Factors determining the extent of GDPR implementation within organizations: empirical evidence from Czech Republic
Abstract
In this paper, the key factors that affect the extent of GDPR implementation in enterprises are analysed. Since 2018, all organizations operating in the European Union, or processing the personal data of individuals in the EU, have had to incorporate the new regulation into their work. After three years of experience, the possible key factors that significantly affect the cost of the entire implementation project have been identified theoretically. However, a research gap remains as to whether the factors so defined actually have a real impact on implementation within organizations. This study therefore empirically investigates those characteristics using a quantitative approach that combines Chi-squared tests with the Classification and Regression Tree (CART) method. Based on a survey of organizations in the Czech Republic, the paper shows that the size of the organization, the type of personal data processed and the way GDPR is implemented determine the scope of the implementation project. On the other hand, there is no clear evidence that whether an organization is public or private plays a significant role.
Keywords: General Data Protection Regulation, GDPR, SMEs, implementation, organizations, compliance, public administration
This work is licensed under a Creative Commons Attribution 4.0 International License.