
Triangulation of methods

This thesis will rely on a qualitative methodology. The triangulation of methods for this thesis will consist of document analysis and interviews. These methods are used in order to increase the external validity of the findings of the research. The approach of triangulation ensures that the Danish SMEs’ approach to information security in the GDPR is explored more thoroughly and a deeper understanding is acquired. It allows the data obtained from the sources to be cross-checked across these two methods. The methods of document analysis and interviews were chosen as they were the best qualitative methods to answer the research question. The document analysis provided some hypotheses about the phenomenon, and it was then possible to validate the findings or analyze why they were different, thus avoiding any potential methodological bias.

Document analysis

For this thesis, document analysis served as the primary method of analysis. Overall, three broad categories of documents were analyzed during this research: academic literature, legal documents, and reports/guides on GDPR implementation. The academic literature was mainly scholarly articles and books on information security, risk management, and European data protection legislation. The second category consisted of the GDPR primarily focusing on article 32, the DPD focusing on article 17, Persondataloven (“the Personal Data Law”) focusing on paragraph 41, and the Danish GDPR implementation law Databeskyttelsesloven. This was the relevant legislation for the scope of this thesis which was compared and analyzed. The last category consisted of various reports and guides on GDPR implementation from sources such as ENISA, the Danish DPA, the French DPA as well as media sources etc. Together these sources were subject to document analysis which served as the basis of the analysis conducted in this thesis.

Emma Sprøgel Master Thesis 2018 Leiden University

Interviews

Interviews were used in this thesis as a way to get information which was not necessarily available elsewhere. This mainly went for interviews with SMEs which served to provide inside knowledge and an inside experience of the challenges they have been facing with GDPR implementation. While general conclusions on this topic were made via document analysis, the interviews provided concrete empirical examples from Danish SMEs. As the number of SMEs interviewed for this thesis is limited, the conclusions drawn from the interviews cannot be considered general. The interviews with the SMEs therefore serve as illustrations for the conclusions drawn from document analysis.

Moreover, the DPA in Denmark was interviewed to acquire concrete empirical knowledge of how they are working with SMEs on GDPR implementation and what their strategy will be going forward. The interview with the DPA does not serve as illustration like the two other interviews but as a source of information in itself from which conclusions can be drawn. Overall, the results of the interviews were satisfactory and the results corresponded well with the expected findings based on document analysis.

For this thesis a total of three people were interviewed. Two representatives from two SMEs were interviewed as well as a representative from the Danish DPA, Datatilsynet. All interviews were conducted in April and May 2018. The interviews followed a semi-structured plan where questions were prepared in advance and follow-up questions were also asked in response to the answers of the interviewee. The purpose of the interviews with the SMEs was to get an understanding of how they interpreted article 32, how they implemented it, what challenges they had faced particularly in the risk management process, and what guidance they had received. The purpose of the interview with the representative from Datatilsynet was to get an understanding of their role in determining compliance with article 32, their guidance to SMEs on the implementation of article 32 as well as a more general opinion on the state of data protection and information security in Denmark both legally and culturally. The interviews were conducted over the phone due to geographical limitations and were recorded and transcribed. The interview subjects had been briefed on the themes of the interview but had not seen the questions beforehand. The SMEs interviewed will be anonymized for the purpose of this thesis as this was a condition for the participation of the representative of Company B. Company A did not request anonymity. Therefore, Company A’s name has been anonymized for coherence but potentially identifying information pertaining both to the company and the interviewee has not. The interviewee from the Danish DPA did not request anonymity and appears with her name.

The first SME interview was with the IT manager of Company A. Company A is a pharmaceutical research and educational center with approximately 130 employees. It has one location in Denmark. This interview was the first one of the three conducted. The interview took about 20 minutes and was conducted in Danish. Relevant quotes have been translated and in some cases paraphrased for clarity by the author.

The second SME interview was with an employee responsible for GDPR implementation in Company B. Company B provides IT solutions for other companies. The company has 65 employees in Denmark but it also has departments in the United Kingdom and the United States. The author of this paper has not been able to obtain the exact number of global employees of Company B, and this is recognized as a weak spot of this research as there is a risk that Company B does not live up to the formal requirements of an SME. However, a decision was made to keep the interview in the thesis as the focus was on the Danish branch with 65 employees and the content of the interview was still in line with the results of the document analysis performed. The representative of Company B was asked the same set of questions as the representative of Company A. The interview lasted about 35 minutes and was conducted in English. Relevant quotes have in some cases been paraphrased or shortened by the author for clarity.

The third interview subject was a representative of the Danish DPA, Datatilsynet. This person was asked a different set of questions. This interview lasted about 30 minutes. However, at the request of the interviewee a follow-up interview was conducted in order to clarify certain things said in the first interview. Written clarifications were also received after the interview. The follow-up answers meant that the interviewee had known the questions beforehand but as the clarifications mainly pertained to facts and not opinions, they were deemed valuable to the research and have been included in the analysis.
