FACING LEGAL UNCERTAINTY IN INFORMATION SYSTEM DEVELOPMENT: The role of the project team in achieving compliance

Abstract

With the growing use of personal data, laws and regulations aim to ensure privacy to the user, especially within information systems (IS). These regulations can be difficult to put into practice by developers and so previous research has aimed to use frameworks using privacy by design (PbD) principles to help developers make compliant IS. However, past literature has not focused on the project team at large and their capabilities when faced with legal uncertainty that poses unclear, uncertain requirements, and need for context specific solutions. This study follows a qualitative research approach through a case study based on document analysis and semi-structured interviews with eight participants involved in the digitalisation of the Swedish national tests at Skolverket (the Swedish National Agency of Education). During the development, Skolverket were faced with dealing with the Schrems II ruling, a ruling which created legal uncertainty regarding the processing of personal data. A thematic analysis was conducted to identify key patterns and insights related to agile practices and knowledge sharing when dealing with the ruling. The findings show how external collaboration, engagement with the stakeholder and collaboration between expert roles ensured compliance. The project team had a process-oriented focus where they contextualised the problem involving a social aspect. The study has shown that existing PbD frameworks lack the socio-technical view of compliance, and that through the inclusion of organisational capabilities like agile practices, external collaboration and effective knowledge sharing, project teams can face legal uncertainty.