In this paper, we explore routine change in an organization implementing compliance with an external regulation. We study changes in patterns of action, over time, in a biomedical group implementing routine change for compliance with the General Data Protection Regulation (GDPR), a recent external regulation that impacts data sharing. Using longitudinal data from our field study at BioResearch, we identified four distinct phases of implementing compliance: pre-GDPR, educating, enforcing, and integrating. Utilizing narrative networks, we visualize patterns of action within each of these phases, highlighting change, stability, and variability in the data sharing routine as the organization implements compliance. Implementing compliance impacted the data sharing routine as new actors and artifacts were introduced, resulting in a tension between the goals of compliance and data transfer. We explain how this tension emerged as well as how it was resolved through two key changes: (a) an integration of artifacts from outside the compliance domain and (b) a shift in the role of internal regulators. Our findings contribute to the understanding of roles, artifacts, actors, and interactions in both routine dynamics and regulation and compliance.
