2022

Hirvonen, Pauliina

The aim of this qualitative case study is to examine the initial expectations and assumptions related to General Data Protection Regulation (GDPR) of the European Union from the perspectives of selected Finnish organizations: what were the initial expectations of GDPR, how were they adapted/refined over time, and what was the impact on organizational planning and resourcing. There are no precise earlier studies on the subject. The research question was: What were the organizations’ initial expectations of GDPR - and how have they affected the efforts made? GDPR can be described as an input that forms images, preconceptions and views among other things, through various active and passive communication flows. As the empirical results indicate GDPR has been a legal issue, mainly due to the inadequate and unspecific active, official, communication flows. As a result, organizations have experienced difficulties to scale the necessary GDPR efforts. The results of this research can benefit both privacy and information security managers and personnel responsible for aligning policies and practices, and to evaluate organization-specific actions on GDPR compliance. The results can support regulators and authorities in the future GDPR and other policy work and provide ideas for service providers.