. Big data contains a large volume of both structured and unstructured data that is growing exponentially. Organizations want to leverage and make sense of the analytics they can get out of it. Given the huge datasets, normal servers are not used to store such data; rather, they are kept in the cloud. A survey conducted by IBM has found that 60% of organizations are prepared to implement cloud computing in the next five years, as they perceive the cloud as a means to gain an edge over the competition [25].
The key challenge for organizations is how to ensure that the cloud can handle user data securely [44]. The advantages of cloud computing are in its ability to scale rapidly, store data remotely and share services in a dynamic environment. The same characteristics also become its disadvantages when it comes to maintaining a level of privacy assurance [34].
A Gartner survey reveals that CTOs believe the primary reason not to use cloud computing services is due to data security and privacy concerns [7]. The public and business leaders share the same sentiment. They are excited about the possibilities of cloud computing but are worried about security, availability and privacy of their data [44].
3.1.1.3 IT network. Organizations must employ security solutions to cover all bases – networks, data storage and end-points (e.g., USB). Privacy standards must also deal with threats from BYOD (bring your own device), BYOC (bring your own cloud) and storage services (dropbox, cloud) [17]. Importance should also be given to data protection assessment and compliance for OBE (OnBoard Equipment) as this concerns the personal profiles and an individual’s whereabouts based on location data stored in OBE devices [9].
3.1.1.4 Cyber intrusion. As the world moves towards a more virtualized infrastructure, the attacks on government and enterprise data rise [42]. These attacks start small and then progress into more opportunistic attacks [40]. Cyber-intrusion is the most expensive cause of data breaches and the most common one [15]. To protect themselves from malicious attacks, organizations must think like an attacker by identifying the possible paths an attacker might use to penetrate the network, and they must compare the costs and benefits of remedies to specific attacks [41].
Regulation
The PDP regulations require organizations to look more closely into how third-party vendors handle personal data. This is because the organization still remains liable, and the vendor has very limited responsibility when a breach occurs. Organizations have to strengthen contractual obligations of the third-party vendors by putting the necessary text in the contract.
Compliance with the regulations also results in additional costs and procedural changes to organizations. These are attributed to keeping the employees informed of the regulations and setting up a complaint hotline and a portal. The portal, however, is not a necessary requirement for all organizations.
Countries can follow one or more of the following models to protect privacy: Comprehensive Laws, Sectoral Laws, Self-Regulation and Technologies of Privacy.
The EU adopted Comprehensive Law, whereas the US adopted Sectoral Laws to protect Privacy Industry by Industry and Self-Regulation of companies and industry bodies [14].
The right to privacy and data protection have often been used interchangeably; however, these two are different. Data protection is a narrower concept. The right to privacy is understood as limiting government powers that interfere with reasonable respect for a private life. Data protection, on the other hand, requires an expansion of government powers to monitor compliance of both government and third parties that collect, use or disseminate personal data [8].
3.1.2.1 Compliance. Adherence to privacy regulations is used as a criterion for assessing the integrity of the business [18].
To be in compliance with the regulations, organizations must implement measures for access and correction requests, consent for collection/use/disclosure of data and ensuring data are accurate and complete [8].
3.1.2.2 Operating costs. Operating costs brought about by the need to comply with the regulations include staff training, online portal for opting out of promotions, use and disclosure of data and obtaining consent from individuals [17].
3.1.2.3 Third party vendors. There is a potential risk of exposing sensitive information for organizations that transfer such information to a third party for further analysis. In the case of data-mining tasks, an authorized third party will perform the association rule mining based on the dataset transformed by, for instance, Bloom Filters [36]. Taking Singapore as an example, data intermediaries have limited obligation. The obligation to safeguard data still falls on the organization that contracted the intermediary [8].
3.1.2.4 Complaint handling. Complaints of non-compliance by an organization can attract fines or damage to the organization’s reputation. To prevent this, organizations are required to develop processes to deal with complaints [8].
Organizations leave it largely to individuals themselves to pursue complaints and seek remedies. A regulator then needs to judge whether a data subject’s rights outweigh the interests of the data user [37].
Types of processes
Consent is one of the key messages that the PDP regulations send across organizations. Organizations now have to rethink steps on how data are collected and processed. They have to ensure that, no matter what personal data they hold, they have a corresponding consent from the individual and that sensitive data are processed based on its stated purpose.
The PDP regulations have been designed to prevent over-collection of data and to let individuals be aware of how their data are being used and what sort of data the organizations have on them [8].
3.1.3.1 Data collection. Organizations are required to obtain explicit consent from subjects upon collection of their personal data. The privacy and data protection regulations are premised on individual control over information and on principles such as data minimization and purpose limitation [34].
3.1.3.2 Processing sensitive data. Organizations that hold personal data must de-identify the data once immediate use has ceased, delete or amend inaccurate data or retain for later use. For some countries, they allow for further processing of historical data for scientific or research purposes only and only if proper safeguards are in place, meaning that personal data are anonymous or have been encoded [19].
Implementation
The rising number of cyber-attacks has spurred organizations to exhaust their budgets to assure a high level of security [41]. As organizations implement security features, their processes and efficiency can be adversely affected.
To guarantee that personal data remain safe, organizations invest in improving their security of information, if their existing security measures are determined not to meet the requirements of the regulations. In case an organization decides to upgrade or deploy a new security measure, it has to ensure that errors during the implementation, be they human or technical, be minimized or totally eliminated. The organization must review the project management steps thoroughly, so that proper training and documentation are provided to the implementation team, and ensure appropriate and sufficient testing.
3.1.4.1 Investment. Investments in Information Technology (IT) have been associated with organizational productivity, and the impact of these investments is dependent upon how much the organizations invest in non-IT labour as well [22].
Organizations ensure their data remain protected by investing in sophisticated technologies that will not only control who has access to which specific company data, but will also improve their productivity [12].
3.1.4.2 Infrastructure upgrade. Upgrades to existing security features are necessary to keep pace with the advances in security threats. Options for upgrade include a security feature that uses group signatures with an anonymity/encryption function to deliver anonymity, verifiability and performance [26], HDB (Hippocratic Database) integrated technology [21], changes to software development methodology, like Tropos [30], and the Singular Value Decomposition (SVD) method for data distortion [49].
3.1.4.3 Minimize human error. The mistakes that are made during deployment of a technology may lead to security vulnerabilities. Human, organizational, cultural and policy factors influence the information security in organizations. Organizational factors include lack of training and lack of proper policy resource management; human factors are configuration errors, lack of proper validation and incorrect access restrictions [43].
Company policy
Organizations are required to develop policies for implementation, including a process to respond to complaints [8].
Organizations must focus on all aspects of handling sensitive information and must ensure that all employees who interact with such information and with the public, implement the organizations’ policies and procedures [49].
How and for what purpose personal data is collected, and who has access to such data, have to be included in the organization’s company policies. This information can be reflected in the employment contract for new joiners. For insurance of existing employees, they can click an OK button in an HR portal, signifying consent for data collection and use of data.
Coinciding with the policy change, the organization holds seminars for its employees regarding PDP so that they are effectively informed of the regulations and appreciate what they are agreeing to when they click that OK button in the portal. For organizations to be effective, they should migrate from knowledge sharing to a culture of knowledge creation and to creation of sustained organizational and societal values [46].
3.1.5.1 Staff education. The most focused approach to cyber security includes proactive and automated data protection, written policies, procedures and employee training [15].
Organizations are required to educate and make the employees aware of the regulations as well as set up a team responsible for data protection [31].
Employees are better prepared when they are exposed to experiences of others through observation and if they are given the opportunity to practise their newly gained knowledge [47].
3.1.5.2 Consent. Personal data may only be processed if the user has explicitly given his or her consent (exceptions are for legal and contractual purposes). This practically disallows all types of data collection (except for when required by law) and requires a case-by-case explicit consent by the data subject [8].
Consent from an individual prevents over-collection of information, as this allows the individual to be able to choose what information to disclose. The default position for consent is “opt-in”, or that data will not be shared [8].
However, this puts unnecessary restrictions on processing sensitive data, such as medical information and political or religious beliefs, which do not require explicit consent from subjects [12].
Where the benefits of prospective data use clearly outweigh privacy risks, the legitimacy of processing should be assumed, even if individuals decline consent [45]. For example, caregivers are given the ability to override the patient’s disclosure directives to protect patient safety. Overrides are logged and are subjected to audits to ensure there is no occurrence of abuse [48].
3.1.5.3 Data access. Access to sensitive information must only be given to appropriate users in the organization. To ensure security a step further, an organization can use the data pseudonymization technique, where sensitive data elements are substituted with pseudonyms. Users who access sensitive data will not see the data itself. Only the specific elements of data relevant to an enquiry are returned to the user [6].
Discussion, analysis and outcome
Technological problems and solutions
Application of decision trees to protect privacy
The use of data-mining techniques allows for unrelated data to be assembled into a more coherent set of information. Organizations are able to extract useful information from such massive data, allowing them to make use of it in database marketing, credit card and loan evaluation, medical diagnostics, fraud detection and web usage analysis. Organizations make use of data-mining techniques for the purpose of gaining competitive advantage by being able to gain the knowledge of their customers’ needs and, hence, able to serve their customers better. There has been, however, a growing concern about how data mining can be used to discover personal information. There has been a study conducted in the US, stating that data-mining projects run by federal agencies used personal information, and data-mining projects from the private sectors involved personal information. This has prompted the federal agencies to cancel their counterterrorism projects that retrieve data based on data-mining techniques after a strong opposition coming from the public.
Another example of a data-mining blunder is that of AOL releasing a file on its website in August 2006 containing 20 million search queries for over 650,000 users. Although the identities of the users were not included in the data, many users in the file could be easily identified. The file was taken down by AOL from their website within a few days, but by then, the file had been downloaded so much that AOL was slapped with complaints and lawsuits. A study states that there is a new victim of identity theft in the U.S. every 3 seconds and the total damage of identity theft is estimated at USD 53 billion annually [4].
These data-mining mistakes have heightened concern about privacy even more. A study of online users reveals that they have refused to give personal information and provided incorrect information when asked about personal habits and preferences. This has resulted in quality and integrity of data being greatly affected.
Researchers proposed a solution to ease the public’s privacy concerns, and that is to make use of decision trees. Decision trees, also known as classification trees, build classifiers based on recursive partitioning of data. Decision trees are widely used for pattern recognition, fraud detection, credit evaluation and other data-mining applications.
This is how it works at a high level and in its simplest form. An iterative pruning algorithm runs and prunes a branch that has the highest value. This runs until it reaches the root or until a stop criterion is met. After pruning is complete, a record with the majority class is swapped for a record with a minority class in the same leaf. This swapping is performed over all leaves. Simply put, this swaps out confidential attribute values between the records. Which information is swapped is determined during the iteration; it can be random or based on probability [28].
Regulatory problems and solutions
Data protection resolutions for data intermediaries
The rise of social networking sites like Facebook has also given rise to the massive collection of personal data, as well as this data’s lawful or unlawful distribution online. Individuals voluntarily share personal information and a lot of identifiable information is collected during sign-up [32]. This information is shared for reasons such as recruitment and professional career development, relationship improvement in distributed work context and interactions with other individuals [39]. However, the pressing matter is not the collection of the data but rather how that data is being used and, in particular, how it is being disseminated to third parties, especially now, with modern information technology practices, where there is an increasing amount of data stored in the cloud [8].
Third parties, referred to in the PDP regulations as data processors or data intermediaries, are entities that process personal data on behalf of another organization. Data processors have limited obligations to the protection of data. As written in the regulations, data processors must ensure that they do not retain data in a form that can identify particular individuals and data that can no longer serve the purpose for which it was collected. The organization that contracted the data processor remains fully responsible for whatever data is processed on its behalf [8]. The Cloud providers can be seen as “neutral intermediaries” – they host the data but have no knowledge of personal data [16].
The security controls employed in the cloud are similar to those in a traditional IT environment. But because of its multi-tenant characteristic and its openness, it is a cause of concern. The cloud is very much scalable. The applications and data in the cloud have no fixed security boundaries. In case a security breach happens, a cloud provider will not have a way of knowing which resource is compromised. The cloud is owned by multiple providers, making it a challenge to deploy unified security measures. With the cloud being multi-tenant and sharing virtualized resources, user data may be accessed by other unauthorized users.
Currently, there are a number of solutions developed by technology companies and data scientists to address the data security and privacy protection concerns. IBM, for instance, has developed an encryption scheme that allows data to be processed without being decrypted. There is one more called Airavat that can prevent data leakage without authorization. NEC Labs has come up with its public data integrity (PDI) solution that can support public data integrity verification. This means the user no longer needs to download the data first to verify its accuracy and then upload the data. A scientist proposed a privacy protection framework based on information accountability (IA). The IA agent can identify the users who are accessing information and the types of information they use. When misuse is detected, the agent defines a set of methods to hold the users accountable for misuse.
The organizations and the third party have to work together to safeguard personal data. The organizations must make sure that the third parties are contractually liable for any breaches, and, on the other hand, the third-party must make sure that the data under its care are kept confidential, whether stored in the cloud or in other storage.
Data processing problems and solutions
Application of proximity and locality for data protection
The organizations collect data about their employees, not only through email or electronic transactions but also through surveillance monitoring. Surveillance happens to individuals on a daily basis as they walk beneath cameras, swipe their cards and surf the internet [29]. Organizations can monitor staff as long as monitoring is not done in areas where employees have a high expectation of privacy (for example, public toilets and an individual’s private office). Organizations are also allowed to access individual email accounts, as long as emails are sent for business purposes, even though this includes personal data and emails that do not involve the workplace but were sent from work emails.
One critic disagrees with the level of control an organization has. He argues that such surveillance can be performed if it is not just a few powerful entities that control such information, but if it is shared among all, where everyone will be watching each other; this, therefore, eliminates fear. But the answer to this lies in the middle. Clearly there has to be a balance of privacy practices and goals of the organization with the autonomy of the individual. An individual must not have that sense of fear that he or she is being watched and, therefore, is unable to act naturally under normal circumstances.
One solution to this technological reality, while still preserving a desirable state of protection, even when this means some form of sociological adjustment, is the principles of proximity and locality [24]. To illustrate, here are some examples: Proximity – granting that an individual has agreed to surveillance and has given explicit consent to be surveilled by a camera at the pantry but not at the hallway, data collection will only happen if the individual gets near the camera at the pantry. Such a detection mechanism can be achieved through advanced sensors or biometry. Locality – information that is collected in a building will only stay in a building’s network. This concept resembles privacy protection in a small, rural community, where everybody knows everything about each other and is only too happy to tell. Once someone leaves the boundaries of the village, however, access to information about its inhabitants becomes difficult, if not impossible. Though word of mouth allows information to travel far beyond the originating locality, the information value drastically decreases with increasing distance.
Implementation problems and solutions
Improvements on project methodology for error reduction
Organizations have been busy setting up security measures to secure information, to protect themselves from malicious attacks. The common approach to preventing vulnerability from attacks is to deploy latest technological tools, but studies suggest that security initiatives should not only be technical, but that human aspects must also be considered during implementation. Examples include protective tools that have been configured poorly (i.e., a poorly configured firewall or use of a weak password). These technology solutions are usually developed for a large variety of customers. When they are deployed to a specific customer, they entail a huge variety of customizations or configurations so that they integrate with the existing security protocol in the organization. The deployments typically involve a large group of people with the majority of them from the vendor or outside of the organization. Once deployment is complete, the vendor or the consultants hand the security controls to the user organization. Unfortunately, the user organization often does not have the knowledge for each and every configuration. This makes it very dependent on the vendor or consultant. This is where the human errors come in. The user organization may play around with the configuration, in case a new requirement arises, and would not want to engage the vendor to save money. It could also be that the user organization trusts that the vendor has properly configured the solution to its need, but this is not the case – the vendor may have overlooked or missed a setting, because he/she is under pressure to complete the deployment on schedule and within budget. Synchronization errors, condition validation errors, configuration errors and number of individuals with super user privileges are just some of the errors that may occur during implementation [43].
Research suggests that to minimize human errors during implementation, an organization must select a set of employees to take part and play an active role in the implementation; comprehensive training must be provided so that these employees are able to take over once the implementation is complete; complete documentation must be available before, during and after the implementation to allow other employees to be able to provide adequate support, even though they were not part of the implementation team; verification or adequate testing must be performed before signing off on the deployment. Organizations can also offer learning rewards to their employees to motivate them to increase knowledge transfer [52]. These steps assure a smooth implementation and the possibility of attacks or data breach can be minimized.
Company policy problems and solutions
Availability of options to acquire consent
The most common form of explicit consent is still having a written contract, where an individual affixes his or her signature under a piece of text. This way, data collectors can effectively demonstrate that they have received the explicit consent from the data subject. However, obtaining explicit consent for electronic transactions is not as easy as getting the individual to sign a piece of paper.
A technology exists for this, namely the digital signature based on public-key cryptography, but it has not really taken off and has not gained widespread usage, which makes it difficult to perform actual verification and revocation.
Besides, it is also a challenge to prove that a digital signature represents explicit consent, because an individual's key may have been used to sign off on a particular statement without the individual's knowledge.
Another problem with consent is that the choice is binary: either you consent or you do not. There should be more options available to an individual, aside from "take it or leave it". For example, an individual could decline to have his or her position tracked or traced within an office building. Such choices can also be applied to audio and video recordings during meetings, where those who consent to the recording will be tracked and those who decline will be muted or have their videos anonymized. A solution that can be implemented is similar to Georgia Tech's Classroom project, where classroom recordings have the teacher in focus, while the students are pixelated or anonymized [3].
Research has identified solutions for these problems that include data anonymity and pseudonymity. These two notions ensure that individuals who wish to remain anonymous can do so. It is also important to highlight that the collection of data that is anonymized and/or pseudonymized does not require user consent and is not covered by the regulations [27].
The use of anonymity services is widespread; these services can be free or commercial and can be found on the web. Pseudonymity takes anonymized data one notch higher in terms of security by assigning an ID to an individual.
Whether anonymous or pseudonymous, if data cannot be traced back to an individual, the collection and usage of such data pose no threat to the individual's privacy and also conform to the PDP regulations.
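As an added illustration (not part of the original paper), the following Python example contrasts the two notions discussed above: pseudonymization replaces direct identifiers with an assigned ID, while anonymization keeps only aggregates. The record fields, the sample data, the key and the choice of HMAC-SHA256 to derive the ID are assumptions made for this example; the paper does not name a specific method.

```python
import hashlib
import hmac

# Constructed sample records; names, e-mails and fields are illustrative only.
RECORDS = [
    {"name": "Alice Tan", "email": "alice@example.com", "dept": "Finance", "badge_scans": 41},
    {"name": "Bob Lim", "email": "bob@example.com", "dept": "Finance", "badge_scans": 17},
    {"name": "Alice Tan", "email": "Alice@Example.com ", "dept": "Finance", "badge_scans": 5},
]
DIRECT_IDENTIFIERS = ("name", "email")
DEMO_KEY = b"constructed-demo-key"  # assumption: a real key is stored apart from the data


def pseudonym(email: str, key: bytes) -> str:
    """Derive a stable ID from a normalised e-mail with a keyed hash (HMAC-SHA256)."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Replace direct identifiers with the assigned ID; keep the analytic fields."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["pid"] = pseudonym(rec["email"], key)
        out.append(row)
    return out


def anonymise(records):
    """Drop identifiers entirely and aggregate, so that no per-person row remains."""
    totals = {}
    for rec in records:
        totals[rec["dept"]] = totals.get(rec["dept"], 0) + rec["badge_scans"]
    return totals


def relink(pid: str, candidates, key: bytes):
    """Map an ID back to a known e-mail; this only succeeds with the correct key."""
    for email in candidates:
        if hmac.compare_digest(pseudonym(email, key), pid):
            return email.strip().lower()
    return None


if __name__ == "__main__":
    for row in pseudonymise(RECORDS, DEMO_KEY):
        print(row)
    print(anonymise(RECORDS))
```

The pseudonymized rows can still be linked per person by whoever holds the key, so whether the data "cannot be traced back to an individual" depends on how that key is protected; the aggregated output carries no per-person ID at all.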
Research implications
There are multiple findings from this research. The key variables in favour of PDP regulations are technology (which takes into account the features of security and privacy) and company policy. These encourage compliance with and adoption of the regulations. Another variable, regulation, requires the immediate attention of regulators across the globe. As more countries structure their own regulations, more organizations will be adapting their processes to the regulations. As more organizations comply with the regulations, there can be improvement in the security of personal data, and this may become a standard throughout the modern world.
Limitations and scope for future research
This research looks at the PDP regulations as a whole, in general terms. There is much more to investigate and explore on this topic, especially the different regulations across the globe and how they differ. In addition, further research can narrow the study down to specific industries and/or departments, such as Consumer Goods, where customer data is collected extensively for data analytics, or Healthcare, which holds patient information and medical records that are highly confidential.
This paper is based on secondary data. Future research can make use of primary data through surveys or interviews.
The PDP regulations are continuously evolving to keep up with advancements in technology and changes in society. Also, more and more countries will follow suit and form their own regulations. There is scope for future research on these topics.
Conclusion
The CEO of Sun Microsystems once said that we have to get over it, because we already have zero privacy anyway. Critics pointed out that he had the facts right but had the wrong attitude; individuals must not "get over it"; they must demand clear rules on privacy, security and confidentiality.
Reforms on data protection regulations did catch up and were embraced across the world. The driving forces behind the reforms, though, are not the rights of an individual or concerns about privacy. Rather, they are the commercial realities of globalization and the integration of information through technology. Another reason is that changing data processing practices are forcing a reconsideration of the basic premises of privacy laws and data protection, in particular the need to move the focus from limiting the collection of data to regulating their use.
The number of technologies and “smart” devices continues to grow, and these devices come with capabilities that can be obtrusive in our lives. Ron Rivest calls this the “reversal of defaults”: what was private, hard to copy and easily forgotten then is now public, trivial to duplicate and stored forever [24]. It is pretty clear that something has to be done. Organizations play a huge role in making sure that data protection is fulfilled as they manage large amounts of sensitive personal information.
Organizations leverage technology to allow for data collection and to secure the data at the same time without slowing down the flow of information. Prior to the introduction of the PDP regulations, most organizations, if not all, had already put in place security measures against unauthorized access. Now, these measures can be upgraded to ensure compliance with the regulations. With the arrival of the PDP regulations, the implementation of security infrastructures has to be done properly so that human errors are minimized, if not eliminated.
Changes have also been noted in organizations' company policies. Organizations require explicit consent from employees for the collection of personal data. This was accomplished by adding an extra clause pertaining to personal data collection, disclosure and use to the employment contract, or by clicking the OK button in the Human Resource portal or website to signify acceptance of the personal data collection, disclosure and use. Training sessions were also conducted to educate individuals about the PDP regulations.
The PDP regulations, combined with technology, regulations, types of processes, implementation and company policy, are major factors in delivering enhanced security, better-quality project deployment, tightly monitored data collection, disclosure and use of data, well-informed employees and solid company policies. Through these factors, organizations are not only able to comply with the regulations but also foster the trust of their stakeholders and further boost a clean reputation. More than observance of the regulations, organizations are motivated to make the necessary changes to their processes for business reasons. That is, they can do business with any organization across the globe, because they can meet the regulations of the country where the business/trading partners are located. The EU, for instance, blocks data transfers from countries with insufficient data protection [40].
As more countries move to follow the lead of the EU and the US and institute their own regulations, more organizations around the world will be obliged to comply. More organizations will learn how to adapt their processes to meet the guidelines. Therefore, this can lead to personal data becoming more secure and to improvements for a smoother operational workflow.
It is important to realize that the regulations can only work with the technological and social realities. As we face these realities, we must accept the fact that data collection will continue to advance and erode privacy. Eventually, society will find a new way of looking at things and be more accepting, just as we have learned to live with the nosy reporters and their intrusive cameras.
