Towards explaining implementation and internalization of GDPR compliance practice

Abstract

The purpose of this thesis is to investigate the compliance of GDPR practices in Norwegian organizations. Two dimensions are used to assess compliance: Implementation and internalization. We utilize a cross-sectional research design and collect data by the use of an online survey. After distributing the survey to all DPOs registered at Datatilsynet we ended up with an operating sample of 252 responses for our analysis. The data was analyzed with multiple linear regression models. The results show that value-based communication, the strategic value of data, DPO involvement and being a private organization are positively related to the implementation of compliance with the GDPR. For internalization we found the most important factors to be value-based communication and the strategic value of data. Limitations of this paper include the inability to establish causality due to research design and only having one respondent per organization with questions relying on personal judgement. This makes objective measurements challenging and limits the potential of testing the involvement construct. Future researchers should apply a longitudinal study and collect responses from more than one individual within each organization in order to get a more accurate picture of each organization’s actual comprehension of the GDPR compliance. Keywords: GDPR; adoption of practices; Norwegian organizations; implementation; internalization.