CRITICAL SUCCESS FACTORS AND BARRIERS AFFECTING THE SUCCESSFUL IMPLEMENTATION OF THE GENERAL DATA PROTECTION REGULATION: A multiple case study of three companies operating in the banking and insurance industry

Abstract

Purpose: This master thesis aims to identify the most important critical success factors (CSFs) and barriers when implementing the GDPR, as well as how these impacted the implementation in three companies within the banking and insurance industry. Design/methodology/approach: Multiple case study of three banking and insurance companies. A total of 11 key participants was interviewed, in addition to a survey with 30 respondents, where all were from the three companies. Additional documents was provided by the companies. Findings: The most important CSFs found were: Top management support, sufficient resources put into the project, employees with sufficient competence on the subject, having a core team that shares their expertise and recommendations, starting early, and information and awareness regarding the GDPR and the project. The most important barriers found were: complex issues and solutions, gap between those who understand the law and those who are going to execute the law, time pressure, difficulties with interpreting the regulation, and lack of understanding the regulation and what it means for the business. How these impacted the implementation of the GDPR was also discovered. Implications: This research highlights three practical implications: first, it was more important to focus on the barriers than the CSFs. Second, the CSFs and barriers depend on each other by being intertwined due to the complex nature of the project to ensure a successful implementation of GDPR. Third, which CSFs and barriers the companies consider as important when implementing the project, as well as when they are important, depend on what the companies consider as their implementation process. This thesis also provides theoretical implications by uncovering two CSFs and four barriers for GDPR implementation not identified in previous research which provides extensive knowledge to this field. Future research: Future research should focus on whether the identified CSFs and barriers in this study differ between projects and industries, as well as rank them in terms of importance. Moreover, future research should use other research methods when investigating the findings in different contexts. Key words: General Data Protection Regulation (GDPR), project implementation, project success, critical success factors (CSFs), barriers, barriers for implementation, CSFs to project implementation, project management, banking, insurance.