Experiential case study audit of three popular period trackers using General Data Protection Regulation (GDPR) and intimate privacy assessment criteria.

The new obligations imposed by the General Data Protection Regulation (GDPR) do not prohibit the use of personal data for analytics or other beneficial secondary uses. But they do require the adoption of new technical and organizational measures to protect that data. The GDPR explicitly points to pseudonymizing as one such measure that can help meet the requirements of several of its provisions. The GDPR further recognizes differing levels of de-identi cation in a way that provides incentives for organizations to adopt the optimal type and level of de-identification that can help them use personal data for bene cial purposes while meeting their compliance obligations and protecting the privacy of individuals. By enabling the use of “Controlled Linkable Data” (as described in this White Paper) that retains the utility of personal data while helping to meet organizations’ compliance obligations and to significantly reduce their risk of liability, Anonos® BigPrivacy® technology can help organizations navigate and meet these new GDPR requirements. Thus, Anonos BigPrivacy technology can ease regulatory burdens and be a key component of an overall GDPR compliance program. The body of this paper describes in detail the regulatory background, technological innovations, and practical applications of Controlled Linkable Data, leading to the maximization of data value and individual privacy in a GDPR-compliant manner. First, in Section III, we introduce the concept of Controlled Linkable Data in the context of the GDPR. Next, in Section IV, we describe the GDPR’s new requirements, focusing on the distinction between privacy by design and data protection by default, and noting that the former is merely a subset of the latter, making it insuf cient to satisfy the GDPR’s stringency. We also introduce the essential concept of Controlled Linkable Data. In Section V, we explain how Controlled Linkable Data enables a more powerful form of de-identification, one encouraged by the GDPR, but which has previously not been achievable by technical methods. This leads to the conclusion that “data protection over the full lifecycle of data by leveraging technical and organizational measures, including pseudonymisation, [ensures] that, by default, personal data are not made accessible without the individual’s intervention to an inde nite number of natural persons.” Next, Section VI analyzes numerous relevant sections of the GDPR (speci cally, Articles 5, 6, 11(2), 12(2), 15-22, 32-36, 40, 42, 82 and 88), showing how Controlled Linkable Data helps satisfy the specific GDPR requirements. Last, in light of this understanding of the requirements, limitations, exclusions and overall principles of the GDPR, Section VII explains the technical basis of Anonos BigPrivacy technology, how it implements Controlled Linkable Data, and how this solution addresses GDPR compliance concerns for all parties: data controllers, regulators and data subjects. Global firms that gather, use or store GDPR personal data should consider the possibility that Controlled Linkable Data as described in this White Paper enables secondary uses of data while ensuring compliance with GDPR requirements.

The purpose of the study is to analyze the existing requirements for personal data security and assess the impact of these requirements on the enterprises security in the Russian Federation. Research method: the problem of ensuring the security of personal data in accordance with the requirements of the Federal law of the Russian Federation FZ-152 and the international General Data Protection Regulation is investigated. The article analyzes the possible risks of interrupting the normal activities of enterprises in the Russian Federation due to violations of these requirements for personal data protection and the imposition of significant fines by international regulators. Numerical relationships are estimated between the amount of fines for violations of established requirements, including General Data Protection Regulation, and the cost of creating an effectiveness personal data protection system. Estimates of the permissible degree of influence of the General Data Protection Regulation requirements on the enterprises security in the Russian Federation are obtained. Research result: a study and comparison of possible penalties for violation of compliance with the requirements of the Federal law of the Russian Federation FZ-152 and the international General Data Protection Regulation was performed. Risk assessments of sanctions for violation of the established requirements for personal data protection were obtained. The analysis of the cost of preparing a personal data protection system for compliance with the requirements of the General Data Protection Regulation was performed. Based on the data obtained, examples of calculating the degree of maturity of the security system are presented – based on the ratio of the share of the budget allocated for security in relation to the cost of creating an effectiveness personal data protection system and based on the ratio of the amount of the fine for violation of the established requirements. The importance of accounting for the costs of personal data security to ensure the security of enterprises in the Russian Federation, taking into account the requirements of the General Data Protection Regulation, is shown

BackgroundConcerns about privacy and personal data protection resulted in reforms of the existing legislation in the European Union (EU). The General Data Protection Regulation (GDPR) aims to reform the existing directive on the topic of personal data protection of EU citizens with a strong emphasis on more control of the citizens over their data and in the establishment of rules for the processing of personal data. OpenEHR is a standard that embodies many principles of interoperable and secure software for electronic health records (EHRs) and has been advocated as the best approach for the development of hospital information systems.ObjectiveThis study aimed to understand to what extent the openEHR standard can help in the compliance of EHR systems to the GDPR requirements.MethodsA list of requirements for an EHR to support GDPR compliance and also a list of the openEHR design principles were made. The requirements were categorized and compared with the principles by experts on openEHR and GDPR.ResultsA total of 50 GDPR requirements and 8 openEHR design principles were identified. The openEHR principles conformed to 30% (15/50) of GDPR requirements. All the openEHR principles were aligned with GDPR requirements.ConclusionsThis study showed that the openEHR principles conform well to GDPR, underlining the common wisdom that truly realizing security and privacy requires it to be built in from the start. By using an openEHR-based EHR, the institutions are closer to becoming compliant with GDPR while safeguarding the medical data.

PurposeThis paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended to adequately meet, data protection requirements set by the General Data Protection Regulation (GDPR); it also indicates security management actions an organisation needs to perform to fulfil GDPR requirements. Thus, ISO/IEC 27001:2013 compliant organisations, can use this paper as a basis for extending the already existing security control modules towards data protection; and as guidance for reaching compliance with the regulation.Design/methodology/approachThis study has followed a two-step approach; first, synergies between ISO/IEC 27001:2013 modules and GDPR requirements were identified, by analysing all 14 control modules of the ISO/IEC 27001:2013 and proposing the appropriate actions towards the satisfaction of data protection requirements. Second, this paper identified GDPR requirements not addressed by ISO/IEC 27001:2013.FindingsThe findings of this work include the identification of the common ground between the security controls that ISO/IEC 27001:2013 includes and the requirements that the GDPR imposes; the actions that need to be performed based on these security controls to adequately meet the data protection requirements that the GDPR imposes; and the identification of the remaining actions an ISO/IEC 27001 compliant organisation needs to perform to be able to adhere with the GDPR.Originality/valueThis paper provides a gap analysis and a further steps identification regarding the additional actions that need to be performed to allow an ISO/IEC 27001:2013 certified organisation to be compliant with the GDPR.

The evolution of personal data protection in Albania reflects an effort to align domestic legislation with European Union standards, particularly with the General Data Protection Regulation (GDPR). The new law on personal data protection introduces significant changes compared to the previous law, strengthening transparency, accountability, and individuals' rights over their data. Through this law, the aim is to ensure more effective protection against the challenges of the digital age. The purpose of this paper is to analyze the key differences between the new and the old personal data protection law in Albania, as well as to assess the compliance of these changes with GDPR requirements. In particular, it will review how the new law improves mechanisms for protecting personal data and the rights of data subjects, including new concepts of transparency, data control, and oversight by relevant authorities. The paper also addresses practical challenges in implementing the new law, including the lack of public awareness, the institutional capacities needed for effective supervision, and the adaptation of the private sector to the new obligations. A comparison with the GDPR will help identify potential gaps and the steps needed for a more comprehensive harmonization with European standards. In the end, the paper offers recommendations to enhance the enforceability of the new law, including strengthening institutional oversight, increasing awareness of rights and obligations related to personal data, training key actors in the public and private sectors, and adapting the legal framework to technological developments. These measures will enhance personal data protection and ensure closer alignment with international standards. Received: 20 April 2025 / Accepted: 8 June 2025 / Published: 25 June 2025

The General Data Protection Regulation (GDPR) was widely seen as a significant step towards enhancing data protection and privacy. Unlike previous legislation, adherence to GDPR required organizations to assume greater responsibility for cybersecurity with respect to data processing. This shift represented a profound transformation in how businesses retain, use, manage, and protect data. However, despite these innovative aspects, the actual implementation of the GDPR security side poses some challenges. This paper attempts to identify positive and negative aspects of GDPR requirements and presents a new framework for analyzing them from a security point of view. Firstly, it provides an overview of the most significant scholarly perspectives on GDPR and cybersecurity. Secondly, it presents a systematic roadmap analysis and discussion of the requirements of GDPR in relation to cybersecurity. Results show that some of the GDPR security controls, such as the Data Protection Impact Assessments (DPIA), records on processing, and the appointment of a Data Protection Officer (DPO), are some of the most critical from a security viewpoint. Finally, it provides recommendations for tackling these challenges in the evolving compliance landscape.

The advent of the European General Data Protection Regulation (GDPR) imposes organizations to cope with radical changes concerning user data protection paradigms. GDPR, by promoting a Privacy by Design approach, obliges organizations to drastically change their methods regarding user data acquisition, management, processing, as well as data breaches monitoring, notification and preparation of prevention plans. This enforces data subjects (e.g., citizens, customers) rights by enabling them to have more information regarding usage of their data, and to take decisions (e.g., revoking usage permissions). Moreover, organizations are required to trace precisely their activities on user data, enabling authorities to monitor and sanction more easily. Indeed, since GDPR has been introduced, authorities have heavily sanctioned companies found as not GDPR compliant. GDPR is difficult to apply also for its length, complexity, covering many aspects, and not providing details concerning technical and organizational security measures to apply. This calls for tools and methods able to support organizations in achieving GDPR compliance. From the industry and the literature, there are many tools and prototypes fulfilling specific/isolated GDPR aspects, however there is not a comprehensive platform able to support organizations in being compliant regarding all GDPR requirements. In this paper, we propose the design of an architecture for such a platform, able to reuse and integrate peculiarities of those heterogeneous tools, and to support organizations in achieving GDPR compliance. We describe the architecture, designed within the DEFeND EU project, and discuss challenges and preliminary benefits in applying it to the healthcare and energy domains.

COVID-19 has had a major influence on the educational system. Since March 2020, the majority of teaching and learning has taken place online, including in the adult education sector. At the same time, the speedy transformation to the online mode has raised various legal issues, particularly regarding data protection, intellectual property rights, and compliance with the national legal framework. This article aims to analyse the compliance of online learning and teaching in adult education programmes with the General Data Protection Regulation (GDPR) and, on the basis of that, make recommendations to adult education entities that offer online teaching and learning process. To achieve the aim, the author uses the following research methods: a doctrinal research method, a scientific literature review, and a survey. As a result, the author identifies various legal issues regarding personal data protection during recording online teaching and learning, such as compliance with the GDPR requirements during online lecturing, compliance of e-platform providers with the GDPR, unauthorised access, data loss, and cyberattacks.

The EU General Data Protection Regulation (GDPR) recognizes the data subject’s consent as one of the legal grounds for data processing. Targeted advertising, based on personal data processing, is a central source of revenue for data controllers such as Google and Facebook. At present, the implementation of consent mechanisms for such advertisements are often not well developed in practice and their compliance with the GDPR requirements can be questioned. The absence of consent may mean an unlawful data processing and a lack of control of the user (data subject) on his personal data. However, consent mechanisms that do not fully satisfy GDPR requirements can give users a false sense of control, encouraging them to allow the processing of more personal data than they would have otherwise. In this paper, we identify the features, originating from GDPR requirements, of consent mechanisms. For example, the GDPR specifies that a consent must be informed and freely given, among other requirements. We then examine the Ad Consent Mechanism of Facebook that is based on processing of user activity data off Facebook Company Products provided by third parties with respect to these features. We discuss to what extent this consent mechanism respects these features. To the best of our knowledge, our evaluation of Facebook’s Ad Consent Mechanism is the first of its kind.

In July 2023, the United States and the European Union introduced the Data Privacy Framework (DPF), introducing the third generation of cross-border data transfer agreements constituting adequacy with respect to personal data transfers under the General Data Protection Regulation (GDPR) between the European Union (EU) and the US. This framework may be used in cross-border healthcare and research relationships, which are highly desirable and increasingly essential to innovative health technology development and health services deployment. A reliable model meeting EU adequacy requirements could enhance the transfer of patient and research participant data. While the DPF might present a familiar terrain for US organizations, it also brings unique challenges. A notable concern is the ability of individual EU Member States to establish individual and additional requirements for health data that are more restrictive than GDPR requirements, which are not anticipated by the DPF. This article highlights the DPF's potential impact on the healthcare and research sectors, finding that the DPF may not provide the degree of lawful health data transfer desirable for healthcare entities. We examine the DPF against a background of existing Health Insurance Portability and Accountability Act obligations and other GDPR transfer tools to offer alternatives that can improve the likelihood of reliable, lawful health data transfer between the US and EU.

Large Language Models (LLMs) have revolutionized natural language processing but present significant technical and legal challenges when confronted with the General Data Protection Regulation (GDPR). This paper examines the complexities involved in reconciling the design and operation of LLMs with GDPR requirements. In particular, we analyze how key GDPR provisions—including the Right to Erasure, Right of Access, Right to Rectification, and restrictions on Automated Decision-Making—are challenged by the opaque and distributed nature of LLMs. We discuss issues such as the transformation of personal data into non-interpretable model parameters, difficulties in ensuring transparency and accountability, and the risks of bias and data over-collection. Moreover, the paper explores potential technical solutions such as machine unlearning, explainable AI (XAI), differential privacy, and federated learning, alongside strategies for embedding privacy-by-design principles and automated compliance tools into LLM development. The analysis is further enriched by considering the implications of emerging regulations like the EU’s Artificial Intelligence Act. In addition, we propose a four-layer governance framework that addresses data governance, technical privacy enhancements, continuous compliance monitoring, and explainability and oversight, thereby offering a practical roadmap for GDPR alignment in LLM systems. Through this comprehensive examination, we aim to bridge the gap between the technical capabilities of LLMs and the stringent data protection standards mandated by GDPR, ultimately contributing to more responsible and ethical AI practices.

With the enforcement of the General Data Protection Regulation (GDPR) in EU, organisations must make adjustments in their business processes and apply appropriate technical and organisational measures to ensure the protection of the personal data they process. Further, organisations need to demonstrate compliance with GDPR. Organisational compliance demands a lot of effort both from a technical and from an organisational perspective. Nonetheless, organisations that have already applied ISO27k standards and employ an Information Security Management System and respective security controls need considerably less effort to comply with GDPR requirements. To this end, this paper aims to identify the controls provisioned in ISO/IEC 27001:2013 and ISO/IEC 27002:2013 that need to be extended in order to adequately meet, if/where possible, the data protection requirements that the GDPR imposes. Thus, an organisation that already follows ISO/IEC 27001:2013, can use this work as a basis for compliance with the GDPR.

Systematic observation is a promising unobtrusive method of assessing human behavior in urban environments without many issues typically associated with self-report measures (e.g., recall bias, low response rates). Improvements in video camera technologies make it more feasible for researchers to conduct systematic observation, which could reduce the time, labor, and cost to facilitate high-quality observational research in urban environments at scale. However, there are important ethical and information governance challenges driven by data protection laws, which discourage many researchers from using camera-based observation methods. The European Union General Data Protection Regulation is a leading global standard for data protection. Drawing on our experiences of conducting three studies using video cameras in public spaces, we discuss how to conduct this kind of research in line with General Data Protection Regulation requirements. The paper outlines issues concerning data protection, privacy, informed consent, and confidentiality, and how we addressed them. In doing this, the paper provides support for responsible use of camera-based observation methods, which will be of value to researchers, ethics committees, and funders. Outlining how to use video cameras responsibly will enable more research to be conducted that, in turn, will build the case for its benefits to researchers and society.

Mergers and acquisitions (M&A) involving business unit transfers present significant data protection challenges, requiring compliance with the General Data Protection Regulation (GDPR) and national laws. This paper examines the practical obligations of data controllers transferring business units in Italy, considering Italian Civil Code and GDPR requirements. The paper provides a structured approach to ensuring compliance in business transfers, covering key obligations such as data minimisation, privacy notice requirements, legal basis identification, legitimate interest assessments, data processing agreements (DPAs) and security measures for data transfers. The analysis integrates key decisions from the Italian Data Protection Authority along with practical business cases from the banking sector, offering insights into regulatory expectations and enforcement trends. By bridging legal principles with practical implementation, this paper serves as a strategic guide for businesses, legal professionals and policy makers navigating data protection in M&A transactions. The paper concludes with recommendations for best practices in handling personal data during corporate restructuring and acquisitions, ensuring compliance while mitigating legal and operational risks. This article is also included in The Business & Management Collection which can be accessed at https://hstalks.com/business/.

The General Data Protection Regulation (GDPR), enacted in the European Union in 2018, has significantly transformed the landscape of personal data management and protection. This article provides an overview of GDPR's impact, focusing on its applicability, fundamental principles and influence on data management practices, particularly within the European Society of Thoracic Surgeons (ESTS) database. GDPR's reach extends to all entities collecting and processing personal data of European Union residents, regardless of their location. It encompasses various data types, emphasizing meticulous handling and protection of identifiable information. Special categories of data, such as health and sensitive attributes, require even more stringent protection. The regulation sets legal, fair and transparent data processing principles, emphasizing accuracy, purpose limitation and data minimization. It also stresses accountability, leading to the appointment of Data Protection Officers and significant penalties for non-compliance. The ESTS database, designed to enhance thoracic surgical research and care, collects data on European procedures. It follows GDPR principles by pseudonymizing data, ensuring secure data transmission and providing clear instructions for data submission. The database contributes to research, policymaking and practice improvement in thoracic surgery by offering a comprehensive dataset for analysis. Here, we aim to shed light on the complexities of GDPR implementation and emphasize the need for comprehensive data management strategies to ensure compliance and enhance privacy protection with the contribution to the ESTS database. GDPR compliance comes with challenges, including potential human dignity and privacy rights violations. Data breaches can result in unauthorized disclosures, and non-compliance can lead to substantial fines and reputational damage. The implementation of GDPR encourages organizations to prioritize ethical data practices, security measures and transparent data handling. In conclusion, GDPR has revolutionized personal data protection by emphasizing accountability, transparency and individual rights. It has impacted organizations globally, promoting responsible data management practices. Adhering to GDPR ensures privacy protection, trust-building and overall enhancement of data management in today's data-driven environment.