UCL Discovery

GDPR and the indefinable effectiveness of privacy regulators: Can performance assessment be improved?

Buckley, Gerard; Caulfield, Tristan; Becker, Ingolf; (2024) GDPR and the indefinable effectiveness of privacy regulators: Can performance assessment be improved? Journal of Cybersecurity (In press). Green open access

buckley_GDPR_2024.pdf - Accepted Version


Abstract

Data protection regulations like the GDPR are increasingly important in securing individuals’ privacy as society goes digital. The success of any regulation, however good, ultimately depends on how well it is executed. Existing literature fails to answer what good execution means in this context. We research what practitioners think are the objectives of data protection regulators and how they evaluate their effectiveness. We explore novel ways to assess regulator performance more systematically. We surveyed 70 Chief Information Security Officers (CISOs) and conducted 23 structured interviews. The interviewees included informed business executives, lawyers, digital rights activists and 4 national regulators. We supplement this with an analysis of diverse enforcement databases. Our findings indicate a mismatch between the broad presumed objectives attributed to regulators and the narrow criteria used to judge them in practice. Perception of the regulator’s effectiveness is subjective, sanctions-focused and influenced by one’s role and responsibilities. Moreover, the independence of regulators, intentionally designed to insulate them from daily politics, raises serious questions of accountability. We examine the historical, cultural and organisational motivations behind the current byzantine complexity of the GDPR regime. Lastly, we contribute a series of key performance indicators and make structural suggestions around centralised and standardised reporting of cases to deliver improved learning, legitimacy, transparency and comparability. We believe our findings have important implications for the future development of regulator assessment and accountability in Europe and in the growing number of GDPR-like regimes outside Europe.

Type: Article
Title: GDPR and the indefinable effectiveness of privacy regulators: Can performance assessment be improved?
Open access status: An open access version is available from UCL Discovery
Language: English
Additional information: © The Authors 2024. This Author Accepted Manuscript is licensed under a Creative Commons Attribution 4.0 International License.
Keywords: GDPR, data protection, privacy, regulation, regulator effectiveness
UCL classification: UCL
UCL > Provost and Vice Provost Offices > UCL BEAMS
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Security and Crime Science
URI: https://discovery.ucl.ac.uk/id/eprint/10195151