
GDPR in Small Business: The Antecedents of Compliance


Academic year: 2021


GDPR in Small Business:

The Antecedents of Compliance

Master Thesis

MSc Business Administration – Small Business and Entrepreneurship

University of Groningen Faculty of Economics & Business

January 2019

Written by: Dex Hartman

S2425610

Supervisor: Dr. O. Belousova Co-assessor: Dr. E.P.M. Croonen


Abstract

The introduction of the General Data Protection Regulation (GDPR) in 2018 has caught many small business owners by surprise. The compliance of these small firms with the GDPR has been estimated and many firms were not ready on the effective date. Several months prospects of compliance rates remain negative.

This study aims to contribute to the understanding of GDPR compliance in small business. It also contributes to the literature on regulation compliance and application of the Theory of Planned Behaviour (TPB) by Ajzen (1985; 1991). The research focusses on the intention to comply with the GDPR regulation amongst small businesses.

New regulations like the GDPR require an additional effort from most companies, negatively affecting their financial health. This makes the insights of this study important for policymakers, concerned with compliance rates in small businesses, allowing for a better understanding of the obstacles, faced by these small firms.

For this thesis, we build on three streams of literature. First, the proposed antecedents are sourced from the literature on the TPB, including attitude, subjective norms and perceived behavioural control (PBC). An additional antecedent from the literature on extensions of the TPB is included, namely perceived moral obligation. Finally, literature on the compliance and legitimacy relation, indicated the importance of distributive and procedural justice.

The study used the responses from 52 small companies to a questionnaire about GDPR compliance. The results indicate that subjective norms and legitimacy positively influence intentions. Attitude, perceived behavioural control and perceived moral obligation do not directly affect intentions to comply. The effects of legitimacy, attitude and PBC are mediated by subjective norms, where both positively affect subjective norms, resulting in an indirect effect on intentions. Perceived moral obligation is mediated by legitimacy and subsequently by subjective norms, with a resulting indirect effect on intention to comply. The implication for policymakers is that legitimacy and subjective norms play an important role in determining compliance intentions. Because legitimacy can be influenced by policymakers during the development, it’s important to consider procedural and distributive justice when compliance by small businesses is desirable.


Table of contents

1 Introduction

2 Literature review

2.1 The GDPR

2.2 Regulatory compliance in small businesses

2.3 Intention Models

2.4 Theory of planned behaviour

2.5 Extension of the Theory of planned behaviour

3 Method

3.1 Sample

3.2 Measurements

3.2.1 Dependent variable: Intention to comply with the GDPR

3.2.2 Independent variables

3.2.3 Control variables

3.3 Data Analysis

3.3.1 Open-Question analysis

4 Results

4.1 Hypothesis testing

4.2 Additional analyses

4.3 Hypothesis results

5 Discussion, conclusions and implications

5.1 Discussion

5.2 Conclusions

5.3 Implications

6 Limitations and future research

7 Appendix

7.1 Appendix I – Questionnaire and question sources

7.1.1 Questionnaire

7.1.2 Question sources

7.2 Appendix II – Mann-Whitney U test


1 Introduction

In order to regulate personal data collection and storage, the European Commission has introduced the General Data Protection Regulation (GDPR), effectuated on the 25th of May 2018. Since the introduction of the regulation and its effective date, academics and research companies have tried to estimate the readiness of companies across the globe, concluding that many companies did not expect to be and were not compliant on the effective date of the GDPR (Iannopollo, 2018; Gartner, 2017; Ponemon, 2018). The research by Ponemon (2018) estimated the readiness in different contexts, including company size and industry. Their research indicates that it’s the smaller companies that were least certain about their compliance (Ponemon Institute LLC, 2018). Research on regulation compliance of small business points to a comparative resource disadvantage of small companies as a general cause of poor compliance rates (Fletcher, 2001; Gunningham, 2002). Brexit is an example of a complication for business owners with regards to the GDPR, where a no-deal situation would lead to the UK being considered a ‘third country’, meaning data transfer to the UK becomes more complicated (Moerel and Tigner, 2016).

There exists a body of research on personal data and privacy concerns (Malhotra, Kim & Agarwal, 2004). At the centre of the attention are corporations like Facebook and Google, who have been collecting data on a large scale for a while (Curran, Graham and Temple, 2011). In 2018, Facebook and its CEO, Mark Zuckerberg, were confronted with multiple digital privacy breaches, including the scandal surrounding the US elections in 2016 and a large-scale data leak in 2018. Data breaches have been common, and privacy of users has been violated (Edwards, Hofmeyr and Forrest, 2016). The threat of privacy breaches is however not limited to the data held by these larger companies. Information about previous breaches is publicly available online (haveibeenpwned.com, 2018). The collected information contains details from different hacks and breaches. The lists not only contains companies and platforms of varying sizes. The cost of data storage and processing is constantly decreasing, and smaller businesses see the value of customer data and start using it for marketing purposes (Russom, 2011). Anyone who deals with personal information is responsible for that data and should thus control and secure it properly (Russom, 2011). Efforts are thus required to ensure sufficient security and adequate practices surrounding personal data. Aside from secure storage and transfer, other practices, like data mining and obtaining personal information from public sources, are another privacy risk (Al-Saggaf & Islam, 2015).


storage, processing and analysis of personal data from EU citizens, within or outside the European Union.

In this thesis, we investigate compliance in small companies, since the regulation of small companies is often challenging and requires special attention from policymakers (Gunningham, 2002; Poutziouris and Chittenden, 2003). According to Poutziouris and Chittenden (2003), the impact from regulation is often more severe for SMEs, because of the complexities of the regulation and inability to spread the costs. Small businesses have a large influence in countries like The Netherlands, where SMEs earn 61% of GDP in 2013 (CBS, 2015). For policymakers it’s thus important to incorporate the small businesses and their difficulties in the adaptation to new regulations. Because of the recent implementation of the regulation, a thorough and quality assessment of the situation for small companies specifically has not yet been executed and published. In an earlier master thesis, Faradina (2017) analysed GDPR compliance, before the effective date of the regulation, using a reduced version of the Theory of Planned Behaviour (TPB) to characterize the companies’ motivations and intentions. In her study she investigated the antecedents in larger companies. This current research is timed shortly after the effective date and contributes to the by focussing specifically on small companies.

The lack of confidence and seemingly poor compliance rates of companies, and specifically of smaller companies, has led to the following research question:

• “What factors influence the compliance of small companies with the GDPR?”

The Theory of Planned Behaviour by Ajzen (1985, 1991) can help us find antecedents of intentions and behaviour and identify potential obstacles for compliance in small companies. In their meta-analysis on the efficacy of the TPB, Armitage and Conner found the TPB to explain 27% of behaviour variance and 39% of intention variance. The applicability of the TPB in entrepreneurship research has been proven by researchers, like Krueger and Carsrud (1993). Their research corresponds with Bird (1988) and Katz and Gartner (1988), who argue that entrepreneurship behaviour is characterized by intentionality.

When it comes to regulatory compliance, Sutinen and Kuperan (1999) and Sunshine and Tyler (2003) argue that procedural justice and the legitimacy of the authority influence compliance. Murphy, Tyler and Curtis (2009) add that laws are to be deemed legitimate, before procedural justice influences compliance behaviour. Based on research by Sutinen and Kuperan (1999) and Tyler (2006), I expect legitimacy of the GDPR and the authority as an antecedent of intentions. The current


An extension of the TPB, with perceived moral obligation as an additional antecedent was introduced by Ajzen (1991) and Beck and Ajzen (1991) and is included in this thesis.

From the field of law and regulation, the concept of legitimacy is introduced to the model. A large body of research has focussed on the effect of legitimacy on regulatory compliance, suggesting increasing compliance, following higher perceived legitimacy (Sutinen and Kuperan, 1999; Murphy, Tyler and Curtis, 2009; Tyler, 2001). For this thesis, legitimacy relates to the perceived fairness of the GDPR regulation and whether the authority uses fair procedures, according to the small businesses. The aim of this thesis is to investigate what drives small businesses to potential compliance, looking at manager intentions through the extended TPB and theories on legitimacy. It investigates the willingness and ability of small companies – by adjusting their business practices and processes – to comply and tries to identify possible obstacles. An advice for policymakers is developed, by determining potential room for improvement regarding the implementation of the GDPR in small businesses.

2 Literature review

2.1 The GDPR

The GDPR is EU legislation that went into effect on the 25th of May 2018, replacing the data protection directive (European Commission, 2018). It concerns privacy of EU citizens and any party that uses and stores this private information, whether they are based inside or outside of the European Union (European Commission, 2018).

As a framework law, it introduces principles and rules for handling personal data, linked to the European Union’s market (Albrecht, 2016). Because these principles and rules are context specific and require interpretation, different levels of compliance are possible. This continuum of compliance allows some room for interpretation. The regulation says that all, but not limited to, small businesses in the Netherlands need to comply with the regulation, meaning the business processes of a company should conform with the rules and principles.


reports, detailing which data they hold on that individual, they are obliged to notify authorities and affected individuals in case of a breach and in some situations are required to appoint DPOs (data protection officers). The previously mentioned aspects are examples of the aspects that are relevant and require attention from small business owners. Due to its nature as a framework law, firms have to identify business practices which incorporate private data, potentially adapt these practices and document their policies.

2.2 Regulatory compliance in small businesses

Motivations for compliance are likely to be different in SMEs when compared with large corporations (Gunningham, 2002), due to limited financial resources, management capabilities and the knowledge and skills of staff (Jaquemin, 2009; Fletcher, 2001).

It is expected that this relative knowledge disadvantage in small businesses translates to the field of privacy and data protection. A more financially constrained small business has less room for investment in adaptations, to comply with the GDPR, largely because of the inability of spreading costs (Poutziouris and Chittenden, 2003). Furthermore, due to a less diverse working force and thus less specialization within the firm, I expect that small businesses – managers and staff combined – have less knowledge regarding the privacy law than larger firms (Fletcher, 2001). This current lack of knowledge, combined with complexity of regulation, increases the difficulties faced by small companies (Poutziouris and Chittenden 2003), and potentially increases the required investments even further.

Another complicating factor is that enforcement of regulation for small businesses in itself is another source of difficulty for the authorities (Gunningham, 2002). Due to this difficulty, if the authorities mainly focus on larger players, the perceived risks are expected to decrease for small companies. This lower perceived risk and the large fines would be an example of the neoclassical deterrence model, as previously defined (Sutinen and Kuperan, 1999). Taking these aspects together, it’s expected that small businesses are less motivated than larger firms to invest in GDPR compliance, especially when this regulation is still in an early phase of implementation.

2.3 Intention Models

In order to explain behaviour, studies have shown the explanatory power of intention models, like the TPB and Shapero’s model of Entrepreneurial Event (SEE) (Krueger, Reilly and Carsrud, 2000). The underlying concept of these models is the influence of intentions on target behaviour and


Compared to the TPB, SEE has a volatile component of ‘propensity to act’, which is related to ‘learned optimism’ and depends on the locus of control (Krueger, et al., 2000).

Krueger, et al. (2000) tested the TPB and SEE models in an entrepreneurial context and found that intentions are the best predictor for any planned behaviour, they found that personal and situational variables usually influence entrepreneurship indirectly and they generally concluded that the tested intention models were versatile and robust.

Krueger, et al. (2000) find the SEE model to be fully significant, whilst the subjective norms construct in the TPB is not. One explanation is by Reitan (1997) who argues that subjective norms would mediate attitudes. With regards to the insignificance of subjective norms in the study by Krueger, et al. (2000), one could argue that privacy rights are controversial and different groups of people have opposing or conflicting opinions on the matter, making the separate subjective norms component of the TPB a concept of interest for this thesis. The model choice for this thesis, the TPB, results from the contextual difference of this thesis about the privacy regulation, compared to the study of Krueger, et al. (2000) and because the main application of the SEE involves entrepreneurial intent.

2.4 Theory of planned behaviour

Theory of planned behaviour, proposed and developed by Ajzen, lends itself to investigate personal motives and willingness in relation to changes (Krueger and Carsrud, 1993). According to Ajzen (1991) behaviour can be predicted by intentions, which subsequently can be predicted by attitudes, subjective norms and perceived behavioural control. Intentions to comply with the GDPR are expected to result in adaptations in the processes and systems in small businesses.


This study on GDPR compliance looks at the ‘intention to comply with the GDPR regulation’, which implies that compliant companies went through some process of becoming compliant. The assumption is that, by default, a company will have to at least put limited effort into becoming compliant or confirming compliance. Limited effort could for instance be the correct documentation of existing compatible practices.

Attitude

Attitude relates to the personal desirability of performing the behaviour and related consequences (Krueger, et al., 2000). The attitude construct thus measures the global evaluation of target behaviour (Armitage and Conner, 2001) and motivational factors (Ajzen, 1991). According to the TPB (Ajzen, 1985; 1991), positive attitude towards the behaviour is positively related to intentions towards target behaviour.

Bagozzi and Kimmel (1995) have argued that the attitude – intention relation is mediated by desire towards the behaviour outcomes. Inclusion of information with regards to desires can thus strengthen a TPB model. For this thesis however, I would argue that the desire to safely manage personal data is less relevant because a company does not need to comply with the GDPR to safeguard someone’s data.

We would argue that, in case of the GDPR, attitude is most relevant when considering the adaptations and investments that are required for compliance. Due to complexity of the regulation, adaptations can be complex as well and attitude likely results from the perceived efforts it requires. Whether attitude will influence intentions towards GDPR compliance depends on whether an entrepreneur perceives to have a choice with regards to compliance (Ajzen, 1991). One may argue that – the GDPR being a national regulation – any entrepreneur has to fully comply. In that case, attitude should have no effect on intention, as the entrepreneur’s attitude doesn’t matter for the outcome.

Because the GDPR is a framework law however, allowing some interpretation and room for the entrepreneur to choose a level of compliance, opportunistic behaviour may occur in small companies, by taking a risk and opting for a minimum or low level of compliance. In that case, attitude would be expected to influence the position of the company on the compliance continuum.

The expected relation between attitude and intention towards compliance behaviour is ambiguous and depends on the perceived choice ability in small companies.


Subjective Norms

The aspect of subjective norms relates to the perceived desirability of behaviour or behaviour consequences for others that are important or related to the person (Rivis and Sheeran, 2003). According to the TPB, subjective norms are expected to be positively related to intentions (Ajzen, 1985; 1991).

Armitage and Conner have recognized low predictive power of subjective norms in their meta-analysis, however they attribute this weak performance to single-item measurement of the construct. An important distinction between injunctive norms (what others think) and descriptive norms (what others do) is made by Rivis and Sheeran (2003). The researchers propose descriptive norms to be included as a separate predictor of intentions, arguing it adds significantly to the overall TPB (Rivis and Sheeran, 2003). Ajzen (2002) and Francis et al. (2004) include measurement of injunctive and descriptive subjective norms questions in their manuals, in correspondence with Rivis and Sheeran (2003). The construct of subjective norms is then a combination of injunctive and descriptive norms. In their research, Poulter, Chapman, Bibby, Clarke and Crundall (2008) have applied the TPB in case of regulatory compliance, in the domain of driving behaviour. For this thesis, we argue that their result is relevant, because of their appropriation of the construct of subjective norms, which focusses on regulatory compliance, rather than influence of negative outcomes of bad driving behaviour. They found a direct and positive relation between subjective norms and intention to comply (Poulter, et al. 2008).

With regards to GDPR compliance, subjective norms can relate to the norms for regulation compliance and norms about privacy and the protection of privacy. Subjective norms can stem from business relations or clients, who share information with the company. When a company perceives pressure to carefully manage data, this company may be motivated to comply with the GDPR. For instance, when an entrepreneur can communicate the security of personal data at the company, through documentation on privacy protection (required by the GDPR) this may signal a high privacy standard. It is thus expected that, when an entrepreneur experiences more pressure towards either general compliance with regulation or with protection of data within their company, intentions to comply with the GDPR increase.


Perceived Behavioural Control

Ajzen describes the aspect of perceived behavioural control (PBC) as “the perceived control over performance of a behaviour” (Ajzen, 2002, p. 668). Ajzen (1991; 2002) argues the concept of PBC is most compatible with Bandura’s (1998) definition of efficacy. In this article, Bandura defines self-efficacy as “beliefs in one’s capabilities to organize and execute the courses of action required to produce given levels of attainments”. De Vries, Dijkstra and Kuhlman (1988) use self-efficacy as the ‘third’ factor, explaining intentions next to subjective norms and attitude.

PBC however is more focussed on control of performance, rather than control over outcomes (Ajzen, 2002). For this reason, Ajzen (2002) introduced controllability as a second aspect which is captured by PBC. He describes controllability as the extent to which an actor can control the performance of target behaviour, and is thus partially responsible for it (Ajzen, 2002). In correspondence with Ajzen (2002) the concept of self-efficacy and controllability together will be used to define PBC.

Aside from its proposed relation with attitudes, Ajzen (1991) argues that PBC has a direct relation with target behaviour, together with attitude. Aside from an argument of confidence influencing perseverance in performing target behaviour, he argues that perceived behavioural control and actual behavioural control are often directly related (Ajzen, 1991).

Related to the implementation of the GDPR, the self-efficacy construct of PBC indicates whether a manager or business believes the company has or can acquire the knowledge and skills and use it effectively to become compliant with the introduced regulation, for instance by making changes to certain business practices. In this thesis, we expect that small business owners perceive the law as relatively complex and thus, actual resource restrictions may translate partially into perceived resource restrictions, since the companies base themselves on expectations with regards to the required costs and effort.


resources and potentially dependent on other companies and lack control, perceived behavioural control is expected to positively impact intentions to comply, aside from potentially having a direct relation with target behaviour.

• H3: Higher perceived behavioural control leads to higher intentions to comply with the GDPR regulation.

TPB-model in GDPR context

Taking these core concepts of the Theory of Planned Behaviour, the discussed TPB model is depicted in figure 1. The target behaviour is defined as compliance of the business or business practices with the principles of the GDPR. The relation between PBC and compliance behaviour is not measured in this study. The cross-sectional study design does not allow for measurement of behaviour outcomes, which requires a longitudinal design. Model 1 will include the three antecedents and their relation with intention towards compliance behaviour. Aside from the relations with intention, the antecedents are expected to correlate with each other, reflected by the relations between them (Ajzen, 1991).

Figure 1 – GDPR compliance model of the Theory of Planned Behaviour

2.5 Extension of the Theory of planned behaviour

Perceived moral obligation


Ortberg, 1983; Beck and Ajzen, 1991). The role of ethics becomes prevalent when considering big data and the commercial value of data (Richards and King, 2014). In line with a potential moral obligation to respect someone’s privacy, to limit the collection and commercialization of data, some key principles of the GDPR are purpose limitation and data minimization (European Commission, 2018). Because of this moral component of the GDPR, I expect the moral obligation of privacy protection to positively influence the willingness to invest in GDPR compliance.

• H4: Higher perceived moral obligation related to privacy protection leads to higher intentions to comply with the GDPR regulation.

Legitimacy

As a potential antecedent of regulatory compliance, Sutinen and Kuperan (1999) propose legitimacy of the authority as a factor in determining PMO and subjective norms. The researchers argue that legitimacy can be seen as loyalty towards the regulation and a regulative authority (Sutinen and Kuperan, 1999). Tyler (2006) defined legitimacy as “a psychological property of an authority, institution, or social arrangement that leads those connected to it to believe that it is appropriate, proper, and just”.

Early studies suggested the use of threat or punishment to motivate compliance (Tyler and Jackson, 2014; Sutinen and Kuperan, 1999). Costly enforcement of the regulation leads to a low perceived probability of being punished, but high-cost penalties (Sutinen and Kuperan, 1999). The researchers notice that policies are often designed without recognizing the effect of these policies on compliance behaviour and when the implementation of the regulation goes wrong, the authorities resort to more and better, but costly enforcement (Sutinen and Kuperan, 1999). In order to enforce the new GDPR, the EU has appointed Data Protection Authorities in each nation. These authorities supervise the application of the Data Protection Law (European Commission, 2018) and have coercive powers. The fines can take on significant proportions, up to 20 million euros or 4 percent of global annual turnover. With these high fines and difficult enforcement, one can argue that the GDPR follows this model.


social values (Tyler, 2001). A concept which influences whether an authority is perceived as legitimate is procedural fairness, which relates to relational concerns, like trustworthiness of the authority (Tyler and Mitchell, 1993). According to Tyler and Mitchell (1993) and Sutinen and Kuperan (1999) distributive justice is the second most important concept in determining legitimacy. Distributive justice is a result of comparing outcomes with past outcomes – benefits or sacrifices – or outcomes by others (Crosby, 1976), described by Tyler and Mitchell (1993) as resource concerns. Sutinen and Kuperan (1999) argue that legitimacy can positively influence behaviour, through an interaction with PMO and subjective norms. They argue that when the regulation is perceived as fair by a community, the social pressure to comply with the regulation within that community increases (Sutinen and Kuperan, 1999). In the present study, legitimacy of the authority is thus expected to influence intentions to comply, either directly or mediated by PMO or subjective norms.

• H5: Higher legitimacy leads to higher intentions to comply with the GDPR regulation.

• H5a: Higher legitimacy leads to higher intentions to comply with the GDPR regulation, mediated by (I) subjective norms and/or (II) perceived moral obligation.

• H5b: The relation between (I) subjective norms and/or (II) perceived moral obligation with intention to comply with the GDPR regulation is moderated by legitimacy.

3 Method

The study is of quantitative and qualitative nature, using a questionnaire to test the hypotheses and additional open questions for qualitative analysis. The questionnaire items are based on the extended version of the Theory of Planned Behaviour, categorizing the questions related to the implementation of the GDPR based on the different aspects of the model. Additionally, questions are added from the literature on legitimacy and regulation compliance. The full questionnaire can be found in Appendix I. All main constructs for the analysis were measured using 7-point Likert scales. The questions were designed using the method of direct measurement, as described by Francis, et al. (2004). Confirmatory factor analysis is done for each of the constructs by calculating Cronbach’s Alpha, testing whether the items in the questionnaire correspond with the defined constructs. According to Francis, et al. (2004) items can be omitted if this improves the internal consistency of the construct.


The hypotheses are tested using standard-linear regressions with multiple independent variables. This regression method returns the explanatory power of the model with the adjusted R-square and allows for hypothesis testing, based on significance levels. To allow for direct comparison between predictors in the regression analyses, the coefficients in the regressions are standardized (Kline, 2015, p. 21). A second reason for the use of standardized coefficients is the moderator analysis, in which the interaction variable is a product of two standardized variables.

To create more context and allow for a broader discussion, the questionnaire included open ended questions. These were not required to finish the questionnaire but allow for a better interpretation of the data. The answers were coded and compared with the outcomes of the questionnaire. The questionnaire was pre-tested by three individuals, determining the quality of the questions. Based on their interpretation of the questions, items were reformulated or removed from the questionnaire and the corresponding construct.

3.1 Sample

The questionnaire was sent by e-mail to 239 companies, with the request to fill-out the form. In return, a factsheet with results was offered to the companies. The privacy of all participants was guaranteed, and no company details were required for participation. The invite list with e-mails consisted of different companies from five different major cities in the Netherlands. The list was obtained manually, leveraging the websites of shared office buildings, where companies can rent offices. This means all respondents were currently or recently renting an office in such a building. Because no other companies were emailed, the recorded responses are from companies in this group.

We argue that companies in these office buildings are relevant for this research, because they frequently categorize as service companies and they can serve both private and business customers. Compared to incubated companies, companies in shared office buildings can vary significantly in their age and growth rates and share many relevant characteristics with small businesses that are individually located. Since the e-mails were gathered from their websites, the companies had online presence, which often involves at least minimal data collection of visitors on a website.


after which 10 complete and 8 partial responses were started and recorded. The partial responses included 3 responses with sufficient completion.

Five responses were from companies with more than a hundred employees. Because they do not fall in the ‘small company’ category for this thesis, their responses are excluded from the analyses, leading to a final dataset with 52 responses.

The response rate for the questionnaire was 23,8% (past the control question) and 19,2% (100% of the required questions completed). 21 companies asked to receive the factsheet in return for their response. For the main constructs in this thesis, at least 48 responses were recorded. Bentler and Chou (1987) argued in favour of the N:q rule, where the predictive power is a function of sample size and the number of constructs. The rule of thumb is that a minimum of 5:1 is required for SEM methods, like a regression analysis, though higher ratios are preferred (Bentler and Chou, 1987). This thesis, with a maximum number of 7 constructs in a model, has a minimum ratio of 6.9, making statistical analyses worthwhile.

To deal with non-response bias, a Mann-Whitney test is used to differentiate between early and late respondents. The late respondents are defined as responses started and recorded after the reminder was sent to the companies (13 companies). All variables used in this study are tested between the groups. The results of the Mann-Whitney U test can be found in Appendix II. Between the normal and late respondents, none of the variables indicates a statistical difference between the groups. This leads to the assumption that non-response bias is also not significant for this study.

3.2 Measurements

In this section the dependent, independent and control variables are explained. The manual by Francis, Eccles, Johnston, Walker, Grimshaw, Foy, Kaner, Smith and Bonetti (2004) and the article by Ajzen (2002) are used to develop measurements for the concepts of the TPB with regard to the GDPR. These concepts are intentions, attitudes, subjective norms and perceived behavioural control. The full list of questions and the corresponding literature sources are available in Appendix I (8.1.2). The constructs are coded such that higher values and positive betas correspond with higher values of the constructs (positive coding).

3.2.1 Dependent variable: Intention to comply with the GDPR

The intention to comply with the GDPR is the dependent variable for this study. It measures whether the small business has the intention to comply with the regulation. The concept was measured with three items in the questionnaire, following Ajzen’s (2002) recommended questions for the


‘plan’, the behaviour in question and a time boundary. For this study, the time boundary was set to the 25th of May 2019, which is a year after the effective date of the regulation and 6 months from the moment at which the questionnaire was sent. Cronbach’s Alpha based on the three questions was 0.890, which is above the cut-off point. The inter-item correlation is high for the three items; however, previous studies have shown high external validity for the construct, thus all three items are kept, and intention is the mean value.

3.2.2 Independent variables

Attitudes, subjective norms, PBC and PMO are the independent variables in the extended version of the Theory of Planned Behaviour.

Attitude was measured using four items in the questionnaire, based on the manual by Francis, et al. (2004) and Ajzen (2002). In order to assess the attitude of respondents with regard to the regulations, questions are asked about their attitude with regard to the GDPR, and specifically the process of becoming compliant. The items measure attitude on four components, asking about the benefit, pleasantness, goodness and value of the behaviour. Ajzen’s guide included the enjoyability measurement; however, based on the pre-test of the questionnaire, this item was not included in the current study. Cronbach’s Alpha for the attitude items was 0.80 and deletion of any of the items leads to a lower value. The highest correlation is between item three and four, at 0.649. The average of all four items is thus used as a measure of attitude in the study.

Subjective norms were measured using direct measurement. The construct contains both injunctive and descriptive items, following Ajzen (2002) and Francis, et al. (2004). Subjective norms relate to the opinions and behaviour of parties that have a stake in the business. Stakeholders may be clients, employees, stockholders or other business owners. The first three injunctive questionnaire items ask about the social pressure that the respondent may experience. Especially the third one directly asks whether the respondent experiences social pressure to comply. The descriptive questions ask whether the respondent believes other companies show the intended behaviour. All six items lead to Cronbach’s Alpha at 0.744, which is sufficient for the inclusion of all items.


from the final questionnaire. In correspondence with Francis, et al. (2004), the mean of the items is taken as the measure of PBC.

The Cronbach alpha for the three items is below the cut-off point at 0.532. Controllability has a very low correlation with confidence and difficulty, at 0.149 and 0.262 respectively. With an average of 5.33 and a standard deviation of 1.608, respondents lean towards sufficient control over compliance.

The two items of self-efficacy had a Spearman-Brown coefficient of 0.617, which is below the cut-off point. The higher correlation and reliability coefficients of the self-efficacy items alone and the relatively high mean value of controllability (indicating more control) lead to the exclusion of controllability from the construct.

Perceived Moral Obligation is based on questions by Lam (1999), measured with the same Likert scale as the other items for consistency. Lam (1999) devoted two questions to the measurement of PMO. Their structure was the following: ‘Everyone is obligated’ and ‘everyone should’. During the pre-test of the questionnaire, the two questions were considered too similar, thus only the second one was used to measure PMO in the final questionnaire. Rather than asking whether every company should comply, the question was formulated to ask whether “every company should protect the privacy of their stakeholders”, thus asking whether the respondent has a moral standing on privacy protection. The latter question was deemed more appropriate for the current study as it concerns morality with regard to the privacy of others and is thus more outcome focused, rather than concerning more general regulation compliance.

Legitimacy is measured using two sub-constructs, namely procedural justice and distributive justice. Legitimacy measures whether the procedures for penalization by the authority and the costs and benefits related to the regulation are considered fair. The legitimacy construct was measured using five questions, based on Mueller and Landsman (2004). The first three questions consider the fairness of the costs of the GDPR; the last two questions ask respondents whether they believe the criteria and penalty system are fair. Cronbach’s Alpha for the five items is 0.800, which indicates that the items load correctly into the legitimacy construct.

3.2.3 Control variables


Firm age is not included as a control variable. The correlation with firm size is 0.419. Because of the interest in resource constraints of smaller companies, firm size is preferred over firm age. Current compliance has a correlation of 0.563, 0.443, 0.402 and 0.420 with intention, subjective norms, PBC and legitimacy respectively. It is excluded as a control variable because its correlation would influence potential other relations and its validity is difficult to assess, whereas the other constructs have been frequently proven in previous studies.

3.3 Data Analysis

To analyse the data obtained from the questionnaire, the current study uses SPSS version 24 by IBM. The descriptive statistics in table 1 show that all main constructs in the model have a mean above 4 out of a maximum of 7. The distributions are thus skewed to the right. For intention, this means that on average, respondents are skewed towards positive intentions with regard to compliance behaviour. Because the constructs for the independent variables are positively coded, their right-skewed distributions correspond with the right-skewed dependent variable, since higher independent variables are expected to result in higher values for the dependent variable. With regard to the normality of intentions, a Shapiro-Wilk test for normality indicates that the intention distribution is statistically different from a normal distribution (statistic: 0.858, p = 0.000). To check if the residuals are normally distributed, another Shapiro-Wilk test is used on the residual values of intention, using model 2 (see table 3). The result of the test indicates that the residuals are not normally distributed (statistic: 0.910, p = 0.001).

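| Construct | Min. | Max. (out of) | Mean | Std. Dev |
|---|---|---|---|---|
| Size | 1 | 4 (4) | 2.4 | 0.72 |
| Intention | 1 | 7 (7) | 5.55 | 1.47 |
| Attitude | 2 | 7 (7) | 4.24 | 1.07 |
| SN6 | 2.33 | 6.17 (7) | 4.86 | 0.99 |
| PBC Self-efficacy | 1 | 7 (7) | 4.93 | 1.37 |
| PBC Controllability | 1 | 7 (7) | 5.40 | 1.58 |
| Confidence (PBC) | 1 | 7 (7) | 5.75 | 1.34 |
| PMO | 5 | 7 (7) | 6.38 | 0.64 |
| Legitimacy | 1 | 7 (7) | 4.50 | 1.15 |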


The correlation matrix in table 2 indicates that many of the constructs correlate, but with the highest significant correlation at 0.485 (Legitimacy / PBC self-efficacy), the regression results are not likely to suffer from multicollinearity. Looking at legitimacy, the construct correlates significantly with all the other variables in the extended TPB.

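| | Size | Intention | Attitude | Subjective norms | PBC (Self-Eff.) | PBC (control.) | Legitimacy | PMO |
|---|---|---|---|---|---|---|---|---|
| Size | 1 | | | | | | | |
| Intention | -0.021 | 1 | | | | | | |
| Attitude | -0.008 | 0.297** | 1 | | | | | |
| Subjective norms | 0.198 | 0.468*** | 0.376*** | 1 | | | | |
| PBC (Self-eff.) | -0.074 | 0.375*** | 0.429*** | 0.438*** | 1 | | | |
| PBC (control.) | 0.052 | 0.243* | 0.199 | 0.282* | 0.180 | 1 | | |
| Legitimacy | -0.049 | 0.444*** | 0.478*** | 0.425*** | 0.485** | 0.315** | 1 | |
| PMO | 0.096 | 0.123 | 0.379*** | 0.195 | 0.032 | 0.355** | 0.333** | 1 |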

Table 2 – Correlation Matrix: p<0.1 = *, p<0.05 = **, p<0.01 = ***

3.3.1 Open-Question analysis

The responses were coded, so limited statistical analyses are possible. A table with the coding and frequencies, average importance score and standard deviation of the importance score is shown in Appendix III (only with frequency > 1). In order to prevent mistakes and wrong conclusions, only clear answers were coded. A total of 37 responses contained input for at least one of the open questions. Of the advantages of the GDPR, privacy improvements are mentioned most frequently.


difficult or challenging. The last set of open questions relates to difficulties or obstacles in becoming compliant. Here, lack of resources and dependence on third parties are mentioned frequently. The latter potentially indicates a lack of control over compliance.

4 Results

4.1 Hypothesis testing

Model ► Construct▼ 1 2 3 4 5 6 7 Size X X X X X X Attitude X X X Subjective norms X X X X X PBC (Self-efficacy) X X X X X PBC (Controllability) X X PMO X Legitimacy X X X X X Interaction 1 X X Interaction 2

Table 3 – Model overview

Model 1 only includes the control variable, company size. The model is insignificant and has an R-square close to zero.

Model 2 includes the main components of the TPB, namely attitude, subjective norms and perceived behavioural control. The model is significant (p<0.05) and has an adjusted R-Square of 0.184. The subjective norms construct is significant at a 5% level (p<0.05) and has a positive beta coefficient, which indicates that pressure from subjective norms positively impacts attitude towards compliance. These results have implications for the first three hypotheses. Hypothesis 1, a positive relation between attitude and intentions, is rejected. Hypothesis 2, a positive relation between subjective norms and intentions, is supported. Hypothesis 3, a positive relation between perceived behavioural control and intentions, is also rejected, based on this result.


implications for hypothesis 4 and 5aII, since PMO does not directly influence intentions. Due to the insignificant relation between PMO and intentions, legitimacy is not mediated by PMO, thus hypothesis 4 and 5a(II) are both rejected.

Model 4 excludes the highly insignificant constructs from model 3, mainly in order to test the relations between intentions and subjective norms and legitimacy. After several runs, the highest adjusted R-square was obtained by including only the subjective norms and legitimacy constructs. The model is significant (p<0.01) and has an adjusted R-square at 0.252, meaning 25.2% of variance in intentions is explained by this model. Both subjective norms and legitimacy are significant at a 5% level (p<0.05) and have positive beta coefficients at 0.325 and 0.306 respectively. This is further support for hypothesis 2, a positive relation between subjective norms and intentions. This result also indicates support for hypothesis 5, a positive relation between legitimacy and intentions.

Mediation

To test for mediation effects, following hypothesis 5aI (h5a II has been rejected), where subjective norms mediates the legitimacy – intention relation, the method for mediation testing by Kenny and Baron (1986) is followed. First, legitimacy is regressed on subjective norms, the potential mediator. The beta coefficient of legitimacy is 0.445 (SE = 0.143) and is significant (p<0.01). The results indicate a significant relation between legitimacy and subjective norms. Model 5 is a rerun of model 4, without subjective norms. The result shows that when subjective norms are excluded from the model, legitimacy becomes more significant (from p<0.05 to p<0.01). This is an indication of partial mediation, according to the method for mediation testing by Kenny and Baron (1986). A second test for mediation is run using the PROCESS macro by Hayes (Hayes, 2017) with 5000 bootstrapping samples. As a model, simple mediation is chosen with subjective norms as a mediator (model 4). The result of this bootstrapping is shown in figure 2.


In this model, for the indirect effect through subjective norms, the confidence interval does not contain 0. This strengthens the support for hypothesis 5aI. This leads to the conclusion that there is a mediation effect from subjective norms, on the legitimacy and intention relation.

To test whether this relation also holds in reverse, where subjective norms is mediated by legitimacy, the same model is executed with legitimacy as mediator. Figure 3 shows the result. Even though subjective norms do positively impact legitimacy, zero is included in the confidence interval. Subjective norms is thus not mediated by legitimacy.

Figure 3 – Mediation of subjective norms

Moderation

Model 6 includes an interaction variable for legitimacy and subjective norms (interaction 1) as a moderator, following case 4 by Kenny and Baron (1986). The standardized subjective norms and legitimacy are also included in the model, leading to an adjusted R-square of 0.437. In this model, legitimacy is insignificant. Subjective norms (p<0.05) and the moderator (p<0.01) are both significant. Because of this result hypothesis 5b (I) is supported. To get a better understanding of this relation, another moderator analysis is executed, using the PROCESS macro by Hayes (Hayes, 2017), using model 1. The results in table 4 indicate that at values of -0.9631 and 0.0118 for standardized legitimacy, subjective norms is positively related to intentions (p<0.001 and p<0.05 respectively), however when legitimacy is 0.9868, the relation becomes insignificant.

| Effect Subjective norms on Intentions | Effect size (SE/Sig.) |
|---|---|
| Std. Legitimacy = -0.9631 | 0.5720*** (0.1311/0.0001) |
| Std. Legitimacy = 0.0118 | 0.2538** (0.1126/0.0293) |
| Std. Legitimacy = 0.9868 | -0.0643 (0.1448/0.6590) |


The moderator beta is negative (Beta = -0.3264, SE= 0.0820, p=0.0003) and significant with zero not included in the confidence interval (CI: [-0.4917, -0.1610]), in support of the moderation, based on Kenny and Baron (1986).
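
As an added consistency check that is not part of the thesis: in a simple moderation model (PROCESS model 1) the conditional effect of subjective norms on intentions is linear in the moderator, so the three effects in table 4 can be reproduced from the moderator beta. The symbols $\theta$, $W$, $b_1$ and $b_3$ are introduced here, and $b_1$ is backed out from the middle row of table 4 rather than taken from the PROCESS output, which is an assumption.

$$\theta(W) = b_1 + b_3 W, \qquad b_3 = -0.3264$$

$$b_1 = 0.2538 + 0.3264 \times 0.0118 \approx 0.2577$$

$$\theta(-0.9631) \approx 0.2577 + 0.3264 \times 0.9631 \approx 0.572$$

$$\theta(0.9868) \approx 0.2577 - 0.3264 \times 0.9868 \approx -0.064$$

Both values match table 4 to rounding, and the point estimate of the effect changes sign at $W = b_1 / 0.3264 \approx 0.79$ standardized legitimacy.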

Both methods show a negative beta coefficient for the moderator. Legitimacy is converted into a low (N=16, Mean = 3.35, Std = 0.90), medium (N=19, Mean = 4.59, Std = 0.30) and high (N=13, Mean = 5.79, Std = 0.67) variable and added as a moderator of the relationship between subjective norms and intention. The low group, with a mean below 4 (middle point), reflects a relatively low legitimacy, the medium group is slightly above the middle point and the high group corresponds with high legitimacy. The interaction plot (figure 4) visualizes the effect from table 4, showing that when legitimacy is low the relation between subjective norms and intentions is more positive, compared to when legitimacy is medium. The negative slope of the ‘high’ graph is insignificant. This result indicates that hypothesis 5bI is supported.

Figure 4: Moderation of legitimacy on subjective norms-intentions

| | Model 1 | Model 2 | Model 3 | Model 4 | Model 5 (Mediation) |
|---|---|---|---|---|---|
| Anova Sig. (Adjusted R-square) | 0.881 (-0.020) | 0.017** (0.184) | 0.030** (0.186) | 0.001*** (0.252) | 0.009*** (0.178) |
| Standardized constr. | Beta (SE / Sig.) | Beta (SE / Sig.) | Beta (SE / Sig.) | Beta (SE / Sig.) | Beta (SE / Sig.) |
| Constant | 0.059 (0.140/0.000) | 0.041 (0.135/0.765) | 0.047 (0.135/0.732) | 0.087 (0.121/0.474) | 0.067 (0.126/0.597) |
| Size | -0.029 (0.191/0.881) | -0.157 (0.192/0.418) | -0.128 (0.194/0.512) | | |
| Attitude | | 0.057 (0.140/0.683) | 0.012 (0.154/0.940) | | |
| Subjective norms | | 0.323 (0.146/0.032**) | 0.283 (0.149/0.064*) | 0.301 (0.129/0.024**) | |
| PBC (Self-Efficacy) | | 0.170 (0.159/0.292) | 0.097 (0.170/0.571) | | |
| PBC (Controllability) | | 0.104 (0.134/0.441) | 0.077 (0.142/0.592) | | |
| PMO | | | -0.043 (0.150/0.778) | | |
| Legitimacy | | | 0.245 (0.170/0.158) | 0.303 (0.138/0.033**) | 0.440 (0.131/0.002***) |

Table 5 - Linear Regression Results of the models 1-3 and 5: Dep. Standardized intentions to comply. Model 4 – Dep. Standardized subjective norms

| | Model 6 (Moderator 1) | Model 7 (Moderator 2) |
|---|---|---|
| Anova Sig. / Adjusted R-square | (0.000/0.437) | (0.015/0.156) |
| | Beta (SE / Sig.) | Beta (SE / Sig.) |
| Constant | 0.224** (0.110/0.048) | 0.114 (0.141/0.424) |
| Subjective norms | 0.256** (0.113/0.027) | |
| Legitimacy | 0.121 (0.128/0.353) | 0.527*** (0.170/0.003) |
| Interaction 1 | -0.326*** (0.082/0.000) | |
| Interaction 2 | | -0.153 (0.189/0.423) |


4.2 Additional analyses

| | Model I Beta (Std dev / Sig.) | Model II Beta (Std dev / Sig.) | Model III Beta (Std dev / Sig.) |
|---|---|---|---|
| Constant | -1.113 (1.416/0.436) | -1.228 (0.492/0.016) | 0.064 (0.127/0.616) |
| Subjective norms | | | |
| PMO | 0.186 (0.221/0.404) | | |
| PBC (Self-efficacy) | | 0.264 (0.096/0.009***) | |
| Attitude | | | 0.279** (0.127/0.033) |

Table 7 - Additional regressions: Dep. Standardized Intentions

Because of the expected relation between PMO and legitimacy, the next test is another double mediation test, where PMO is mediated by legitimacy and subsequently by subjective norms. In a sole regression on intentions, PMO is not significant (model I, table 7); however, it may still be mediated in two steps. The regression is done using the same PROCESS model 6 by Hayes (Hayes, 2017) for two mediators. Figure 5 shows the relationship with the corresponding betas and significance levels. Because the CI does not contain zero, the result indicates that there is indeed an indirect effect of PMO on Intention, through these two mediators. Because of this indirect effect, we argue that hypothesis 4 requires a notation that we found a positive mediated relation between PMO and intentions. Additionally, this picture adds support for hypothesis 5, a positive relation between legitimacy and intentions.

Figure 5 – Mediation of PMO


effect, we argue that hypothesis 3 requires a notation that we found a positive mediated relation between PBC and intentions.

Figure 6 – Mediation of PBC

The same test is executed for attitude, which shows the same result as for PBC. The confidence interval does not contain zero, so there is an indirect effect through subjective norms on intentions.

Figure 7 – Mediation of Attitude

4.3 Hypothesis results

| Hypothesis | Result |
|---|---|
| Hypothesis 1 | Rejected * |
| Hypothesis 2 | Supported |
| Hypothesis 3 | Rejected ** |
| Hypothesis 4 | Rejected *** |
| Hypothesis 5 | Supported |
| Hypothesis 5a (I) / (II) | Supported / Rejected |
| Hypothesis 5b (I) / (II) | Supported / Rejected |

Table 8 – Hypothesis Summary


5 Discussion, conclusions and implications

5.1 Discussion

The present study contributes to the literature on regulation compliance, revealing interaction effects between legitimacy and other TPB variables. The study leverages the TPB to find antecedents of GDPR compliance in small companies, extending its use for entrepreneurship research. Of the 9 hypotheses, support was found for five. Additionally, two mediation effects were found with regard to behavioural control and moral obligation.

With regards to the models, at 19.2% for model 2, the R-square is relatively low compared to common R-squares at 0.30 in TPB models, with intention as the dependent variable (Francis, et al., 2004). This low R-square is reflected in the insignificance of the PBC and attitude construct. The model with the highest prediction rate was model 6, with an interaction effect between subjective norms and legitimacy. This model explained 43.7% of variance in the dependent variable. The final model is displayed below in figure 8.

Figure 8: Results model

The control variable of firm size was not significant in the relations. Between the smaller firms (1-100 employees) the relative size differences have no influence on intentions to comply. This is an indication that the constructs in the model similarly influence intentions for companies within the predetermined size-range and generalization within this group is possible.


prevent any negative consequences and penalties. From the open questions, an answer that was given several times was that work related to compliance is ‘boring’ and the regulation and becoming compliant is a complex matter. Even though these answers would correspond to a negative attitude towards becoming compliant, they do not necessarily lead to low intentions.

The subjective norms relation with intention to comply was found significant and positive. This means higher levels of perceived social pressure do increase the intention of the small company to comply. Looking at the results from the open questions, the most frequently mentioned advantage of the GDPR is a general improvement in privacy. Combining this with important parties who approve of compliance, namely clients, employees and business partners, may lead to a perceived pressure to comply with the regulation. The result also corresponds with the idea that company image and trust are influenced by their compliance. When a company believes that image and trust from clients or business partners depend on compliance, they experience this as social pressure.

Perceived behavioural control had a poor score on Cronbach’s alpha. This led to the separation of the self-efficacy and controllability construct for PBC in the regressions. However, neither self-efficacy nor controllability was found significant in the model. This result indicates that potentially, the resource restrictions do not necessarily lead to a perceived inability to comply. Looking at the open questions, time and money were frequently mentioned as restrictive for compliance or negative aspects of the GDPR. With regard to controllability, an answer that was given multiple times was dependency on third parties. This answer matches the expectations of this thesis, though it is not reflected in a significant relation between PBC and intentions. An explanation for the insignificance of the construct is that these disadvantages or restricting factors negatively influence actual compliance, rather than intentions towards compliance.

Both attitude and PBC have an indirect effect on intentions, through subjective norms. These indirect effects are expected, due to the correlations between the constructs. Looking back at the TPB model in figure 1, based on the TPB by Ajzen (1991), the constructs not only influence intentions, but their correlations are reflected in the arrows between the antecedents.


the costs of compliance related to distributive fairness and thus increased levels of perceived legitimacy. The benefits of the GDPR would in that case outweigh the costs.

Legitimacy, encapsulating distributive justice and procedural justice with regard to the GDPR, has a positive influence on intentions. When a company considers the GDPR to be fair, the company’s intentions to comply increase. Similar to moral obligation, when the regulation is fair and thus the benefits outweigh the costs, a company is more willing to invest in compliance.

The open questions yielded items that may potentially impact the legitimacy of the regulation. Firstly, the complexity of the regulation is mentioned as a complicating factor for compliance. Secondly, the required adaptations and additional administrative pressure are considered a negative effect of this regulation, and thirdly, the penalties are mentioned frequently as a downside of the GDPR. According to Sutinen and Kuperan (1999), small business may require some additional attention through education, positively influencing their attitude. In similar fashion, we argue that education may positively influence legitimacy, which can be defined as attitude towards the regulation itself, whereas attitude in this study focused on attitude towards compliance.

The relation between legitimacy and intentions is partially mediated by subjective norms. An explanation is that when the GDPR is considered fair by a group, this will lead to additional social pressure to comply. The assumption to be made here is that a company rates the fairness of the regulation based on the general perception of fairness in the community in which the company resides. The positive correlation between the two constructs and the reverse regression of subjective norms, mediated by legitimacy, does indicate that subjective norms can influence legitimacy, in support of the assumption.

Legitimacy also moderates the subjective norms relation with intentions. High values of legitimacy result in an insignificant subjective norms-intentions relation, whilst lower and medium levels of legitimacy have a positive and slightly less positive relation with intentions respectively. This indicates that when a company considers the GDPR as highly legitimate, social pressure becomes less of an incentive for compliance. The companies who rate the GDPR as most legitimate do not form their intentions to comply based on social pressure.

5.2 Conclusions


on intentions to comply with the GDPR. Adding legitimacy to the model, which positively influenced intentions to comply, improved the power of the model. Attitude and perceived behavioural control did have an indirect effect on intention, through subjective norms. Moral obligation was mediated by legitimacy and subsequently subjective norms. When either legitimacy or subjective norms increase, the intention to comply increases. When legitimacy is rated as very high, however, social pressure does not lead to compliance intentions.

5.3 Implications

This study contributes both on an academic level and on a policy level. First of all, this study confirms the importance of subjective norms in case of small businesses. Secondly, this study shows that legitimacy of the GDPR is an important antecedent of compliance and should be considered as a separate construct in researching intentions and compliance behaviour.

For policymakers the results indicate that, when compliance of small businesses is important, regulation should be designed in a way that small businesses perceive it as sufficiently legitimate. When the benefits of a regulation outweigh the costs, they are more likely to comply with the regulation. This can be influenced by the complexity of the regulation and the pressure it puts on resources, for instance through administration. In correspondence with Sutinen and Kuperan (1999), we agree that education can help small businesses to understand the regulation and what it means for them. According to Sutinen and Kuperan (1999) this may result in attitude improvements; however, we argue that this may also influence perceived legitimacy, for instance through reduced perceptions of complexity. Another concept which may impact the legitimacy of the regulation is the penalties that are associated with the GDPR. The deterrence of non-compliance may be counterbalanced by the negative impact on legitimacy.

6 Limitations and future research

The first limitation was the small sample size (N=47), which made a factor analysis less applicable and thus factor loadings could not be checked. Larger sample sizes combined with a factor analysis would be desirable in future research. The sample in the questionnaire only consisted of companies (recently) located in gathering buildings and listed on websites of gathering buildings. This makes generalization to all small companies not possible. There may be differences between


different outcomes. Future research should focus on obtaining a better sample, without these generalization constraints.

The current thesis had several limitations with regard to the study design and data. The study was cross-sectional in nature, which means that no tests on target behaviour could be performed. For future researchers, a longitudinal design would create a clearer picture of the processes and antecedents which lead to actual target behaviour. The study did not have a pilot to test the questioning and validity of items. A pilot study allows for an improved selection of items and answering options to these questions. The items were all self-reported measurements of the


References

Ajzen, I. (1985). From intentions to actions: A theory of planned behavior. In Action control (pp. 11-39). Springer, Berlin, Heidelberg.

Ajzen, I. (1991). The theory of planned behavior. Organizational behavior and human decision processes, 50(2), 179-211.

Ajzen, I. (2002). Constructing a TPB questionnaire: Conceptual and methodological considerations.

Ajzen, I. (2002). Perceived behavioral control, self‐efficacy, locus of control, and the theory of planned behavior. Journal of applied social psychology, 32(4), 665-683.

Albrecht, J. (2016). How the gdpr will change the world. European Data Protection Law Review, 2(3), 287-289.

Al-Saggaf, Y., & Islam, M. Z. (2015). Data mining and privacy of social network sites’ users: implications of the data mining problem. Science and engineering ethics, 21(4), 941-966.

Armitage, C. J., & Conner, M. (2001). Efficacy of the theory of planned behaviour: A meta‐analytic review. British journal of social psychology, 40(4), 471-499.

Bagozzi, R. P., & Kimmel, S. K. (1995). A comparison of leading theories for the prediction of goal‐directed behaviours. British Journal of Social Psychology, 34(4), 437-461.

Bandura, A. (1998). Health promotion from the perspective of social cognitive theory. Psychology and health, 13(4), 623-649.

Baron, R., & Kenny, D. (1986). The moderator-mediator variable distinction in social psychological research: Conceptual, strategic, and statistical considerations. Journal of Personality and Social Psychology, 51(6), 1173-82.

Beck, L., & Ajzen, I. (1991). Predicting dishonest actions using the theory of planned behavior. Journal of research in personality, 25(3), 285-301.

Bentler, P. M., & Chou, C. P. (1987). Practical issues in structural modelling. Sociological Methods & Research, 16(1), 78-117.

Bird, B. (1988). Implementing entrepreneurial ideas: The case for intention. Academy of management Review, 13(3), 442-453.

Centraal Bureau voor Statistiek (2015). De staat van het MKB 2015. Den Haag: CBS


Crosby, F. (1976). A model of egoistical relative deprivation. Psychological review, 83(2), 85.

Curran, K., Graham, S., & Temple, C. (2011). Advertising on Facebook. International Journal of E-business development, 1(1), 26-33.

Department for Business Innovation and Skills (2015). Business population estimates for the UK and Regions 2015. London: BIS

De Vries, H., Dijkstra, M., & Kuhlman, P. (1988). Self-efficacy: the third factor besides attitude and subjective norm as a predictor of behavioural intentions. Health education research, 3(3), 273-282.

Edwards, B., Hofmeyr, S., & Forrest, S. (2016). Hype and heavy tails: A closer look at data breaches. Journal of Cybersecurity, 2(1), 3-14.

European Commission (2018, November 14). Retrieved November 21, 2018, from https://ec.europa.eu/info/law/law-topic/data-protection_en

Faradina, A. R. (2017) Towards the Adoption of EU General Data Protection Regulation: An Empirical Study of Businesses’ Perception on Privacy and Data Protection.

Fletcher, I. (2001). A small business perspective on regulation in the UK. Economic Affairs, 21(2), 17-22.

Francis, J., Eccles, M. P., Johnston, M., Walker, A. E., Grimshaw, J. M., Foy, R., Kaner, E. F. S., Smith, L. & Bonetti, D. (2004). Constructing questionnaires based on the theory of planned behaviour: A manual for health services researchers.

Gao, L., Wang, S., Li, J., & Li, H. (2017). Application of the extended theory of planned behavior to understand individual’s energy saving behavior in workplaces. Resources, Conservation and Recycling, 127, 107-113.

Gartner Says Organizations Are Unprepared for the 2018 European Data Protection Regulation. (2017, May 3). Retrieved November 5, 2018, from https://www.gartner.com/en/newsroom/press-releases/2017-05-03-gartner-says-organizations-are-unprepared-for-the-2018-european-data-protection-regulation. Gartner

Gorsuch, R. L., & Ortberg, J. (1983). Moral obligation and attitudes: Their relation to behavioral intentions. Journal of Personality and Social Psychology, 44(5), 1025.

Gunningham, N. (2002). Regulating small and medium sized enterprises. Journal of Environmental Law, 3-32.

Hayes, A. (2017). Introduction to mediation, moderation, and conditional process analysis, second edition : A regression-based approach (2nd ed., Methodology in the social sciences ser) [2nd ed.]. New York: Guilford Publications. (2017). Retrieved January 4, 2019

Iannopollo, E (2018) The State Of GDPR Readiness. Forrester

Jaquemin, A., & Janssen, F. (2009). Studying the impact of regulation on entrepreneurship: How to overcome current conflicting results?.

Katz, J., & Gartner, W. B. (1988). Properties of emerging organizations. Academy of management review, 13(3), 429-441.

Kline, R. B. (2015). Principles and practice of structural equation modeling. Guilford publications.

Krueger, N. F., & Carsrud, A. L. (1993). Entrepreneurial intentions: applying the theory of planned behaviour. Entrepreneurship & Regional Development, 5(4), 315-330.

Krueger, N. F., Reilly, M. D., & Carsrud, A. L. (2000). Competing models of entrepreneurial intentions. Journal of business venturing, 15(5-6), 411-432.

Lam, S. P. (1999). Predicting Intentions to Conserve Water From the Theory of Planned Behavior, Perceived Moral Obligation, and Perceived Water Right 1. Journal of Applied Social Psychology, 29(5), 1058-1071.

Malhotra, N. K., Kim, S. S., & Agarwal, J. (2004). Internet users' information privacy concerns (IUIPC): The construct, the scale, and a causal model. Information systems research, 15(4), 336-355.

Moerel, L., & Tigner, R. (2016). Data Protection Implications of Brexit. Eur. Data Prot. L. Rev., 2, 381.

Mueller, C. W., & Landsman, M. J. (2004). Legitimacy and justice perceptions. Social Psychology Quarterly, 67(2), 189-202.

Murphy, K., Tyler, T. R., & Curtis, A. (2009). Nurturing regulatory compliance: Is procedural justice effective when people question the legitimacy of the law?. Regulation & governance, 3(1), 1-26.

Newbert, S. L. (2008). Value, rareness, competitive advantage, and performance: a conceptual‐level empirical investigation of the resource‐based view of the firm. Strategic management journal, 29(7), 745-768.

Nooteboom, B. (1994). Innovation and diffusion in small firms: theory and evidence. Small Business Economics, 6(5), 327-347.

Poulter, D. R., Chapman, P., Bibby, P. A., Clarke, D. D., & Crundall, D. (2008). An application of the theory of planned behaviour to truck driving behaviour and compliance with regulations. Accident Analysis & Prevention, 40(6), 2058-2064.

Ponemon (2018) The Race to GDPR: A Study of Companies in the United States & Europe.

Reitan, B. 1997. Where do we learn that entrepreneurship is feasible, desirable, and/or profitable? Paper presented to the ICSB World Conference.

Richards, N. M., & King, J. H. (2014). Big data ethics. Wake Forest L. Rev., 49, 393.

Rivis, A., & Sheeran, P. (2003). Descriptive norms as an additional predictor in the theory of planned behaviour: A meta-analysis. Current Psychology, 22(3), 218-233.

Russom, P. (2011). Big data analytics. TDWI best practices report, fourth quarter, 19(4), 1-34.

Sunshine, J., & Tyler, T. R. (2003). The role of procedural justice and legitimacy in shaping public support for policing. Law & society review, 37(3), 513-548.

Sutinen, J. G., & Kuperan, K. (1999). A socio-economic theory of regulatory compliance. International journal of social economics, 26(1/2/3), 174-193.

Tyler, T. R. (2001). 17 A Psychological Perspective on the Legitimacy of Institutions and Authorities. The psychology of legitimacy: Emerging perspectives on ideology, justice, and intergroup relations, 416.

Tyler, T. R. (2006). Why people obey the law. Princeton University Press.

7 Appendix

7.1 Appendix I – Questionnaire and question sources

7.1.1 Questionnaire

Required part of the questionnaire

Q1: Introduction text

Q2: What is your role within the company? – Selection input

Q3: How many employees does the company have? (1/2-15/16-50/51-100/100+)

Q4: What is the company age? (0-2/2-5/5-10/10-20/20-50/50+)

Q5: What is the primary sector / industry of the company? – Selection input

Q6: Which country does the company operate in? You can select multiple answers – Selection input

Q7: How informed are you about the requirements of the GDPR? (Knowledge about the GDPR is not required to answer this survey)

Q8: How frequently have you dealt with the GDPR during the previous twelve months? (Experience with the GDPR is not required to answer this survey)

Q9: How much effort has the GDPR required from your company in the previous twelve months?

Q10.1: Indicate to which extent you agree with the following statements (Effective date GDPR: 25-05-2018) The company ... - 1. intends to be fully compliant with the GDPR before 25-05-2019

Q10.2: ... - 2. will try to be fully compliant with the GDPR before 25-05-2019

Q10.3: ... - 3. plans to be fully compliant with the GDPR before 25-05-2019

Q11.1: For me, becoming compliant with the GDPR is ... - Beneficial: Harmful

Q11.2: ... - Pleasant: Unpleasant

Q11.3: ... - Good: Bad

Q11.4: ... - Valuable: Worthless

Q12.1: Indicate to which extent you agree with the following statements Most people who are important to me, think that the company should ... - 1. comply with the GDPR

Q12.2: ... - 2. protect the privacy of stakeholders (clients, employees)

Control question

Q13: This question tests your attention. Alex buys a box of eggs and three apples at the supermarket. She continues to the flower shop and buys twelve flowers. Please select red as the answer.

Q14.1: Indicate to which extent you agree with the following statements It is expected of my company to ... - 1. comply with the GDPR
