eprintid: 10205245 rev_number: 12 eprint_status: archive userid: 699 dir: disk0/10/20/52/45 datestamp: 2025-03-06 14:35:27 lastmod: 2025-03-06 14:35:27 status_changed: 2025-03-06 14:35:27 type: thesis metadata_visibility: show sword_depositor: 699 creators_name: Buckley, Gerard title: Privacy at the intersection of technology, business and regulation: A case study of the GDPR ispublished: unpub divisions: UCL divisions: B04 divisions: F52 note: Copyright © The Author 2025. Original content in this thesis is licensed under the terms of the Creative Commons Attribution 4.0 International (CC BY 4.0) Licence (https://creativecommons.org/licenses/by/4.0/). Any third-party copyright material present remains the property of its respective owner(s) and is licensed under its existing terms. Access may initially be restricted at the author’s request. abstract: Technological advances have outpaced privacy safeguards, enabling unprecedented corporate and government surveillance that threatens fundamental human rights. Individuals can counter with privacy-enhancing technologies (PETs) and legal options but face an unequal battle. This thesis investigates the effectiveness of the General Data Protection Regulation (GDPR) in redressing this power imbalance by analyzing its impact on key stakeholders since 2018. First, it presents new insights into why business embraced the GDPR. While the benefits to consumers (increased rights) and regulators (stronger powers) are well-documented, the upside for business is less understood. Interviews with senior executives reveal that the threat of fines acted as a catalyst for data infrastructure modernization, strengthening the compliance function and yielding multiple direct and indirect benefits. Second, a consumer survey investigates if those who had worked before, during, and after 2018 in companies that had implemented the GDPR perceived the regulation as beneficial in hindsight. Findings show the regulation sensitized employees to responsible data management within their companies, raising expectations of companies at large. This, in turn, cultivated public support. Third, the research expands our understanding of how regulators are judged. Surveys and interviews with information security executives, digital rights advocates, and regulators unpack subjective effectiveness assessments. A crucial finding is the weak feedback loop: regulators lack robust accountability mechanisms. The thesis proposes standardized reporting practices and Key Performance Indicators (KPIs) to facilitate benchmarking and improve transparency. Finally, new ground is broken by imagining the evolution of the GDPR using future-thinking theory. It identifies four lead indicators to monitor and forecast its positioning and relevance in changing environments. Overall, this thesis deepens our understanding of the success of the GDPR model. It sheds light on the factors underpinning its ongoing support by stakeholders and proposes a framework for evaluating future data protection regulator performance date: 2025-02-28 date_type: published oa_status: green full_text_type: other thesis_class: doctoral_open thesis_award: Ph.D language: eng primo: open primo_central: open_green verified: verified_manual elements_id: 2364324 lyricists_name: Buckley, Gerard lyricists_id: GBUCK23 actors_name: Buckley, Gerard actors_id: GBUCK23 actors_role: owner full_text_status: public pages: 187 institution: UCL (University College London) department: Computer Science thesis_type: Doctoral editors_name: Becker, I editors_name: Caulfield, T citation: Buckley, Gerard; (2025) Privacy at the intersection of technology, business and regulation: A case study of the GDPR. Doctoral thesis (Ph.D), UCL (University College London). Green open access document_url: https://discovery.ucl.ac.uk/id/eprint/10205245/2/GBThesis_Final.pdf