Title: Data Flow Maps - Increasing Data Processing Transparency and Privacy Compliance in the Enterprise
In recent years, well-known cyber breaches have placed growing pressure on organizations to implement proper privacy and data protection standards. Attacks involving the theft of employee and customer personal information have damaged the reputations of well-known brands, resulting in significant financial costs. As a result, governments across the globe are actively examining and strengthening laws to better protect the personal data of their citizens. The General Data Protection Regulation (GDPR) updates European privacy law with an array of provisions that better protect consumers and require organizations to focus on accounting for privacy in their business processes through “privacy-by-design” and “privacy by default” principles. In the US, the National Privacy Research Strategy (NPRS) makes several recommendations that reinforce the need for organizations to better protect data. In response to these rapid developments in privacy compliance, data flow mapping has emerged as a valuable tool. Data flow mapping depicts the flow of data through a system or process, enumerating specific data elements handled, while identifying the risks at different stages of the data lifecycle. This Article explains the critical features of a data flow map and discusses how mapping may improve the transparency of the data lifecycle, while recognizing the limitations in building out data flow maps and the difficulties of maintaining updated maps. The Article then explores how data flow mapping may support data collection, transfer, storage, and destruction practices pursuant to various privacy regulations. Finally, a hypothetical case study is presented to show how data flow mapping was used by an organization to stay compliant with privacy rules and to improve the transparency of information flows.
Award ID(s): 1654085
PAR ID: 10039657
Author(s) / Creator(s): ; ;
Date Published:
Journal Name: Washington and Lee law review
Volume: 73
Issue: 2
ISSN: 0043-0463
Page Range / eLocation ID: 802-828
Format(s): Medium: X
Sponsoring Org: National Science Foundation
More Like this
  1. Security and privacy, regardless of the instance, are preponderating topics for most organizations. Bioinformatics and the study of computational biology are no exception. The premise of this report is to discuss the many different privacy concerns as they pertain to the field of bioinformatics, as well as the usage and storage of personal biodata. With the varying threats that target average users of technology, is the capability and infrastructure currently in place to protect users against a leakage or breach in personal data? This study discusses the different concerns surrounding the field of bioinformatics, how the data and personal information is currently stored, and will make recommendations on how to mitigate the risks associated with the usage and storage of personal biodata. This study includes interviews from bioinformaticians and industry professionals, a survey of adults who have the potential for impact, and current legislature that exists to address personal data protection.
  2. To prepare for the age of the intelligent, highly connected, and autonomous vehicle, a new approach to concepts of granting consent, managing privacy, and dealing with the need to interact quickly and meaningfully is needed. Additionally, in an environment where personal data is rapidly shared with a multitude of independent parties, there exists a need to reduce the information asymmetry that currently exists between the user and data collecting entities. This Article rethinks the traditional notice and consent model in the context of real-time communication between vehicles or vehicles and infrastructure or vehicles and other surroundings and proposes a re-engineering of current privacy concepts to prepare for a rapidly approaching digital future. In this future, multiple independent actors such as vehicles or other machines may seek personal information at a rate that makes the traditional informed consent model untenable. This Article proposes a two-step approach: As an attempt to meet and balance user needs for a seamless experience while preserving their rights to privacy, the first step is a less static consent paradigm able to better support personal data in systems which use machine based real time communication and automation. In addition, the article proposes a radical re-thinking of the current privacy protection system by sharing the vision of “Privacy as a Service” as a second step, which is an independently managed method of granular technical privacy control that can better protect individual privacy while at the same time facilitating high-frequency communication in a machine-to-machine environment. 
  3. Johnson, Kristin N.; Reyes, Carla L. (Ed.)
    Privacy regulation has traditionally been the remit of consumer protection, and privacy harm is cast as a contractual harm arising from the interpersonal exchanges between data subjects and data collectors. This frames surveillance of people by companies as primarily a consumer harm. In this article, we argue that the modern economy of personal data is better understood as an extension of the financial system. The data economy intersects with capital markets in ways that may increase systemic and systematic financial risks. We contribute a new regulatory approach to privacy harms: as a source of risk correlated across households, firms and the economy as a whole. We consider adapting tools from macroprudential regulations designed to mitigate financial crises to the market for personal data. We identify both promises and pitfalls to viewing individual privacy through the lens of the financial system. 
  4. An essential requirement of any information management system is to protect data and resources against breach or improper modifications, while at the same time ensuring data access to legitimate users. Systems handling personal data are mandated to track its flow to comply with data protection regulations. We have built a novel framework that integrates a semantically rich data privacy knowledge graph with Hyperledger Fabric blockchain technology, to develop an automated access-control and audit mechanism that enforces users' data privacy policies while sharing their data with third parties. Our blockchain-based data-sharing solution addresses two of the most critical challenges: transaction verification and permissioned data obfuscation. Our solution ensures accountability for data sharing in the cloud by incorporating a secure and efficient system for end-to-end provenance. In this paper, we describe this framework along with the comprehensive semantically rich knowledge graph that we have developed to capture rules embedded in data privacy policy documents. Our framework can be used by organizations to automate compliance of their cloud datasets.
  5. Villata, S. (Ed.)
    The European Union’s General Data Protection Regulation (GDPR) has compelled businesses and other organizations to update their privacy policies to state specific information about their data practices. Simultaneously, researchers in natural language processing (NLP) have developed corpora and annotation schemes for extracting salient information from privacy policies, often independently of specific laws. To connect existing NLP research on privacy policies with the GDPR, we introduce a mapping from GDPR provisions to the OPP-115 annotation scheme, which serves as the basis for a growing number of projects to automatically classify privacy policy text. We show that assumptions made in the annotation scheme about the essential topics for a privacy policy reflect many of the same topics that the GDPR requires in these documents. This suggests that OPP-115 continues to be representative of the anatomy of a legally compliant privacy policy, and that the legal assumptions behind it represent the elements of data processing that ought to be disclosed within a policy for transparency. The correspondences we show between OPP-115 and the GDPR suggest the feasibility of bridging existing computational and legal research on privacy policies, benefiting both areas. 