Evaluating the Ownership of Personal data in the Cloud by Optimizing the IT Architecture : Applying a reference architecture to make the ownership of personal data more clear within an organization

Abstract: ​​Cloud computing is an area that many companies use in order to stay in line with technological development. To keep these systems productive and easily managed, a reference architecture can be used as a framework and also as a manual on how to structure an organization to suit its specific needs and goals. The reference architecture can make it easier to divide responsibility as well as working tasks within an organization. One company facing the challenges that comes with cloud based systems is Vattenfall, one of the biggest energy companies in Europe. An organization like Vattenfall handles a great load of customer data which is to be controlled and protected in every way. In order to keep on making sure that these systems are efficient and secure, a reference architecture could be a helpful tool.   ​With the purpose of investigating how a section within Vattenfall’s IT department can use a reference architecture to determine the ownership of customers’ personal data more easily, an interview study was conducted. The interviews focused on evaluation of how employees’ reason when handling customers’ personal data within cloud environments. The reference architecture found most suitable for handling personal data was the international standard ISO/IEC 17789. It describes multiple work roles within cloud computing which can make the process of handling sensitive information clearer and easier. The data collected from the interviews was later applied to this reference architecture in order to see how it can be used in order to more easily divide responsibility. The study could in the end present several recommendations as to how the department should divide responsibilities and raise awareness regarding the topic amongst employees in order to increase data security.   ​Finally, the expected value created from implementing these recommendations and applying the reference architecture to the organization is expected to be high. The thesis concluded that the chosen reference architecture can be applied to the Vattenfall organization. With a few organizational changes, the responsibility regarding customers’ personal data can be divided more easily amongst the employees and the security can be improved. The recommendations presented could benefit the organization and raise awareness of the topic amongst employees.