Building data management capabilities to address data protection regulations: Learnings from EU-GDPR

The European Union’s General Data Protection Regulation (EU-GDPR) has initiated a paradigm shift in data protection toward greater choice and sovereignty for individuals more accountability organizations. Its strict rules have inspired regulations other parts of the world. However, many organizations are facing difficulty complying with EU-GDPR: these new types cannot be addressed by an adaptation contractual frameworks, but require fundamental reconceptualization how companies store process personal on enterprise-wide level. In this paper, we introduce resource-based view as theoretical lens to explain lengthy trajectories towards compliance argue that build dedicated, management capabilities. Following design science research approach, propose theoretically empirically grounded capability model EU-GDPR integrates interpretation legal texts, findings from EU-GDPR-related publications, practical insights focus groups experts 22 four projects. Our study advances interdisciplinary at intersection between IS law: First, proposed adds regulatory literature connecting abstract requirements three capabilities resources required their implementation, second, it provides perspective extends fragmented body EU-GDPR. Practitioners may use assess current status set up systematic approaches increasing number regulations.