Master's thesis, 2018
143 pages, grade: 1.3
Table of contents
1. Introduction
Structure of the Thesis
Research Question
2. Foundations of Data Protection – Protecting and securing data
2.1 Origin of Data Protection
2.2 Approaches to Data Protection
2.2.1 Comprehensive Laws
2.2.2 Sectoral Laws
2.2.3 Self-Regulation
2.2.4 Regulation through technology
2.3 Implication for Businesses: legal certainty or maneuverability
2.4 Data Protection in the European Union
2.4.1 European Data Protection Framework
2.4.4 European Data Protection Directive
2.4.5 General Data Protection Regulation
2.6 Practical Application: Data Driven Business implies Data Protection
2.7 Implication for Businesses: Transnational applicability and comprehensive framework of requirements
3. The economic relevance of Data Protection
3.1 Market analysis
3.1.1 Sociological Variables
3.1.2 Technological Variables
3.1.3 Economic Variables
3.1.4 Political and Legal Variables
3.2 Business Environment – Porter’s Five Forces
3.2.1 Barriers to Entry
3.2.2 Bargaining Power of Buyers
3.2.3 Bargaining Power of Suppliers
3.2.4 Industry Competitors
3.2.5 Threat of Substitute Products
3.3 Economics of Cybercrime
3.4 Influential market developments
3.4.1 Digitalization and hyper-connectivity
3.4.2 Digitalization as a Management Issue
3.4.3 Big Data and Data Analytics
3.5 Practical Application: International transfer of personal identifiable data as foundation for business cases
3.6 Implication for Businesses: Compliance with legal standards can be a unique selling point
4. Product or Service Development
4.1 Legal Grounds for processing and transfer
4.1.1 Personal Data
4.1.2 Controller
4.1.3 Processor
4.1.4 Lawful Processing of Personal Data
4.1.5 Offering goods or services
4.2 Processes of Data Protection Management
4.2.1 Risk based approach
4.2.2 Data Protection Officer
4.2.3 Accountability, Documentation and Actualization
4.2.4 Transparency
4.3 Practical Application: Data Flow Mapping
4.4 Implication for Businesses: Comprehensive framework of requirements
5. Organizational Change
5.1 Organizational Dynamics
5.2 Organizational culture and barriers
5.3 Practical Application: Data Driven Organizations
5.5 Implication for Businesses: Transformational leadership in Data Protection
6. Strategy Development
6.1 International influence: Globalization
6.2 Potentials in a globalized world: digitalization, hyper-connectivity, and cyber-crime
6.3 Legal Framework for globalized activities in data driven business models
6.3.1. GDPR and Rome I and II Regulations
6.3.2. GDPR and Brussels I
6.5 Market Place Principle – development of strategies in a globalized data market
6.5.1. International Strategy
6.5.2. Localized or Multi-Domestic Strategy
6.5.3. Global (Standardization) Strategy
6.5.4. Transnational Strategy
6.5.5. Localization as an indicator for maturity
6.6. Practical Application: Strategy Development
6.6.1. XY Strategy Development
6.6.2. Potential Markets
6.6.3. XY’s strategic outlook
6.7. Implication for Businesses: Worldwide application of the GDPR
7. Competencies necessary for Data Protection Management
7.1. Competencies and Personality Development
7.1.1. Personality – A definition
7.1.2. Personality – different concepts
7.1.3. Competency
7.1.3. Intercultural Communication
7.1.4. Networks
7.2. Practical Application: Author’s Personal Development
7.2.1. The author’s personality profile and development
7.2.2. Current status regarding the 16 competencies of the SCA
7.2.3. Leadership Development
7.2.4. Networks
7.2.5. Project Performance
7.2.6. Career Goals
7.3. Implication for Businesses: Competencies required for Data Protection
8. Conclusion
Literature/References
Appendix I – Data Protection Framework of the EU
1. The European Convention on Human Rights
2. Council of Europe Convention 108
3. European Union data protection law
3.1. Principles of European Union Law
3.2. The Charter of Fundamental Rights of the European Union
3.3. Directive on privacy and electronic communications
3.4. E-Commerce Directive
3.5. Database Directive
4. European Data Protection Directive
4.1. Hierarchy
4.2. Material Scope
4.3. Territorial Scope
5. General Data Protection Regulation
5.1. Material Scope
5.2. Territorial scope
Appendix II – Data Protection Directive and Rome I and II Regulations
1. Differentiation by nature and scope
2. Lex Specialis
Appendix III – Solutions for the international transfer of personal identifiable data
1. Adequacy Decision and accepted treaty
2. Contractual Clauses
3. Binding Corporate Rules
Appendix IV – Obligation to protect the right of the individual
1. Right of erasure (right to be forgotten) - Article 17 GDPR
2. Right to restrict processing - Article 18 GDPR
3. Right to data transferability (data portability) - Article 20 GDPR
4.4. Processing of employee data
Appendix V – Transfer of data between the EU and the US
1. Safe Harbor
2. EU-U.S. Privacy Shield
Appendix VI – Legal Framework for globalized activities in data driven business models
1. Rome I
1.1. Territorial Scope
1.2. Conflict-of-Law
2. Rome II
2.1. Territorial Scope
2.2. Conflict-of-Law
3. Brussels I Regulation
3.1. Territorial Scope
3.2. Conflict-of-law
Appendix VII – Stakeholder Analysis
Appendix VIII – Strategy Analysis of XY Consulting
1. XY as an Organization
2. Vision, Mission and Challenges
2.1. Vision
2.2. Mission
2.3. Challenges
3. Summary of Internal Asset Assessment
3.1. XY Stakeholder Analysis
3.2. Core Competencies
4. Summary of External Environment Factors
4.1. Sociological Variables
4.2. Technological Variables
4.3. Economic Variables
4.4. Political and Legal Variables
5. Assessment of Industry Competitiveness
5.1. Barriers to Entry
5.2. Bargaining Power of Buyers
5.3. Bargaining Power of Suppliers
5.4. Industry Competitors
5.5. Threat of Substitute Products
6. Summary of Opportunities and Identified Key Challenges
7. SWOT Matrix
8. XY Strategy Plan
8.1. Summary of analyses
8.2. Grand Strategy
Appendix IX – SCA I-III
Appendix XI – Project Schedule
Appendix XII – Curriculum Vitae Jan Alexander Linxweiler
Personal Information
Contact
Competences
Academic Experience
Professional Experience
Certifications, qualifications and trainings
Scholarships and prizes
Extracurricular activities
Working in a Data (Protection) Driven Environment - The impact of Data Protection Management on organizations, business cases and leadership
In the current business as well as administrative environment, one date is dreaded more than any other: 25 May 2018. From this date the General Data Protection Regulation (GDPR) applies, bringing with its applicability various implications for business models and operations alike. Thus, data protection has become a crucial factor for business, public perception and security.
Since the Snowden revelations, the Safe Harbor ruling of the European Court of Justice and ultimately the introduction of the GDPR, the potential for threat scenarios has increased significantly and now requires responsive action at the respective management level. While the importance of data protection is now an omnipresent and commonly known issue, it is still a rather neglected topic. It often bears the stigma of a nuisance and implies the costly implementation of measures and processes.
Nonetheless, businesses and governmental agencies have to adhere to data protection regulations, the demands of digitalization and social pressure. Therefore, compliance with data protection law, both in organizational operations and in product/service development, has gradually gained a more essential role within corporate and administrative structures during the last years. This is especially true for transnational contexts. Here, Data Protection Management encompasses privacy compliance and organizational privacy management as part of information security risk management as well. Essentially, the objective and responsibility of Data Protection Management is rooted in a complex legal framework and builds up to interconnected business models and organizational structures.
This Master's Thesis focuses on the implications of the GDPR for modern business environments, the organization as well as its products. The scope of the thesis is determined by the connected Management Project and thus focuses on establishing data protection as part of the business service portfolio of the author's former employer. The thesis presents the findings of the Management Project in a bottom-up structure, starting with the foundations of data protection management, analyzing product or service development and organizational change, and finally building up to strategy development.
Therefore, the thesis is divided into eight chapters.
The first chapter encompasses the introduction and presentation of the research question for the Master Thesis.
The second chapter introduces data protection traditions and different approaches to data protection. Here, an overview of the data protection system of the European Union is given and supplemented by an analysis of the different regulations.
The third chapter is concerned with the economic relevance of data protection. Here, the thesis establishes the economic value of data protection endeavors within organizations based upon an economic analysis. Furthermore, the impact of digitalization, hyper-connectivity and big data analytics as well as the cyber-crime market is outlined.
The fourth chapter is concerned with the implications of data protection in product or service development. Here, the legal grounds for processing and transferring personal data are established and their implications for transnational data flows and subsequent business models analyzed.
The fifth chapter addresses organizational change: organizational dynamics, organizational culture and the barriers it raises, and the data driven organization as practical application.
The sixth chapter is concerned with strategy development. Here, the influence of globalization and the legal framework for globalized markets are brought into context; in particular, the Rome I Regulation, the Rome II Regulation and the Brussels I Regulation are contextualized with the GDPR. The focus is the assessment and development of an international strategy.
The seventh chapter encompasses the personality and competency development necessary to face Data Protection issues and the impact of the GDPR.
Finally, the eighth chapter summarizes the findings and offers a conclusion.
The Master’s Thesis aims to answer the Research Question: “How does Data Protection Management in light of the European General Data Protection Regulation impact organizations, business cases and leadership?”
In addition, the thesis endeavors to answer the following sub-questions:
- How does the European Data Protection Framework and especially the GDPR influence the development of products or services, the organizational change and the strategic outlook of an organization?
- How are organizations impacted by the changes in environments, processes and legal obligations by the GDPR?
- How does Data Protection Management influence the choice of an International Strategy?
- What are the specific considerations for entering the US-Data Protection Market?
The introduction of the GDPR forces modern and established organizations alike to rethink their data protection approaches. To build upon the evident need for (transnational) solutions in data protection and cyber-security, it is therefore necessary to identify the legal implications and processes of data protection.
The origin of data protection in its various forms dates back more than a century. As early as 1890, Warren and Brandeis contextualized the advancing technological changes of their time with the Right to Privacy or, as they called it, the right "to be let alone" (Warren/Brandeis, 1890:2).
The Right to Privacy is widely considered one of the cornerstones of democratic societies due to its safeguarding function regarding fundamental principles like honor and personal dignity. It encompasses all aspects of personal and family life as well as individual, religious, sexual, political and social preferences or beliefs. Furthermore, it protects personal communication and data. Therefore, data protection is and has been a fundamental part of the Right to Privacy.
On the level of international public law, this protection is codified in Art. 12 of the Universal Declaration of Human Rights of 1948. Additionally, the Right to Privacy is reflected in Article 17 of the International Covenant on Civil and Political Rights as well as Article 16 of the United Nations Convention on the Rights of the Child.
In a recent attempt to further the Right to Privacy, the General Assembly passed a resolution on "The right to privacy in the digital age" (Human Rights Council, 2014). Within this resolution, the Member States reaffirm the right to privacy and deem it in need of protection within a wider scope.
The implementation of these rights to privacy and data protection fostered various approaches to data protection on the transnational and national level. The transformation of these approaches into national legislation occurs in a variety of combinations: seldom has a legislator relied solely on one protective approach, and the approaches often differ between national legislations. The design chosen by the individual legislator is greatly influenced by the perception and interpretation of privacy and data protection. These influences lead to the following four approaches to data protection (Linxweiler, 2017).
First of all, there is protection through comprehensive laws. Within this approach, laws are used to create a comprehensive legislative framework for collecting, processing and using personal data. Additionally, official institutions are charged with enforcing compliance with the set framework (Charlesworth, 2000; Linxweiler, 2012).
Protection through comprehensive laws is fundamentally different from protection through sectoral laws. While the former is to be considered proactive, protection through sectoral laws is more of a reactive approach. It deals with specialized or problematic singular aspects of privacy and data protection through individual legislative acts (Charlesworth, 2000; Linxweiler, 2012).
Another very prominent approach is protection through industrial self-regulation. It is considered the most flexible and opportunistic approach, since the rules are imposed by the members of the economic system on themselves (Charlesworth, 2000; Linxweiler, 2012).
Finally, privacy-enhancing technologies are considered an approach in themselves. They encompass encryption, digital currencies and similar technologies (Long/Pang Quek, 2002; Linxweiler, 2012).
The presented approaches fundamentally differ from each other and pose different challenges for business or organizational environments. In general, businesses might both benefit from and are pressured by individual approaches.
While comprehensive laws offer a very clear frame of regulatory reference, backed by the enforcement zeal of the authorities, they also restrict the development and implementation of products and solutions through their provisions. This approach increases complexity while providing transparency (Linxweiler, 2017).
Sectoral laws provide businesses with a lot of maneuverability regarding product and service development. However, sectoral laws offer transparency only for the provisions actually implemented. Legal certainty is not always granted, especially if a new development of a business deviates from precedent (Linxweiler, 2017).
Self-regulation and regulation through technology offer by far the most flexibility regarding product and service development or provision. However, while these approaches often rest on industry standards or accredited technical standards, they do not offer legal certainty and are mostly regulated through ex post sanctioning (Linxweiler, 2017).
The current differences in the data protection regimes strongly impact international data transfers and connected business models.
Within the European Union the impact of legal provisions is manifested in a comprehensive legal framework governing data protection and transnational data flows. The EU framework for data protection relies heavily upon the construct provided by the Universal Declaration of Human Rights (UDHR). Art. 12 UDHR constitutes the "right to protection of an individual's private sphere against intrusion from others" (Council of Europe, 2014). As previously indicated, this Right to Privacy is a fundamental influence on the construction of data protection laws.
Building upon this foundation, the EU composed a comprehensive legal framework (see Appendix I).
Figure 1: European Data Protection Framework (own graphic)
The first pillar of the European data protection framework is Article 8 of the European Convention on Human Rights (ECHR). It guarantees the right to respect for private and family life, home and correspondence, and sets the conditions under which this right may be restricted; the European Court of Human Rights (ECtHR) has derived the protection of personal data from it. Subsequent decisions of the ECtHR dealt with data protection issues concerning the interception of communication (ECtHR, Copland v. the United Kingdom, No. 62617/00, 3 April 2007), communication surveillance (ECtHR, Klass and Others v. Germany, No. 5029/71, 6 September 1978) and the storage of data (ECtHR, S. and Marper v. the United Kingdom, Nos. 30562/04 and 30566/04, 4 December 2008).
Another instrument of data protection that did not originate within the EU legal framework but was subsequently incorporated is the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Council of Europe, CETS No. 108, 1981), commonly called Convention 108. Convention 108 focuses on the "protection of individuals with regard to the automatic processing of personal data". Its material scope encompasses "all data processing carried out by both the private and public sector, such as data processing by the judiciary and law enforcement authorities" (Council of Europe, 2014). Thus, it focuses on protection regarding automated data collection, processing, transfer and storage. It also introduced the common principles of data protection: the definition of sensitive data, the data subject's right to information, and the principle of the free flow of data (Linxweiler, 2017).
To anchor fundamental rights more firmly in European Union law, the Charter of Fundamental Rights of the European Union was adopted and, with the Treaty of Lisbon, given the same legal value as the Treaties (Council of Europe, 2014). Alongside it, Article 16 of the TFEU provides the competence to legislate on data protection at EU level. Article 7 ("respect for private and family life") and Article 8 ("protection of personal data") of the Charter directly address matters of privacy and data protection.
Additionally, Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications or ePrivacy Directive) focuses on electronic communication. The European Commission currently endeavors to replace the ePrivacy Directive with a regulation. The current proposal aims to impose privacy obligations on corporations conducting business in the EU via the Internet. Thus, it shall encompass the processing of communications content and metadata as well as the use of Wi-Fi and Bluetooth tracking by internet-based services and technology providers. The goal is to create a regulation complementing the GDPR.
Directive 2000/31/EC (E-Commerce Directive), on the other hand, has to be differentiated from the GDPR. It regulates information society services in the Internal Market of the EU. Its focus is electronic commerce, and it aims to enable the free movement of services through cross-border online services. Thus, it provides rules for the responsibilities and liabilities of intermediaries.
Similar to the aforementioned directives, Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases (Database Directive) focuses on particular aspects that intersect with data protection issues. The Database Directive introduces conflict-of-law issues in the context of data protection legislation. It focuses on the protection of the content of databases, which can encompass personally identifiable data.
Within the scope of European Union law, the Data Protection Directive (Directive 95/46/EC) established, and until 25 May 2018 still establishes, the explicit basis for data protection.
Material Scope
The material scope of the Data Protection Directive is limited to matters of the Internal Market of the European Union. It covers the processing of personal data by so-called controllers and processors, including processing through the use of equipment, Arts. 2(a), (d), (e), 4(1). The definitions of these terms are vital, especially with respect to the rule of law.
Territorial Scope
The territorial scope of Directive 95/46 is stipulated in Article 4. These provisions center on the data controller's place of establishment; the place of the actual data processing is consequently less important in determining the applicable law. However, the data has to be processed in the context of the activities of that establishment, Art. 4(1)(a). Given these conditions, the law of the respective Member State transposing the directive applies (Barkan, 2016:325; Linxweiler, 2017).
Furthermore, if the controller is not established on a Member State's territory but in a place where that Member State's law applies by virtue of international public law, that law applies, Art. 4(1)(b). A third alternative is that a controller established outside the EU "makes use of equipment" situated in the respective Member State, Art. 4(1)(c). Essentially, the conflict-of-law provision of Art. 4 determines when the law of a Member State transposing the directive is applied as opposed to the law of a third country (Barkan, 2016:326). Furthermore, Art. 4 "determines the law of which Member State will be applicable within the European Union" (ibid).
From 25 May 2018 the GDPR applies. As a regulation rather than a directive, it does not have to be transposed into national law but is directly applicable in the Member States.
Material Scope
Unlike Directive 95/46, the reach of the GDPR is not confined to the immediate Internal Market. The GDPR applies even when neither the controller nor the processor is established in the EU, as long as the data subjects are in the Union; citizenship or residence status is not the criterion (Art. 3(2) GDPR).
Essentially, Art. 3(2) stipulates the applicability of the GDPR whenever personal data of data subjects in the Union is processed in connection with the offering of goods or services to them, or their behavior within the Union is monitored (Malcom, 2017:143).
Territorial Scope
The territorial scope of the GDPR goes beyond that of the Data Protection Directive. Art. 3(1) GDPR links applicability "to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not". Thus, an organization's processing of personal data falls under the GDPR either because it occurs in the context of an EU establishment, wherever the processing itself takes place, or, under Art. 3(2), because it targets data subjects in the Union (Wybitul, 2016).
These foundations of data protection law are relevant for the Management Project on multiple levels. In general, the Management Project is concerned with the author’s personal development within the organization of employment: XY Consulting Nord GmbH (name is deliberately changed).
XY Consulting Nord GmbH is a subsidiary of XY Consulting AG. XY Consulting, in general, is a Management and Technology Consultancy. Within the corporate structure XY Consulting Nord GmbH focuses on consulting opportunities for the Public Sector. It consists of consultants of different educational backgrounds (from IT to Medicine).
These consultants are divided into different career levels: Associate, Consultant, Senior Consultant, Management Consultant and Partner. Additionally, Senior Consultants or higher can be assigned Team or Unit responsibility. Individually, in Project Teams or the designated Team- or Unit-structures these consultants are advising their clients from the public as well as private sector in all topics linked to technology and organizational development. Thus, the scope of activities ranges from drawing up a plan for a secure data center to increasing process efficiency in automotive development plants.
This comprehensive business portfolio as well as the different business case related issues put the organization into close proximity to data protection related issues. As modern business models are commonly data driven, the consulting services offered by XY Consulting are linked to data transfers, implications of individual rights to privacy or data that is commonly privileged information.
Furthermore, its character as a technology consultancy introduces applications of modern communication and information technology. All of the aforementioned aspects are commonly part of XY's working and business environment. Consequently, XY Consulting faces a legally induced need to address data protection management in its service provision as well as in its organizational and service development.
This necessity is, however, not limited to the author's employer. The supranational system of the EU, and thus its system of harmonization (Charlesworth, 2010), focuses its policy on uniformity of data protection frameworks throughout Europe. This provides businesses and organizations with comprehensive and detailed guidelines for adapting to the data protection regimes (Linxweiler, 2017). It is a consequence of the principle of free movement of goods, capital, services and people within the internal market, which in modern society necessarily rests upon the free flow of data. The harmonization of data protection standards leads to a level of predictability and comparability. However, it also sets a rigid and inflexible standard that has to be abided by (Linxweiler, 2017). As a result, businesses and especially multinational organizations face high entry barriers to the European market.
To achieve this harmonization, the EU makes use of comprehensive laws within a legislative framework with the GDPR at its core. This leads to a strongly proactive approach that extends the reach and impact of European data protection law in both its material and territorial scope. The GDPR strengthens the protection of the natural person and the right to privacy (Linxweiler, 2017). Furthermore, the GDPR establishes a closer correlation and cooperation with other instruments of European law. For example, the close link and explicit reference to the E-Commerce Directive ensure a comprehensive data protection framework and help to minimize legal uncertainty (Van Alsenoy, 2016).
The European approach offers comprehensive protection for the data subject, especially in his or her role as consumer. At the same time, it also increases the obligations and responsibilities of organizations. The GDPR is characterized by increased obligations in documentation, adaptation of processes and responsibilities regarding consumer protection (Linxweiler, 2017). The transnational transfer of data is comprehensively regulated and forces business models to incorporate legal compliance already in processes, products and solutions.
While the regulatory nature of data protection law was just demonstrated, these regulations also directly impact business environments. In light of modern technologies, the digitalization and hyper connectivity of modern society, these business cases encompass transnational as well as international data transfers.
The market analysis encompasses four variables: sociological, technological, economic and political/legal (Antoo et al., 2015). This approach follows the framework of the STEP analysis.
The sociological implications for the Data Protection Management market focus on the problem of data leaks. This phenomenon describes the unintended disclosure of data through poor security, programming errors, theft or similar causes. Most prominent among these events is governmental surveillance as reported in the Snowden revelations. At the same time, the demand for personal data through mobile applications and for technological advancement has reached an all-time high.
Figure 2: Data Leak Cases (Information is Beautiful, n.d.)
These rapid technological improvements open up new business models and more efficient usage of current technologies. Technological advancement prompted the development of eSolutions and eMobility, which in turn hold implications for data protection (e.g. within the electric car market: Accenture, 2014). It also opened up new and emerging revenue streams. Additionally, the newly developed technologies allow for a more efficient usage of resources and synergy effects throughout industries (Accenture, 2014), while the implications for personal data usage grew in parallel.
Thus, public awareness has reached a point where businesses as well as governments are expected to protect personal data. Companies are now facing three problems. The first problem is the structure of regulatory zeal. Companies have to adhere to various laws and regulations. This body of regulations has to be understood, implemented, documented and audited. It seems reasonable either to utilize external expertise or to foster it in-house.
The second problem is directly connected to the first one. Due to the Safe Harbor ruling of the European Court of Justice, a significant part of the regulatory basis for data transfers between the EU and the US ceased to exist. The resulting void in regulation poses tremendous difficulties for businesses, which concentrate greatly on the aspects of legal implications and liability.
Figure 3: Liabilities (own graphic)
The third problem is the promotion of the product or service these companies are offering. They have to ensure their customers' safety with regard to data protection, or they risk losing market share and profits.
The resulting environment is a very heterogeneous one. First of all, various companies and government agencies are hiring and educating in-house Data Protection Officers (DPOs). At the same time these positions are rather costly: sick leave, holidays and continuous training weigh heavily on the budget. Start-up companies often cannot afford to hire internal DPOs, and even bigger corporations face massive increases in cost. At the same time, due to the Lisbon II Treaty, data protection is considered part of risk management and therefore relevant for investment decisions (insufficient risk management means no financial aid in the form of bank loans, etc.).
The political environment is characterized by two connected major incidents. The first is of course the "Snowden incident". The information Edward Snowden revealed regarding the espionage and surveillance habits of US agencies was alarming and caused instant uproar across global society. While companies at this point were aware of the value of personal data, the protection of this data was not a high priority. This changed significantly with the rising awareness of the broader internet community and even world society.
Figure 4: Legal Environment (own graphic)
As a result, the recent Safe Harbor Ruling of the European Court of Justice left a void in the current regulatory environment. This regulatory void results in uncertainty and a lack of security within society. Thus the political elites are under pressure to bring secure measures into existence. The revised data protection directive and an international agreement with the USA have to be reached.
In addition, the awareness of consumers regarding the degree to which their personal data is processed has increased significantly. Thus the demand for security does not stop at the state or country level; businesses are now in focus as well. For an analysis of the legal environment the framework structure of data protection law is vital. Here we find three levels: the national, the transnational or European and the international level. To understand the interdependencies of this structure the nature of each level has to be described.
The international level is characterized by treaties and International Organizations. The central body is the United Nations. Here the internationally agreed upon Data Protection aspects are discussed or uncovered. Incidentally, Data Protection is an aspect of the right to privacy and personal data. These are incorporated in article 17 of the International Covenant on Civil and Political Rights as well as in article 16 of the International Covenant on the Rights of the Child and finally the guidelines for the regulation of computerized personal data files. While these treaties and guidelines are rather important on a political as well as legislative level, the problems are their scope and enforceability. Additionally, these represent the least common denominator of all states’ interests.
The transnational or European level encompasses the EU law relating to data protection. Here the existing and the revised data protection directive, the failed data protection treaty with the US as well as the rulings of the European Court of Justice are to be taken into consideration. Especially the latest Safe Harbor Ruling has a direct impact on legislative and practical processes. Here the significant degree of influence of EU law on the national laws has to be taken into consideration. Directives and regulations influence the scope of German laws.
Finally, on the national level the federal data protection act as well as the state data protection act are of course of vital importance. Additionally, guidelines provided by the Bundesamt für Sicherheit in der Informationstechnik (BSI) as well as statements of the supervisory agency for data protection are to be taken into consideration.
Porter’s Five Forces is a micro-economic approach that analyzes a given market. An overview of the analysis is given in Appendix IV – Porter’s Five Forces.
Figure 4: Porter’s Five Forces (own graphic) [figure not included in this excerpt]
A medium level of capital investment and economies of scale pose fundamental barriers to entry and limit entrants into the market. The Data Protection Management Market is characterized by high entry barriers. These are established by high capital requirements, large economies of scale, and ultimately the high costs of education, training and liability. This is most prominently represented in the cases of Stuxnet, the Sony Playstation Network, Myspace and similar. These cases illuminate the necessity to ensure high capital investments as well as large economies of scale. New entrants that cannot provide these features are unable to enter the market permanently.
Continuous investment in competence development and specialized training in the addressed technologies is necessary to maintain market share. Furthermore, the ability to address the individual needs of clients is vital. This ability is shared by mid-sized to larger corporations.
Buyers’ power is greatly influenced by the public reception of Data Protection. On the one hand, Data Protection is considered a nuisance that hinders customer satisfaction and complicates processes. Thus, Data Protection is considered to be a hindrance to efficiency and innovation. On the other hand, the prominent Data Leak cases as well as the Snowden Incident foster a climate of fear. Customers, clients and activists call for more comprehensive protection of civil rights.
This duality fosters a need for protection for innovative processes and economies of scale within the Security sector.
Supplier power is reduced to medium bargaining power by the need for diversification. Suppliers of security tools are impacted by the demands of the Data Protection Market. Currently, few security tools offer comprehensive Data Protection reporting, monitoring and analysis. Thus, they are confronted with a need for diversification. The leading suppliers themselves are engaged in competitive pricing.
High educational cost in the context of a very condensed and specialized field of expertise that nonetheless impacts the organization as a whole leads to a highly competitive environment. Due to political, social, and legal implications the industry is projected to grow fast. This leads to the necessity of economies of scale.
Currently Data Protection Management as a system is provided by either an internal Data Protection Officer, an external Data Protection Officer or an internal Data Protection Officer supported by an external consultant for Data Protection Management. Substitution through automated processes ranges from limited to impossible at the current stage of technological development.
Thus the market pressure falls upon the Data Protection Officers.
A modern example of this economically efficient behavior can be found in the market of cybercrime. Cybercrime is a growing industry and a byproduct of digitalization. Internet-based crime comes in many varieties and has evolved into a lucrative business (Li et al., 2006).
One of the prominent forms of cybercrime are distributed denial of service attacks (DDoS Attacks). These rely on the existence of botnets (Li et al., 2006). Botnets are comprised of hijacked computer systems, the so called “slaves” (Li et al., 2006). These form a “net” that is controlled by an individual, called the “master” (Segura & Lahuerta, 2010). The master offers the botnet to interested parties, the “attackers” (Segura & Lahuerta, 2010), who use botnets to initiate DDoS Attacks.
An attack is performed by simultaneously accessing a website or a secure gateway. The sheer number of accesses will overload the computational capabilities of the gateways and in the worst case crash the website (ibid). The attacker can generate profit from DDoS Attacks through extortion (ibid) or through “ripple effects”, e.g. a break-down in sales, damage to perception or image, and similar.
Essentially, the use of botnets to launch DDoS Attacks constitutes different criminal offences depending on the target and the outcome.
The first overall indicator that there is a market and thus an economic motivation for botnets is provided by the study of Li et al. (2006). The study has shown through “basic” market research that botnets are rentable on underground markets (ibid). The mere existence of such a rental market is an indicator of the application of economic principles.
Within such a market, economic principles dictate the existence of costs and benefits. These determine the profitability of any endeavor (Eide et al., 2006). Essentially, individuals will not allocate time and effort to an activity “until marginal benefits equal marginal costs” (Eide et al., 2006). As in every market, benefits and costs are decided individually. The costs to enter or exit a market (opportunity costs) must be considered. The same is true of criminal activities. In the case of cybercrime, the benefits encompass monetary gain through extortion as well as individual satisfaction. The costs, on the other hand, encompass everything from equipment to individual feelings of anxiety or guilt (Eide et al., 2006). It is, however, important to realize why the deviation from law-abiding behavior can be considered lucrative.
This deviation can only be considered favorable if the individual opportunity costs are low enough. The opportunity costs of criminal behavior can be calculated through the net benefit “of the legal activity forgone while planning, performing and concealing the criminal act” (Eide et al., 2006). This implies that any criminal activity that promises to be more profitable (gross benefits minus costs) than any lawful activity is economically more efficient. Additionally, it indicates that “[the] lower an individual’s level of income [is], the lower is his opportunity cost of engaging in illegal activity” (Eide et al., 2006).
These aspects are directly reflected in the cases studied and simulated by Segura & Lahuerta. They found that in a target group of online gambling sites the extorted profits “ranged from 10 000$ to 40 000$ depending on their annual revenues” (Segura & Lahuerta, 2006). Additionally, they simulated different extortion scenarios based upon the cost-benefit principle (profits equal benefits minus costs) and were thus able to identify the economic incentive through the stated equation (Segura & Lahuerta, 2006).
While these arguments strongly indicate the applicability of rational choice to criminal activities, opposing lines of argumentation often focus on punishment as a factor of deterrence (Li et al., 2010). This can also be considered for the multiple offences a DDoS Attack would encompass. Punishment for criminal offences ranges from fines to incarceration depending on the legal framework. However, the deterring factor of these punishments can be impaired by the “individual rate of discount” (Eide et al., 2006). The rate of discount illustrates the time gap between the reward of the crime committed and the respective punishment. Additionally, the factor of risk aversion has to be factored in. Furthermore, it has to be considered that the rate of recidivism, and thus future deterrence, is not guaranteed to decrease after an inflicted punishment (ibid). In a rational choice environment an individual will repeat the criminal act as long as his/her individual preferences as well as opportunity costs remain the same (Eide et al., 2006). Thus, punishment can – individually – lose any deterring factor.
Such a deterring factor might increase, however, if cybercrime were not based on economic principles and rational choice. It is often argued that cybercrime originated from political activism (Li et al., 2006). While this might be true, the existence of a market, for botnets in particular, is evident through media coverage as well as the study of Segura & Lahuerta. Thus, even if the origin of cybercrime was political activism, it is now a global market.
In conclusion, cybercrime, and botnets in particular, are part of an economic system governed by rational choice. Criminal behavior follows similar principles and provisions as the legal market. The deterring factor of punishment is factored into the cost calculation and is dependent on individual characteristics. Thus, the economic efficiency of criminal behavior can be calculated.
As a result, it is possible to create models and approaches to encounter criminal behavior. These models can disrupt the economic efficiency of botnets and render them virtually inefficient. Furthermore, they make a “counter-market” for cyber security necessary. Thus, while the Digitalization leads to the emergent market for cybercrime, it subsequently leads to the need for a market to protect from cyber criminality – encompassing Data Protection (here: Data security).
The emerging market for cyber-crime and its counter market for cyber security is spurred on and fostered greatly by influential developments in the environments of these markets. Most prominent among these developments are digitalization and hyper-connectivity as well as Big Data and Data Analytics.
Due to technical advancement, it is possible for individuals to create, access, transfer, and delete ever larger amounts of data through various devices and platforms. This poses a challenge for businesses.
The challenge and subsequent key issue arises, in part, through the introduction of hyper-connectivity. Hyper-connectivity is defined as the use of multiple means of communication (Wellmann, 2001). It is concerned with the accumulation and exchange of information via different media, encompassing but not limited to: email, instant messaging, phone, and Web 2.0 information services (Wellmann, 2001). This also encompasses traditional face-to-face communication. In all instances, this might encompass international data transfers via modern means of communication.
Hyper-connectivity introduced new ways of communication and extended its reach through mobile technologies and, in recent years, through the introduction of the Internet of Things (Wellmann, 2001). Now it is possible to communicate from person to person, person to machine, and machine to machine, resulting in an immense network of communication that harbors immense data capacities.
Not only does digitalization lead to the formation of new markets, it is also a key influence in managing organizations. According to a study conducted by the top itservice AG, Digitalization is understood as a challenge by most organizations. Especially the internal structures of an organization experience various changes. As such, 60.2% of all employees identify Digital Transformation as a general responsibility within the company. However, the implementation of the subsequent process is slow. The same study shows that this is often due to a disparity in perception between management and employees: It finds that 52.9% of management believe they involve employees in the relevant decision-making processes with respect to sensible Digital transformation. This estimate, however, is shared by only 18.2% of all employees across all sectors. This shows that there is an inherent disparity in perception with regard to effective cross-departmental collaboration in digital transformation, gaps in networking and deficits in internal communication (top itservices Ag, 2016).
Thus, digitalization created new capacities to accumulate and use data. These capacities for information are commonly called Big Data. The focus of Data Protection Management Systems (DPMS) in particular is on possible uses of Big Data. As such, the issue of Big Data and data analytics can be used both as a tool and as a subject of Data Protection Management.
The use of Big Data approaches, which use data analytics to extract valuable information from the accumulated data, is subject to complex algorithm development and application.
Resulting from the aforementioned technological developments and practical implications, data protection management is heavily impacted by developments in business environments. Technological advancement, regulatory hurdles and innovative entrepreneurship are going to be the defining factors. This thesis will briefly focus on a business case scenario from the author’s Management Project.
Current projects concerned with medical data are often focused on storing medical data. Subsequently, data protection has to be guaranteed by establishing an effective Data Protection Management System.
The future of medical data and corresponding Data Protection Management Systems lies in the exchange of medical data between medical professionals and patients. While this might be called the future of medical data, such projects are currently being undertaken. These medical data are evidently personal data in accordance with Art. 9 (2) (i) GDPR.
Solutions that utilize, for example, cloud services are part of an eHealth approach. The abbreviation eHealth stands for electronic health. Essentially, it describes the use of information and communication technologies (ICT) within the scope of the health sector. This considers the different applications, functions and facets of the whole sector (Callens, 2010). The idea behind these projects can be to centralize all the relevant medical data accessible for public use within a National Health Cloud of a country via an application. Thus, the targeted end users are medical professionals as well as patients. These users are able to upload medical data of their patients to the National Health Cloud. This data is uploaded via an application that ensures the anonymization of the personal data of the patient.
The cloud technology will open the door for private practices to access the application without the need for a local host instance on-site. The patient as a user of the application will be able to download the application from the online mobile stores, add their demographics and upload them to the National Health Cloud. The medical professional as a user can then request online portal access to access the application or to view details of her respective / participating patient.
Figure 5: Business Case for Medical Cloud Solutions (own graphic) [figure not included in this excerpt]
The collected data will – at a later point in time – be available for the generation of reports and statistics of the individual patient file. Additionally, anonymized data sets can be used for statistical analysis or research and hence be shared.
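The paragraphs above rely on the uploading application stripping the patient’s identity before the data reaches the National Health Cloud, and on anonymized data sets being shareable for research. The following is an added example, not code from the thesis or from the author’s Management Project, of how such a client-side step can be structured. Field names, the sample records and the secret key are constructed assumptions. The example distinguishes two stages a practitioner would want to keep apart: pseudonymization (direct identifiers are removed and the patient ID is replaced by a keyed HMAC token, so the practice can still link follow-up records while the cloud cannot reverse the token without the key) and aggregation with small-group suppression for the research statistics of the later paragraph. Pseudonymized records remain personal data under the GDPR (Art. 4(5), recital 26); only the suppressed aggregates approach anonymity.

```python
import hashlib
import hmac
from collections import Counter, defaultdict

# Constructed sample records (not real patients); field names are assumptions.
# P-1001 appears twice to represent a follow-up visit.
SAMPLE_RECORDS = [
    {"patient_id": "P-1001", "name": "Anna Example", "email": "anna@example.org",
     "date_of_birth": "1984-03-12", "postcode": "10115", "diagnosis": "E11", "hba1c": 7.9},
    {"patient_id": "P-1002", "name": "Ben Example", "email": "ben@example.org",
     "date_of_birth": "1991-07-30", "postcode": "80331", "diagnosis": "I10", "hba1c": 5.4},
    {"patient_id": "P-1003", "name": "Cem Example", "email": "cem@example.org",
     "date_of_birth": "1978-11-02", "postcode": "20095", "diagnosis": "E11", "hba1c": 8.3},
    {"patient_id": "P-1001", "name": "Anna Example", "email": "anna@example.org",
     "date_of_birth": "1984-03-12", "postcode": "10115", "diagnosis": "E11", "hba1c": 7.4},
]

# Direct identifiers never leave the practice's device.
DIRECT_IDENTIFIERS = {"name", "email", "patient_id"}
# Quasi-identifiers are generalized (year only, two-digit postcode prefix)
# rather than dropped, so the clinical data stays usable.
GENERALIZED = {"date_of_birth", "postcode"}


def pseudonym(patient_id: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the patient ID. Deterministic for one key, so
    follow-up records of the same patient stay linkable; without the key
    the token cannot be reversed or recomputed (an unkeyed hash could be
    brute-forced over the small space of practice IDs)."""
    return hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Return a new record safe to upload: no direct identifiers,
    generalized quasi-identifiers, clinical fields unchanged."""
    out = {
        "pseudonym": pseudonym(record["patient_id"], key),
        "birth_year": record["date_of_birth"][:4],
        "region": record["postcode"][:2],
    }
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in GENERALIZED:
            continue
        out[field] = value
    return out


def pseudonymize_all(records, key: bytes):
    return [pseudonymize_record(r, key) for r in records]


def contains_direct_identifier(record: dict) -> bool:
    """Check an outgoing record before upload; used as a last-line guard."""
    return any(field in record for field in DIRECT_IDENTIFIERS)


def anonymized_statistics(pseudonymized, min_group_size: int = 2) -> dict:
    """Distinct patients per diagnosis, with groups smaller than
    min_group_size suppressed: a singleton group lets a reader who knows
    one patient's diagnosis re-identify that patient in the statistic."""
    patients_by_diagnosis = defaultdict(set)
    for r in pseudonymized:
        patients_by_diagnosis[r["diagnosis"]].add(r["pseudonym"])
    counts = Counter({d: len(p) for d, p in patients_by_diagnosis.items()})
    return {d: n for d, n in counts.items() if n >= min_group_size}


if __name__ == "__main__":
    # Hypothetical key; in practice it is generated and held by the controller.
    key = b"practice-local-secret-key"
    uploads = pseudonymize_all(SAMPLE_RECORDS, key)
    for u in uploads:
        assert not contains_direct_identifier(u)
        print(u)
    print(anonymized_statistics(uploads))
```

The design point is that the key stays with the practice (the controller in GDPR terms): the cloud operator receives linkable but non-identifying tokens, and the research export is built only from the pseudonymized set with small groups removed.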
Currently, these projects face concerns regarding the type of data sets, their generation and their usage. These concerns are directly linked to the legal implications and restrictions of data protection in the different National Health Clouds.
The use of such data is highly regulated and holds integral data protection implications. Additionally, legal authorities have to “provide a framework in which any failure to implement the duties that arise from those ethical principles may be addressed” (Callens, 2010). Essentially, the goal of legislation in healthcare is to ensure legal certainty and the provision and protection of public healthcare systems. To achieve this goal, rules to ensure the protection of privacy and data protection are in place. The underlying concepts are universally applied; subsequently, they are also utilized in the eHealth sector (WHO, 2012).
It is evident that the technological development of the digitalization, hyper-connectivity as well as subsequent tools put businesses under pressure to develop new business models.
These business models naturally are concerned with transnational data transfer and personal (identifiable) information as modern businesses are acting within a globalized society and market.
Data protection is a crucial part of (legal) compliance. Compliance, on the other hand, is, as Bird & Park put it, “a core concern for corporate governance” (Bird & Park, 2017). Compliance with normative and regulatory mandates focuses and binds resources in business environments.
While this compliance might increase spending and create barriers for implementation (Bird & Park, 2017) or in product/service design and development, data protection and compliance also offer a unique opportunity for businesses to incorporate security as a feature in their products, services and processes. This is especially supported by Art. 25 GDPR.
As explained in the following paragraphs, the GDPR offers potential for including data protection considerations deep within the business case itself. The obligation is, thus, also a unique selling point.
The issue of creating a unique selling point also has to be considered in product or service development. To decide upon the most beneficial and thus most suitable one, the product’s key features and benefits should be considered. Essentially, the question is: In which way does the product or service create a need/want for the consumer? The realization of a need is a “problem recognition” (Clow & Baack, 2015:55-56). If the consumer realizes that there is a status that deviates from the status quo and is desirable, the balance is shifted. Bruner characterizes this as the departure from homeostasis (Bruner, 1988:41f.). The product has to shift the reception of the consumer.
In various ways, legal implications and compliance are constraints that influence the consumer’s reception of a product or service. By reassuring the security and continued care for personal data, an organization is able to gain a competitive edge. However, this competitive edge can only be achieved by adhering to the legal grounds for processing.
At the very center of data processing is the term “personal data”. It is defined in Art. 2(a) GDPR as “any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity” (Art. 2(a)). This implies both direct and indirect identifiability: While an individual might be directly identified by a data set, an indirect identification is formed by the combination of auxiliary data. Art. 2(a) encompasses both approaches (see also Sumroy & Cousin, 2016:2).
Additionally, Article 4(1) GDPR describes the identifiable natural person (i.e. the data subject): it “is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Thus, only a natural person can be a data subject. While this stipulation limits the material scope of the GDPR, it is important for transnational business models that, in accordance with recital 2, the processing of personal data of natural persons is encompassed regardless of their nationality or place of residence. The Article 29 Working Party even indicated in this context that the GDPR cannot “reduce the scope of protection to persons residing in the EU, since the fundamental right to protection of personal data is enjoyed regardless of nationality or residence” (Article 29 Data Protection Working Party, Opinion 8/2010). Therefore, according to Art. 3 (2) GDPR, it is sufficient that the natural person is physically present in the EU (Jay, 2017:74).
It is arguable whether the term data subject can be used synonymously with the term consumer. The term consumer is protected by Consumer Law (e.g. the E-Commerce Directive). According to Rauhofer, both the data subject and the consumer are the party worthy of protection in a transaction (Rauhofer, 2013). Rauhofer additionally argues that the only difference between a data subject and a consumer is the method of payment: money for the consumer and personal data for the data subject (Rauhofer, 2013). The impact of these considerations on the business environment is that Data Protection is part of the canon of Consumer Protection and thus part of product or service development. This is further supported by the stipulations in Art. 25 GDPR regarding privacy by design and default.
Another vital term is defined in Art. 2(d): The “controller”. A controller is a “natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data” (Art. 2(d)). In accordance with Art. 2(d) the controller is characterized by the actual exercise of control rather than the allocation of control – as determined in a contractual obligation (Bygrave, 2000:5).
Different from the controller, the “processor” is defined as “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of” a controller (Art. 2(e) GDPR). Any processor is, in accordance with Art. 17, subject to the supervision of the controller (ibid). In the case of misconduct, the controller is liable for the actions of his/her processor (Art.17(2), 23 GDPR). Not encompassed in the material scope of the GDPR are processing activities by a natural person for personal or household activity (Art. 2 (2) (c) GDPR). The activities must have a commercial implication.
The focus of the GDPR is the lawful processing of personal data, Art. 4, 6-9 GDPR. It is only allowed to process data if a data subject gave its consent, a legal obligation is enforced upon the processor or it is permitted by law. This furthermore implies that an objection to processing negates the processing of personal identifiable data, Art. 21 GDPR. Based upon this principle, it is only allowed to process data for a predefined purpose and only for the duration of this purpose. This implies that a multinational organization is only allowed to collect the data it actually needs for conducting business. The purpose of collection, the manner of processing and the duration of storage must be documented. The data must be protected through technical and organizational measures (“TOM”). The GDPR stipulates even higher standards for the processing and safeguard of sensitive personal data and personality profiles. Additionally, the rights of the individual must be secured. This encompasses especially the right to rectification (Art. 16 GDPR), the right to erasure (Art. 17 GDPR), the right to restriction of processing (Art. 18 GDPR), and the rules on data portability (Art. 20 GDPR) and profiling (Art. 22 GDPR). Any organization should review and document their processing. The GDPR indicates that this should be a part of a Data Protection Management System (Bitkom, 2016).
The lawful processing that is commonly associated with transnational data flows is processing related to the offering of goods or services. The GDPR itself does not define the terms “goods” or “services”. Similar to the E-Commerce Directive, Directive 2011/83/EU on Consumer Rights (Consumer Directive) is consulted and radiates into the GDPR. Art. 2 (3) Consumer Directive defines goods as “any tangible movable items, with the exception of items sold by way of execution or otherwise by authority of law; water, gas and electricity shall be considered as goods within the meaning of this Directive where they are put up for sale in a limited volume or a set quantity”.
The offering of goods and services has to encompass the processing of personal data. The GDPR does not, however, discriminate between typologies or categories of goods or services. Therefore, the GDPR encompasses all goods and services notwithstanding the fact that they are offered on a regular basis or occasionally (Jay, 2017:75).
Targeting
The offering of goods and services often makes it necessary to target a certain group. Product markets in general can be differentiated into different buyer or consumer groups. The process of this differentiation into groups and sub-groups is called segmentation (Clow & Baack, 2015:94f.). It essentially differentiates between different consumer demand functions (Dickson & Ginter, 1987:1f.). The created segments are characterized by their consumers’ responsiveness to particular strategies in product positioning. In their endeavor to provide goods and services, corporations often address or target these segments through advertising campaigns, marketing, websites or direct communication. As a result, “business activity needs to be intended to have effects within the territory of the state which is asserting jurisdiction” (Taka, 2017).
Profiling
Besides targeting activities, profiling is a very common activity in the modern business world. Especially in the field of social media, economic efficiency is based on the ability to profile. A fundamental endeavor for social media providers is ultimately to make the individual economically accessible. The individual is defined as the target market (Clow & Baack, 2015:94f.). This narrowing of the target group goes hand in hand with the need to individualize services. The individual’s own interests have to be addressed or even influenced in favor of a product or a solution (Clow & Baack, 2015:94f.).
In the implementation of such marketing strategies different methods are used. The most prominent method seems to be social profiling. Social profiling aims to build a personality profile based on data collected about a person's traits, actions, effects and preferences. Although the goal always remains the same, there are different approaches in the implementation of social profiling. In many cases, however, specially created software solutions or analysis tools are used, e.g. cookies or data analytics solutions on websites (Linxweiler, 2016).
On the next level, the personality profiles created in this way are used. The so-called social engineering leads to a conscious influence. The best examples of this are individualized banner ads or offer emails, by which the target person is to be moved to a specific action. This can be the purchase of certain products or the further disclosure of information (Linxweiler, 2016).
In addition, however, it is also possible to pursue criminal purposes with this data collection. For example, social hacking can use a social engineering approach to enable penetration into computer systems or the seizure of confidential data. This approach - although not a procedural model for companies - is of entrepreneurial relevance. Corporate management needs to be aware that their employees may become vulnerable through everyday social media use, potentially exposing themselves to social hacking attacks (Linxweiler, 2017). An open communication culture as well as training and sensitization with regard to danger potentials and problem areas can counteract knowing or unknowing industrial espionage and the dissemination of secrets (Linxweiler, 2016).
These kinds of endeavors are addressed in the GDPR under the term profiling. Art.4(4) GDPR defines profiling as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
Monitoring
Different from profiling activities, monitoring is not explicitly defined in the GDPR. However, the GDPR encompasses all manners of processing of personal data as long as the data subject is either an EU citizen or resides physically in the EU. Therefore, the GDPR also encompasses activities by a controller or processor that are concerned with the monitoring of the behavior of data subjects. While there is no definition of monitoring, the term is used in Art.35(3) (c) GDPR as well as Art.37(1) (b) GDPR. Art.35 (3) (c) GDPR is concerned with systematic monitoring. Art. 37(1) (b) GDPR is concerned with regular and systematic monitoring. Finally, the implication of monitoring is stipulated in recital 24:
“The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behavior of such data subjects in so far as their behavior takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behavior of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.”
[...]