https://medium.com/1plusx/eu-general-data-protection-regulation-gdpr-2018-will-be-different-a25bcdef2efe
Nearly one year after its enforcement, the General Data Protection Regulation (GDPR) demonstrates that government guidance can successfully direct how public governments and private industry use and store digital information and personally identifiable information (PII). GDPR should encourage citizens, both in the EU and abroad, to take a more active interest in protection mechanisms for their online data and information.
Between 2004 and 2017 there were over 250 publicly disclosed breaches; these cyberattacks disclosed sensitive information including PII, passwords, usernames, health information, and credit card and banking information. Prior to 2018, there was legislation requiring government and private enterprise to protect health and credit card information, yet there was no legislation requiring governments and enterprises to disclose a breach to the citizens affected, or to disclose how personal digital information is stored and used.
In 2017 the EU Data Protection Supervisor (EUDPS) published its annual report highlighting how formal complaints concerning digital privacy have driven its GDPR legislation to protect individuals’ online privacy and security. On April 14, 2016 the EU Parliament approved GDPR legislation, and on May 25, 2018 the legislation became enforceable. Since May 25, 2018, GDPR has resulted in over 59,000 publicly disclosed breaches across the EU and UK and over 91 fines.
These 59,000 publicly-disclosed breaches represent the initial step in ensuring that citizens are provided with transparent, timely, and accurate information regarding online privacy and security.
The final project will include a Kaggle database with the details of over 250 data breaches disclosed between 2004 and 2017. This database includes each entity’s Name, Year, Records Lost, Sector, Method of Leak, and Source of the Leak. This Kaggle dataset provides evidence of the level of personal privacy that citizens all over the world have lost due to data breaches and unauthorized information disclosures, and it will be compared to the complaints listed in the EUDPS 2017 Annual Report. The EUDPS 2017 Annual Report data included in this report has been gleaned to reflect EU citizens’ most common complaints in 2017, one year prior to the enforcement of EUDPS GDPR legislation. The Kaggle and EUDPS datasets will be compared to a survey commissioned by DLA Piper Global Law Firm that highlights the publicly disclosed breaches and their locations from May 25, 2018 to the present. The survey will demonstrate how GDPR legislation represents a successful government response to citizens’ data privacy concerns.
2004-2017 Kaggle Data Breach Dataset
European Data Protection Supervisor
February 2019 DLA PIPER Data Breach Survey
GDPR legislation was designed to ensure that citizens have the right to know when their data may be compromised, and how governments and private enterprises use and store data. Using data from Kaggle and the EUDPS 2017 Annual Report, I will demonstrate how the severity of data breaches is reflected in EU citizens’ discontent with the lack of transparency surrounding data procurement, usage, and storage. The Kaggle dataset is a quantifiable measure of the volume of personal information disclosed over the past fifteen years; this dataset will be complemented by the EUDPS’s 2017 Annual Report, which provides a qualitative measure of citizens’ concerns in response to data breaches.
The Kaggle dataset and EUDPS 2017 Annual Report will be compared against DLA Piper Global Law Firm’s GDPR Data Breach survey. Although GDPR has been enforceable for only 8 months, the survey results demonstrate how GDPR is successfully forcing governments and private enterprise to be accountable for securing personal information.
I will use Shorthand to demonstrate the progression of data breaches from 2004 to 2017, citizens’ response to the data breaches, and the current measurable effect of GDPR legislation. The storyboard will display the linear progression of over 10 years of data breaches, citizen response, and how GDPR legislation demonstrates a quantifiable response to citizens’ concerns.
My data centers upon initial GDPR data which confirms that GDPR legislation has increased the number of disclosed breaches for consumer awareness. My target audience is American citizens who may not be familiar with how GDPR’s legislation can provide citizens with more awareness about how their information is used, stored, and deleted.
In order to gain a sample of this target audience, I chose to interview individuals who do not have prior experience or studies in policy or privacy. Interviewees included a doctor from UPMC, a Master’s in Liberal Arts student at Stanford, and a football coach from Ohio. None of these interviewees had previous studies in privacy or the GDPR legislation. For each individual, I asked what my wireframe sketches represented and what information the graphs presented. Next I asked the interviewees what information they didn’t understand, and what action they would take after seeing this dataset.
All three users were confused about why the US wasn’t present in the bottom graph. The bottom graph lacked labels, so they were confused about what the breaches represented. They questioned what companies were breached, and why that information wasn’t present in any of the graphs. They didn’t understand how the pie graph of user complaints fit into the dataset.
As the author of the page, I recognized that the data was disjointed and not clearly tied together in a concise argument. I want the reader to see where data breaches were previously disclosed, read users’ complaints about data privacy, then see how the passing of the GDPR resulted in a significant increase in breach disclosures across the EU. For my final project, I plan to accomplish that by displaying previous breaches on a map, using a color scheme to highlight the number from the EU. I will compare those numbers with the current EU breach disclosures from 2018-2019. Both datasets will be displayed on maps, with only the EU countries highlighted in color. The complaints will introduce the second map as the impetus for the change that resulted in GDPR legislation.
Part I.
The map below will replace the bar chart to better highlight the number of publicly disclosed breaches in the EU between 2004 and 2017.
Part II.
The EU citizen complaints will be represented by 8 individuals of different sizes that correspond to the percent of complaints received by the EUDPS.
Part III.
The graph below will show how GDPR legislation has effectively increased the number of breach disclosures in the EU; those disclosures provide EU citizens with more awareness about their digital data security.
Intended Audience
The intended audience of this story map is non-security professionals. I am currently studying Information Security at Carnegie Mellon University’s Heinz College, and one of the primary obstacles to ensuring and maintaining digital information security is the lack of user awareness and understanding of security principles. The goal of this storyboard is for non-security professionals to review the information, learn what a security breach means, and understand that GDPR is effectively increasing the number of breach disclosures in the EU.
In order to effectively reach that intended audience, I conducted numerous interviews with the interview subjects from Part II. None of the interview subjects had any prior knowledge of information security, GDPR, or data policy. In addition, none of my interview subjects had taken prior courses in data visualization. After each draft of my final presentation, I showed it to the three interviewees and asked them what they understood from the data and what confused them. Based on their feedback, I included brief definitions and explanations before each chart or map.
GDPR is an extensive subject, and my data story contained three different data sources. The user feedback was instrumental in helping me focus the story on a particular component of the data to ensure that users will find value from the presented information. During my final draft stage, all three interviewees concurred that they learned something from the data and were interested in learning more about data breach notification legislation.
Work Flow
After the enforcement of GDPR there was much debate about whether companies would comply with the regulations. GDPR is the most extensive piece of privacy legislation, and as a student of security, I am very interested in watching whether its success will lead other nations to pass similar legislation. The data in my story reflects the first data points from GDPR; although the regulations and data are less than 1 year old, I do believe that they are evidence that GDPR will direct and influence how consumer data is stored and used, and may influence how other countries regulate the use and storage of personal data.
In order to tell a story from the GDPR data, I designed numerous wireframes attempting to simplify the data in order to tell a story that displayed how the legislation drastically affected how and when companies notified consumers of a data breach. Ultimately, it was user feedback that directed my drafts to ensure that my users could understand and follow the story’s content.
Looking back on the process, I recognize how difficult it was to compress the data and background into a brief yet meaningful presentation. In addition, sometimes the tools that I wanted to use didn’t include the functionality that I envisioned, so I made numerous charts and graphs on different tools, comparing them for aesthetics and usability. Ultimately, my final draft utilizes Shorthand, Infogram, and Datawrapper.
https://carnegiemellon.shorthandstories.com/cmoynaha/index.html