Buckley, Gerard; Caulfield, Tristan; Becker, Ingolf; (2024) GDPR and the indefinable effectiveness of privacy regulators: Can performance assessment be improved? Journal of Cybersecurity (In press).
Abstract
Data protection regulations like the GDPR are increasingly important in securing individuals’ privacy as society goes digital. The success of any regulation, however good, ultimately depends on how well it is executed. Existing literature fails to answer what good execution means in this context. We research what practitioners think are the objectives of data protection regulators and how they evaluate their effectiveness. We explore novel ways to assess regulator performance more systematically. We surveyed 70 Chief Information Security Officers (CISOs) and conducted 23 structured interviews. The interviewees included informed business executives, lawyers, digital rights activists and 4 national regulators. We supplement this with an analysis of diverse enforcement databases. Our findings indicate a mismatch between the broad presumed objectives attributed to regulators and the narrow criteria used to judge them in practice. Perception of the regulator’s effectiveness is subjective, sanctions-focused and influenced by one’s role and responsibilities. Moreover, the independence of regulators, intentionally designed to insulate them from daily politics, raises serious questions of accountability. We examine the historical, cultural and organisational motivations behind the current byzantine complexity of the GDPR regime. Lastly, we contribute a series of key performance indicators and make structural suggestions around centralised and standardised reporting of cases to deliver improved learning, legitimacy, transparency and comparability. We believe our findings have important implications for the future development of regulator assessment and accountability in Europe and in the growing number of GDPR-like regimes outside Europe.
Type: | Article |
---|---|
Title: | GDPR and the indefinable effectiveness of privacy regulators: Can performance assessment be improved? |
Open access status: | An open access version is available from UCL Discovery |
Language: | English |
Additional information: | © The Authors 2024. This Author Accepted Manuscript is licensed under a Creative Commons Attribution 4.0 International License. |
Keywords: | GDPR, data protection, privacy, regulation, regulator effectiveness |
UCL classification: | UCL; UCL > Provost and Vice Provost Offices > UCL BEAMS; UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Security and Crime Science |
URI: | https://discovery.ucl.ac.uk/id/eprint/10195151 |