TY - UNPB N1 - Copyright © The Author 2025. Original content in this thesis is licensed under the terms of the Creative Commons Attribution 4.0 International (CC BY 4.0) Licence (https://creativecommons.org/licenses/by/4.0/). Any third-party copyright material present remains the property of its respective owner(s) and is licensed under its existing terms. Access may initially be restricted at the author?s request. AV - public Y1 - 2025/02/28/ EP - 187 TI - Privacy at the intersection of technology, business and regulation: A case study of the GDPR A1 - Buckley, Gerard M1 - Doctoral PB - UCL (University College London) UR - https://discovery.ucl.ac.uk/id/eprint/10205245/ N2 - Technological advances have outpaced privacy safeguards, enabling unprecedented corporate and government surveillance that threatens fundamental human rights. Individuals can counter with privacy-enhancing technologies (PETs) and legal options but face an unequal battle. This thesis investigates the effectiveness of the General Data Protection Regulation (GDPR) in redressing this power imbalance by analyzing its impact on key stakeholders since 2018. First, it presents new insights into why business embraced the GDPR. While the benefits to consumers (increased rights) and regulators (stronger powers) are well-documented, the upside for business is less understood. Interviews with senior executives reveal that the threat of fines acted as a catalyst for data infrastructure modernization, strengthening the compliance function and yielding multiple direct and indirect benefits. Second, a consumer survey investigates if those who had worked before, during, and after 2018 in companies that had implemented the GDPR perceived the regulation as beneficial in hindsight. Findings show the regulation sensitized employees to responsible data management within their companies, raising expectations of companies at large. This, in turn, cultivated public support. Third, the research expands our understanding of how regulators are judged. Surveys and interviews with information security executives, digital rights advocates, and regulators unpack subjective effectiveness assessments. A crucial finding is the weak feedback loop: regulators lack robust accountability mechanisms. The thesis proposes standardized reporting practices and Key Performance Indicators (KPIs) to facilitate benchmarking and improve transparency. Finally, new ground is broken by imagining the evolution of the GDPR using future-thinking theory. It identifies four lead indicators to monitor and forecast its positioning and relevance in changing environments. Overall, this thesis deepens our understanding of the success of the GDPR model. It sheds light on the factors underpinning its ongoing support by stakeholders and proposes a framework for evaluating future data protection regulator performance ID - discovery10205245 ER -