Umeå University's logo

The General Data Protection Regulation has undoubtedly affected our society, both on anindividual everyday level as well as from the greater perspective of companies, the publicsector, and nations. The purpose of the GDPR is to protect the data of European citizens byputting further responsibility on organizations that store individual data. However, as withevery decision, this has had implications that might not have been predicted or accountedfor and which can disrupt its initial cause. Certain industries have been highly regulatedwhen it comes to data even before the GDPR, one of these is the health-tech industry whichmanages medical data which is perceived to be very sensitive and has for example beenregulated through the Patient Data Act.There is currently a research gap regarding how the GDPR has affected organizations andtheir journey toward compliance. This qualitative study was conducted using a criticalrealism perspective with a critical constructivist approach. The study is done incollaboration with the Swedish Kubernetes platform service provider Elastisys. Byconducting interviews with both the company itself and also with some of their health-techclients, as well as looking into cases where healthcare organizations have been fined underGDPR this thesis aimed towards answering the question of, “What effects have the GDPRlegislation had on the health-tech market and how have the organizations within itadapted?”.The result of this thesis show that the organizations have been able to reach compliance andmanage the process, however the implications have been clearer and more understandableas time has passed. This could be partly explained by the growing number of support-toolsand -organizations available today. Furthermore, due to the strong regulations and changingconditions within this particular industry the organizations are used to rapid transitions.Something that has implicated the general digital development of the industry but also madethem more adaptable to changing conditions. When it comes to the health-tech industrythere have been a higher pressure for compliance for those that work with the public sectorin comparison to those working against end users.Alongside the prohibited digital development, the GDPR has had other implications, suchas a gap between legal and technical expertise and conflicts between legal compliance andgeneral data security. Which, if not handled correctly can lead to less secure solutions.Another interesting implication of the GDPR is the indifference of individuals regardingtheir data. In light of this finding, this thesis also aspires to further elaborate on the currentdebate of digital sovereignty and its importance in the context of national negotiations withforeign powers.