Research Paper: Dissertation Chapter 2

profilemkumar9911
TheImpactofGDPRInITPolicyGroupPaperITS833-22.docx

Running head: THE IMPACT OF GDPR IN IT POLICY 1

THE IMPACT OF GDPR IN IT POLICY 8

The Impact of GDPR In IT Policy

Submitted To

Dr. Donnie Grimes

University of the Cumberland’s

Submitted in Fulfillment of Research Paper

Information Technology in Global Economy (ITS-832-22)

Submitted By

Group # 7

Amarender Reddy Chada

Ramu Chilukuri

Mittal Patel

Manoj Kumar Peddarapu

Abstract

The current rapid transformation within the world of I.T., is posing a threat not only to personal information but all sectors associated with I.T. Managing management of essential data is the factor that organizations, business firms, and government agencies are struggling with daily. As the organizations strive to ensure that there is complete protection of data during the storage and sharing process, hackers are also working around the globe to create new ways through which they can breach the data protection servers. The dis-collusion of vital data from one point to another is a systematic process that must be regulated at all costs because if the data gets compromised, the outcomes are severe. This paper analyses all the impacts of GDPR on impacted I.T. policy around the world through an evaluation of several peer-reviewed articles on GDPR.

Keywords: GDPR, Privacy, Cybersecurity, emerging technologies.

Introduction

The process of disclosing data from various agencies ought to point the purpose of the data, state the duration for data use. When sharing critical data with a third party, it is vital to assess the channels through which the data follows. Business firms and public authorities that actively operate by systematic processing of data have to use DPO (data protection officer). Having control of personal data key in ensuring that the data is shared only with the relevant people. With the rising cases of cyber threat and selling of personal data through dark webs, keeping track of your personal information is your full responsibility. Relevant authorities only come in to assist when the case that is compromising data I critical and poses a security threat to other sectors. The primary obligation of GDPR is to ensure that people have control of their most essential data. GDPR achieves control of data by facilitating the crucial environmental data regulation environment.

Articles analysis on GDPR

In the article (Cornock, 2018), Cornock systematically analyzes the primary impacts of GDPR on various research institutions and the actual research activities within various sectors, such as the I.T. and medical sectors. According to the article, there are still several debates on how GDPR is going to affect research in various sectors, starting with the I.T. sectors to the business and marketing sectors on just with the European Union but around the globe. Most of the arguments on GDRP look at the regulation as a potential obstacle to a world of free information sharing. Many people are still not aware of the actual implications that both the E.U. and the world in general will faces with the complete implementation of GDPR.  

Although the regulation directly affects the E.U.'s member state, the rest of the world is expected to be modified in one way or another. According to the article, the regulations outlined in provides a two-year transition period from the DPD (data protection directive) if there is a need for change. The primary concern of GDPR is to work practically in handling data including in the manner in which the data is shared. The fundamental rights that people will have with regards to the GDPR are the chances of being forgotten, and this factor implies that requesting for any data has to be companied by a data deletion after the use of data. The regulations also outline criteria for data transfer outside the non-member states of E.U. These regulations are aimed at ensuring that the rights of individuals are protected from cases of reduction by any other laws within the countries that are receiving the data.  

This article evaluates all the possible impacts of GDPR on technology across the globe. According to the authors, GDPR requires significant protection data. The regulations also pose several challenges and the potential opportunities that organizations will enjoy across the I.T. sector on the international market. Organizations across the globe still haven't prepared adequately to comply with the regulations. As a way of minimizing the liability that organizations might face, organizations have to make drastic transformations in order to fully comply with the rules. This article also evaluates how U.S. and China, which are the world's economic super-powers strive to respond to critical challenges and the opportunities that GDPR is bringing into the world of technology and data protection (Li, 2019).   

Implementation of GDPR

The comprehensive implementation of the GDPR came into effect on 25th May 2018. The regulations aim at laying down precise guidelines for processing, managing, and storing data from citizens of the E.U. member states. The regulations also aim at strengthening data protection within the E.U. member states as a way of meeting data privacy challenges that are arising from the rapid development of digital technology. Although the regulations primarily protect citizens of the E.U. member states, it is going to have a significant impact on the global nature regarding technology and data sharing. Organizations targeting European market in terms of products and service delivery in identification of information. As a result of the implementation of GDPR, consumers have high chances of controlling data which includes; right to withdraw any form of consent as provided for in (Art.7) and the right to be forgotten as provided for in (Art. 17). On the other hand, the regulation outlines high standards for the data processors and controllers, which include data protecting based on the data design as outlined in (Art 25). Recording of significant processing activity (Art. 30). This requires that organizations get the consent of the user before collecting data and implementing the right technical mechanism, including the measures taken as a way of protecting private data of all E.U. member states (Kaushik & Wang, 2018). 

GDPR holds all organizations that handle all forms of data that directly affect E.U. members accountable for any kind of non-compliance with the GDPR. At stated early, the regulations provide both challenges and opportunities to the technology firms, the data center provider, cloud services provider, and data markers who must first adopt all the necessary strict measures, ways of data protection, standards and the process of managing all private data. Failing to comply with the regulations means that the data handlers will incur significant fines. According to GDPR, personal data is anything used in identifying a person. Therefore, personal data includes personally recognizable details such as I.P. addresses, names, social security details, emails, location data, telephone numbers, and dates of birth. 

Personal data also includes information related to economic, genetic, social, and cultural identity. The worlds' leading technology firms such as Facebook, Amazon, and Google have thoroughly updated their data privacy practices and policies as a way of complying with all the regulations outlined by GDPR. Complying with the GDPR gives firms a competitive advantage on the international market as compared to other firms that have not yet complied with the regulations.

The impacts of GDPR on Technology platforms

The implementation of GDPR is having significant impacts on technology platforms and the data infrastructures that collect, manage, and store all forms of private data (Mackay, 2017). Based on the fact that the requirements outlined in GDPR are high regarding data collection and processing, all the controllers and processors have a primary obligation of handling private data, which also means that they have the full responsibility of protecting data by default infrastructures or the designed infrastructures. They also have the responsibility of recording all the essential activities related to the data. Organizations have the mandate of conducting though assessments for the technology platforms and the data infrastructures, including the information systems, databases, websites, the data warehouse, and all the processing platforms as a way of understanding the kind of data collected in situations where all private data exists.

Internal assessments make organizations implement the relevant changes on the technology platforms and the data infrastructures as a way of meeting the requirements outlined by GDPR. In other cases, the process of re-engineering of the existing information systems/ platforms is necessary for reducing the threats of non-compliance. The user has the liberty to request all the relevant information concerning the kind of data collected, including what the data is to be used for. Organizations handling the private data have the responsibility of providing the information on good time upon the user's requisitions. The possibilities of large firms, such as Alibaba and Amazon, have the highest chances of receiving requests from millions of their customers across the globe. The two firms handle large volumes of data daily, and in cases where customers don't get satisfied with how a firm is using his/her personal information, he/she has the liberty to request the firm or organization to completely delete the data.

Organizations with employees from the E.U. or living in the E.U. must also handle the personal data of the employees, which includes the bank details, photos, pension information, tax, medical records, safety reports, C.V.s, and salary information in the best manners (Beacham, 2018). A way of meeting the request of both customers and employees concerning the efficiency of accessing personal data, or the removal of personal information from the I.T. systems, firms must refine their current I.T. systems and platforms. The primary starting point for companies is identifying the private data that is related to customers or the employees from the I.T. systems such as the customer relationship data managing systems, the H.R. systems, the databases, and the I.T. archives. 

The second step is for firms to implement the most holistic tools that search information across all the I.T. systems, platforms, archives, and infrastructures as a way of identifying and extracting all the private data (Mackay, 2017). Without using the holistic search tools, the chances for companies to ensure that there is complete accountability in handling personal data are minimal. For companies to meet the primary requirements outlined by the GDPR, firms have to invest a lot in human resource and the necessary upgrading of the technology platforms, update the privacy policy, change/regulate the advertising methods, and adjust the data storage and processing mechanisms. The impacts of GDPR on the U.S. and Chinese firms are significant. The two countries, which are the world's super economic states, have many companies that carry out business activities with the European Union.

According to a survey by Price water houses Coopers, almost 68% of U.S. firms will spend between $ 1 million to $10 million as a way of meeting the regulations outlined by GDPR; 9 % of the companies will pay more than $ 10 million (PwC, 2017). The high cost is likely to be transferred to the consumers, a factor that will weaken the competitive advantages that American and chines firms enjoy. Furthermore, GDPR is becoming a tool for the European commissions to appropriately accuse the non-EU firms, including the American and Chinese firms that have challenges with data protection and, in one way or another, block the firms from investing and merging. 

Several U.S. and Chinese firms try to comply with the regulations, and the firms include Huawei, which is a Chinese telecommunication giant, which has appointed a data protection personnel and You-Tube, which stopped supporting any form a third-party advert on the services that are specifically reserved for Europe. 

However, despite the efforts that some firms across the globe are putting in the way of managing the technology platforms, their unlikely events that are happening, a good example is the announcement by Yee-light which is one of the sizeable smart light devices company to cut its services to the European users. After the enforcement of GDPR, Facebook, and its allies i.e., Instagram and WhatsApp, and Google were sued as a result of "forced consent," the case reflects that picture that any foreign company's business with E.U. is highly influenced by the GDPR.

The impacts on Cybersecurity

With the implementation of GDPR, the cybersecurity policies are expected to change based on the fact that the regulations require firms to implement the most suitable data protection mechanisms as a way to protect private consumer information against the cases of data loss or the breach, which may lead to the data being exposed. According to article five of the regulation, the essential privacy and the data protection regulations include full consent of the subject for any form of data processing, any form of anonymized collection of data in protecting data, providing any form of data breach notification and safe handling of data during the process of transferring the data from one system to another. Firms must appoint the data protection officer who is then mandated to oversee that the firms comply with the GDPR outlines. 

Based on the past cases of cyber breaches on vital data. GDPR requires that all data controllers notify the super authorities about any case of a breach on personal without delay, and the latest time is within 72 hours after becoming aware of the breach. This factor, therefore, means that firms have to improve their cybersecurity efforts as a way of ensuring that there is complete protection of personal data against any form of breaches and threats. Firms most also strive to minimize the liabilities under regulations outlined in GDPR. GDPR further increases the demands for the cybersecurity experts and the data protection personnel. In efforts towards addressing the current shortage of skills in cybersecurity and data protection experts, governments and the technology firms are investing a lot in cybersecurity training and other I.T. education programs (Whitney, 2018) 

The requirement to provide robust security for personal data comes with several opportunities for firms. The issues of security and privacy are accompanied by the trust of the users, a factor that is essential in business, especially in the current highly competitive global market that is controlled by digital market platforms. There has been a rise in cases are associated to the vulnerability of security on personal data, in cases where companies have failed to properly handle personal information and selling of the information collected from consumers have raised a number of concerns leading to negative impacts on the trust of consumers (Midha. 2012). According to the Capgemini report, 39 % of consumers spend more after being convinced that organizations protect their private data (Cap Gemini Research Institute, 2018). This factor means the process of gaining the trust of customers concerning the privacy of data security may lead to improved sales translating to competition advantage (Conroy, Narula, Milano, & Singhal, 2014).

The U.S. and Chins firms need to make use of the opportunities that GDPR is providing in enhancing the ability to protect personal data as a way of minimizing the legal liabilities of GDPR and at the same time win the trust of consumer across the global market which will help the firms in creating unique competition advantages over thousands of firms that can't comply with GDPR.

The impacts of GDPR on the emerging technology

The implementation of GDPR has a significant impact on developing technologies. The emerging of technologies such as A.I., cloud computing, and blockchains, which are among the most effective means in boosting productivity and performance in other sectors of the economy. The actual application and development of the emerging technology are vital in promoting other aspects of the economies are the technologies are becoming one of the robust competitive domains among countries across the globe. It is vital to note that emerging technologies only deliver value by using massive data and a very high-quality algorithm. The strict regulations on the way data are supposed to be handled and processed is inhibiting the development of new I.T. policies and technologies. At the same time, the use of emerging technologies is under strict regulations increasing the actual cost of developing the new technologies.

The implementation of GDPR is profoundly impacting the development of A.I. applications by raising the development expenses while at the same time limiting the actual application scope of Artificial Intelligence. According to articles 13 and articles 22 of the GDPR, several algorithm decisions must go through a severe reviewing process and be explained by humanity; the restrictions are likely going to increase the actual labor expenses. This factor will also break the balance that exist between transparency and accuracy. According to article 17 of the regulations, users are provided with an opportunity to delete private data without delaying a factor that is gradually destroying primary rules that underpin the Artificial Intelligence systems leading to a decrease in efficiency and the actual accuracy of the A.I. algorithms.  

Looking at the blockchains, it is challenging when it comes to the identification of data controllers and hard in requiring the node that performs strict roles (Wallace & Castro, 2018). As the data of every node of any blockchain impacts the subsequent records, is at all the blockchain user has the authority to delete or change data, the effectiveness and efficiency of blockchains stop existing. Looking at cloud computing, the GDPR develops several duties of cloud platforms service provider, that are required to provide information on all the processing of data which is in relation to article 13 and 14 of GDPR, this factor definitely brings operational challenges and increases the expenses of operating any cloud platform, based on the fact that efficiency of any cloud computing is generated by optimal resources allocated which are determined by tasks and can't be entirely determined by data collection times.

Although several firms in the U.S. and China have the responsibility of complying with the regulations and other countries across the globe, firms within the European Unions are still affected within the fields of the emerging technologies based on the facts that they deal with private data most of the time and most of the information belongs to the E.U. residents. If in any way the emerging technology within the E.U. industry fails to effectively also the challenging associated with cloud computing, blockchain, and Artificial Intelligence by using the appropriate technological upgrading, a factor that is likely to be long term, the actual application and developing of the emerging technologies within the European Union is going to slow down. Several industries such as the e-commerce, credit cards, and intelligent manufacturing, which are crucial industries supported by the emerging technologies, will also be affected significantly. Other firms in countries such as the U.S. and China will have high chances of improving and using emerging technologies more than firms within the European Union. Several firms in China and the U.S. have chances of creating products that effectively serve the domestic needs of consumers, which means that as time progress, firms in the U.S. and China have the ability f developing robust competitive advantages as compared to firs in E.U.

GDPR is basically designed as a mechanism of ensuring that all the necessary precautions are put in place as a way of ensuring that there is a comprehensive protection of any form of personal data. Various threats that are going to have a possible risks control through the GDPR include.

Espionage: many still think that Espionage is not an act of war, but the fact it causes tension among countries. It is a form of cyber-attack that involves abstaining confidential data without the consent of the owner of the information (Kafol & Bregar, 2017). Examples of Espionage is the massive act of spying on other countries by the American government as an ICT hacker Edward Snowden revealed.

Sabotage: this form of cyber-attack involves using computer and satellites system to coordinate and run operations leading to a severe disruption of other networks, including the military systems like C4ISTAR that run and control communications. As a cyber-attack, Sabotage leads to the interception of crucial communication or malicious replacement of the intended transmission. Other things that get affected by a Sabotage attack are; water, transportation, power, and fuel infrastructures.

Propaganda: a cyber-propaganda refers to efforts by one nation to control another nation's information in any way possible and use the information in managing the general public opinion (Goswami, 2018). To a high degree, cyber propaganda is psychological warfare; the only difference is that it uses websites that run fake news, social media platforms, and other internet platforms. Jowett & Donnell (2018) state that "propaganda is the deliberate, systematic attempt to shape perceptions, manipulate cognitions, and direct behavior to achieve a response that furthers the desired intent of the propagandist" (p. 7).

Economic disruption: this form of cyber-attack targets economic infrastructures such as manufacturing companies, processing industry, and other aspects of the economy. An excellent example of economic disruption is the Wanna-Cry attacks that affected Ukraine and U.K., s N.H.S, Merck pharmaceuticals, Maersk shipping, and other organizations globally. Economic disruption is a cyber-crime and financial crime in particular. 

Surprise Cyber Attacks: this kind of attack involves using malware such as antivirus to attack communications systems, information systems, and other software that is operated by a particular organization.

On the other the various methods of cyber threats that are likely to e controlled include; 

Denial-of-service (DoS): this method of Cyber Attack overpowers the computer system affecting the responding speed. Making it unable to respond to requests during operations. The attack launched from a significant number of hosting systems affected by malicious software that is controlled by attackers (Abawajy, 2014). Attackers that initiate this kind of attack don't gain direct benefits; in cases where the attack launched into computer systems of business firms, the attackers are likely to enjoy some benefits. The Dos also aims at taking off the operation system online as a way of launching other attacks. The common types of DoS attacks are teardrop attacks, botnets, smurf attacks, TCP SYN, and flood attacks.

The MitM (Man-in-the-Middle) attack: this kind of attack takes place in cases where hackers come in between the communication servers of the clients and the communication server of a particular government agency (Thomas, Vijayaraghavan & Emmanuel, 2020). The common types of MitM include; session hijacking; this where hackers hijack communication sessions between trusted clients and network servers. During this attack, the hacker's computer system replaces the client's I.P. address with its own and continuous with the communication session. The original server manipulated into thinking that it is communication with the client's computer system.

Two common points of entry for MitM attacks:

1. On unsecured public Wi-Fi, attackers can insert themselves between a visitor's device and the network. Without knowing, the visitor passes all information through the attacker.

2. Once the malware has breached a device, an attacker can install software to process all of the victim's information." 

The phishing and spear-phishing attack: phishing attack involves the transmission of manipulated emails that seems to come from a computer system's trusted source to get personal data/influence the system users to carry out an activity that they are not aware. The attack runs by social engineering and a technical trick, and in some cases, it involves attaching an email that generates malware onto the computer. The attack also links the system to illegitimate websites, which can lead the system into downloading malware/ hand over personal data. On the other hand, spear phishing is a precise kind of phishing as the attacker researches the potential target, after which they create private messages.

The SQL injection attack: this is an attack executed by a malefactor that carries out an SQL inquiry to the system's database though the client's input data. The SQL command put into the DPI (data-plane input) controls the system's login process. Any successful SQL attack can read crucial information from the server, change the database information, run administration operations, content recovery, command the system to run automatically. 

The Drive-in attack: the method is highly used in spreading malware, though this method, hackers identify the insecure websites after which they plant malicious scripts into the PHP/HTTP codes. The planted scripts install malware into the computer when the sites are visited. In other cases, the texts direct the networks to the hacker's sites. This attack does not depend on the user to carry out any activity that actively runs the offense, meaning the attack runs automatically the moment the user visits the sites with planted scripts codes.

The password attack: the attack though this method targets users' passwords, is executed by plugging in a connection then acquiring passwords as encryptions. The attack is though social engineering, accessing the password database, or just guessing though a random approach or systematically.

Malware attack: this method used in cyber-attack involves the installation of unwanted software into a computer system without the user's consent. The malicious software gets installed by attaching itself to the computer's legitimates codes then propagate itself across the network. The common types of malicious software are; macro virus (affect Microsoft Word/Excel), the file infectors, the system record infectors, polymorphic virus, the stealth virus, Trojans, the Logic bombs, worms, the Droppers, and the Ransomware. Malware is the most common and most dangerous type of cyber-attack. Malware can be of many types, and they are sent by hackers intending to block and change network keys or settings, damage information from a computer or a network of computers, Sabotage, and, most importantly, disable a system.

The Eavesdropping attack: the method of attack executed by intercepting the network traffic. Through this method, the attacker can access passwords, the credit card number, and any confidential information sent through the network. The technique acts in two forms which are; the passive eavesdropping where the system hacker detects information through listening to the information transmissions. On the other hand, the hacker uses the active approach, where the hacker actively takes information by posing as a friend of the network transmitting the information. 

Conclusion

Base on the fact that the I.T. sector is facing is that GDPR is having a massive impact on all aspects of technology and the application of technology in the protection of personal information. "Although this editorial has discussed many potential challenges of GDPR, we encourage companies to think of compliance with GDPR as a strategic opportunity for gaining a competitive edge in this data-driven world. Technology companies that target global markets recommended to step up their efforts to secure their data, systems, products, and services for compliance with GDPR. We also encourage scholars and practitioners to study issues related to the implementation and compliance of GDPR and share insights" (Wright, 2017).

References

Beacham, J. (2018). Is your practice GDPR ready? In Practice, 40(3), 124–125. 

Cap Gemini Research Institute. (2018). seizing the GDPR advantage: From mandate to high-value opportunity

Conroy, P., Narula, A., Milano, F., & Singhal, R. (2014). Building consumer trust - Protecting personal data in the consumer product industry. 

Cornock, M. (2018). General Data Protection Regulation (GDPR) and implications for research. Maturities111, A1:

European Union. (2016) General data protection regulation. Off J Eur Union 49: L119

Kaushik, S., & Wang, Y. (2018, December 20). Data privacy: Demystifying the GDPR.

Li, H., Yu, L., & He, W. (2019). The impact of GDPR on global technology development.

Mackay, D. (2017). The impact of GDPR from a technology perspective – is your platform ready?