The purpose of this work is to check how companies have been adapted to the General Data Protection Regulation, both in terms of routine work and changes that they have implemented. The work addresses how companies have changed their routines regarding backups of critical business data and routines about the right to be forgotten.
At the end of this work, the GDPR will come into force (25th of May 2018) and therefore all activities should have implemented some form of change in view of the changed legislation that will apply. Since GDPR is a new legislation (which has been up to date in the past 2 years), some work is being done about just GDPR and what business changes should be made. However, no focus has been on how companies should adapt their routines about backups and how businesses should reason about the right to be forgotten. This makes this work very relevant as this is something that many businesses should have changed, thought about and documented.
The method used in this study is a qualitative form, in which interviews have been conducted with representatives from different activities in the development industry. The businesses sell their software and services to customers, and they often handle large amounts of personal information that either passes through the systems or is stored with them. The organizations interviewed have been working for GDPR for a while. In several of the cases a year back to ensure that their actions are in line with the GDPR.
Five interviews were conducted in full. Then a thematic analysis has been conducted on the results ofthe interviews. The interviews focus on whether and what changes the companies have made and how it looks today. Following the analysis, it is clear that companies have made certain changes inthe organization, but to a large extent these changes have only been conducted in terms of checking where information is available and documentation about this and the different routines available at the company.