Share:


Factors determining the extent of GDPR implementation within organizations: empirical evidence from Czech Republic

    Adam Faifr   Affiliation
    ; Martin Januška   Affiliation

Abstract

In this paper, the key factors that affect the extent of GDPR implementation in enterprises are analysed. Since 2018, all organizations operating in the European Union or processing personal data of EU citizens have had to incorporate a new regulation in their work. After three years of experience, possible key factors that significantly affect the cost of the entire project have been theoretically identified. However, a research gap remains whether the factors thus defined actually have a real impact on the implementation within organizations. Therefore, this study focuses on an empirical investigation of those characteristics using quantitative approach combining Chi-squared tests and the Classification and Regression Tree method. Based on a survey of organizations in the Czech Republic, this paper outlines that the size of the organization, the typology of personal data processed and the way GDPR is implemented determine the scope of the implementation project within organizations. On the other hand, there is no clear evidence that there is significant role in whether it is a public or private organization.

Keyword : General Data Protection Regulation, GDPR, SMEs, implementation, organizations, compliance, public administration

How to Cite
Faifr, A., & Januška, M. (2021). Factors determining the extent of GDPR implementation within organizations: empirical evidence from Czech Republic. Journal of Business Economics and Management, 22(5), 1124-1141. https://doi.org/10.3846/jbem.2021.15095
Published in Issue
Aug 27, 2021
Abstract Views
1221
PDF Downloads
1111
Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

References

Almeida Teixeira, G., Mira da Silva, M., & Pereira, R. (2019). The critical success factors of GDPR implementation – a systematic literature review. Digital Policy, Regulation and Governance, 21(4), 402–418. https://doi.org/10.1108/DPRG-01-2019-0007

Beckett, P. (2017). GDPR compliance: Your tech department’s next big opportunity. Computer Fraud & Security, 2017(5), 9–13. https://doi.org/10.1016/S1361-3723(17)30041-6

Bleier, A., Goldfarb, A., & Tucker, C. (2020). Consumer privacy and the future of data-based Innovation and marketing. International Journal of Research in Marketing, 37(3), 466–480. https://doi.org/10.1016/j.ijresmar.2020.03.006

Council of the European Union. (2013). Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises. https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2003:124:0036:0041:EN:PDF

Creswell, J. W. (2013). Research design: Qualitative, quantitative, and mixed methods approaches (4th ed.). SAGE Publications, Inc. https://upog.pw/lixez_hibuk_ky_ke_letir.pd

Czech Chamber of Commerce. (2018). Účet za GDPR? Podnikatele nařízení vyjde na 25 miliard korun. Retrieved April 8, 2020, from https://www.komora.cz/press_release/ucet-za-gdpr-podnikatele-narizeni-vyjde-na-25-miliard-korun

Datoo, A. (2018). Data in the post-GDPR world. Computer Fraud & Security, 2018(9), 17–18. https://doi.org/10.1016/S1361-3723(18)30088-5

Diamantopoulou, V., Tsohou, A., & Karyda, M. (2019). General Data Protection Regulation and ISO/ IEC 27001:2013: Synergies of activities towards organisations’ compliance. In Lecture notes in computer science: Vol. 11711. Trust, privacy and security in digital business (pp. 94–109). Springer Publishing. https://doi.org/10.1007/978-3-030-27813-7_7

Diamantopoulou, V., Tsohou, A., & Karyda, M. (2020). From ISO/IEC27001:2013 and ISO/ IEC27002:2013 to GDPR compliance controls. Information and Computer Security, 28(4), 645–662. https://doi.org/10.1108/ICS-01-2020-0004

European Parliament, & Council of the European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

Everett, C. (2011). Is ISO 27001 worth it? Computer Fraud & Security, 2011(1), 5–7. https://doi.org/10.1016/S1361-3723(11)70005-7

Garber, J. (2018). GDPR – compliance nightmare or business opportunity. Computer Fraud & Security, 2018(6), 14–15. https://doi.org/10.1016/S1361-3723(18)30055-1

Gal, M. S., & Aviv, O. (2020). The competitive effects of the GDPR. Journal of Competition Law & Economics, 16(3), 349–391. https://doi.org/10.1093/joclec/nhaa012

Hofman, D., Lemieux V. L., & Batista, D. (2019). The margin between the edge of the world and infinite possibility: Blockchain, GDPR and information governance. Records Management Journal, 29(1/2), 240–257. https://doi.org/10.1108/RMJ-12-2018-0045

Hoofnagle, C. J., Sloot, B., & Borgesius, F. Z. (2019). The European Union general data protection regulation: What it is and what it means. Information & Communications Technology Law, 28(1), 65–98. https://doi.org/10.1080/13600834.2019.1573501

Huber-Carol, C., Balakrishnan, N., Nikulin, M. S., & Mesbah, M. (2002). Goodness-of-fit tests and model validity. Springer Publishing. https://doi.org/10.1007/978-1-4612-0103-8

Khan, J. (2018). The need for continuous compliance. Network Security, 2018(6), 14–15. https://doi.org/10.1016/S1353-4858(18)30057-6

Kindt, E. J. (2018). Having yes, using no? About the new legal regime for biometric data. Computer Law & Security Review, 34(3), 523–538. https://doi.org/10.1016/j.clsr.2017.11.004

Kounoudes, A. D., & Kapitsaki, G. M. (2020). A mapping of IoT user-centric privacy preserving approaches to the GDPR. Internet of Things, 11, 100179. https://doi.org/10.1016/j.iot.2020.100179

Larrucea, X., Moffie, M., Asaf, S., & Santamaria, I. (2020). Towards a GDPR compliant way to secure European cross border Healthcare Industry 4.0. Computer Standards & Interfaces, 69, 103408. https://doi.org/10.1016/j.csi.2019.103408

Lindgren, P. (2018). GDPR regulation impact on different business models and businesses. Journal of Multi Business Model Innovation and Technology, 4(3), 241–254. https://doi.org/10.13052/jmbmit2245-456X.434

Longras, A., Pereira, T., Carneiro, P., & Pinto, P. (2018). On the track of ISO/IEC 27001:2013 implementation difficulties in Portuguese organizations. In 2018 International Conference on Intelligent Systems (pp. 886–890). IEEE. https://doi.org/10.1109/IS.2018.8710558

Maňourová, M. (2019). GDPR – Evaluation of the impacts of GDPR on businesses in the Czech Republic. University of West Bohemia, Pilsen, Czech Republic. https://dspace5.zcu.cz/handle/11025/38705

Martin, K. D., Kim, J. J., Palmatier, R. W., Steinhoff, L., Stewart, D. W., Walker, B. A., Wang, Y., & Weaven, S. K. (2020). Data privacy in retail. Journal of Retailing, 96(4), 474–489. https://doi.org/10.1016/j.jretai.2020.08.003

McCall, B. (2018). What does the GDPR mean for the medical community? The Lancet, 391(10127), 1249–1250. https://doi.org/10.1016/S0140-6736(18)30739-6

Mesquida, A. L., & Mas, A. (2015). Implementing information security best practices on software lifecycle processes: The ISO/IEC 15504 Security Extension. Computers & Security, 48, 19–34. https://doi.org/10.1016/j.cose.2014.09.003

Nguyen, L. D., Le-Hoai, L., Tran, D. Q., Dang, C. N., & Nguyen, C. V. (2019). Effect of project complexity on cost and schedule performance in transportation projects. Construction Management and Economics, 37(7), 384–399. https://doi.org/10.1080/01446193.2018.1532592

Nonnemann, F. (2011). Personal data protection during information providing by public organizations. Ministry of the Inferior of the Czech Republic. Retrieved April 8, 2020, from https://www.mvcr.cz/clanek/clanek/ochrana-osobnich-udaju-pri-poskytovani-informaci-verejnou-instituci.aspx

Park, M., Choi, S., Shin A. M., & Koo, C. (2013). Analysis of the characteristics of the older adults with depression using data mining decision tree analysis. Journal of Korean Academy of Nursing, 43(1), 1–10. https://doi.org/10.4040/jkan.2013.43.1.1

Parliament of the Czech Republic. (2019). ZÁKON ze dne 12. března 2019 o zpracování osobních údajů. https://eur-lex.europa.eu/legal-content/CS/TXT/PDF/?uri=NIM:272327

Perry, R. (2019). GDPR – project or permanent reality? Computer Fraud & Security, 2019(1), 9–11. https://doi.org/10.1016/S1361-3723(19)30007-7

Prakash, M., & Singaravel, G. (2015). An approach for prevention of privacy breach and information leakage in sensitive data mining. Computers & Electrical Engineering, 45, 134–140. https://doi.org/10.1016/j.compeleceng.2015.01.016

Quinn, O., & Quinn, L. (2018). Big genetic data and its big data protection challenges. Computer Law & Security Review, 34(5), 1000–1018. https://doi.org/10.1016/j.clsr.2018.05.028

Sirkin, M. R. (2006). The Chi-Square test, statistics for the social sciences. In Sirkin, M. R., Statistics for the Social Sciences (3rd ed.). SAGE Publications, Inc. https://doi.org/10.4135/9781412985987.n12

Sirur, S., Nurse, J., & Webb, H. (2018). Are we there yet? Understanding the challenges faced in complying with the General Data Protection Regulation (GDPR). In 25th ACM Conference on Computer and Communication Security (pp. 88–95). Canada. https://dl.acm.org/doi/10.1145/3267357.3267368

Starčevič, K., Crnkovič, B., & Glavaš, J. (2018). Implementation of the General Data Protection Regulation in companies in the Republic of Croatia. Ekonomski Vjesnik / Econviews, 31(1), 163–176. https://pdfs.semanticscholar.org/d75a/1a38e0a560f7ac9dde52c33a387c0c6fe21a.pdf

Strickland, J. (2016). Data analytics using open-source tools (1st ed.). Lulu.com.

Sue, V. M., & Ritter, L. A. (2007). Conducting online surveys. SAGE Publications, Inc. https://doi.org/10.4135/9781412983754

Tamburri, D. A. (2020). Design principles for the General Data Protection Regulation (GDPR): A formal concept analysis and its evaluation. Information Systems, 91, 101469. https://doi.org/10.1016/j.is.2019.101469

Tankard, C. (2016). What the GDPR means for businesses. Network Security, 2016(6), 5–8. https://doi.org/10.1016/s1353-4858(16)30056-3

The office for personal data protection. (2018). S účinností GDPR končí oznamovací povinnost správců. https://www.uoou.cz/s-ucinnosti-gdpr-konci-oznamovaci-povinnost-spravcu/d-28855

Tikkinen-Piri, C., Rohunen, A., & Markkula, J. (2018). EU General Data Protection Regulation: Changes and implications for personal data collecting companies. Computer Law & Security Review, 34(1), 134–153. https://doi.org/10.1016/j.clsr.2017.05.015

Udroiu, M., Dumitrache, M., Sandu, I., & Brezulianu, A. (2018). Implementing an integrated information system designed for Romanian public entities. Studies in Informatics and Control, 27(3), 369–376. https://doi.org/10.24846/v27i3y201812

Yuan, B., & Li, J. (2019). The policy effect of the General Data Protection Regulation (GDPR) on the digital public health sector in the European Union: An empirical investigation. International Journal of Environmental Research and Public Health, 16(6), 1070. https://doi.org/10.3390/ijerph16061070