General data protection regulation: a study on attitude and emotional empowerment

Over the last few years, digitalisation has accelerated its pace, fuelling the creation of a massive amount of data. This has resulted in a need to introduce legal mechanisms to protect the privacy and security of data being exchanged between people and organisations. However, little is known about the individuals ’ perspective on such mechanisms. Given the gap in the literature, this research investigated the drivers and the implications of individuals ’ attitude towards GDPR compliance. To test the research model, structural equational modelling was employed using 540 responses. The result showed that perceived threat severity, self-e ﬃ cacy and response e ﬃ cacy determine a positive attitude towards GDPR compliance, which results in emotional empowerment. The ﬁ ndings contribute to the literature on legal privacy-preserving mechanisms, by providing a user ’ s view on the coping and threat appraisal factors underpinning attitude and demonstrating the implications for driving con ﬁ dence in control over personal data. The ﬁ ndings also contribute to the literature on protection motivation by demonstrating that attitude towards adaptive behaviour drives emotional empowerment. The study o ﬀ ers suggestions to policymakers on how to enhance public perception of the GDPR. The ﬁ ndings also provide guidelines for organisations on how to inform individuals ’ understanding of compliance with the legal framework.


Introduction
The spread of digital technologies across all business sectors has led to the growing interconnectedness between people, internet-enabled devices and organisations, fuelling the rapid digitalisation of economic activities.Such activities reflect the changes in business processes, service delivery and communication with customers (Sturgeon 2021).The digital nature of transactions between users and companies has generated a vast amount of digital data, which has become a valuable source of competitive advantage for organisations (Hagiu and Wright 2020).Having consumer data can help organisations to tailor their services and products in accordance with consumer needs (Hagiu and Wright 2020).The role of data in organisational processes has become even more important after the outbreak of the pandemic, when governments introduced national and local lockdowns to reduce the potential spread of the virus (Carroll and Conboy 2020).In response to such measures, many businesses transferred their activities to online environments, in order to ensure business continuity (Papagiannidis, Harris, and Morton 2020;Venkatesh 2020).Rapid digitalisation, in turn, has fuelled concerns about data privacy (Pandey and Pal 2020;Urbaczewski and Lee 2020).Although privacy issues have long been on the agenda for policymakers and researchers (Kaapu and Tiainen 2009;Rohunen and Markkula 2019;Sørensen 2016), the recent growth in exchanges increases the importance of data protection mechanisms, such as the General Data Protection Regulation (GDPR), and their implications for people.
Introduced in the European Union in 2018, the objective of the GDPR is to give individuals an indisputable right to privacy and personal data protection (Goddard 2017;Presthus and Sønslien 2021;Van Ooijen and Vrabec 2019).Personal data refers to any piece of data that could be used to discern individuals, including but not limited to IP addresses, location data and digital fingerprinting (Goddard 2017;Tankard 2016).Digital fingerprints represent data, such as online behaviour, device configuration and browser information, generated about an individual when they visit websites (Bell 2011).The assurance that organisations comply with the GDPRthe belief that individuals' rights to privacy and personal data protection are acted upon by organisationscan strengthen confidence in control over personal data and potentially make individuals feel empowered (Strycharz, Ausloos, and Helberger 2020).However, perceived non-compliance of organisations with the GDPR can increase distrust towards them and impede individuals' data sharing behaviour (Karampela, Ouhbi, and Isomursu 2019).The unwillingness to participate in data sharing online can be an obstacle to the growth of e-commerce and the creation of agile information systems that can be instrumental for improving the quality and efficiency of services in different sectors, such as healthcare and transport (Hann et al. 2007;Karampela, Ouhbi, and Isomursu 2019;Nienaber et al. 2021).Therefore, the negative perception of privacy in data exchange could hold back digitalisation and its associated benefits.Given the increasing digital transformation of industries and services, and the participatory role of users in such processes (Karampela, Ouhbi, and Isomursu 2019), insight into individuals' perceptions of the regulation is needed (Pins et al. 2022).Specifically, it is important to understand the factors that underpin the attitude towards GDPR compliance.Furthermore, to ensure the wider collective effort towards the enforcement of GDPR practices in organisations, it is critical to understand how the perception of GPDR compliance influences an intrapersonal psychological state.Therefore, there is a need to explore individuals' emotional empowerment entailed by positive beliefs about GDPR compliance.
Researchers so far have extensively studied the legal and ethical aspects of the GDPR (De Hert et al. 2018;Forcier et al. 2019;Larrucea et al. 2020;Truong et al. 2019).There is sufficient evidence in the GDPR literature about the importance of privacy and security when using products/services (Balapour, Nikkhah, and Sabherwal 2020;Hasan, Shams, and Rahman 2021;Marabelli, Vaast, and Li 2021;Oghazi et al. 2020;Renwick and Gleasure 2021;Tolsdorf, Dehling, and Lo Iacono 2022) and the role of the regulation in attenuating privacy concerns (Paul, Scheibe, and Nilakanta 2020).However, despite discussions about the need to explore the GDPR from an individual's perspective (Paul, Scheibe, and Nilakanta 2020;Pins et al. 2022;Strycharz, Ausloos, and Helberger 2020;Van Ooijen and Vrabec 2019), user insights into the role and implementation of the GDPR are under-researched.The role of individuals' beliefs in relation to GDPR-compliant behaviour needs to be investigated by considering the privacy paradox dichotomy (Barth and de Jong 2017;Hann et al. 2007;Huberman, Adar, and Fine 2005;Kokolakis 2017).The privacy paradox is a privacy-compromising behaviour manifested by users, even though they express strong concerns about their data privacy and security (Barth and de Jong 2017;Kokolakis 2017).Users tend to assign value to privacy-protective behaviour (Hann et al. 2007;Huberman, Adar, and Fine 2005).If such behaviour comes at the cost of convenience or financial expenses, the motivation to engage in it decreases (Carrascal et al. 2013;Hann et al. 2007;Huberman, Adar, and Fine 2005).Hence, the role of cost-benefit analysis in privacy-compliant data exchange necessitates the evaluation of the cognitive factors underlying behaviour, which have not been examined to date.Secondly, although it has been argued that the GDPR empowers individuals to carry out transactions online without fear of having personal data being compromised (Strycharz, Ausloos, and Helberger 2020), little is known about how empowerment is manifested on an emotional level.Empowerment has mainly been investigated as an implied state reflecting the consumers' knowledge about the technical and legal measures.It enables individuals to protect their privacy online by restricting the use of personalised advertising or cookies (Strycharz et al. 2019;Strycharz et al. 2021).The practices that the regulation enforces (such as the right to modify, obtain and delete personal information after it has been collected), go beyond the management of access to data by third parties (Tikkinen-Piri, Rohunen, and Markkula 2018).As such, existing literature lacks evidence about the beliefs explaining the formation of the views on compliance with security-preserving regulatory frameworks, such as that of GDPR, and the emotional state of empowerment associated with such views.
To cover the above research gaps this study examines individuals' beliefs that underpin the perception and importance of protective behaviour ensured by the GDPR.To address this objective, first, we adopt Protection Motivation Theory to theorise and examine the role of the cognitive factors conducive to individuals' perceived threats and coping mechanisms.This helps us explore the impact of cognition on positive attitudes towards GDPR compliance.Evidence about the relationship between the cognitive factors associated with privacy and security threats and attitude is important for understanding the conditions that could potentially facilitate individuals' predisposition towards GDPR-compliant behaviour.Second, we investigate whether attitude leads to emotional empowerment.On the one hand, by testing this relationship, this study can provide insight into user perceptions of the degree to which the regulation makes people feel confident that they are in control of personal data exchanged online.On the other hand, such findings aim to shed light on the relationship between protection motivation and emotional empowerment.
The next section of the paper will provide a literature review on the GDPR and the rationale for developing the research model.This is followed by the hypothesis development section, which justifies the relationships between the identified variables.Then, the paper presents the methodology underpinning the study, outlines the results and discusses the findings.The paper concludes with theoretical and practical implications and suggestions for future research.

Literature review
GDPR is a legal privacy-assuring mechanism which was introduced to replace the 1995 Data Protection Directive (DPD) and provide guidelines to EU companies against the backdrop of the increasing role of Big Data in business (Zarsky 2016).The law aims to protect individuals' personal data following the principles of lawfulness, fairness, transparency, accuracy, accountability, confidentiality and integrity when it comes to data usage (Goddard 2017;Perera et al. 2019;Zaeem and Barber 2020).Organisations that are compliant with the GDPR should aim to minimise the amount of personal data collected to the amount which is required to provide the requested services.Consequently, the period of data storage should be limited to the purpose of data usage (Goddard 2017;Zaeem and Barber 2020).The goal of GDPR compliance is to improve individuals' confidence that their privacy is being respected and their personal data is being handled fairly (Perera et al. 2019;Zaeem and Barber 2020).Such confidence is ensured by giving individuals the rights to object to the collection of personal data, have access to personal information that was collected by third parties online, as well as rectify and delete the information after it was collected (Tikkinen-Piri, Rohunen, and Markkula 2018).Non-compliance by organisations can result in heavy fines, which can make it more difficult and costly for firms to operate in a GDPR environment (Albrecht 2016;Presthus and Sønslien 2021;Tankard 2016).
The importance of privacy preservation in view of the massive amounts of digital data created every day and the fact that the GDPR rules were formulated so recently has prompted the interest of researchers (Albrecht 2016;Larrucea et al. 2020;Tolsdorf, Dehling, and Lo Iacono 2022;Truong et al. 2019;Wachter, Mittelstadt, and Russell 2017;Wieringa et al. 2021).This interest has resulted in the development of research streams exploring the GDPR and its implications through mainly organisational, technical, legal and ethical lenses (De Hert et al. 2018;Goddard 2017;Wachter, Mittelstadt, and Russell 2017).For example, from an organisational perspective, studies have focused on the impact of the introduction of the GDPR on companies and the suggestions of best practice to anticipate and cope with the challenges posed by regulatory changes (Leite, Dos Santos, and Almeida 2022;Voss and Houser 2019;Ziegler, Evequoz, and Huamani 2019).On the one hand, it was found that the law had disrupted many areas of business practices (Leite, Dos Santos, and Almeida 2022).On the other hand, compliance with the regulation was found to provide a competitive advantage deriving from enhanced trust in the company (Voss and Houser 2019).
When viewed through a technical lens, the literature has offered insights into technological developments in different sectors and life domains to ensure compliance with data protection rules (Bassi et al. 2019;Mougiakou and Virvou 2017;Truong et al. 2019).On the one hand, researchers focused on system designs that would offer security in line with the regulation requirements (Campanile et al. 2021;Truong et al. 2019).For example, researchers proposed solutions that could process data in a fair and transparent way (Badii et al. 2020;Haque et al. 2021;Kounoudes and Kapitsaki 2020), restrict or minimise private data collection in unauthorised situations (Bassi et al. 2019;De Carvalho, Fantinato, and Eler 2020) and facilitate visual privacy protection (Asghar et al. 2019).On the other hand, the literature provides insights into the implications of the regulation for existing technologies.Specifically, studies have explored the role of the GDPR in enhancing the security of individuals' digital data (Mougiakou and Virvou 2017) and reducing the instances of online tracking (e.g.cookies) (Sanchez-Rola et al. 2019).
Studies in the legal domain have a strong focus on interpreting the GDPR, offering a comprehensive guide for GDPR compliance and suggesting improvements for policymakers (De Hert et al. 2018;Forcier et al. 2019;Leiser 2019).There is a growing awareness that there is a conflict between technologye.g. the use of blockchainsand GDPR rules, such as the right to be forgotten, to delete and to edit personal data (Tatar, Gokce, and Nussbaum 2020).The implementation of these rules can be complicated when the data is in a blockchain, which is considered to be immutable and irreversible (Tatar, Gokce, and Nussbaum 2020).Also, there is a great deal of ambiguity when it comes to the applicability of the law to international organisations and the potential implications of its rules for firms (De Búrca 2020; Hustinx 2021; Kuner 2020).A sub-stream of the literature in the legal domain is concerned with the ethical side of the GDPR (Amram 2020;Larrucea et al. 2020;Rochel 2021;Vlahou et al. 2021).Although the legal framework embraces both jurisdictional and ethical standards about data processing (Amram 2020), the inseparability and the complementarity of ethics to the laws that regulate data use and processing are debated (Rochel 2021;Vlahou et al. 2021).Considering the lack of clarity about the relationship between ethics and law, the literature suggests that the principles of the GDPR can be interpreted from both perspectives (Rochel 2021;Vlahou et al. 2021).
As per above, there has been increasing interest in GDPR and ample research on GDPR-compliant technologies, legal and ethical implications.Still, the evidence about the individual's perspective on the legal framework is limited.Some studies have investigated the GDPR by looking into an individual's view on the regulation (Hartman et al. 2020;Mangini, Tal, and Moldovan 2020;Zhang, Wang, and Hsu 2020).The findings were not consistent.While it was shown that individuals were happy with specific GDPR rules, such as the right to be forgotten (Mangini, Tal, and Moldovan 2020), the public's view on the overall approach to managing data was negative (Hartman et al. 2020).However, the companies that voluntarily adhere to the laws that regulate data use and processing are perceived as trustworthy (Zhang, Wang, and Hsu 2020).Also, it was found that individuals are more willing to disclose personal information and have a lower perception of risks while engaging in online purchase transactions when they consider data protection laws to be effective (Paul, Scheibe, and Nilakanta 2020;Urbonavicius et al. 2021).Furthermore, despite the argued role of the GDPR in empowering individuals to enjoy their rights to personal data protection (Strycharz, Ausloos, and Helberger 2020), the impact of GDPR-compliant practices on people's emotional state of empowerment has not been examined.
The importance of emotional empowerment for this study stems from the research on psychological empowerment, suggesting that there are four empowerment states, namely relational, cognitive, emotional and behavioural (Peterson 2014;Peterson et al. 2021;Rodrigues, Menezes, and Ferreira 2018).Cognitive empowerment is also known as an interpersonal state, as it concerns the critical knowledge of the dynamics in the socio-political environment (Christens, Collura, and Tahir 2013;Zimmerman 1995).It is not only the understanding of the forces of the environment, but the resources and methods that are required to address the impact of the environment on oneself (Wilke and Speer 2011).In the non-social context, cognitive empowerment reflects an assessment of one's own behaviour, competence, self-efficacy, circumstances and behaviour consequences (Thomas and Velthouse 1990).Relational empowerment refers to interpersonal transactions helping individuals exercise their transformative power in the socio-political domain.Behavioural empowerment refers to individuals' actions directed at exerting influence over the social, political, economic and cultural conditions that affect the lives of communities.Emotional empowerment is the emotional state resulting from the awareness of personal ability to influence the conditions in the personal and socio-political contexts (Rodrigues, Menezes, and Ferreira 2018).When it comes to the GDPR application, cognitive empowerment reflects the knowledge of the responsibilities of organisations in ensuring data privacy, the consequences of the violation of the regulation and the rights of individuals whose data is collected.Such knowledge works as a motivational stimulus for attitude formation and behaviour change (Thomas and Velthouse 1990).Consequently, in the context of this study, individuals' knowledge of the benefits of the regulation for data privacy can affect the attitude towards GDPR compliance, rather than result from attitudinal change.Relational and behavioural empowerment are not pertinent for examining the psychological implications of GDPR compliance, because at the application stage, end-users have from limited or even no impact on how organisations adhere to regulations.In contrast, emotional empowerment refers to intra-personal psychological states, resulting from the assessment of the environment where behaviour takes place (Rodrigues, Menezes, and Ferreira 2018).Hence, the use of emotional empowerment makes it possible to explore feelings when individuals assess the regulatory framework when it comes to data privacy and security and realise their strength in controlling how their data is used by organisations.
The existing literature on GDPR has examined empowerment as an implied state.Researchers theorised the concept as individuals' knowledge about technology and legal rights, helping them make informed decisions as to whether to consent to or refuse the collection of personal data by third parties (Strycharz et al. 2019;Strycharz et al. 2021).Specifically, it was found that knowledge drives the evaluation of potential costs and benefits, and the subsequent intention to disclose personal information through personalised advertising and cookies (Strycharz et al. 2019;Strycharz et al. 2021).Such findings are helpful in explaining the instances when knowledge of behavioural costs and benefits can hinder or facilitate privacy-preserving behaviour.Still, the extant literature does not explain the motivation to engage in compliant behaviour, which includes a wider scope of practices than the consent to use cookies and personalised ads.Given the above evidence from extant research, the determinants of protective behaviour and the emotional implications of the regulation remain underexplored.
The attitude towards organisations' GDPR-compliant behaviour can be explained by the privacy-calculus research.This research postulates that privacy-related decisions are based on the premise that perceived benefits would outweigh perceived costs (Culnan and Armstrong 1999;Dinev and Hart 2006).Cost-benefit analysis underpins privacy-compliant and privacy-compromising behaviour (Barth and de Jong 2017;Carrascal et al. 2013;Hann et al. 2007;Huberman, Adar, and Fine 2005;Kokolakis 2017).Individuals may disclose personal information while engaging in transactions if they gain the benefits of cost-saving and convenience, even though it may be at the risk of the violation of online personal data use (Hann et al. 2007;Huberman, Adar, and Fine 2005;Kokolakis 2017).The intention to protect personal data privacy can prevail even if it might entail monetary costs (Egelman, Felt, and Wagner 2013).In a similar vein, organisations' practices directed at protecting individuals' data can be perceived positively by individuals if they believe that ensuring that organisations are compliant with the data law when it comes to data treatment is worth the effort.The belief that one has to spend significant time, money and effort to ensure that organisations do not breach data privacy would probably undermine the value of a company's privacy-protective behaviour.In turn, the threats of personal data misuse and the effectiveness of privacyprotective behaviour are expected to positively affect the evaluation of that behaviour.Given the above, the evaluation of potential threats and the benefits of protective mechanisms eliminating these threats could be decisive factors shaping the attitude towards GDPR-compliant practices.
Therefore, the focus of this paper is on examining the cognitive factors facilitating a positive attitude towards GDPR-compliant behaviour and the resulting feeling of empowerment.By adopting the selected approach, we aim to gain a deeper insight into the determinants that may explain individuals' perceptions of GDPRcompliant behaviour and the implications of perceptions for an individual's psychological state.The following section will provide a justification for the proposed hypotheses in the research model.

Theoretical foundation and hypothesis development
The study uses Protection Motivation Theory as a theoretical foundation to investigate an individual's attitude towards GDPR compliance and the following feeling of emotional empowerment.The theory has been helpful in guiding prior studies on individuals' motivation to engage in security and privacy-preserving behaviour through the employment of technologies with an extra layer of security and adherence to privacy policies (Herath et al. 2014;Hsieh and Lai 2020;Ifinedo 2012;Marikyan et al. 2022;Menard, Bott, and Crossler 2017;Orazi and Johnston 2020).
Protection Motivation Theory posits that individuals' attitudes to compliance behaviours, actual behaviour and behavioural intention are facilitated by the perception of threat vulnerability, threat severity, response efficacy and self-efficacy, and hindered by the perception of response cost (Boss et al. 2015;Rogers 1983;Wu 2020).Early research applying Protection Motivation Theory suggested that the effects on protection motivation are mediated by two cognitive mechanisms, namely threat appraisal and coping appraisal (Boss et al. 2015;Floyd, Prentice-Dunn, and Rogers 2000), which led to some scholars treating appraisal factors as second-order constructs (e.g.Byrd et al. 2023).However, a wide body of research adopts a simplified conceptualisation of protection motivation which omits mediating cognitive appraisal factors.Researchers in that stream of literature examine protective attitudes and behaviour as directly predicted by the perceptions of response efficacy, self-efficacy, threat vulnerability, threat severity and response cost, suggesting that these perceptions denote threat and coping appraisal cognitions (Lee 2011;Menard, Bott, and Crossler 2017;Vance, Siponen, and Pahnila 2012).
Threat appraisal happens when individuals evaluate one's own vulnerability to threat and threat severity (Boss et al. 2015;Rogers 1983).Perceived threat vulnerability concerns the appraisal of the likelihood of the threatening event happening (Ifinedo 2012).In the context of this research, perceived threat vulnerability captures an individual's assessment of the likelihood of their personal data being compromised.Protection Motivation Theory postulates that individuals' vulnerability to potential danger triggers the motivation to engage in protective behaviour (Boss et al. 2015;Chen et al. 2020;Rogers 1983).However, empirical evidence has demonstrated that the relationship between perceived threat vulnerability and behaviour is not consistently significant across studies (Boss et al. 2015;Ifinedo 2012;Lee 2011;Vance, Siponen, and Pahnila 2012).For instance, the research on users' intention to back up data did not show a significant role of perceived threat vulnerability (Boss et al. 2015;Crossler 2010).A study examining the adoption of anti-plagiarism software established an opposite finding.It was found that the assessment of personal susceptibility to threat was a significant driver to anti-spyware adoption and compliance with information systems security policy (Chenoweth, Minch, and Gattiker 2009;Ifinedo 2012;Lee 2011).Perceived threat severity concerns an individual's perception of how harmful the threat of counter protective behaviour might be (Boss et al. 2015;Chen et al. 2020;Rogers 1983).In relation to GDPR practices, perceived threat severity refers to an individual's evaluation of the severity of harm that privacy intrusion and data protection breaches might cause.In the scenario of malicious treatment of data, potential harm is considered to be severe enough to motivate individuals to engage in protective behaviour.Such behaviour may involve the installation of anti-spyware (Chenoweth, Minch, and Gattiker 2009), the purchase of anti-plagiarism software (Lee 2011), compliance with security policies (Vance, Siponen, and Pahnila 2012), intention to take protective measures (De Kimpe et al. 2022) and other activities helping diminish the potential threat.Given the above, the importance of personal privacy and the increasing security threats, we hypothesise the following.
Hypothesis 1: (a) Perceived threat vulnerability and (b) perceived threat severity positively relate to attitude towards GDPR compliance.
Following Protection Motivation Theory, coping appraisal refers to individuals' consideration of their own ability to cope with the consequences of a threat (Woon, Tan, and Low 2005).Coping appraisal captures the assessment of self-efficacy, response efficacy and response cost (Ifinedo 2012).Self-efficacy reflects individuals' beliefs that they are able to fulfil behaviour to achieve certain things or events (Bandura 1977;Bandura 1982).Individuals' confidence in being able to cope with the task increases their motivation to commence it (Boss et al. 2015;Rippetoe and Rogers 1987).For example, it was found that individuals who scored high on the perceived self-efficacy scale tend to abide by IS security policies (Vance, Siponen, and Pahnila 2012), install antispyware software (Lee and Larsen 2009) and back up personal data (Crossler 2010).The relationship between selfefficacy and behaviour is explained by the role of personal capabilities in amplifying the effectiveness of one's own behaviour (Rogers 1983).When it comes to GDPR practices, self-efficacy reflects the individuals' perception of personal ability to ensure that organisations getting hold of their data would treat it in compliance with the data law.The perception of self-efficacy, in turn, strengthens the belief that the GDPR rules are effective.Response efficacy reflects an individual's belief that undertaking protective behaviour will result in benefits (Rogers 1983).In the context of this research, response efficacy refers to individuals' beliefs that adherence to the GDPR will result in rewards.Individuals who believe that complying with security and data protection regulations will help reduce the instances of data violation tend to follow this law (Crossler 2010;Herath et al. 2014;Ifinedo 2012).The response cost factor captures the perception of the costs that the engagement with protective behaviour will entail (Ifinedo 2012).Response cost diminishes the motivation to commence the protective behaviour (Chenoweth, Minch, and Gattiker 2009;Lee and Larsen 2009).When individuals believe that the implementation of IS security measures might be difficult, time-consuming or costly, their motivation to undertake such measures decreases (Chenoweth, Minch, and Gattiker 2009;Lee 2011;Woon, Tan, and Low 2005).Given the above evidence, we postulate that: This study proposes that attitude towards GDPR compliance positively relates to individuals' feelings of emotional empowerment.Attitude is an individual's evaluative judgement (Schwarz 2007) and has been considered as a proxy for behaviour and employed to investigate technology adoption, adaptive and maladaptive use of technology amongst other activities (Tamilmani et al. 2020b;Tamilmani, Rana, and Dwivedi 2020a;Porter and Donthu 2006;Ratchford and Ratchford 2021;Wu 2020).In the information management domain, attitude is an individual's salient beliefs about using technology and the assessment of the benefits related to its use (Karahanna, Straub, and Chervany 1999).In the context of this research, attitude is an individual's overall assessment of the benefits related to GDPR adherence when processing third-party data.Emotional empowerment is a type of psychological empowerment state.Psychological empowerment can be described as individuals' beliefs that they have access to resources, rights and knowledge providing the capabilities to control a situation, and giving individuals the possibility to participate in the attainment of goals (Maton 2008;Zimmerman 1995).The feeling of emotional empowerment captures an intra-personal psychological state arising from the realisation of personal abilities to affect things and events in personal and socio-political contexts (Peterson et al. 2021).Emotional empowerment reflects how people perceive themselves in terms of domain-specific control, selfefficacy and competence (Zimmerman 1995).The concept of empowerment is critical in legal scholarship, as it encourages the involvement of citizens in addressing communal issues and rights (Beckers 2018;Christens, Collura, and Tahir 2013;Mak and Terryn 2020).When it comes to GDPR-compliant behaviour, individuals may feel emotionally empowered for two reasons.First, the regulation gives individuals the ability to control data online, providing information about the purpose for which data is collected and how it is processed.Knowledge about the technical aspect of data processing and the awareness of the effectiveness of legal intervention in ensuring data protection reflect the confidence in protective behaviour (Strycharz et al. 2021;Strycharz et al. 2019).Second, the legal mechanism ensures that a breach of data protection laws by organisations incurs high costs (Tankard 2016;Albrecht, 2016;Presthus and Sønslien 2021).This implies a higher likelihood that the regulatory framework will be followed by organisations, thus increasing confidence in the outcome of protective measures and personal abilities to influence protective behaviour (Strycharz et al. 2021;Strycharz et al. 2019).Consequently, the perception that the GDPR protects individuals' rights to fair data treatment can enhance one's perceived control over personal data and induce associated positive emotions.Therefore, the third hypothesis states that: Hypothesis 3: Individuals' attitude towards GDPR compliance is positively related to emotional empowerment.
The relationships between coping appraisal, threat appraisal, attitude and empowerment are presented in Figure 1.

Data collection
Given the objectives of this study, we employed a crosssectional research design.Before launching the data collection, first we consulted with a researcher in the law discipline, focusing on data protection and public consent, and a researcher involved in technology development, focusing on information systems compliant with privacy-preserving regulations.The objective of the consultation was to ensure that the identified constructs and their adaptation were relevant for a legal security-preserving framework and confirm that the objective knowledge scale represented a good measure of the knowledge of the regulation among the general population.After consultation with the experts, a pilot survey was conducted to generate feedback about the comprehensiveness of the survey, the clarity of the questions and the survey design and structure.The pilot questionnaire was distributed to 20 fellow researchers and Prolific users.Upon the completion of the pilot study and incorporating suggestions/feedback about the wording of the questions provided by the respondents, we embarked on the full-scale data collection.The final questionnaire contained three parts.The first part was the introduction to the survey explaining the purpose of the data collection and including a consent form.We made it explicit in the introduction block of the questionnaire that participation was anonymous, voluntary and respondents could decline or terminate the survey at any point in time.The second part included questions to test the research model, while the third part aimed to collect socio-demographic information about the respondents.For the data collection, we used a convenience sampling method to recruit respondents from a consumer panel in the UK.Access to the sample was provided by Prolific, an independent research company, which distributed a URL to the study among the consumer panel.The use of a research company to collect data enabled quick access to a sample of UK citizens who are eligible to participate in the study, and increased the likelihood of accurate responses due to the incentives offered to respondents for each valid response.As a result, 564 questionnaires were distributed, out of which 540 were returned with complete and valid responses (Table 1).The majority of the respondents were aged between 18 and 35 (55%) and had completed some college or attained a Bachelor's degree (78.3%).In terms of gender, the sample was relatively balanced with 41.9% of men compared to 58.1% of women.A predominant number of respondents considered the importance of privacy to be high (93.3%)and had a strong fear of privacy intrusion (75.7%).While the percentage of respondents with high expertise (46.5%) is similar to the percentage of those with low expertise (49.3%), most of the respondents considered themselves to have a medium and high level of objective knowledge about the GDPR (92%).

Measurement
To ensure the validity of the measures we employed scales from prior literature (Table 2) and the measurement items of seven constructs were anchored on a 7point Likert scale.The points ranged from 1 'strongly disagree' to 7 'strongly agree'.The scales were adapted to fit the context and the objectives of the study.For the socio-demographic profile, we measured individuals' objective knowledge about the GDPR.The scale for this study was developed using an approach employed by other scholars (Manika, Gregory-Smith, and Papagiannidis 2018).The questions about the objective knowledge were gleaned from the GDPR literature and checked by GDPR experts (Appendix).The GDPR experts were two researchers who had been involved in the research on the regulations around digital technology and the development of privacy-preserving information systems compliant with data protection laws.They validated the accuracy of the questions and answers, as well as the relevance of the questions for measuring the objective knowledge of the general public, who do not have professional experience in law.The questions were intended to measure the respondents' knowledge of the responsibilities of organisations in ensuring data privacy, their responses to privacy violation, the rights of individuals whose data is collected and the role of individuals in adhering to the GDPR.

Data analysis
Given the objective of the study to test the research model, covariance-based structural equation modelling (CB-SEM) was used as a data analysis approach.Prior to conducting the analysis, multivariate analysis assumptions were tested.First, the collinearity diagnostics using SPSS were conducted to eliminate the possibility of multicollinearity between independent variables in the model (Tabachnick, Fidell, and Ullman 2007).The tolerance coefficients were >0.1, while the VIF values were <10, which indicated that the variables were not highly correlated (Thompson et al. 2017).Second, to identify outliers and their effect on the model, the Mahalanobis Distances and Cook's Distance coefficients were extracted.Residual statistics showed that there were cases with standardised residuals falling beyond the suggested range between −3.3 and +3.3.However, since Cook's Distances were not above 1, it was considered that the outliers did not have an affect on the results of the analysis (Tabachnick, Fidell, and Ullman 2007).Apart from the analysis of outliers in SPSS, we also checked Mahalanobis Distances in Amos.Ten cases with significant farthest distances from the centroid were identified.To reconfirm that they did not influence the accuracy of the analysis output, the model was tested with and without the identified outliers, which demonstrated that there were no differences in the effect sizes and p-values of the tested relationships.Third, to test the linearity, normality and homoscedasticity of the data, Normal P-Plot and Scatterplot were inspected.All values were distributed linearly along the diagonal line on the Normal P-Plot and around '0' on the Scatterplot.That enabled us to conclude the normality and linearity of data and proceed to the analysis of the measurement and structural models (Tabachnick, Fidell, and Ullman 2007).SPSS v.26 and SPSS-AMOS v.26 were employed to examine the reliability and validity of the adopted measurements and to explore the hypothesised paths.Overall, the analysis procedures followed two steps.The first step was to carry out confirmatory factor analysis to eliminate the possibility of validity and reliability issues.To ensure the measurement model's validity and reliability, we tested the Cronbach's Alpha values, factor loadings, construct reliability, average variance extracted, and CFA model fit indices.As a result of the validity, reliability and model fit analyses, the values were above the acceptable threshold, which is >0.9 for CFI, <0.07 for RMSEA, >0.7 for CR, factor loadings and Cronbach Alpha coefficients, and >0.5 for AVE (Hair et al. 2014).Specifically, the measurement model fit indices were: χ 2 (278) = 632.700,CMIN/DF = 2.276, CFI 0.962, RMSEA = 0.049.Since the sample size was large, χ 2 was significant as expected (Hair et al. 2014).Table 2 presents the factor loadings and Cronbach Alpha coefficients.One item from the self-efficacy scale was deleted as the factor loading was <0.5, which is below the suggested threshold (Hair et al. 2014).The results of convergent and discriminant validity analysis, along with CR and AVE values are provided in Table 3.The diagonal figures in Table 3 represent the square root of the average variance extracted (AVE), while the figures below represent the betweenconstructs correlations.Discriminant validity was established, as the diagonal figures are higher than the between-constructs correlations.In addition, as all data were collected from the same source, we made sure that common method variance would not affect the results.Three post-hoc tests were employed to reject the possibility of a common method bias, suggested by Podsakoff et al. (2003).A Harman's single-factor test showed that one factor explained 30.7% of the variance, the inclusion of a latent variable demonstrated 17% of the variance, while the test using a latent factor and a  (Johnston and Warkentin 2010;Ifinedo 2012) 0.880 I can fall victim to data breach 0.811 The risk of illegal access to my personal data can be high 0.808 My personal data can be compromised 0.871 My personal data can be vulnerable to breaches 0.753 Response efficacy (Vance, Siponen, and Pahnila 2012;Woon, Tan, and Low 2005) 0.910 GDPR is important when it comes to protecting my data because … It would reduce the likelihood of personal data breaches.
0.850 The instances of data breaches would be fewer 0.864 It would help avoid threats to my personal data 0.858 It would be an effective way of deterring potential data breaches 0.823 Self-efficacy (Woon, Tan, and Low 2005) 0.834 Ensuring that organisations that hold my personal data comply with GDPR … Would help protect my personal data 0.803 Would reduce the risk of data breaches 0.895 Response Cost (Vance, Siponen, and (Peterson et al. 2021) 0.892 The rules that GDPR imposes on organisations … Make me aware of my strength as an owner of data 0.823 Make me feel in control of my own data 0.879 Make me feel confident 0.825 Make me speak up for my rights about the usage of my data 0.763 marker variable showed a variance of 16%.All of the values were below the acceptable threshold (Podsakoff et al. 2003).

Structural model analysis
The second step of the structural equation modelling analysis was checking the structural model fit indices and the analysis of the hypothesised paths.Following the guidelines by Hair et al. (2014), the structural model fit indices were satisfactory, with χ 2 having a significant p-value, CFI > 0.9 and RMSEA < 0.07 (χ 2 (283) = 698.930,CMIN/DF = 2.470, CFI = 0.956, RMSEA = 0.052).Given the result of fit testing, we embarked on checking the proposed relationships.The results of the structural model analysis are presented in Table 4, showing that all the proposed hypotheses were supported except H1a and H2c.The model explains 37% of the variance in towards GDPR compliance and 18% of the variance in empowerment.

Discussion
The analysis of the factors underpinning individuals' attitude towards GDPR compliance showed that when it comes to threat appraisal the role of perceived threat vulnerability is not significant.This indicates that individuals do not feel vulnerable to potential security and privacy breaches, which goes against the principles of Protection Motivation Theory (Rogers 1983) and the literature examining compliance behaviour (Lee 2011;Ifinedo 2012).However, there is empirical evidence that this factor has an insignificant effect on individuals' behaviour (Vance, Siponen, and Pahnila 2012;Crossler and Bélanger 2014;Tsai et al. 2016;Crossler et al. 2014;Chen and Yeh 2017).A plausible explanation could be that individuals think that government and organisations ensure their privacy and can provide compensation in the case of a breach.Hence users feel sufficiently protected.On the other hand, perceived threat severity was found to have a positive significant relationship with attitude towards GDPR compliance.
The results are in line with research examining human behaviour in relation to privacy-insurance mechanisms (Mousavi et al. 2020;Vance, Siponen, and Pahnila 2012;Lee 2011;De Kimpe et al. 2022).Considering the nonsignificant effect of threat vulnerability, individuals might recognise the severity of the degree to which potential security and privacy breaches could affect them.However, as they have high objective knowledge about GDPR, they might believe that the compliance with the regulatory framework reduces the risk of such threats arising.When it comes to coping factors, all factors but response cost were found to have significant relationships with attitude towards GDPR compliance.The positive path between self-efficacy and attitude indicates that individuals are confident that organisations complying with the GDPR can protect their personal data and reduce the chances of data breaches.This is logical as the demographic profile of the respondents shows that the majority of them had high objective knowledge.That means that they were aware of the benefits of the law and how organisations can act to protect individuals' right to privacy.Therefore, the respondents believed that ensuring that organisations processing personal data comply with the GDPR principles can help protect personal data.That belief, in turn, improves individuals' attitudes towards GDPR-compliant behaviour.This finding is in line with the principles of  Protection Motivation Theory and related research examining security compliant behaviour (Lee 2011;Ifinedo 2012;Crossler 2010;Mousavi et al. 2020;Marikyan et al. 2022).Similarly, the positive relationship between response efficacy and attitude (H2b) is consistent with evidence confirming the role of this factor in motivating security practices (Lee 2011;Ifinedo 2012;Crossler 2010;Tsai et al. 2016).Attitude towards GDPR compliance is determined by the perception that adherence to the GDPR by organisations can eliminate security and privacy issues.Given that the respondents hold high objective knowledge about the GDPR, the results could mean that the understanding of the data-preserving mechanism increases the confidence in the effectiveness of the regulation and, in turn, attitude towards the practices it promotes.The insignificant path between response cost and attitude contradicts the principles of Protection Motivation Theory (Floyd, Prentice-Dunn, and Rogers 2000), although there have been conflicting results about the effect of the construct on protective behaviour (Ifinedo 2012;Boss et al. 2015;Crossler 2010;Crossler and Bélanger 2014).The perceived cost of compliance with the data-preserving regulation does not diminish individuals' predisposition towards that behaviour.A potential explanation could be that individuals know that GDPR compliance is mandatory, which gives organisations no choice but to follow the law.An alternative interpretation could be that respondents believe that companies' compliance with the GDPR is important, which overshadows the costs associated with the measures that need to be taken to ensure the privacy and security of data.Such an interpretation can be supported by the privacy-calculus research (Culnan and Armstrong 1999;Dinev and Hart 2006), suggesting that the perceived costs are lower than the benefits of the behaviour and thus irrelevant when it comes to the formation of the attitude towards it.
As far as the path between attitude towards GDPR compliance and emotional empowerment is concerned, the analysis showed that the two constructs positively correlate.This is the first empirical evidence confirming the relationship between the perception of GDPR-compliant practices and empowerment.A positive attitude towards GDPR-compliant practices reflects individuals' beliefs that the law is an effective measure to protect personal data, enabling individuals to refuse access to data, see how it is used and provide a means to manage, rectify and delete data after it has been collected (Maton 2008;Peterson et al. 2021;Guchait, Kim, and Namasivayam 2012).The belief that the GDPR can help avoid data privacy and security issues increases individuals' confidence, which is associated with a positive psychological and emotional state (Boshoff and Leong 1998;Boshoff 1997).An affective state stems from an individual's realisation of personal capabilities to control the situation and achieve their goals (Maton 2008;Zimmerman 1995).This finding complements the existing literature about the potentially empowering role of the knowledge of technical/legal underpinnings of GDPR compliance and the effectiveness of the legal framework in privacy-preserving behaviour (Strycharz et al. 2021;Strycharz et al. 2019).

Theoretical and practical contributions
This paper makes several contributions to the literature.Firstly, it contributes to the literature on legal data protection mechanisms.The study responds to a call to explore the user perspective on the regulatory framework (GDPR), which has been under-researched so far (Van Ooijen and Vrabec 2019;Strycharz, Ausloos, and Helberger 2020).The results of the analysis of the research model shed light on how the beliefs induced by the fear of data privacy and security risks correlate with the individual's perception of the privacy-preserving regulatory framework.This finding is important for understanding the factors that can enhance a positive attitude towards GDPR compliance and be associated with a feeling of emotional empowerment.
Second, the findings of the paper extend the knowledge on protection motivation.This study provides evidence about the emotional state following motivation to engage in adaptive behaviour, which was made possible by examining the relationship between attitude towards GDPR compliance and empowerment.While some prior studies suggested that cognitive appraisal factors play a role when a person feels empowered (Strycharz et al. 2021;Strycharz et al. 2019), the variable has not been empirically measured.The investigation of empowerment is important in the context of protective behaviour for two reasons.First, empowerment captures the strength of individual agency in protective behaviour (Zimmerman 1995), while coping and threat factors reflect the evaluation of the efficacy of protective measures (Rogers 1983).Hence, the confirmed role of empowerment enables us to understand whether perceived coping efficacy and threat strength can translate into personal control over the consequences of threatinducing actions in a specific domain.Second, the confirmation of the significance of the psychological state has particular importance for examining the motivations for adaptive behaviour, because empowerment reflects a striving for control and the awareness of a personal participatory role and skills in problemsolving (Zimmerman 1995).
Third, the study contributes to the literature on information systems management.The established relationships between fear-induced beliefs and a positive attitude towards GDPR compliance serve as empirical evidence about the drivers of the use of technologies enhancing individuals' privacy and data security.This evidence is timely, considering growing research directed towards the development of privacy-preserving systems and the exploration of the factors underpinning the adoption of such technology (Truong et al. 2019;Mora et al. 2021;Lumor et al. 2021).The findings about the coping and threat appraisal variables correlating with attitude towards GDPR compliance provide an understanding of the cognitive factors that increase the likelihood of the acceptance of privacy-preserving technologies.
From a practice perspective, this research provides several implications for organisations and policymakers.Given that threat and coping mechanisms determine attitude towards GDPR compliance, open discussion events about the implications of GDPR compliance would encourage an understanding of the benefits of the regulation for different stakeholders.To communicate to the public that they will not fall victim to data misuse, organisations need to ensure that the way in which they treat data is communicated to their stakeholders.The information can be communicated through dedicated pages on firms' websites with a description of the purposes and the types of data that the company collects, processes and stores.To increase individuals' awareness of personal data use, consent forms need to be prompted before individuals' data can be collected.Also, this study can guide policymakers.To enhance trust in the law, which contributes to the perceived effectiveness of GDPR practices, policymakers need to improve the general public's awareness of the benefits of the regulatory framework.The perception of the importance and the effectiveness of the law can be improved by increasing the involvement of individuals in learning the impact of GDPR compliance through multiple channels, such as live consultancy chats, workshops and podcasts.

Conclusion, limitations and future research suggestions
To address the research gaps in the current literature lacking the individuals' perspectives on the legal security-preserving framework, this study examined individuals' attitudes towards GDPR compliance and the individuals' perception of empowerment.To meet the objective, the research model was developed analysing the cognitive antecedents of attitude and the resulting feeling of empowerment.
This study has some limitations that future research can build upon.Since the objective of this study revolved around a specific data law, in the future, researchers could investigate individuals' views on privacy-preserving legal frameworks that are practised outside of the GDPR zone.An international and intercultural perspective is important, as people from different cultures could have a dissimilar perception of legal and governmental interventions and privacy in general (Wu et al. 2012;Cram, Proudfoot, and D'arcy 2017).Second, this study focused on the psychological implications of GDPR application in organisations, which defined the focus on the emotional type of empowerment.Future research could investigate the role of individuals in the formation of the regulation and explore the consequences of a positive attitude towards the regulation in terms of behavioural and relational empowerment.Third, given that threat vulnerability was not significant, future studies could explore the reasons that would explain such beliefs.A possible approach might be to examine the effect of threat vulnerability in two conditions: when individuals have had and have not had prior experience of data protection issues.It is plausible that a prior negative experience of private data misuse increases individuals' beliefs that a similar situation could happen.Fourth, while this study investigated the factors underpinning the attitude towards and experience of GDPR practices, future studies could investigate the psychological factors determining non-compliant behaviour.This approach could shed light on the potential inhibitors of the legal framework implementation.Fifth, future research can extrapolate the findings of the insignificant role of response cost.Studies could examine empirically as to whether the factor is not significant due to the compliance with the GDPR being mandatory or whether the importance of law overshadows any costs associated with the actions that need to be taken to ensure compliance.
Hypothesis 2: (a) Self-efficacy and (b) response efficacy positively relate to attitude towards GDPR compliance.(c) Response cost negatively relates to attitude towards GDPR compliance.

Table 1 .
The profile of the respondents.

Table 2 .
(Vance, Siponen, and Pahnila 2012;Ifinedo 2012)t severity(Vance, Siponen, and Pahnila 2012;Ifinedo 2012)0.768Threats to the security of my personal data can be harmful 0.710 I view access to my private data without my permission as harmful 0.798 Having my private data accessed by someone without my consent is a serious problem for me 0.797 Perceived threat vulnerability

Table 3 .
Convergent and discriminant validity test.

Table 4 .
The results of the structural model analysis.