{"title":"Beware: Processing of Personal Data—Informed Consent Through Risk Communication","authors":"Lukas Seiling;Rita Gsenger;Filmona Mulugeta;Marte Henningsen;Lena Mischau;Marie Schirmbeck","doi":"10.1109/TPC.2024.3361328","DOIUrl":null,"url":null,"abstract":"<bold>Background:</b>\n The General Data Protection Regulation (GDPR) has been applicable since May 2018 and aims to further harmonize data protection law in the European Union. Processing personal data based on individuals’ consent is lawful under the GDPR only if such consent meets certain requirements and is “informed,” in particular. However, complex privacy notice design and individual cognitive limitations challenge data subjects’ ability to make elaborate consent decisions. Risk-based communication may address these issues. \n<bold>Literature review:</b>\n Most research focuses on isolated aspects of risk in processing personal data, such as the actors involved, specific events leading to risk formation, or distinctive (context-dependent) consequences. We propose a model combining these approaches as the basis for context-independent risk communication. \n<bold>Research questions:</b>\n 1. What are relevant information categories for risk communication in the processing of personal data online? 2. Which potentially adverse consequences can arise from specific events in the processing of personal data online? 3. How can consequences in the processing of personal data be avoided or mitigated? \n<bold>Research methodology:</b>\n The GDPR was examined through a systematic qualitative content analysis. The results inform the analysis of 32 interviews with privacy, data protection, and information security experts from academia, Non-Governmental Organizations, the public, and the private sector. \n<bold>Results:</b>\n Risk-relevant information categories, specific consequences, and relations between them are identified, along with strategies for risk mitigation. 
The study concludes with a specified framework for perceived risk in processing personal data. \n<bold>Conclusion:</b>\n The results provide controllers, regulatory bodies, data subjects, and experts in the field of professional communication with information on risk formation in personal data processing. Based on our analysis, we propose information categories for risk communication, which expand the current regulatory information requirements.","PeriodicalId":46950,"journal":{"name":"IEEE Transactions on Professional Communication","volume":"67 1","pages":"4-25"},"PeriodicalIF":1.6000,"publicationDate":"2024-03-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10472565","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Professional Communication","FirstCategoryId":"98","ListUrlMain":"https://ieeexplore.ieee.org/document/10472565/","RegionNum":2,"RegionCategory":"文学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMMUNICATION","Score":null,"Total":0}
Citations: 0
Abstract
Background:
The General Data Protection Regulation (GDPR) has been applicable since May 2018 and aims to further harmonize data protection law in the European Union. Processing personal data based on individuals’ consent is lawful under the GDPR only if such consent meets certain requirements and is “informed,” in particular. However, complex privacy notice design and individual cognitive limitations challenge data subjects’ ability to make elaborate consent decisions. Risk-based communication may address these issues.
Literature review:
Most research focuses on isolated aspects of risk in processing personal data, such as the actors involved, specific events leading to risk formation, or distinctive (context-dependent) consequences. We propose a model combining these approaches as the basis for context-independent risk communication.
Research questions:
1. What are relevant information categories for risk communication in the processing of personal data online?
2. Which potentially adverse consequences can arise from specific events in the processing of personal data online?
3. How can consequences in the processing of personal data be avoided or mitigated?
Research methodology:
The GDPR was examined through a systematic qualitative content analysis. The results inform the analysis of 32 interviews with privacy, data protection, and information security experts from academia, Non-Governmental Organizations, the public, and the private sector.
Results:
Risk-relevant information categories, specific consequences, and relations between them are identified, along with strategies for risk mitigation. The study concludes with a specified framework for perceived risk in processing personal data.
Conclusion:
The results provide controllers, regulatory bodies, data subjects, and experts in the field of professional communication with information on risk formation in personal data processing. Based on our analysis, we propose information categories for risk communication, which expand the current regulatory information requirements.
About the journal:
The IEEE Transactions on Professional Communication is a peer-reviewed journal devoted to applied research on professional communication—including but not limited to technical and business communication. Papers should address the research interests and needs of technical communicators, engineers, scientists, information designers, editors, linguists, translators, managers, business professionals, and others from around the globe who practice, conduct research on, and teach others about effective professional communication. The Transactions publishes original, empirical research that addresses one of these contexts: the communication practices of technical professionals, such as engineers and scientists; the practices of professional communicators who work in technical or business environments; and evidence-based methods for teaching and practicing professional and technical communication.