Saturday, May 26, 2018

3rd Annual ACFW Louisiana Writers Workshop


Are you an aspiring writer? Do you have a story to tell? If you're going to be near the Shreveport/Bossier area the first weekend in June, you should come hear six local authors share their short story writing journey. You can even get started writing your own short story. Bring something to take notes with and bring a sack lunch.



The American Christian Fiction Writers (ACFW) Louisiana hosts an annual workshop in northern Louisiana. This year's theme is Celebrating the Short Story. In preparation for the workshop, a team of six authors collaborated on an anthology using the workshop's theme for a title. The eBook Celebrating the Short Story was published April 21, 2018, and can be downloaded for free at iBooks, Barnes & Noble, Smashwords, and several other sites online. A printed edition can be had from Amazon for $5.99.

The writing styles used in short stories can be somewhat unusual or surprising to their readers. Sometimes their writers use literary techniques which might wear a reader down if employed through the length of a novel. Short stories make the perfect fodder to create anthologies. You will discover the seven short stories contained in Celebrating the Short Story are as diverse in technique and theme as one could hope for. Nevertheless, they are united in the fact that they are each in and of themselves short stories. Celebrating the Short Story takes you on seven diverse journeys. Go along with Delores Strong to what might be the end of the world in C. D. Sutherland's Roll Call. Experience a special Christmas celebration between a daughter and her mother in Beverly Flander's The Stroke of Christmas. See a widow solve a case of a missing prize rose in Judy Burford's The Theft. Follow a sister's adventure of discovery in Carole Lehr Johnson's Edge of the Sea. Discover how an entire clan was saved to alter history in Tammy Kirk's Saving the McKinnon. See how a young girl's life was changed because someone cared in Eileen K. Copeland's A Christmas Feral. Finally, experience a launch into space in Eileen K. Copeland's A Dream of Snow.

The workshop will discuss ACFW, Christian Fiction, and the nature of the short story. Each of six authors will share their short story journey with attendees. In keeping with the nature of a workshop, the authors will lead attendees in a series of writing exercises designed to help them organize and create a short story of their own.

The workshop is Saturday, June 2, from 9:30AM to 4:30PM at Bossier Parish Community College, Building F, Room 203.

The event is free, but remember to bring something to take notes with and a sack lunch. You'll be glad you did.

   

Thursday, May 3, 2018

D-I-K-A for Fiction Writers

On May 1, Barnes & Noble released their monthly plug for the best novels (Skilton, 2018). Six of them have compelling female protagonists taking on the world around them. One is a comedic mystery thriller set in 1664. Another is a bildungsroman set in London shortly after WWII. One is a dystopian-horror satire set in 2018 America, where the country is carved up by special interest groups. Finally, the list ends with a social novel tying the effects of slavery to the segregation and endemic violence of the 1950s. Such an array of subjects, though slanted toward women’s fiction, can leave an aspiring fiction writer wondering which sort of writing would be the best to focus on. The D-I-K-A model is a useful tool for educating budding authors and for explaining to those interested how fiction authors come up with subjects.


D-I-K-A

Clampitt (2018) explains that data (D) is uncensored facts, figures, & details. It is important to keep in mind that a portion of the data will most likely contain errors. After the available data is filtered and focused on relevant data, it is transformed into Information (I). The stakeholders use that information with their knowledge (K), which includes the skill sets and doctrinal expertise to enable them to not only explain but also predict the outcomes of possible actions. The stakeholders use those predictions with communications to come to decisions and manage their behavior, which is called action (A). Throughout the entire process, feedback is continuous, and under some circumstances, the stakeholder will need to reset the process to stay on the desired path.


Fiction Writers and D-I-K-A

Data: Fiction writers live, read, and learn. They have the option of using not merely their own experiences and imaginations to create a story, but also every piece of data in every library in the world, the entirety of the internet, and any timeline that ever existed in the past or might exist in the future. There are no limits to fiction; however, that much data is obviously too much for a single book.
Information: Fiction writers have to limit the data available to them. Using focused research, they select specific data to populate the story elements for characters, setting, plot, conflict, and resolution. Paula McLain selected the data specific to Martha Gellhorn, Hemingway’s third wife, to tell her story of a journalist and a novelist set during the Spanish Civil War. She takes established historical events, couples them with what is known about the two lovers, and fills in the gaps with her imagination. Contrast that against Chuck Palahniuk’s dystopian satire of the end of the United States. Using the energy of modern political discourse, he imagines special interest groups setting up independent countries where those in charge persecute, via the power of the state (that is, the barrel of a gun), anyone who does not agree with their particular flavor of intolerance. While fiction has no limits, a single book must have a focus to succeed.
Knowledge: Authors create, muse, and organize potential books by synthesizing theme, a point of view (POV), style, and tone with the approved information. Kevin Powers, a retired army veteran, who has established himself as a respected writer of military stories, uses that skill with a backdrop of the Civil War and the effects of slavery on life a hundred years later. It takes some time to develop adequate skills in those areas, but without them, fiction authors will not succeed.
Action: Eventually the writer has to write. After making decisions about story structure, the task that remains is to write, hopefully, the next best-selling novel.
Feedback: At any step, a writer might discover they have strayed from a successful path. We do not have the untold stories of the ten authors selected by Barnes & Noble as the best 10 of 2018, but it is entirely possible they had to refocus and restart their paths. Since anything is possible with fiction, a viable focus of the potentially best novel of 2019 might be to tell that story for them. 


Summary

The D-I-K-A model is used throughout the business world, but this paper has explained that it works for fiction writers, too. The reason for that is writing fiction is a business. Unless the books stay forever under the writer’s bed, or hidden in the closet, or stored in perpetuity on a thumb drive hidden in a dusty drawer, good fiction stories are destined to be published.

References

Clampitt, P. G. (2017). Communicating for managerial effectiveness, 6th ed. Thousand Oaks, CA: Sage Publications, Inc.
Skilton, S. (May 1, 2018). May’s Best Novels New Fiction. Barnes & Noble Reads. Retrieved from https://www.barnesandnoble.com/blog/mays-best-new-fiction-2018/





Friday, March 23, 2018

General Data Protection Regulation (GDPR)


Does GDPR Impact Long-Term Strategies of Organizations in the EU Market?
by: C. D. Sutherland

Abstract

The safeguarding of personal data has made a significant course correction. Any organization that handles personal data of EU residents must comply with a series of six new individual rights or face draconian fines of up to 20 million Euros or more. Those new rights were written in the General Data Protection Regulation (GDPR), effective summer of 2018. While the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the GDPR are similar, there are enough differences to create serious conflict. This paper focused on developments in personal privacy over the last two decades, the rights of data subjects, solutions for compliance, and possible outcomes. Voigt & Bussche (2017) provided a virtual handbook of compliance techniques in their guide on the GDPR. As the EU courts and Big Data will no doubt clash over the details of compliance, the struggle will be to change not only the long-term strategies of the EU in dealing with data security but also of the rest of the world (Zarsky, 2010). While most authors referenced in this paper believe the GDPR forced massive changes on organizations, some believe it did not go far enough, arguing that unless individuals have access to the automated or AI decision-making events, individual privacy has not been achieved (Mittal, 2017). The potential for pseudonymization to become the workaround solution of much of the GDPR requirements has yet to be determined (Goddard, 2017). Likewise, conflicts of interests between the EU and state-owned and large revenue companies are yet to be played out.
Keywords: GDPR, Big Data, rights, compliance, non-compliance, pseudonymization
--------------------------------------------------
This paper began with a discussion of the changes that the GDPR requires of organizations operating in the EU market. Analysis of relevant literature was discussed, and recommendations and observations were made for adapting data handling processes for organizations to become compliant with GDPR. Such adaptation will impact long-term strategies of any organizations functioning in the EU market.


Introduction

Organizations doing business in the EU market will be forced to either comply with the General Data Protection Regulation (GDPR) beginning May 25, 2018, or face draconian fines. The GDPR’s two-year phase-in period is ending, and the regulation has already replaced the obsolete 1995 Data Protection Directive (DPR) along with multiple regional regulations within the EU market. The GDPR provisions were designed to protect individual rights, and they conflict with standard practices used by Big Data. Noncompliance will be dealt with harshly. Organizations that violate GDPR face potential fines up to 20 million Euros or 4% of worldwide revenues, whichever is more.

Literature Review

Since the 1995 Data Protection Directive (DPR) was enacted, technology changed and will most likely continue to increase data processing capabilities. To compensate for the changing environment, EU member states introduced regional requirements. In the process, data legislation became fragmented across the EU, creating a legal minefield for regional interpretations of data protection (Tankard, 2016). For example, France was relatively lenient with little consequence for organizations that violated requirements, while Spain dealt harshly with those that failed to follow their rules. The GDPR will provide uniform, broad-reaching data protection rules for the entire EU. Penalties for non-compliance are not only uniform but also costly, up to 20 million euros or 4% of the organization’s worldwide revenues, whichever is more. Compliance with the GDPR will be time consuming and expensive. Organizations will need to adjust their short and long-term data processing structures and processes (Voigt & Bussche, 2017).

Personal Data Privacy History

The EU and the US use different approaches to personal data protection and data privacy. Americans consider privacy as a property right whereas, in the EU, it is a fundamental right, which must be provided by the government (Ciriani, 2015). In 1995, the EU adopted the Data Protection Directive (DPR) to harmonize the protection of fundamental rights of the individual concerning data processing activities and ensure the free flow of data among EU member states. Since the DPR was enacted, technology changed. Data legislation became fragmented across the EU, creating a legal minefield for regional interpretations of data protection (Tankard, 2016). As technology enabled new capabilities, the age of Big Data emerged, and the handling of data was monetized.
Big Data refers to the practice of creating and analyzing vast datasets, which indirectly involves myriad individuals. Much of Big Data's capabilities matured after the GDPR was initially discussed then drafted. During that period, Big Data voiced their concerns about the technologies that were emerging, but such arguments were received more like science fiction rather than fact. Since then, Big Data's new capabilities have become manifest and provide considerable advantages to businesses everywhere. GDPR will undermine the ability to exercise data analysis, and at the same time, Big Data technologies undermine some of the measures and distinctions of GDPR (Zarsky, 2017). The GDPR will hold controllers and regulators responsible for unfair or discriminatory data practices (Buttarelli, 2017).

Rights of Data Subjects

The GDPR requires organizations to increase their data protection efforts to comply with the data subject’s rights. These rights are mentioned in detail in the 99 articles of the GDPR and include the right to access, the right to erasure, rectification and restriction, the right to be forgotten, the right to restriction of processing, the right to data portability, and the right to object (Voigt & Bussche, 2017).
The law covers the personal data of all EU residents, regardless of the location of that processing. The information protected includes personal data that can directly or indirectly identify an individual. Online data that identifies such things as IP addresses, cookies, location data, and more are affected by wider regulation than US privacy laws (Goddard, 2017).
The right to portability gives individuals the right to have a copy of the data a controller has of them. In the UK, individuals already have some data portability rights, though these were resisted by many companies, mostly because machine-readable formats hardly existed when requirements were enacted. Since then, energy companies and banks have taken the effort to produce files. Companies naturally resist providing data on their customers. Their data makes up a large portion of their competitive advantage (Mitchell, 2017). GDPR allows data subjects to change service providers and grants more economic flexibility for consumers to move, copy, or transmit personal data from one IT environment to another. While it empowers consumers, depending on the scope of the applications, it could also put business secrets and practices of controls at risk (Voigt & Bussche, 2017).
As much as the GDPR appears to favor the individual over the data controllers, not everyone agrees the rights will be sufficiently protected. Technology has enabled the movement of data across geographical barriers, and along with it the capability to outsource data processing jobs to countries outside the EU. Some of the provisions of GDPR remain generically similar to the outdated Data Protection Directive; however, GDPR has incorporated some new provisions. Even though the GDPR introduces the ‘right to be forgotten,’ legitimizes the role of consent, provides data protection by design and default, increases accountability of data controllers, and expands the scope of provision of the directive to extraterritorial jurisdiction, it remains to be seen whether GDPR is nothing more than an old wine with the new label or something else in a wine bottle (Mittal, 2017).
According to Mittal, organizations still have enough room to violate the fundamental right of privacy of EU citizens. One area of concern is “the missing right to explanation” wherein an automatic or artificial intelligence algorithm will be legally mandated. When that happens, the individual is not guaranteed transparent and accurate decision-making, and there is no legally binding right to explanation in the GDPR. Because new capabilities are emerging, the details of how data will be exploited are not fully known to data controllers. Providing the algorithms that drive automated decisions to individuals would have little utility, except to minimize one controller’s competitive advantage over another.
Databases have so much information, which can be processed quickly. The output of that processing can provide analysis that was not even considered when the data was initially collected. The technology performs data-crunching when human operators do not know where to start (Zarsky, 2017).
One of the new elements in the GDPR is its call to establish data protection certification mechanisms, data protection seals and marks to help enhance transparency and compliance with the Regulation, and allow data subjects to quickly assess the level of data protection of relevant products and services. To this effect, it is necessary to review privacy and data protection seals from a new beginning so as to determine how data protection certification mechanisms, seals or marks might work given the role they will be called to play, particularly in Europe, in facilitating data protection (

HIPAA Privacy Rule versus GDPR

Despite the different approaches between the US and the EU, some similarities exist between the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the GDPR. At the same time, there are enough differences to create serious conflict. The US federal Department of Health and Human Services (HHS) and the EU are similar concerning maintaining the confidentiality and privacy of personal data and protected health information. The major differences between the two practices range from the narrow focus on the health industry with the HHS to the broad scope of the EU on data controllers. The HIPAA Privacy Rule is more detailed and directive in nature than the GDPR; however, the GDPR has greater regulatory inflexibility with regards to the ease of consent withdrawal, including the concepts of authorization and consent, the rights of amendment and rectification and the right to erasure (Tovino, 2017).
US Federal and state health laws require retention of medical, billing, compliance, and other records for at least five years, if not longer. Without such records, how could adverse drug reactions, allergic reactions, and other injuries be referenced? Without records, how could preexisting health conditions be known? Records are essential for dealing with fraud and abuse, detecting privacy violations, and detecting problematic prescription patterns. The contrast between data erasure provisions in HIPAA and GDPR makes the two incompatible; this is an opportunity for global partnerships to work out the enabling compromises (Buttarelli, 2017).

Solution for Compliance

GDPR is already a regulation, which was developed to mitigate the disparity of regional issues associated with the limitations of DPR. Member nations of the EU will add volumes to the 99 articles of this broad-reaching, transnational regulation. To avoid impending fines, companies should reorganize their internal data protection procedures to accommodate the GDPR. Ten steps are recommended (Voigt & Bussche, 2017).
Controllers and processors need records of processing activities to prove compliance. Such records must be thoroughly maintained, providing proof of compliance with the GDPR. Records must contain, among other things, information on the purposes of processing, the categories of data affected and a description of the technical and organizational purpose of the records.
Private entities are obliged to designate a Data Protection Officer if their business strategy consists of regular monitoring of data subjects or personal data on a large scale. Several groups of such undertakings may have a single Data Protection Officer.
If processing activities are likely to result in high risk to data subjects, organizations must conduct preventive Data Protection Impact Assessments for risk mitigation. If the results of the assessment do not enable the entity to determine which safeguards could be applied, it will have to consult with the Supervisory Authorities.
As the obligation to develop and implement such concepts is directly enforceable, entities should address the concepts of Privacy by Design and Privacy by Default. The GDPR emphasizes preventive data protection concepts.
Data processors must implement technical and organizational measures to guarantee the safeguard of personal data. The appropriate data protection level must be determined based on the risk potential inherent to the entity’s processing activities on a case-by-case basis.
Individuals will have comprehensive information and other rights against data processors. Organizations will have to proactively fulfill many obligations towards the data subjects, such as granting information on processing, erasing personal data or rectifying incomplete personal data. Especially, the data subjects’ right to data portability may challenge entities as they will have to provide datasets to their customers upon request.
The GDPR introduces a general reporting duty of the controller towards the Supervisory Authorities in case of a personal data breach. Such breach might occur by way of a technical or physical incident. The notification has to take place within a 72-hour time frame after becoming aware of the breach. In case of an incident with a high risk for the rights and freedoms of the data subjects concerned, the controller will have to communicate the breach also to them. In such a case, assistance from the Supervisory Authority will be available to the controller.
Where feasible based on an entity’s budget and resources, compliance with the GDPR might be implemented and monitored by way of a Data Protection Management System. It is an internal compliance system that will monitor the fulfillment of the data-protection-related and safety-related requirements.
Organizations that fall within the scope of application of the GDPR without having an establishment in the EU are obliged to appoint an EU-located representative. The EU representative will serve as a contact point for data subjects and the supervisory authorities.
Finally, while not mandatory, a self-regulation mechanism, such as Codes of Conduct and Certifications, will have higher practical relevance under the GDPR. Whereas Codes of Conduct specify the obligations under the GDPR for a certain sector or technology, Certifications will prove compliance of the certified activities with the GDPR. The use of these internal guidance instruments will facilitate the burden of proof for compliance towards the Supervisory Authorities.
The solution to becoming GDPR compliant is obviously a reorganization on a grand scale. With the right precautions in place, organizations should have little to fear. Tankard (2016) insists the time and effort required to achieve compliance will vary significantly from one organization to another, but it would be well worth the effort and expense.
Some have suggested that pseudonymization will become the default for all research projects. Done right, the data record can be disassociated from actual people; however, it also provides a future pitfall and costly punitive actions for organizations that maintain decoders for re-identification (Goddard, 2017).

Potential Outcomes

GDPR is the reality for organizations in the EU market. The impending clash among global partners, Big Data, and the EU suggests three potential futures: one where the EU leads the world into a new age of protecting individual data, another where the world rejects the EU and leaves it behind politically and economically, and a third future where many compromises must be made (Zarsky, 2017). Whatever the outcome, the EU courts will be the final decision-makers for the EU market. The effort to protect individual rights is a noble one, but solutions that negate Big Data and place the EU in a non-competitive situation with the rest of the world would have a long-term impact on the economy of its member states.
Companies with less than 500 million euros of annual worldwide revenues will significantly change their long-term strategies to comply with GDPR unless they make the unlikely decision to withdraw from the EU market. State-owned and high revenue companies may employ political and economic instruments of power to influence EU decision-makers that favor their long-term strategies regarding GDPR.
US-based companies that have not entered the EU market need to consider the requirements of GDPR as they establish and update their data control systems. The serious differences between HIPAA and GDPR suggest there are years before a worldwide system of regulation will be uniform; however, common logic suggests a growing global economy will eventually find a way for individual privacy rights to be guaranteed while still providing a viable and profitable market for business.

Conclusions

As technology has enabled Big Data and organizations that thrive on the services they provide to monetize their activities, the GDPR data security requires processes to change. The primacy of the individual rights over the data puts the data handlers in a comply-or-be-punished scenario. Organizations that operate in the EU market have had two years to reorganize and adapt their data processing procedures, so some think the clash between the courts and the organizations is imminent. The solutions to compliance are readily available (Voigt & Bussche, 2017). The EU effort to protect individual rights is a noble one, but some concerns over the impact on Big Data are yet to be resolved (Zarsky, 2017).

Future Research

This paper focused on the speculation about the impact GDPR was expected to have on organizations operating in the EU market. Beginning with the summer of 2018, challenges to the GDPR are most likely to become available in the public domain. A viable source of information should be open-source news data as companies found out of compliance are brought into the EU courts. A ubiquitous source might be the absence of large and state-owned companies that are not penalized by the EU. While interviewing companies with EU customers may produce useful information, the front line of the EU court system may be a better source. Ultimately, the changes organizations make based on the actual enforcement of the GDPR should be researched and considered.

References

Buttarelli, G. (2016). The EU GDPR as a clarion call for a new global digital gold standard. International Data Privacy Law, 6(2), 77-78. http://dx.doi.org.ezproxy.libproxy.db.erau.edu/10.1093/idpl/ipw006
Ciriani, S. (2015). The economic impact of the European reform of data protection. Communications & Strategies, (97), 41-58,153. Retrieved from http://search.proquest.com.ezproxy.libproxy.db.erau.edu/docview/1678885971?accountid=27203
Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6) 3. doi:10.2501/IJMR-2017-050
Mitchell, A. (2016). GDPR: Evolutionary or revolutionary? Journal of Direct, Data and Digital Marketing Practice, 17(4), 217-221. http://dx.doi.org.ezproxy.libproxy.db.erau.edu/10.1057/s41263-016-0006-9
Mittal, S. (2017). Old wine with a new label: Rights of data subjects under GDPR. International Journal of Advanced Research in Computer Science, 8(7) Retrieved from http://search.proquest.com.ezproxy.libproxy.db.erau.edu/docview/1931130276?accountid=27203
The future of privacy certification in Europe: an exploration of options under article 42 of the GDPR. International Review of Law, Computers & Technology 30(3) doi: 10.1080/13600869.2016.1189737
Tankard, C. (2016). What the GDPR means for businesses. Network security, 6, 5-8. https://doi.org/10.1016/S1353-4858(16)30056-3
Tovino, S. (2017) The HIPAA Privacy Rule and the EU GDPR: Illustrative Comparisons, 47 Seton Hall L. Rev. 47(4) 973 Retrieved from https://advance-lexis-com.ezproxy.libproxy.db.erau.edu/api/permalink/860d5901-b1fd-425b-92a2-3124046f6932/?context=1516831
Voigt, P. & Bussche, A. (2017). The EU General Data Protection Regulation (GDPR) A Practical Guide. Cham, Switzerland: Springer International Publishing.
Zarsky, T. (2017). Incompatible: The GDPR in the Age of Big Data, Seton Hall L. Rev. 47(4) 995 Retrieved from https://advance-lexis-com.ezproxy.libproxy.db.erau.edu/api/permalink/55b06ec3-fb3f-41bd-ae9c-7fd57496b3e0/?context=1516831