General Interest

Enterprise API
Security and GDPR
Compliance: Design
and Implementation
Perspective
Fatima Hussain Brett Noye
Royal Bank of Canada Royal Bank of Canada
Rasheed Hussain Salah Sharieh
Innopolis University Royal Bank of Canada

Abstract—With the advancements in enterprise-level business development, the demand

for new applications and services is overwhelming. For the development and delivery of
such applications and services, enterprise businesses rely on Application Programming
Interfaces (APIs). APIs provide interface to enable the communication among different
applications. In essence, API is a double-edged sword; on one hand, API helps in
expanding the business through sharing value and utility, but on the other hand, it raises
security and privacy issues. Since the applications usually use APIs to retrieve important
and critical data, it is extremely important to make sure that effective access control and
security mechanisms are in place so that the data do not fall into wrong hands. In this
context, in this article, we discuss the current state of the enterprise API security and the
role of Machine Learning (ML) in an API security. We also discuss the General Data
Protection Regulation (GDPR) Compliance and its effect on the API security.

& WITH THE ADVANCEMENTS in communication
and computation technologies, there is a plethora
Digital Object Identifier 10.1109/MITP.2020.2973852
Date of current version 11 September 2020.
of applications and services that target consumers
in different sectors, ranging from finance, health,
agriculture, smart industries, smart environment,
and human well being.1 Internet of Things (IoT) is
the best example of such applications and services

September/October 2020 Published by the IEEE Computer Society 1520-9202 ß 2020 IEEE
81
Authorized licensed use limited to: University of Canberra. Downloaded on October 05,2020 at 06:02:46 UTC from IEEE Xplore. Restrictions apply.
 General Interest
realized through the interconnection of smart
objects for different purposes such as, but not lim-
ited to, controlling home appliances remotely,
monitoring a patient’s health, monitoring agricul-
tural land, operating in hostile environments, and
so on. These services are shared across different
platforms with different consumers, vendors, and
other related entities. Therefore, for the manage-
ment of these services and applications, and
expanding them across different domains and con-
sumers, traditional off-the-shelf software develop-
ment solutions will not gracefully scale. In this
context, we need a unified mechanism to make the
applications and services (both macro- and micro-
services depending on the application) easy to
access, secure, able to export, and meet the het-
erogeneous consumer demands. To this end,
Application Programming Interface (API) is a
mechanism that makes it easy, affordable, and
scalable for the services to distribute across differ-
ent domains. API is a set of protocols, functions,
mechanisms, tools, definitions, and attributes to
share and develop new services across different
domains and expand the existing services. APIs
enable service integration, application develop-
ment, and communication among different serv-
ices and products without the need for developing
new infrastructure for each service and product.
For instance, in case of a financial institution, bank-
ing chatbots reduce the operational as well as
management cost through decoupling of the plat-
forms and rejoining through APIs. Furthermore,
agility, enhanced operational efficiency, and avail-
ability of new distribution channels are few of the
benefits of using APIs for banking. Also, banks use
APIs internally to improve the information flow
between various legacy systems.

With the inception of IoT networks, APIs have
emerged as integral business strategy across var-
ious industries. APIhound reported that more
than 50 000 APIs are registered to date. Also, the
number of private APIs is more than public APIs.
This leads to security and privacy challenges
because sensitive data are usually passed over
the web through APIs. Hence, it is essential to
discuss the API security and the current solu-
tions. With new wave of Artificial Intelligence

APIs developed for usage among partners are
https://hackernoon.com/how-to-make-your-product-gdpr-compliant-
396a6c0336c2
82
Authorized licensed use limited to: University of Canberra. Downloaded on October 05,2020 at 06:02:46 UTC from IEEE Xplore. Restrictions apply.
(AI)-driven solutions in almost every industry,
API security is no exception, and in this article,
we focus on AI and Machine Learning (ML)-driven
API security solutions. Furthermore, with the
enforcement of new data regulation and privacy
law known as the General Data Protection Regula-
tion (GDPR), ML-driven security solutions seem
jeopardized. We discuss AI/ML-driven API secu-
rity in relation to GDPR, as well as related chal-
lenges in this regard. More precisely, we discuss
the API security in detail and the current tradi-
tional approaches for API security. Then, we dis-
cuss the limitations and inadequacy of the
current API security solutions and discuss the
AI-/ML-driven API security. We also discuss the
importance of user data privacy and security and
how the evolution of GDPR has changed the para-
digm of user privacy. Finally, we discuss the
effect of GDPR compliance on the AI-/ML-driven
API security and identify the challenges faced in
terms of design, customer satisfaction, and data
transparency by the existing solutions with
GDPR compliance.
API SECURITY
In this section, we focus on the vulnerabilities
of API, traditional API security model, and the
role of ML in API security.
APIs and Their Vulnerabilities
APIs are functionally classified into two catego-
ries, i.e., APIs that are “used to perform an action”
and APIs that “provide access to any object”. In
the former APIs, an application invokes the API
and requests the original software to perform an
action (which is made available through the
invoked API). In the latter type of APIs, an applica-
tion wants to get access to an object through the
API. From the organizational standpoint, APIs can
be divided into following three types.
 Private APIs:
Private APIs are usually intended to be used solely
by the firm developing the software. Companies
develop private APIs for internal software devel-
opment and for enhancing scalability, modularity,
security, and access to expand various services.
 Partner APIs:
known as partner APIs. For instance, a firm
IT Professional
develops a software package for sales and mar-
keting functions, where another partner firm has
a software for accounting. These two softwares
can be connected, and this integration is bridged
through APIs. However, it requires efficient
access control and authorization mechanisms
along with rules and policies of the firms involved
in software development and service delivery.
 Public APIs:
Public APIs are intended to be used by anyone
who wants to access the software. These APIs
have limited capabilities and can be a potential
security threat to the back-end systems. More
precisely, the attackers could launch attacks
camouflaged into the functions and services pro-
vided by the public APIs.
API vulnerabilities APIs give access to the cli-
ents (through access control) and also lure
potential attackers to the back-end systems. The
potential attack surface is significantly increased
by using APIs as granularity boundary is moved
from secure internal tiers to the user devices
(through client application). Therefore, we need
security and protection mechanisms against the
new classes of risks as a result of using APIs. Fur-
thermore, in a typical web page request, a small
amount of information is shared (i.e., in HTTP
address and forms), whereas in case of API calls,
HTTP URLs as well as HTTP header, queries, and
parameters are exposed to the outside world.
As a result, the data sent to APIs may increase
the potential risk and attack surface through
parameter attacks such as URL-based attacks,
query parameters attacks, HTTP header, and/or
post content-based attacks. In the following, we
outline some potential parameters attacks on APIs.
 Script insertions: This refers to the family of
attacks that exploit the systems that inter-
pret the submitted parameter content as a
script (e.g., when a snippet of JavaScript is
submitted into a posting on a web forum).
 SQL injections: This refers to an attack
through query languages, where parameters
that are designed to load a certain input into
a database query are manipulated to change
the intent of an underlying SQL template.
 Bounds or buffer overflow attacks: These attacks
are caused by data beyond the expected types
September/October 2020
Authorized licensed use limited to: University of Canberra. Downloaded on October 05,2020 at 06:02:46 UTC from IEEE Xplore. Restrictions apply.
Figure 1. API security model.
or range, leads to system crash, and offers
access to memory spaces.
In the same spirit, there are few access
related attacks specific to APIs listed below. Con-
ventional access control mechanisms such as
user name and passwords, openID, JWT tokens,
etc., are powerful but leave security gaps in the
API deployment. These techniques require com-
plementary security capabilities to address
threats such as the following:
 API-specific Distributed Denial of Service
(DDoS) attacks: These attacks overload criti-
cal API services (login and session manage-
ment) and disrupt access to these services
by sending large amounts of traffic from mul-
tiple sources.
 Login attacks: These attacks include creden-
tial stuffing (testing lists of previously
breached credentials against a target API to
try to gain access), use of stolen credentials
or tokens, and fuzzing (feeding large amounts
of random data into a program to discover
vulnerabilities).
 Application and data attacks: These attacks
include data theft, data deletion or manipula-
tion, code injection, and application disruption.
Traditional API Security Model
The traditional API security model incorpo-
rates tasks related to authentication, throttling,
and communication security, as shown in Fig. 1.
These are powerful tools but are not considered
as a comprehensive solution for addressing the
specialized API threats such as API-specific DoS,
application, and log-in attacks.2 Therefore, a com-
prehensive API security solution requires anom-
aly detection as well as basic security capabilities.
On the contrary, AI-enabled API security keeps
83
 General Interest
track of a historical trend in the traffic, along with
securing the existing foundational security fea-
tures, and detects malicious behavior as the first
line of defense. Traditional security measures pro-
vided by the content distribution networks, Web
Application Firewall, and API Gateways can be
easily bypassed by fine-tuned attacks on APIs.
API implementations are based on either REp-
resentational State Transfer (REST) or Simple
Object Access Protocol (SOAP) and are secured
in different ways as discussed in the following
sections. Generally speaking, SOAP APIs have
more comprehensive security measures and are
recommended for handling sensitive data.
Access control management Granting or
rejecting an access to APIs is the first line of
defence for the internal resources in an enter-
prise. Similarly, controlling the amount of data
released to the cyber-world is possible by limit-
ing access to specific endpoints or data for indi-
vidual clients. Access management is typically
performed using a “key” to identify applications
calling the APIs as well as the end users. This
key has access to specific endpoints and has
access privileges for certain data limits.
To this end, Open Authorization (OAuth) and
OpenID are used for user authentication and
authorization for the web services. OAuth is the
open standard for access management, and it
enables users to have access to API resources
without sharing passwords. OAuth is compli-
mented with another standard: OpenID Connect.
This is an identity layer on top of the OAuth
framework, and it authenticates users by obtain-
ing the basic profile information.
Communication security Transport Layer
Security (TLS) and the secure socket layer are
used for the communication security of any web
service. TLS standard is used to establish secure
connection between two endpoints (client and
server), and it makes sure that the data sent
between them is encrypted and unaltered. REST
API uses HTTP and is supported by the TLS
encryption. It also uses JavaScript Object Notation
(JSON): a file format used to transfer data securely
and efficiently over web browsers. By using HTTP
and JSON, REST APIs do not need to store or
repackage the data and are considered faster and
84
Authorized licensed use limited to: University of Canberra. Downloaded on October 05,2020 at 06:02:46 UTC from IEEE Xplore. Restrictions apply.
easily manageable than the SOAP APIs. SOAP APIs
use built-in protocols such as web services secu-
rity (WS Security) and use a combination of XML
encryption, XML signatures, and SAML tokens to
verify authentication and authorization.
Client throttling Client throttling enables the
access limits for APIs, i.e., how often an API can
be called and also track its usage over a certain
time period. Carefully crafted throttling rules
can protect APIs from spikes and (D)DoS attacks.
For instance, more calls to an API indicate that it
might be abused, or it might be a programming
mistake, and API is being called in an endless
loop. This information is very useful for identify-
ing and preventing various access related issues.
API gateways security The API gateway is
considered as the core infrastructure unit that
enforces and manages the API security. Enforcing
security through the API gateway is a compara-
tively new concept and serves the API security
better, unlike traditional security measures. API
security management performs message analysis,
access tokens, and authorization parameters
grants, and therefore, API gateway checks authori-
zation of users followed by message parameters
and content checks (sent by the authorized
users). It also ensures that the client data are not
written when usage logs are maintained. Hence,
the API gateway acts like traffic police and ensures
that only legitimate users are allowed access to
APIs. It also encrypts or redacts the confidential
information as well as controls and analyzes the
APIs usage. Essentially, with the help of an API
gateway, we are moving security from the applica-
tion to the organizational infrastructure.
Limitations of Traditional API Security Model
Traditional security mechanisms such as
OAuth and the other aforementioned techniques
focus only on the visible aspects of the security
such as authentication, access control, and autho-
rization. However, with the growth in API develop-
ment and the emergence of new APIs, the risk of
sensitive data exposure beyond the business
boundaries also increases. The traditional
approach of “limiting access to the API” instead of
mitigating the attacks has not been so encourag-
ing. Furthermore, every new API brings along a
IT Professional
Figure 2. General data protection regulation (GDPR).4

new attack vector associated with it. Therefore, it filling the security gaps such as addressing new
is challenging to address the security attacks on cyber-threats and making predictions on the
APIs through a singular traditional approach such basis of existing patterns to manage the API secu-
as access control. Similarly, the stolen or shared rity. A more detailed discussion about ML-based
credentials may also result in catastrophic attacks API security, available techniques, and platforms
on APIs. The traditional injection, data stealing, can be found in the work by Hussain et al.2
and manipulation attacks are still possible on APIs.
To this end, the traditional APIs may not be able to
GENERAL DATA PROTECTION
mitigate these types of attacks. Therefore, a more
REGULATION
versatile, variable, context-aware, and intelligent
The European Union parliament approved a
security mechanism is needed for API security.
revolutionary regulation on personal data protec-
tion in April 2016, and it has been functional since
Machine Learning (ML) and API Security May 2015. GDPR emphasizes on personal data pro-
Smart API security must be an integral part of
tection, transparency, and data ownership rights
the API operations. ML can be used not only to
for individual users. In addition to this, it also gives
identify the malicious intent in data transactions
right and access to users: how they wish to get
across platforms, but it also helps evolving the
their data treated as shown in Fig. 2. Personal data
security practices in the wake of current security
in GDPR are defined as any information that can
practices. To date, ML has been widely used in the
identify any individual directly or indirectly, and
security of systems and networks, for instance,
“personal data processing” is defined as the set of
context-aware authentication, authorization, intr-
automated and manual operations performed on
usion detection, malware analysis, and so on.3
the personal data.5 These operations include data
In the context of API security, ML is primarily
collection, recording, organization, structuring,
leveraged to learn the patterns of normal behav-
storage, adaptation or alteration, retrieval, consul-
ior incorporating the contextual information for
tation, use, disclosure by transmission, dissemina-
each API. The identified patterns are then used
tion, alignment or combination, restriction,
to identify and block the potential cyber attacks
erasure or destruction,y,z etc.
on the APIs. Continuous learning capabilities are
From enterprise perspective, GDPR requires
added to the system and APIs, through which
the following:
anomalous behavior can be identified. In short,
ML can extend the API security beyond access y
https://gdpr.eu//
z
control and communication security and help https://gdpr-info.eu/art-21-gdpr/

September/October 2020
85
Authorized licensed use limited to: University of Canberra. Downloaded on October 05,2020 at 06:02:46 UTC from IEEE Xplore. Restrictions apply.
 General Interest
 Transparency: Clear policies must be defined
for data protection, data processing, and data
portability of the customer related information.
 Access control: Enterprises must possess
proper security tools as well as processes for
the protection of the customers private data.
 Personal privacy and right to be forgotten: A cus-
tomer older than 16 years of age has full right
to dictate what type of data an enterprise can
collect about that customer. Furthermore, the
customer has full right to demand his/her
data to be deleted after usage.
Some of the works carried out related to
understanding and interpretation of GDPR can be
found in the work by Sirur et al.6,7 In Tesfay et al.,8
the authors presented a PrivacyGuide, a privacy
policy summarization tool inspired by ML and
natural language processing techniques to clas-
sify the privacy policy content.
Activities Related to the GDPR Compliance
According to GDPR, the cost of noncompli-
ance is very high, and companies are at the risk
of losing customers and global revenue. Further-
more, potential fines of up to EUR 20 million can
be imposed on the companies violating the regu-
lations. Nevertheless, the challenges posed due
to the restriction of GDPR compliance also pro-
vide an opportunity for organizations to take
concrete and smart decisions for data privacy
governance and compliance.
Several companies such as Informatica,9
Greenhouse (Greenhouse support),10 McKin-
sey 11, and Lever12 provide data privacy gover-
nance solutions for GDPR. In the same spirit, the
Interactive Advertising Bureau of Canada (IAB
Canada), being the national voice and thought
leader of the Canadian interactive marketing and
advertising industry, provides the compliance
steps for GDPR.13 Canadian digital media and
industry offering goods and services to EU indi-
viduals or monitoring their behaviors (which
may include tracking for behavioral advertising
purposes) must comply and follow the defined
IAB rules.
Contradiction of GDPR Rules With ML
GDPR grants three important rights to the
owner (data subject) of personal data: right of
86
Authorized licensed use limited to: University of Canberra. Downloaded on October 05,2020 at 06:02:46 UTC from IEEE Xplore. Restrictions apply.
nondiscrimination, right to explanation, and the
right to be forgotten.
Feature engineering and nondiscrimination
right Personal data processing rules are the pillars
of GDPR, i.e., revealing racial/ethnic origin, political
opinions, religious beliefs, biometric data used for
identification purposes, health data, data related
to sexual orientation, and the processing of genetic
data are protected by the GDPR. For instance,
these data points are incredibly valuable in genetic
research and are being used for predictive model-
ing in different domains. However, explicit consent
is required by the data subjects for opting in for
such model training as well as for ongoing model
retraining to improve model accuracy.
Modeling, prediction, and right to
explanation Clients, customers, and/or users
have the right to understand the processing logic
and reasons for any potential decisions made for
or on behalf of them. Therefore, the processors
(enterprises) are bound to provide meaningful
information about the decision logic and justifica-
tion of any prediction and envisaged consequen-
ces of this processing for the data owner.
Model retaining, updates, and the right to
be forgotten This right permits data owners to
dictate processors (enterprises) to erase all per-
sonal data associated with them. Apparently, it
seems very straightforward to delete corre-
sponding accounts and related data. However, it
poses lots of technical challenges for ML models,
if retraining and regular update of ML model is
required, which in turn requires availability of
one’s data. To date, the right to authenticate first
whether their data are used to retrain the predic-
tive model or not, how the ML model will be
retrained without data, where the line should be
drawn in terms of amount of data to be retained
and to be forgotten are essential to consider.
API SECURITY AND COMPLIANCE
WITH GDPR
In this section, we discuss the effect of GDPR
on ML-driven security as a whole and, specifi-
cally, API security.
IT Professional
ML-Driven Security and GDPR
GDPR has a significant effect on ML-enabled
security as the GDPR imposes restriction on the
use of automated decision making, including
profiling (Article 22).14 This leads to an impres-
sion that further development of ML-enabled
decisions are hampered. Specifically, in this era
of cyber-physical systems and big data in which
automated decisions and predictive analysis are
a norm, GDPR compliance with ML-enabled solu-
tions seems unacceptable and unadaptable. Nev-
ertheless, it is easier to avoid decisions that
directly affect individuals. However, it is unclear
to signify the types of harmful profiling. For
instance, it is hard to say whether advertise-
ments sent by Google and Facebook have nega-
tive effect or not. In fact, detailed clarification
and classification are required to distinguish
among various automated decisions, essentially
being procedural or substantive, rule-based, or
law-based.15
Does GDPR Affect the ML-Driven API Security?
GDPR will significantly affect the ML-driven
security solutions. Consumers routinely inter-
acting with ML-enabled services, such as per-
sonal assistants, chatbots, and roboadvisors,
will be significantly affected. Furthermore, GDPR
restrictions will increase the cost of ML-driven
solutions directly or indirectly. For instance, the
requirement to explain the details of algorithmic
decisions to a human is not only complex but
also time consuming. The right of data portabil-
ity does not directly affect the ML-driven serv-
ices, but it increases the cost indirectly. It
restricts the companies to create and maintain
large and complex datasets in reusable formats,
such that data are readily available on user
request.16 Also, there is a tradeoff between algo-
rithmic transparency and accuracy. Therefore,
more transparent and less accurate algorithms
are developed to explain the algorithmic deci-
sions to consumers, and it might lead to unfair
decision making. Similarly, prohibition on solely
automated decisions might lead to humans mak-
ing unfair and unreasonable decisions. This will
also prohibit the use of rational algorithms,
which are adaptable to modification in data and
can be adjusted over time to account for the
unintended biases.17
September/October 2020
Authorized licensed use limited to: University of Canberra. Downloaded on October 05,2020 at 06:02:46 UTC from IEEE Xplore. Restrictions apply.
Moreover, right of data erasure (given to data
subject) without any undue delay (Article 17(1)
of the GDPR) can be problematic for ML-driven
services because some ML algorithms need to
keep the data used in the training. By removing
this data, the algorithm’s effectiveness can be
impacted. These algorithms tend to use the his-
torical data (for generating new rules) for future
data processing for self-improvement.
Data and Computational Transparency
Automated decision making is defined as the
decisions made without human intervention and
is prohibited in GDPR. As the personal data of an
individual are used in any decision making, it is
needed that is should be transparent to users
and the questions “how and why any decisions
are made (Article 13,14)” should be answered.
However, many challenges are associated with
realizing this level of transparency. Here, we dis-
cuss some of the associated challenges.
Technical challenges According to the
GDPR, a controller using user data for some auto-
mated decision making is obliged to provide
meaningful information about logic used in mak-
ing such decisions. This enables users to express
their opinion about these decisions and also
have the right to challenge them. Questions such
as what exactly is needed to be revealed to the
owner,’ how algorithms (used for decision mak-
ing) can be explained, and how the complexity of
an algorithm can be simplified to be explained to
the owner, should be answered. However, there
are many technical obstacles in explaining the
algorithms. For instance, simple tree-based algo-
rithms are easy to explain, as compared to neural
networks, which are almost impossible to
explain. Neural networks, ML, and deep learning
are considered “Black Boxes,” and it is very diffi-
cult to explain or identify a potential point of fail-
ure. As these complex algorithms are opaque
even for developers; therefore, it becomes very
challenging to educate nontechnical users.
Intellectual property Algorithmic transpar-
ency can lead to the exposure of intellectual
property to the public, which will not only jeopar-
dize the privacy of the computational secret but
can also endanger the policies of the authorities.
87
 General Interest
For instance, tax authorities will never like to
reveal algorithms used to select tax payers for
secondary and detailed review. Similarly, a finan-
cial institution will not disclose the ML model
used for mortgage percentage and interest rates.
Similarly, IP-related issues also hinder the data
transparency. According to trade-related aspects
of intellectual property rights agreement and
world intellectual property organization copy-
right treaty, software programs are protected by
the copyright act. In this situation, concrete
measures should be taken to keep the algorithm
transparency as well as maintaining copyright
acts. This means that GDPR’s required transpar-
ency can be achieved only by sharing “logic
behind decisions,” and not the algorithm itself.
Data Portability and Storage
Traditionally, there are three types of data
portability approaches, i.e., jurisdiction-to-
jurisdiction, organization-to-organization, and
the data localization approaches.18 The jurisdic-
tion-to-jurisdiction approach governs transbor-
der data flows based on adequate and equivalent
national data protection laws. An organization-
to-organization approach put this responsibility
on individual data controllers for meeting data
protection’ standards. Finally, data localization
approach depends on public policy efforts to
store personal data within a particular juris-
diction’s boundaries. GDPR is in accordance with
the third approach of data localization.
In light of GDPR and data localization, major
changes are required in the entire ecosystem.
New cloud infrastructures are required across
the EU as well as across the globe to accommo-
date the GDPR laws. Moreover, a major paradigm
shift is expected in the data storage systems and
in-house storage. In this context, in-house proc-
essing and storage of personal data seem to be a
more appropriate solution as compared to stor-
age on the public cloud. This is due to the fact
that it is very difficult to provide transparency of
personal data in public clouds. To keep the
GDPR compliance, an organization can only
transfer data to an external processor by ensur-
ing adequate levels of data protection and pri-
vacy. If there are security doubts about any
particular destination, controller, or processor,
the data cannot travel there.19
88
Authorized licensed use limited to: University of Canberra. Downloaded on October 05,2020 at 06:02:46 UTC from IEEE Xplore. Restrictions apply.
Also, as per GDPR, data processing is
restricted to the consent of the data subject. It is
also worth mentioning that the corporate cus-
tomer and employee data might be scattered as
structured or unstructured data across the
cloud or on local/distributed file systems. There-
fore, remote controlling (deletion, processing,
transfer with subject’s consent or intention) of
personal data, stored in the file systems and pro-
prietary cloud, will be complex. Therefore, it will
be a challenging task to obtain a comprehensive
view of the personal data across an enterprise.
CONCLUSION
GDPR strictly advocates for “privacy by
design,” i.e., data protection and computational
explainability should be included during system
development rather than adding it later. Similarly,
businesses should practice privacy-preserving
analytic methods, business models, and techni-
ques such as differential privacy, homomorphic
encryption, and federated learning. For existing
ML-enabled API security solutions, the automated
decisions made by intelligent softwares (or
machines) must be explained to meet the GDPR
requirements. For instance, Quantitative Input
Influence (QII)20 is used to achieve algorithmic
transparency. QII is developed to clarify and
explain the ML algorithm (and related factors),
which were used in any automated decision mak-
ing. In a nutshell, it is imperative to investigate the
effect of ML-enabled API security mechanisms on
the GDPR.
& REFERENCES
1. A. L. Fernando, J. Costa, B. Barbosa, A. Monti, and
N. Rettenmaier, “Environmental impact assessment of
perennial crops cultivation on marginal soils in the
mediterranean region,” Biomass Bioenergy, vol. 111,
pp. 174–186, 2018.
2. F. Hussain, B. Noye, and S. Sharieh, “Current state of
API security and machine learning,” 2019. [Online].
Available: https://bit.ly/36NEMf0
3. D. Ucci, L. Aniello, and R. Baldoni, “Survey of machine
learning techniques for malware analysis,” Comput.
Secur., vol. 81, pp. 123–147, 2019.
4. “How to make your product GDPR compliant,” 2018.
[Online]. Available: https://bit.ly/3b25HHm
IT Professional
 5. J. Wong and T. Henderson, “How portable is
portable?: Exercising the GDPR’s right to data
portability,” in Proc. ACM Int. Joint Conf. Int. Symp.
Pervasive Ubiquitous Comput. Wearable Comput.,
2018, pp. 911–920.
6. S. Sirur, J. R. Nurse, and H. Webb, “Are we there yet?:
Understanding the challenges faced in complying with
the general data protection regulation (GDPR),” in
Proc. 2nd Int. Workshop Multimedia Privacy Secur.,
2018, pp. 88–95.
7. M. R. I. Nekvi and N. H. Madhavji, “Impediments to
regulatory compliance of requirements in contractual
systems engineering projects: A case study,” ACM
Trans. Manage. Inf. Syst., vol. 5, no. 3, pp. 15:1–15:35,
Dec. 2014.
8. W. B. Tesfay, P. Hofmann, T. Nakamura, S. Kiyomoto,
and J. Serna, “Privacyguide: Towards an
implementation of the EU GDPR on internet privacy
policy evaluation,” in Proc. 4th ACM Int. Workshop
Secur. Privacy Analytics, 2018, pp. 15–21.
9. Informaticia, “Comply with GDPR,” 2019. [Online].
Available: https://infa.media/2SdyJLQ
10. Greenhouse Support, “Greenhouse, EU compliance,
and the general data protection regulation (GDPR),”
2018. [Online]. Available: https://bit.ly/2tTHrqt
11. McKinsey and Company, “Tackling GDPR compliance
before time runs out,” 2018. [Online]. Available:
https://mck.co/38QeytR
12. K. Dhillon, “How is lever supporting our customers
GDPR compliance efforts?” 2018. [Online]. Available:
https://bit.ly/315fKH8
13. iab.Canada, “GDPR compliance steps,” 2018.
[Online]. Available: https://www.iabcanada.com/
resource/gdpr-update-february-2018-13-key-com
pliance-steps/
14. Intersoft Consulting, “Rights of the data subject,” 2018.
[Online]. Available: https://gdpr-info.eu/art-21-gdpr/
15. M. Brkan, “AI-supported decision-making under the
general data protection regulation,” in Proc. 16th Ed.
Int. Conf. Artif. Intell. Law, 2017, pp. 3–8.
16. European Commission Justice and Consumer,
“Guidelines on automated individual decision-making
and profiling for the purposes of regulation,” 2018.
[Online]. Available: https://ec.europa.eu/newsroom/
article29/item-detail.cfm?item_id=612053
September/October 2020
Authorized licensed use limited to: University of Canberra. Downloaded on October 05,2020 at 06:02:46 UTC from IEEE Xplore. Restrictions apply.
17. T. Zarsky, “The trouble with algorithmic decisions: An
analytic road map to examine efficiency and fairness
in automated and opaque decision making,” in Sci.,
Technol., Human Values, vol. 41, pp. 118–132,
Oct. 2015.
18. J. Selby, “Data localization laws: Trade barriers or
legitimate responses to cyber security risks, or both?”
in Proc. Int. J. Law Inf. Technol., vol. 25, pp. 213–232,
Jul. 2017.
19. D. Kamarinou, C. Millard, and J. Singh, “Machine
learning with personal data,” in Queen Mary School of
Law Legal Studies Research, Nov. 2016. [Online].
Available: https://papers.ssrn.com/sol3/papers.cfm?
abstract_id=2865811
20. A. Datta, S. Sen, and Y. Zick, “Algorithmic
transparency via quantitative input influence: Theory
and experiments with learning systems,” in Proc. IEEE
Symp. Secur. Privacy, May 2016, pp. 598–617.
Fatima Hussain is a security analyst in API Secu-
rity and Governance squad, Royal Bank of Canada
(RBC), Toronto, ON, Canada. She is leading the
development and promotion of new APIs, along with
API security and governance duties. She is also an
Adjunct Professor at Ryerson University, Toronto.
Contact her at [email protected].
Rasheed Hussain is currently an Associate Pro-
fessor with Innopolis University, Innopolis, Russia. His
research interests include information security, cyber-
security, privacy, vehicular networks, blockchain, and
future Internet. Contact him at [email protected].
Brett Noye is the director, responsible for the
API security within RBCs API Platforms team. His
27 years of IT experience spans CableTV Brokerage,
market data, and banking sectors across multiple
roles, platforms, and technologies. Contact him at
[email protected].
Salah Sharieh is the head of digital transformation
at RBC Toronto, Toronto, ON, Canada, having 25 years
of experience in business, technology, and digital
transformation. He is also an adjunct professor at
Ryerson University, Toronto. Contact him at salah.
[email protected].
89