A Data Privacy Governance Model: The Integration of the General Data Protection Regulation Into Standard Based Management Systems

Margareth Stoll (Independent Researcher, Italy)
Copyright: © 2019 |Pages: 20
DOI: 10.4018/IJITBAG.2019010105


The importance of data privacy, information availability and integrity is increasingly recognized. The new EU General Data Protection Regulation 679/2016 imposes stringent legal requirements with high sanctions for noncompliance. Most organizations worldwide are affected directly or indirectly. Overall, it requires a risk- and evidence-based data privacy management as part of corporate governance. More than 1.6 million organizations worldwide are implementing a standard-based management system, such as ISO 9001 or others. To implement the new data protection regulation in an effective, efficient and sustainable way, the author provides design-oriented guidelines on how to integrate the legal requirements into standard-based management systems. The holistic data privacy governance model integrates different information security governance frameworks with standard-based management systems in order to comply with the regulation. In that way data privacy becomes part of all strategic, tactical and operational business processes, and promotes corporate governance, legal compliance and living data protection.
Article Preview


Data privacy is a principal statutory right of the European Union and of most countries all over the world. Due to increasing digitalization, interconnected, mobile and virtualized business, artificial intelligence, big data and customer tracking, ever larger volumes of data are produced, analyzed and exposed to threats and misuse. Data and information systems face increasing privacy threats from a wide range of sources, such as human curiosity, employees’ actions, computer-assisted fraud, cyberattacks, phishing, sabotage, theft, fire or infrastructure incidents. Ponemon’s survey found an increasing likelihood of data breaches and estimates that an organization has a 27.7% probability of suffering a data breach in the next two years (Ponemon, 2017). A data breach may result in physical, material and/or non-material damage, such as damage to reputation, loss of customers (Martin, Borah & Palmatier, 2017), cost of mitigation and recovery, reduction of share price, discrimination against the persons concerned and other significant economic or social disadvantages. Thus investors, boards and customers, as well as laws and authorities, continually demand a higher level of data privacy. The clients of 90% of participants in a worldwide survey are concerned about the privacy of their data (Harvard Business Review Analytic Services, 2017). Most modern corporate governance guidelines make the board, and specifically the CEO, responsible for the well-being of the organization.

The new EU General Data Protection Regulation (GDPR) 679/2016 (EU, 2016) imposes stringent legal requirements with administrative sanctions for noncompliance of up to the greater of 4% of total worldwide annual turnover or €20 million. It also offers great opportunities for enterprises, by harmonizing a major part of the data privacy laws of the different EU countries, by driving new demand for services, IT systems and digitized products that fulfill the enhanced data privacy requirements, and in other ways. The EU estimates €2.3 billion in economic benefits from having one harmonized law (http://ec.europa.eu/justice/smedataprotect/index_en.htm). From May 25, 2018 it affects any enterprise doing business in Europe, its suppliers at all levels, and all organizations worldwide that process data which can be used to identify, directly or indirectly, natural persons in Europe. In a worldwide survey, 85% of responding organizations expect to be affected and 42% expect significant impacts (Harvard Business Review Analytic Services, 2017). Consequently, data privacy and security has become a high priority for 81% of surveyed organizations (Harvard Business Review Analytic Services, 2017). Data privacy, the availability of all essential assets, confidentiality, data integrity, and legal and regulatory compliance are central to organizations’ success (Bélanger & Crossler, 2011; Da Veiga & Eloff, 2007; Sowa, Tsinas & Gabriel, 2009; von Solms & Solms, 2009). This poses great challenges for small and medium-sized organizations. They need a very efficient and functional approach that can be smoothly integrated into their daily business.

More than 1.6 million organizations worldwide are implementing a standard-based management system based on international standards (e.g. quality ISO 9001, environment ISO 14001, information security ISO 27001, IT service management ISO 22000 and others) (ISO, 2017a). In order to promote an efficient integration of different standards, the International Standard Organization [ISO] released a common structure for all management system standards, Annex SL of the ISO/IEC Directives (ISO, 2013c).
