Abstract/Summary

The existing cybersecurity and data privacy landscape presents a significant challenge to organisations. The volatile technology landscape characterised by innovative technologies such as AI, cloud systems, and enterprise resource systems poses further challenges, and changing regulation exerts complexity to enhance compliance adherence. Despite robust frameworks, policies, and guidelines to address these challenges, issues persist, and organisations need help managing compliance adherence efficiently. With GDPR 2018, the organisation required large-scale changes to meet the requirements, amend processes, develop new procedures, and align with the evolving regulatory standards. A lack of research exists reviewing challenges and issues at various organisational levels holistically due to regulatory change. Research gap with a security perspective also persists in institutional theory and logics. This research aims to verify how data privacy and security regulations are embedded in the organisation, the critical challenges in strategising and forming policies, and their impact on information systems and data processing. The study adopts and investigates governance, security, data protection, privacy and compliance issues in a private organisation as its case. The study contributes by broadly assessing the complexities and concerns within security, legal, management, and technical teams due to regulatory change. The study confers that regulatory change and evolving requirements create complexity, conflicts, and contradictions that affect the organisation internally and its external partners. This study shows that regulations such as GDPR are dynamic and impact logics, routines, behaviours, and ongoing practices. The actors and their material practices, confined identities and experiences are impediments to acceptance and adherence required to stay compliant. However, the evidence also indicates the efforts and opportunities foreseen due to the regulation. Additionally, the organisational actors endeavoured to form norms and policies amidst the challenging corporate variants and the landscape. The study shows the strategic inter-relationship between various business functions, conflicts experienced, and their endeavours to coordinate with governance and compliance. Findings also indicate that new institutional logics evolved, and rather than deinstitutionalisation, regulatory change instigated layers of re-evolved processes. Legitimacy was crucial for the organisation due to GDPR and other Regulatory standards. The study indicates the approach and techniques practised to achieve legitimacy and conflicting logics experienced by the professionals. Additionally, it structures various findings assessed by refining them into aggregate dimensions and themes to help the practitioners with a model to determine comprehensive regulatory and compliance issues.