The Impact of GDPR In IT Policy
Submitted To
Dr. Donnie Grimes
University of the Cumberlands
Submitted in Fulfillment of Research Paper
Information Technology in Global Economy (ITS-832-22)
Submitted By
Group # 7
Amarender Reddy Chada
Ramu Chilukuri
Mittal Patel
Manoj Kumar Peddarapu
Abstract
The current rapid transformation within the world of I.T. is posing a threat not only to personal information but to all sectors associated with I.T. Management of essential data is a factor that organizations, business firms, and government agencies struggle with daily. As organizations strive to ensure complete protection of data during storage and sharing, hackers around the globe are also working to create new ways to breach data protection servers. The disclosure of vital data from one point to another is a systematic process that must be regulated at all costs because, if the data gets compromised, the outcomes are severe. This paper analyses the impacts of GDPR on I.T. policy around the world through an evaluation of several peer-reviewed articles on GDPR.
Keywords: GDPR, Privacy, Cybersecurity, emerging technologies.
Introduction
The process of disclosing data from various agencies ought to state the purpose of the data and the duration of its use. When sharing critical data with a third party, it is vital to assess the channels through which the data flows. Business firms and public authorities that operate by systematic processing of data have to appoint a DPO (data protection officer). Having control of personal data is key to ensuring that the data is shared only with the relevant people. With the rising cases of cyber threats and the selling of personal data on the dark web, keeping track of your personal information is your full responsibility. Relevant authorities only come in to assist when the case that is compromising data is critical and poses a security threat to other sectors. The primary obligation of GDPR is to ensure that people have control of their most essential data. GDPR achieves control of data by facilitating the regulatory environment for data.
Articles analysis on GDPR
In the article (Cornock, 2018), Cornock systematically analyzes
the primary impacts of GDPR on various research institutions
and on actual research activities within various sectors, such as
the I.T. and medical sectors. According to the article, there are
still several debates on how GDPR is going to affect research in
various sectors, from the I.T. sector to the business and
marketing sectors, not just within the European Union but around
the globe. Most of the arguments on GDPR look at the
regulation as a potential obstacle to a world of free information
sharing. Many people are still not aware of the actual
implications that both the E.U. and the world in general will
face with the complete implementation of GDPR.
Although the regulation directly affects the E.U.'s member
states, the rest of the world is expected to be affected in one
way or another. According to the article, the regulation
provides a two-year transition period from the DPD
(data protection directive) if there is a need for change. The
primary concern of GDPR is to work practically in handling
data, including the manner in which the data is shared. The
fundamental rights that people will have under the
GDPR include the right to be forgotten, and this factor
implies that any request for data has to be accompanied by
data deletion after the use of the data. The regulations also outline
criteria for data transfer to non-member states outside the E.U.
These regulations are aimed at ensuring that the rights of
individuals are protected from being reduced by any other
laws within the countries that are receiving the data.
This article evaluates all the possible impacts of GDPR on
technology across the globe. According to the authors, GDPR
requires significant data protection. The regulations also pose
several challenges and potential opportunities for
organizations across the I.T. sector on the
international market. Organizations across the globe still
haven't prepared adequately to comply with the regulations. As
a way of minimizing the liability that they might face,
organizations have to make drastic transformations in order to
fully comply with the rules. This article also evaluates how the U.S.
and China, which are the world's economic super-powers, strive
to respond to the critical challenges and the opportunities that
GDPR is bringing into the world of technology and data
protection (Li, 2019).
Implementation of GDPR
The comprehensive implementation of the GDPR came into
effect on 25th May 2018. The regulations aim at laying down
precise guidelines for processing, managing, and storing data
from citizens of the E.U. member states. The regulations also
aim at strengthening data protection within the E.U. member
states as a way of meeting data privacy challenges that are
arising from the rapid development of digital technology.
Although the regulations primarily protect citizens of the E.U.
member states, they are going to have a significant impact on
technology and data sharing globally. This includes
organizations that target the European market in terms of products
and service delivery and the identification of information. As a result
of the implementation of GDPR, consumers have greater
control over their data, which includes the right to withdraw any form
of consent as provided for in (Art. 7) and the right to be
forgotten as provided for in (Art. 17). On the other hand, the
regulation outlines high standards for data processors and
controllers, which include data protection by
design as outlined in (Art. 25) and the recording of significant
processing activity (Art. 30). This requires that organizations
get the consent of the user before collecting data and
implement the right technical mechanisms, including the
measures taken to protect the private data of citizens of all E.U.
member states (Kaushik & Wang, 2018).
GDPR holds all organizations that handle any form of data that
directly affects E.U. members accountable for any kind of
non-compliance with the GDPR. As stated earlier, the regulations
provide both challenges and opportunities to technology
firms, data center providers, cloud service providers, and
data marketers, who must first adopt all the necessary strict
measures, ways of data protection, standards, and processes for
managing all private data. Failing to comply with the
regulations means that the data handlers will incur significant
fines. According to GDPR, personal data is anything used in
identifying a person. Therefore, personal data includes
personally recognizable details such as I.P. addresses, names,
social security details, emails, location data, telephone numbers,
and dates of birth.
Personal data also includes information related to economic,
genetic, social, and cultural identity. The world's leading
technology firms such as Facebook, Amazon, and Google have
thoroughly updated their data privacy practices and policies as a
way of complying with all the regulations outlined by GDPR.
Complying with the GDPR gives firms a competitive advantage
on the international market as compared to other firms that have
not yet complied with the regulations.
The impacts of GDPR on Technology platforms
The implementation of GDPR is having significant impacts on
technology platforms and the data infrastructures that collect,
manage, and store all forms of private data (Mackay, 2017).
Because the requirements outlined in GDPR are
high regarding data collection and processing, all the controllers
and processors that handle private
data have the full responsibility of
protecting data by default or by design in their
infrastructures. They also have the responsibility of recording
all the essential activities related to the data. Organizations
have the mandate of conducting thorough assessments of their
technology platforms and data infrastructures, including the
information systems, databases, websites, data warehouses,
and all the processing platforms, as a way of understanding the
kind of data collected and where private data exists.
Internal assessments lead organizations to implement the relevant
changes to the technology platforms and the data
infrastructures as a way of meeting the requirements outlined by
GDPR. In other cases, re-engineering the
existing information systems/platforms is necessary for
reducing the threat of non-compliance. The user has the liberty
to request all the relevant information concerning the kind of
data collected, including what the data is to be used for.
Organizations handling the private data have the responsibility
of providing the information in good time upon the user's
request. Large firms, such as Alibaba
and Amazon, have the highest chances of receiving requests
from millions of their customers across the globe. The two firms
handle large volumes of data daily, and in cases where
a customer is not satisfied with how a firm is using his/her
personal information, he/she has the liberty to request the firm
or organization to completely delete the data.
Organizations with employees from the E.U. or living in the
E.U. must also handle the personal data of the employees, which
includes bank details, photos, pension information, tax,
medical records, safety reports, C.V.s, and salary information, in
the best manner (Beacham, 2018). As a way of meeting the
requests of both customers and employees concerning
efficient access to personal data, or the removal of
personal information from the I.T. systems, firms must refine
their current I.T. systems and platforms. The primary starting
point for companies is identifying the private data that is related
to customers or employees in I.T. systems such as the
customer relationship data management systems, the H.R. systems,
the databases, and the I.T. archives.
The second step is for firms to implement holistic tools
that search information across all the I.T. systems, platforms,
archives, and infrastructures as a way of identifying and
extracting all the private data (Mackay, 2017). Without
holistic search tools, the chances of companies ensuring
complete accountability in handling personal data
are minimal. To meet the primary requirements
outlined by the GDPR, firms have to invest heavily in human
resources and the necessary upgrading of technology
platforms, update their privacy policies, change/regulate their
advertising methods, and adjust their data storage and processing
mechanisms. The impacts of GDPR on U.S. and Chinese
firms are significant. The two countries, which are the world's
economic super-powers, have many companies that carry out
business activities with the European Union.
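
The two steps described above (identify where personal data lives, then search every system for it) can be sketched as a small cross-system inventory. This is an added example, not code from the paper or from any GDPR product; the system names, records, and regular expressions are constructed assumptions, and they cover only some of the identifier types the paper lists (e-mail, I.P. address, social security number, date of birth, telephone number).

```python
import re
from collections import defaultdict

# Ordered detectors: specific formats first, the loose phone pattern last.
# Patterns are simplified assumptions for illustration, not a full PII taxonomy.
DETECTORS = [
    ("email", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("dob", re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b")),
    ("phone", re.compile(r"(?<![\w.])\+?\d[\d ()-]{7,}\d\b")),
]

# Constructed sample data standing in for three separate I.T. systems.
SYSTEMS = {
    "crm": [
        {"id": "c-1", "name": "Anna Example",
         "contact": "anna@example.org, +44 20 7946 0958"},
        {"id": "c-2", "name": "Ben Sample", "contact": "ben@example.net"},
    ],
    "hr": [
        {"id": "h-7", "notes": "Anna Example, born 1985-04-12, "
                               "SSN 078-05-1120, payroll mail anna@example.org"},
    ],
    "web_logs": [
        {"id": "w-3", "line": "203.0.113.7 - - GET /account?user=anna@example.org"},
        {"id": "w-4", "line": "build 10.2.300.1 deployed"},  # version string, not an IP
    ],
}


def find_pii(text):
    """Return (kind, value) pairs found in text, one kind per matched span."""
    found = []
    work = text
    for kind, pattern in DETECTORS:
        def mask(match, kind=kind):
            value = match.group(0)
            # Reject dotted quads with an octet above 255 (e.g. version strings).
            if kind == "ipv4" and any(int(o) > 255 for o in value.split(".")):
                return value
            found.append((kind, value))
            # Blank the span so a looser detector cannot claim it again
            # (an SSN or a date would otherwise also look like a phone number).
            return " " * len(value)
        work = pattern.sub(mask, work)
    return found


def build_inventory(systems):
    """One row per identifier: (system, record id, field, kind, value)."""
    rows = []
    for system, records in systems.items():
        for record in records:
            for field, value in record.items():
                if field == "id":
                    continue
                for kind, match in find_pii(str(value)):
                    rows.append((system, record["id"], field, kind, match))
    return rows


def locate_subject(systems, identifier):
    """Map system -> record ids holding identifier, to scope an access or erasure request."""
    needle = identifier.lower()
    hits = defaultdict(list)
    for system, record_id, _field, _kind, value in build_inventory(systems):
        if value.lower() == needle and record_id not in hits[system]:
            hits[system].append(record_id)
    return dict(hits)


if __name__ == "__main__":
    for row in build_inventory(SYSTEMS):
        print(row)
    print(locate_subject(SYSTEMS, "anna@example.org"))
```

Names such as "Anna Example" are not caught by pattern matching; linking them to a data subject needs a known identifier, as `locate_subject` does here with the e-mail address.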
According to a survey by PricewaterhouseCoopers, almost
68% of U.S. firms will spend between $1 million and $10 million
as a way of meeting the regulations outlined by GDPR; 9% of
the companies will pay more than $10 million (PwC, 2017).
The high cost is likely to be transferred to the consumers, a
factor that will weaken the competitive advantages that
American and Chinese firms enjoy. Furthermore, GDPR is
becoming a tool for the European Commission to appropriately
accuse non-EU firms, including the American and Chinese
firms that have challenges with data protection, and, in one way
or another, block the firms from investing and merging.
Several U.S. and Chinese firms try to comply with the
regulations. These firms include Huawei, a Chinese
telecommunication giant, which has appointed data protection
personnel, and YouTube, which stopped supporting any form of
third-party advertising on the services that are specifically reserved
for Europe.
However, despite the efforts that some firms across the globe
are putting into managing their technology platforms,
there are unexpected events happening; a good example is the
announcement by Yeelight, one of the sizeable smart
light device companies, that it would cut its services to European users.
After the enforcement of GDPR, Facebook and its affiliates, i.e.,
Instagram and WhatsApp, and Google were sued over
"forced consent." The case reflects the picture that any foreign
company's business with the E.U. is highly influenced by the
GDPR.
The impacts on Cybersecurity
With the implementation of GDPR, cybersecurity policies
are expected to change because the regulations
require firms to implement the most suitable data protection
mechanisms as a way to protect private consumer information
against data loss or breach, which may lead to
the data being exposed. According to article five of the
regulation, the essential privacy and data protection
requirements include full consent of the subject for any form of
data processing, anonymized collection of data to
protect data, data breach notification,
and safe handling of data during the process of transferring the
data from one system to another. Firms must appoint a data
protection officer, who is then mandated to oversee that the
firms comply with the GDPR.
Based on past cases of cyber breaches of vital data, GDPR
requires that all data controllers notify the supervisory authorities
about any breach of personal data without delay, and
at the latest within 72 hours after becoming aware of the
breach. This factor, therefore, means that firms have to improve
their cybersecurity efforts as a way of ensuring that there is
complete protection of personal data against any form of
breach or threat. Firms must also strive to minimize their
liabilities under the regulations outlined in GDPR. GDPR further
increases the demand for cybersecurity experts and data
protection personnel. In efforts towards addressing the current
shortage of cybersecurity and data protection experts,
governments and technology firms are investing heavily in
cybersecurity training and other I.T. education programs
(Whitney, 2018).
The requirement to provide robust security for personal data
comes with several opportunities for firms. The issues of
security and privacy are accompanied by the trust of the users, a
factor that is essential in business, especially in the current
highly competitive global market that is controlled by digital
market platforms. There has been a rise in cases associated
with security vulnerabilities affecting personal data; cases where
companies have failed to properly handle personal information,
and the selling of information collected from consumers, have
raised a number of concerns, leading to negative impacts on the
trust of consumers (Midha, 2012). According to the Capgemini
report, 39% of consumers spend more after being convinced
that organizations protect their private data (Cap Gemini
Research Institute, 2018). This factor means that
gaining the trust of customers concerning data privacy and
security may lead to improved sales, translating into a competitive
advantage (Conroy, Narula, Milano, & Singhal, 2014).
U.S. and Chinese firms need to make use of the opportunities
that GDPR is providing to enhance their ability to protect
personal data as a way of minimizing legal liabilities under
GDPR and at the same time win the trust of consumers across the
global market, which will help the firms create unique
competitive advantages over thousands of firms that can't
comply with GDPR.
The impacts of GDPR on the emerging technology
The implementation of GDPR has a significant impact on
developing technologies. Emerging technologies such as
A.I., cloud computing, and blockchains are among the
most effective means of boosting productivity and performance
in other sectors of the economy. The actual application and
development of emerging technology are vital in promoting
other aspects of economies, as the technologies are
becoming one of the robust competitive domains among
countries across the globe. It is vital to note that emerging
technologies only deliver value by using massive data and
very high-quality algorithms. The strict regulations on the way
data is supposed to be handled and processed are inhibiting the
development of new I.T. policies and technologies. At the same
time, the use of emerging technologies is under strict
regulation, increasing the actual cost of developing the new
technologies.
The implementation of GDPR is profoundly impacting the
development of A.I. applications by raising development
expenses while at the same time limiting the actual application
scope of Artificial Intelligence. According to articles 13 and
22 of the GDPR, several algorithmic decisions must go
through a severe reviewing process and be explained by
humans; the restrictions are likely going to increase actual
labor expenses. This factor will also break the balance that exists
between transparency and accuracy. According to article 17 of
the regulations, users are provided with an opportunity to delete
private data without delay, a factor that is gradually
destroying primary rules that underpin Artificial
Intelligence systems, leading to a decrease in the efficiency and
actual accuracy of A.I. algorithms.
Looking at blockchains, it is challenging to
identify data controllers and hard to require that
nodes perform strict roles (Wallace & Castro, 2018). As the
data of every node of any blockchain impacts the subsequent
records, if at all a blockchain user has the authority to delete
or change data, the effectiveness and efficiency of blockchains
stop existing. Looking at cloud computing, the GDPR establishes
several duties for cloud platform service providers, which are
required to provide information on all processing of data
in accordance with articles 13 and 14 of GDPR. This factor
definitely brings operational challenges and increases the
expenses of operating any cloud platform, because the
efficiency of cloud computing is generated by optimal
resource allocation, which is determined by tasks and can't be
entirely determined at the time of data collection.
Although several firms in the U.S., China, and other
countries across the globe have the responsibility of complying
with the regulations, firms within the European Union
are still affected within the fields of emerging technologies
because they deal with private data most of the
time and most of the information belongs to E.U. residents.
If the emerging technology industry within the E.U.
fails to effectively solve the challenges associated with cloud
computing, blockchain, and Artificial Intelligence by using
appropriate technological upgrading, a process that is likely to be
long term, the actual application and development of
emerging technologies within the European Union is going to
slow down. Several industries such as e-commerce, credit
cards, and intelligent manufacturing, which are crucial
industries supported by emerging technologies, will also be
affected significantly. Firms in countries such as the U.S.
and China will have higher chances of improving and using
emerging technologies than firms within the European
Union. Several firms in China and the U.S. have chances of
creating products that effectively serve the domestic needs of
consumers, which means that as time progresses, firms in the U.S.
and China have the ability to develop robust competitive
advantages as compared to firms in the E.U.
GDPR is basically designed as a mechanism for ensuring that all
the necessary precautions are put in place to provide
comprehensive protection of any form of personal
data. Various threats whose risks are likely to be
controlled through the GDPR include:
Espionage: many still think that espionage is not an act of war,
but the fact is that it causes tension among countries. It is a form of
cyber-attack that involves obtaining confidential data without
the consent of the owner of the information (Kafol & Bregar,
2017). An example of espionage is the massive act of spying on
other countries by the American government, as ICT hacker
Edward Snowden revealed.
Sabotage: this form of cyber-attack involves using computer and
satellite systems to coordinate and run operations leading to a
severe disruption of other networks, including military
systems like C4ISTAR that run and control communications. As
a cyber-attack, sabotage leads to the interception of crucial
communication or malicious replacement of the intended
transmission. Other things that get affected by a sabotage attack
are water, transportation, power, and fuel infrastructures.
Propaganda: cyber-propaganda refers to efforts by one nation
to control another nation's information in any way possible and
use the information in managing the general public opinion
(Goswami, 2018). To a high degree, cyber propaganda is
psychological warfare; the only difference is that it uses
websites that run fake news, social media platforms, and other
internet platforms. Jowett & Donnell (2018) state that
"propaganda is the deliberate, systematic attempt to shape
perceptions, manipulate cognitions, and direct behavior to
achieve a response that furthers the desired intent of the
propagandist" (p. 7).
Economic disruption: this form of cyber-attack targets economic
infrastructures such as manufacturing companies, the processing
industry, and other aspects of the economy. An excellent
example of economic disruption is the WannaCry attacks that
affected Ukraine and the U.K.'s N.H.S., Merck pharmaceuticals,
Maersk shipping, and other organizations globally. Economic
disruption is a cyber-crime and a financial crime in particular.
Surprise Cyber Attacks: this kind of attack involves using
malware such as antivirus to attack communications systems,
information systems, and other software that is operated by a
particular organization.
On the other hand, the various methods of cyber threats that are likely
to be controlled include:
Denial-of-service (DoS): this method of cyber-attack
overpowers the computer system, affecting its response speed and
making it unable to respond to requests during operations. The
attack is launched from a significant number of host systems
infected by malicious software that is controlled by attackers
(Abawajy, 2014). Attackers that initiate this kind of attack don't
gain direct benefits; in cases where the attack is launched against
the computer systems of business firms, the attackers are likely to
enjoy some benefits. DoS also aims at taking a
system offline as a way of launching other attacks.
The common types of DoS attacks are teardrop attacks, botnets,
smurf attacks, TCP SYN, and flood attacks.
The MitM (Man-in-the-Middle) attack: this kind of attack takes
place in cases where hackers come in between the
communication servers of the clients and the communication
server of a particular government agency (Thomas,
Vijayaraghavan & Emmanuel, 2020). The common types of
MitM include session hijacking, where hackers hijack
communication sessions between trusted clients and network
servers. During this attack, the hacker's computer system
replaces the client's I.P. address with its own and continues
with the communication session. The original server
is manipulated into thinking that it is communicating with the
client's computer system.
Two common points of entry for MitM attacks:
1. On unsecured public Wi-Fi, attackers can insert themselves
between a visitor's device and the network. Without knowing,
the visitor passes all information through the attacker.
2. Once the malware has breached a device, an attacker can
install software to process all of the victim's information.
The phishing and spear-phishing attack: a phishing attack
involves the transmission of manipulated emails that seem to
come from a trusted source in order to get personal
data or influence the system users to carry out an activity that they
are not aware of. The attack combines social engineering and
technical trickery, and in some cases, it involves an email attachment
that loads malware onto the computer. The attack may also link
to illegitimate websites, which can lead the user
into downloading malware or handing over personal data. On the
other hand, spear phishing is a targeted kind of phishing, as the
attacker researches the potential target, after which they create
personal messages.
The SQL injection attack: this is an attack executed by a
malefactor that carries out an SQL query against the system's
database through the client's input data. The SQL command put
into the DPI (data-plane input) controls the system's login
process. Any successful SQL attack can read crucial
information from the server, change the database information,
run administration operations, recover content, and command the
system to run automatically.
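
The login case described above can be shown as a query built by string concatenation beside its parameterized form. This is an added example, not code from the paper; the table, account, salt, and input strings are constructed, and `probe` is a hypothetical helper used only to classify the outcome.

```python
import hashlib
import sqlite3


def pw_hash(password, salt=b"constructed-salt"):
    # PBKDF2 keeps the sample realistic; the fixed salt is a constructed value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_db():
    """In-memory database with one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("alice", pw_hash("correct horse")))
    return db


def login_vulnerable(db, username, password):
    # Client input is concatenated into the SQL text, so a quote character in
    # `username` ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND pw_hash = '" + pw_hash(password) + "'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, username, password):
    # Placeholders send the values separately from the statement, so the
    # input is only ever compared as data.
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    return db.execute(sql, (username, pw_hash(password))).fetchone() is not None


def probe(db, login, username, password):
    """Classify one login attempt as 'granted', 'denied' or 'sql-error'."""
    try:
        return "granted" if login(db, username, password) else "denied"
    except sqlite3.OperationalError:
        # A syntax error caused by user input is itself a signal worth
        # alerting on: the input reached the SQL parser.
        return "sql-error"


if __name__ == "__main__":
    db = make_db()
    attempts = [
        ("alice", "correct horse"),   # legitimate login
        ("alice' --", "wrong"),       # quote plus comment drops the password check
        ("o'brien", "x"),             # ordinary apostrophe in a name
    ]
    for username, password in attempts:
        print(repr(username),
              "vulnerable:", probe(db, login_vulnerable, username, password),
              "parameterized:", probe(db, login_parameterized, username, password))
```

The third attempt shows why the concatenated form is also a reliability bug: a legitimate name containing an apostrophe breaks the statement, and such parser errors in application logs are a useful detection signal.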
The Drive-in attack: this method is widely used in spreading
malware. Through this method, hackers identify insecure
websites, after which they plant malicious scripts into the
PHP/HTTP code. The planted scripts install malware onto the
computer when the sites are visited. In other cases, the scripts
direct the networks to the hacker's sites. This attack does not
depend on the user to carry out any activity that actively runs
the offense, meaning the attack runs automatically the moment
the user visits the sites with planted script code.
The password attack: an attack through this method targets
users' passwords and is executed by plugging into a connection and then
acquiring passwords as encryptions. The attack is carried out through social
engineering, accessing the password database, or just guessing
through a random or systematic approach.
Malware attack: this method used in cyber-attacks involves the
installation of unwanted software onto a computer system
without the user's consent. The malicious software gets installed
by attaching itself to the computer's legitimate code and then
propagating itself across the network. The common types of
malicious software are macro viruses (which affect Microsoft
Word/Excel), file infectors, system record infectors,
polymorphic viruses, stealth viruses, Trojans, logic bombs,
worms, droppers, and ransomware. Malware is the most
common and most dangerous type of cyber-attack. Malware can
be of many types, and it is sent by hackers intending to
block and change network keys or settings, damage information
on a computer or a network of computers, sabotage, and,
most importantly, disable a system.
The Eavesdropping attack: this method of attack is executed by
intercepting network traffic. Through this method, the
attacker can access passwords, credit card numbers, and any
confidential information sent through the network. The
technique takes two forms: passive
eavesdropping, where the hacker detects information
by listening to the information transmissions, and active
eavesdropping, where the hacker
actively takes information by posing as a friend of the network
transmitting the information.
Conclusion
The fact that the I.T. sector is facing is that GDPR is
having a massive impact on all aspects of technology and the
application of technology in the protection of personal
information. "Although this editorial has discussed many
potential challenges of GDPR, we encourage companies to think
of compliance with GDPR as a strategic opportunity for gaining
a competitive edge in this data-driven world. Technology
companies that target global markets are recommended to step up
their efforts to secure their data, systems, products, and services
for compliance with GDPR. We also encourage scholars and
practitioners to study issues related to the implementation and
compliance of GDPR and share insights" (Wright, 2017).
References
Beacham, J. (2018). Is your practice GDPR ready? In Practice, 40(3), 124–125.
Cap Gemini Research Institute. (2018). Seizing the GDPR advantage: From mandate to high-value opportunity.
Conroy, P., Narula, A., Milano, F., & Singhal, R. (2014). Building consumer trust - Protecting personal data in the consumer product industry.
Cornock, M. (2018). General Data Protection Regulation (GDPR) and implications for research. Maturitas, 111, A1.
European Union. (2016). General data protection regulation. Off J Eur Union 49: L119.
Kaushik, S., & Wang, Y. (2018, December 20). Data privacy: Demystifying the GDPR.
Li, H., Yu, L., & He, W. (2019). The impact of GDPR on global technology development.
Mackay, D. (2017). The impact of GDPR from a technology perspective – is your platform ready?
Public Administration and Information Technology
Volume 10
Series Editor
Christopher G. Reddick
San Antonio, Texas, USA
More information about this series at http://www.springer.com/series/10796
Marijn Janssen • Maria A. Wimmer • Ameneh Deljoo
Editors
Policy Practice and Digital Science
Integrating Complex Systems, Social Simulation and Public Administration in Policy Research
Editors
Marijn Janssen
Faculty of Technology, Policy, and Management
Delft University of Technology
Delft
The Netherlands
Ameneh Deljoo
Faculty of Technology, Policy, and Management
Delft University of Technology
Delft
The Netherlands
Maria A. Wimmer
Institute for Information Systems Research
University of Koblenz-Landau
Koblenz
Germany
ISBN 978-3-319-12783-5 ISBN 978-3-319-12784-2 (eBook)
Public Administration and Information Technology
Preface
The last economic and financial crisis has heavily threatened European and other economies around the globe. Also, the Eurozone crisis, the energy and climate change crises, challenges of demographic change with high unemployment rates, and the most recent conflicts in the Ukraine and the near East or the Ebola virus disease in Africa threaten the wealth of our societies in different ways. The inability to predict or rapidly deal with dramatic changes and negative trends in our economies and societies can seriously hamper the wealth and prosperity of the European Union and its Member States as well as the global networks. These societal and economic challenges demonstrate an urgent need for more effective and efficient processes of governance and policymaking, therewith specifically addressing crisis management and economic/welfare impact reduction.
Therefore, investing in the exploitation of innovative information and communication technology (ICT) in the support of good governance and policy modeling has become a major effort of the European Union to position itself and its Member States well in the global digital economy. In this realm, the European Union has laid out clear strategic policy objectives for 2020 in the Europe 2020 strategy¹: In a changing world, we want the EU to become a smart, sustainable, and inclusive economy. These three mutually reinforcing priorities should help the EU and the Member States deliver high levels of employment, productivity, and social cohesion. Concretely, the Union has set five ambitious objectives—on employment, innovation, education, social inclusion, and climate/energy—to be reached by 2020. Along with this, Europe 2020 has established four priority areas—smart growth, sustainable growth, inclusive growth, and later added: A strong and effective system of economic governance—designed to help Europe emerge from the crisis stronger and to coordinate policy actions between the EU and national levels.
To specifically support European research in strengthening capacities, in overcoming fragmented research in the field of policymaking, and in advancing solutions for ICT supported governance and policy modeling, the European Commission has cofunded an international support action called eGovPoliNet². The overall objective of eGovPoliNet was to create an international, cross-disciplinary community of researchers working on ICT solutions for governance and policy modeling. In turn, the aim of this community was to advance and sustain research and to share the insights gleaned from experiences in Europe and globally. To achieve this, eGovPoliNet established a dialogue, brought together experts from distinct disciplines, and collected and analyzed knowledge assets (i.e., theories, concepts, solutions, findings, and lessons on ICT solutions in the field) from different research disciplines. It built on case material accumulated by leading actors coming from distinct disciplinary backgrounds and brought together the innovative knowledge in the field. Tools, methods, and cases were drawn from the academic community, the ICT sector, specialized policy consulting firms as well as from policymakers and governance experts. These results were assembled in a knowledge base and analyzed in order to produce comparative analyses and descriptions of cases, tools, and scientific approaches to enrich a common knowledge base accessible via www.policy-community.eu.
¹ Europe 2020 http://ec.europa.eu/europe2020/index_en.htm
This book, entitled “Policy Practice and Digital Science—Integrating Complex Systems, Social Simulation, and Public Administration in Policy Research,” is one of the exciting results of the activities of eGovPoliNet—fusing community building activities and activities of knowledge analysis. It documents findings of comparative analyses and brings in experiences of experts from academia and from case descriptions from all over the globe. Specifically, it demonstrates how the explosive growth in data, computational power, and social media creates new opportunities for policymaking and research. The book provides a first comprehensive look on how to take advantage of the development in the digital world with new approaches, concepts, instruments, and methods to deal with societal and computational complexity. This requires the knowledge traditionally found in different disciplines including public administration, policy analyses, information systems, complex systems, and computer science to work together in a multidisciplinary fashion and to share approaches. This book provides the foundation for strongly multidisciplinary research, in which the various developments and disciplines work together from a comprehensive and holistic policymaking perspective. A wide range of aspects for social and professional networking and multidisciplinary constituency building along the axes of technology, participative processes, governance, policy modeling, social simulation, and visualization are tackled in the 19 papers.
With this book, the project makes an effective contribution to the overall objectives of the Europe 2020 strategy by providing a better understanding of different approaches to ICT enabled governance and policy modeling, and by overcoming the fragmented research of the past. This book provides impressive insights into various theories, concepts, and solutions of ICT supported policy modeling and how stakeholders can be more actively engaged in public policymaking. It draws conclusions of how joint multidisciplinary research can bring more effective and resilient findings for better predicting dramatic changes and negative trends in our economies and societies.
² eGovPoliNet is cofunded under FP 7, Call identifier FP7-ICT-2011-7, URL: www.policy-community.eu
It is my great pleasure to provide the preface to the book resulting from the eGovPoliNet project. This book presents stimulating research by researchers coming from all over Europe and beyond. Congratulations to the project partners and to the authors!—Enjoy reading!
Thanassis Chrissafis
Project officer of eGovPoliNet
European Commission
DG CNECT, Excellence in Science, Digital Science
Contents
1 Introduction to Policy-Making in the Digital Age
Marijn Janssen and Maria A. Wimmer
2 Educating Public Managers and Policy Analysts in an Era of Informatics
Christopher Koliba and Asim Zia
3 The Quality of Social Simulation: An Example from Research Policy Modelling
Petra Ahrweiler and Nigel Gilbert
4 Policy Making and Modelling in a Complex World
Wander Jager and Bruce Edmonds
5 From Building a Model to Adaptive Robust Decision Making Using Systems Modeling
Erik Pruyt
6 Features and Added Value of Simulation Models Using Different Modelling Approaches Supporting Policy-Making: A Comparative Analysis
Dragana Majstorovic, Maria A. Wimmer, Roy Lay-Yee, Peter Davis and Petra Ahrweiler
7 A Comparative Analysis of Tools and Technologies for Policy Making
Eleni Kamateri, Eleni Panopoulou, Efthimios Tambouris, Konstantinos Tarabanis, Adegboyega Ojo, Deirdre Lee and David Price
8 Value Sensitive Design of Complex Product Systems
Andreas Ligtvoet, Geerten van de Kaa, Theo Fens, Cees van Beers, Paulier Herder and Jeroen van den Hoven
9 Stakeholder Engagement in Policy Development: Observations and Lessons from International Experience
Natalie Helbig, Sharon Dawes, Zamira Dzhusupova, Bram Klievink and Catherine Gerald Mkude
10 Values in Computational Models Revalued
Rebecca Moody and Lasse Gerrits
11 The Psychological Drivers of Bureaucracy: Protecting the Societal Goals of an Organization
Tjeerd C. Andringa
12 Active and Passive Crowdsourcing in Government
Euripidis Loukis and Yannis Charalabidis
13 Management of Complex Systems: Toward Agent-Based Gaming for Policy
Wander Jager and Gerben van der Vegt
14 The Role of Microsimulation in the Development of Public Policy
Roy Lay-Yee and Gerry Cotterell
15 Visual Decision Support for Policy Making: Advancing Policy Analysis with Visualization
Tobias Ruppert, Jens Dambruch, Michel Krämer, Tina Balke, Marco Gavanelli, Stefano Bragaglia, Federico Chesani, Michela Milano and Jörn Kohlhammer
16 Analysis of Five Policy Cases in the Field of Energy Policy
Dominik Bär, Maria A. Wimmer, Jozef Glova, Anastasia Papazafeiropoulou and Laurence Brooks
17 Challenges to Policy-Making in Developing Countries and the Roles of Emerging Tools, Methods and Instruments: Experiences from Saint Petersburg
Dmitrii Trutnev, Lyudmila Vidyasova and Andrei Chugunov
18 Sustainable Urban Development, Governance and Policy: A Comparative Overview of EU Policies and Projects
Diego Navarra and Simona Milio
19 eParticipation, Simulation Exercise and Leadership Training in Nigeria: Bridging the Digital Divide
Tanko Ahmed
Contributors
Tanko Ahmed National Institute for Policy and Strategic Studies (NIPSS), Jos, Nigeria
Petra Ahrweiler EA European Academy of Technology and Innovation Assessment GmbH, Bad Neuenahr-Ahrweiler, Germany
Tjeerd C. Andringa University College Groningen, Institute of Artificial Intelligence and Cognitive Engineering (ALICE), University of Groningen, AB, Groningen, the Netherlands
Tina Balke University of Surrey, Surrey, UK
Dominik Bär University of Koblenz-Landau, Koblenz, Germany
Cees van Beers Faculty of Technology, Policy, and Management, Delft University of Technology, Delft, The Netherlands
Stefano Bragaglia University of Bologna, Bologna, Italy
Laurence Brooks Brunel University, Uxbridge, UK
Yannis Charalabidis University of the Aegean, Samos, Greece
Federico Chesani University of Bologna, Bologna, Italy
Andrei Chugunov ITMO University, St. Petersburg, Russia
Gerry Cotterell Centre of Methods and Policy Application in the Social Sciences (COMPASS Research Centre), University of Auckland, Auckland, New Zealand
Jens Dambruch Fraunhofer Institute for Computer Graphics Research, Darmstadt, Germany
Peter Davis Centre of Methods and Policy Application in the Social Sciences (COMPASS Research Centre), University of Auckland, Auckland, New Zealand
Sharon Dawes Center for Technology in Government, University at Albany, Albany, New York, USA
Zamira Dzhusupova Department of Public Administration and Development Management, United Nations Department of Economic and Social Affairs (UNDESA), New York, USA
Bruce Edmonds Manchester Metropolitan University, Manchester, UK
Theo Fens Faculty of Technology, Policy, and Management, Delft University of Technology, Delft, The Netherlands
Marco Gavanelli University of Ferrara, Ferrara, Italy
Lasse Gerrits Department of Public Administration, Erasmus University Rotterdam, Rotterdam, The Netherlands
Nigel Gilbert University of Surrey, Guildford, UK
Jozef Glova Technical University Kosice, Kosice, Slovakia
Natalie Helbig Center for Technology in Government, University at Albany, Albany, New York, USA
Paulier Herder Faculty of Technology, Policy, and Management, Delft University of Technology, Delft, The Netherlands
Jeroen van den Hoven Faculty of Technology, Policy, and Management, Delft University of Technology, Delft, The Netherlands
Wander Jager Groningen Center of Social Complexity Studies, University of Groningen, Groningen, The Netherlands
Marijn Janssen Faculty of Technology, Policy, and Management, Delft University of Technology, Delft, The Netherlands
Geerten van de Kaa Faculty of Technology, Policy, and Management, Delft University of Technology, Delft, The Netherlands
Eleni Kamateri Information Technologies Institute, Centre for Research & Technology—Hellas, Thessaloniki, Greece
Bram Klievink Faculty of Technology, Policy and Management, Delft University of Technology, Delft, The Netherlands
Jörn Kohlhammer GRIS, TU Darmstadt & Fraunhofer IGD, Darmstadt, Germany
Christopher Koliba University of Vermont, Burlington, VT, USA
Michel Krämer Fraunhofer Institute for Computer Graphics Research, Darmstadt, Germany
Roy Lay-Yee Centre of Methods and Policy Application in the Social Sciences (COMPASS Research Centre), University of Auckland, Auckland, New Zealand
Deirdre Lee INSIGHT Centre for Data Analytics, NUIG, Galway, Ireland
Andreas Ligtvoet Faculty of Technology, Policy, and Management, Delft University of Technology, Delft, The Netherlands
Euripidis Loukis University of the Aegean, Samos, Greece
Dragana Majstorovic University of Koblenz-Landau, Koblenz, Germany
Michela Milano University of Bologna, Bologna, Italy
Simona Milio London School of Economics, Houghton Street, London, UK
Catherine Gerald Mkude Institute for IS Research, University of Koblenz-Landau, Koblenz, Germany
Rebecca Moody Department of Public Administration, Erasmus University Rotterdam, Rotterdam, The Netherlands
Diego Navarra Studio Navarra, London, UK
Adegboyega Ojo INSIGHT Centre for Data Analytics, NUIG, Galway, Ireland
Eleni Panopoulou Information Technologies Institute, Centre for Research & Technology—Hellas, Thessaloniki, Greece
Anastasia Papazafeiropoulou Brunel University, Uxbridge, UK
David Price Thoughtgraph Ltd, Somerset, UK
Erik Pruyt Faculty of Technology, Policy, and Management, Delft University of Technology, Delft, The Netherlands; Netherlands Institute for Advanced Study, Wassenaar, The Netherlands
Tobias Ruppert Fraunhofer Institute for Computer Graphics Research, Darmstadt, Germany
Efthimios Tambouris Information Technologies Institute, Centre for Research & Technology—Hellas, Thessaloniki, Greece; University of Macedonia, Thessaloniki, Greece
Konstantinos Tarabanis Information Technologies Institute, Centre for Research & Technology—Hellas, Thessaloniki, Greece; University of Macedonia, Thessaloniki, Greece
Dmitrii Trutnev ITMO University, St. Petersburg, Russia
Gerben van der Vegt Faculty of Economics and Business, University of Groningen, Groningen, The Netherlands
Lyudmila Vidyasova ITMO University, St. Petersburg, Russia
Maria A. Wimmer University of Koblenz-Landau, Koblenz, Germany
Asim Zia University of Vermont, Burlington, VT, USA
Chapter 1
Introduction to Policy-Making in the Digital Age
Marijn Janssen and Maria A. Wimmer
We are running the 21st century using 20th century systems on top of 19th century political structures. . . .
John Pollock, contributing editor MIT technology review
Abstract The explosive growth in data, computational power, and social media creates new opportunities for innovating governance and policy-making. These information and communications technology (ICT) developments affect all parts of the policy-making cycle and result in drastic changes in the way policies are developed. To take advantage of these developments in the digital world, new approaches, concepts, instruments, and methods are needed, which are able to deal with societal complexity and uncertainty. This field of research is sometimes depicted as e-government policy, e-policy, policy informatics, or data science. Advancing our knowledge demands that different scientific communities collaborate to create practice-driven knowledge. For policy-making in the digital age disciplines such as complex systems, social simulation, and public administration need to be combined.
1.1 Introduction
Policy-making and its subsequent implementation is necessary to deal with societal problems. Policy interventions can be costly, have long-term implications, affect groups of citizens or even the whole country and cannot be
computer science. All these knowledge areas are needed for policy-making in the digital age. The aim of this book is to provide a foundation for this new interdisciplinary field in which various traditional disciplines are blended.
Both policy-makers and those in charge of policy implementations acknowledge that ICT is becoming more and more important and is changing the policy-making process, resulting in a next generation policy-making based on ICT support. The field of policy-making is changing driven by developments such as open data, computational methods for processing data, opinion mining, simulation, and visualization of rich data sets, all combined with public engagement, social media, and participatory tools. In this respect Web 2.0 and even Web 3.0 point to the specific applications of social networks and semantically enriched and linked data which are important for policy-making. In policy-making vast amount of data are used for making predictions and forecasts. This should result in improving the outcomes of policy-making.
Policy-making is confronted with an increasing complexity and uncertainty of the outcomes which results in a need for developing policy models that are able to deal with this. To improve the validity of the models policy-makers are harvesting data to generate evidence. Furthermore, they are improving their models to capture complex phenomena and dealing with uncertainty and limited and incomplete information. Despite all these efforts, there remains often uncertainty concerning the outcomes of policy interventions. Given the uncertainty, often multiple scenarios are developed to show alternative outcomes and impact. A condition for this is the visualization of policy alternatives and its impact. Visualization can ensure involvement of nonexpert and to communicate alternatives. Furthermore, games can be used to let people gain insight in what can happen, given a certain scenario. Games allow persons to interact and to experience what happens in the future based on their interventions.
Policy-makers are often faced with conflicting solutions to complex problems, thus making it necessary for them to test out their assumptions, interventions, and resolutions. For this reason policy-making organizations introduce platforms facilitating policy-making and citizens engagements and enabling the processing of large volumes of data. There are various participative platforms developed by government agencies (e.g., De Reuver et al. 2013; Slaviero et al. 2010; Welch 2012). Platforms can be viewed as a kind of regulated environment that enable developers, users, and others to interact with each other, share data, services, and applications, enable governments to more easily monitor what is happening and facilitate the development of innovative solutions (Janssen and Estevez 2013). Platforms should provide not only support for complex policy deliberations with citizens but should also bring together policy-modelers, developers, policy-makers, and other stakeholders involved in policy-making. In this way platforms provide an information-rich, interactive environment that brings together relevant stakeholders and in which complex phenomena can be modeled, simulated, visualized, discussed, and even the playing of games can be facilitated.
1.2 Complexity and Uncertainty in Policy-Making
Policy-making is driven by the need to solve societal problems and should result in interventions to solve these societal problems. Examples of societal problems are unemployment, pollution, water quality, safety, criminality, well-being, health, and immigration. Policy-making is an ongoing process in which issues are recognized as a problem, alternative courses of actions are formulated, policies are affected, implemented, executed, and evaluated (Stewart et al. 2007). Figure 1.1 shows the typical stages of policy formulation, implementation, execution, enforcement, and evaluation. This process should not be viewed as linear as many interactions are necessary as well as interactions with all kind of stakeholders. In policy-making processes a vast amount of stakeholders are always involved, which makes policy-making complex.
Once a societal need is identified, a policy has to be formulated. Politicians, members of parliament, executive branches, courts, and interest groups may be involved in these formulations. Often contradictory proposals are made, and the impact of a proposal is difficult to determine as data is missing, models cannot capture the complexity, and the results of policy models are difficult to interpret and even might be interpreted in an opposing way. This is further complicated as some proposals might be good but cannot be implemented or are too costly to implement. There is a large uncertainty concerning the outcomes.
[Fig. 1.1 Overview of policy cycle and stakeholders. Stages: policy formulation, policy implementation, policy execution, policy enforcement and evaluation. Stakeholders shown: citizens, politicians, policy-makers, administrative organizations, businesses, inspection and enforcement agencies, experts.]
Policy implementation is done by organizations other than those that formulated the policy. They often have to interpret the policy and have to make implementation decisions. Sometimes IT can block quick implementation as systems have to be changed. Although policy-making is the domain of the government, private organizations can be involved to some extent, in particular in the execution of policies.
Once all things are ready and decisions are made, policies need to be executed. During the execution small changes are typically made to fine tune the policy formulation, implementation decisions might be more difficult to realize, policies might bring other benefits than intended, execution costs might be higher and so on. Typically, execution is continually changing. Evaluation is part of the policy-making process as it is necessary to ensure that the policy-execution solved the initial societal problem. Policies might become obsolete, might not work, have unintended effects (like creating bureaucracy) or might lose its support among elected officials, or other alternatives might pop up that are better.
Policy-making is a complex process in which many stakeholders play a role. In the various phases of policy-making different actors are dominant and play a role. Figure 1.1 shows only some actors that might be involved, and many of them are not included in this figure. The involvement of so many actors results in fragmentation and often actors are even not aware of the decisions made by other actors. This makes it difficult to manage a policy-making process as each actor has other goals and might be self-interested.
Public values (PVs) are a way to try to manage complexity and give some guidance. Most policies are made to adhere to certain values. Public value management (PVM) represents the paradigm of achieving PVs as being the primary objective (Stoker 2006). PVM refers to the continuous assessment of the actions performed by public officials to ensure that these actions result in the creation of PV (Moore 1995). Public servants are not only responsible for following the right procedure, but they also have to ensure that PVs are realized. For example, civil servants should ensure that garbage is collected. The procedure that once a week garbage is collected is secondary. If it is necessary to collect garbage more (or less) frequently to ensure a healthy environment then this should be done. The role of managers is not only to ensure that procedures are followed but they should be custodians of public assets and maximize a PV.
There exist a wide variety of PVs (Jørgensen and Bozeman 2007). PVs can be long-lasting or might be driven by contemporary politics. For example, equal access is a typical long-lasting value, whereas providing support for students at universities is contemporary, as politicians might give more, less, or no support to students. PVs differ over times, but also the emphasis on values is different in the policy-making cycle as shown in Fig. 1.2. In this figure some of the values presented by Jørgensen and Bozeman (2007) are mapped onto the four policy-making stages. Dependent on the problem at hand other values might play a role that is not included in this figure.
[Fig. 1.2 Public values in the policy cycle. Stages: policy formulation, policy implementation, policy execution, policy enforcement and evaluation. Values shown: efficiency, accountability, transparency, responsiveness, public interest, will of the people, listening, citizen involvement, evidence-based, protection of individual rights, equal access, balancing of interests, robust, honesty, fair, timelessness, reliable, flexible.]
Policy is often formulated by politicians in consultation with experts. In the PVM paradigm, public administrations aim at creating PVs for society and citizens. This suggests a shift from talking about what citizens expect in creating a PV. In this view public officials should focus on collaborating and creating a dialogue with citizens in order to determine what constitutes a PV.
1.3 Developments
There is an infusion of technology that changes policy processes at both the individual and group level. There are a number of developments that influence the traditional way of policy-making, including social media as a means to interact with the public (Bertot et al. …