Data Security Compliance Management
Act4DSC: Action Plan for Data Security Compliance
Tschan, Tanja, 2024
Type of work: Master Thesis
Client:
Supervising lecturer: Asprion, Petra
In the last decade, both compliance management and data security have grown in importance for companies everywhere. Standards on compliance management have been updated and are continually developed further; combined with ongoing technological advancements, data security is gaining more attention as well. As a result, data security compliance management, as a specialisation of compliance management, is growing in importance too, and multiple regulations on data security and data protection have been revised in recent years, for example the EU’s General Data Protection Regulation (GDPR) in 2018 and the Swiss Federal Act on Data Protection (FADP).
Particularly for smaller companies that do not yet have a data security compliance management system in place, the many different regulations, including laws and standards to comply with, appear overwhelming. It seems difficult for companies to know and decide which measures are necessary and should be taken first to ensure compliance with every relevant data security requirement. Moreover, a systematic literature review indicates a gap when it comes to research-based, peer-reviewed concepts that support companies in building a compliance management system focused specifically on the requirements of data security compliance. Therefore, the objective of this research was to develop a comprehensive tool that supports smaller Swiss companies that might not yet have a data security compliance management system in place in their first steps towards building such a system.
The research was structured along five research phases: awareness, suggestion, development, evaluation, and conclusion. As the foundation of the research, the awareness phase consisted of the aforementioned systematic literature review. After framing the research gap and problem statement, the thesis statement and research questions were derived, and the scope was set. In the suggestion phase, a first draft of the tool, henceforth named Act4DSC (Action Plan for Data Security Compliance), was established and assessed with the help of the first interviewee. Based on this suggestion, the development phase extended over a total of four iterations. Each iteration started by building on the insights gained from the previous iteration and interview, and ended with a qualitative interview to evaluate the current version of the Act4DSC tool and its corresponding handbook, thereby further improving Act4DSC.
The final Act4DSC, combined with the corresponding handbook, offers smaller companies a step-by-step approach towards building an action plan that is based on the regulations that need to be complied with, further stakeholder expectations (optional), prioritisation, a data criticality classification, and a gap analysis. The main advantages of the tool lie in its flexibility and adaptability to the user company’s needs, as well as in its clear structure and the guidance it provides through the applied process. Based on the final evaluation, it can be concluded that Act4DSC provides a valid contribution to the existing knowledge base and to solving the problem of companies feeling overwhelmed when faced with complying with data security regulations.
Degree programme: Business Information Systems (Master)
Keywords
Confidentiality: public