Privacy in the small / Ciclosi, Francesco. - (2025 Apr 14), pp. 1-272.

Privacy in the small

Ciclosi, Francesco
2025-04-14

Abstract

The advent of the General Data Protection Regulation (GDPR) and analogous global data protection laws has profoundly influenced organizations' socio-technical structures, mandating compliance with stringent personal data processing standards. These laws compel entities to critically understand their socio-technical systems, encompassing the complex interplay between legal, managerial, and technical components. This thesis addresses the challenge of ensuring compliance through empirical methodologies and field studies, enhancing both theoretical understanding and practical application. Chapter 2 explores the multifaceted role of Data Protection Officers (DPOs) as mediators between compliance auditors and organizational management. It highlights the tension inherent in their dual role and the socio-technical risks DPOs navigate in diverse operational contexts. Chapter 3 focuses on user understanding of privacy policies across linguistic boundaries, proposing a methodology for creating cross-language comparable corpora. Using English and Italian privacy policies, it showcases how language and cultural adaptations influence user comprehension of technical terms and offers a replicable approach for cross-language research. Chapter 4 extends this work by refining tools for analyzing cross-language privacy policies. By mapping technical terms and assessing their frequency and relevance, it identifies the limitations of automated methods and underscores the importance of manual intervention for nuanced cross-lingual analyses. Chapter 5 examines GDPR implementation in resource-constrained settings, such as schools, revealing gaps between theoretical compliance and practical execution. A risk-based approach is proposed, advocating feasible and continuously improvable data protection practices over rigid adherence to legal stipulations. 
The conclusions (Chapter 6) summarize the findings for cross-language privacy research and practical insights for improving compliance in socio-technical systems.
14-apr-2025
XXXVII
2023-2024
Ingegneria e scienza dell'Informaz (29/10/12-)
Information and Communication Technology
Massacci, Fabio
Varni, Giovanna Paola
no
English
Sector ING-INF/05 - Information Processing Systems
Sector IINF-05/A - Information Processing Systems
Files in this item:
PHD_Thesis_CICLOSI_Final.pdf

open access

Description: Doctoral thesis
Type: Doctoral Thesis
License: All rights reserved
Size: 3.69 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11572/450692