Identifying critical success factors for the General Data Protection Regulation implementation in higher education institutions

DOI: https://doi.org/10.1108/DPRG-03-2021-0041
Published date: 22 June 2022
Date: 22 June 2022
Pages: 355-379
Subject Matter: Information & knowledge management, Information management & governance, Information policy
Author: José Fernandes, Carolina Machado, Luís Amaral
Abstract
Purpose: On May 25, 2018, the General Data Protection Regulation (GDPR) became mandatory for all
organizations that handle the personal data of European Union citizens. This exploratory study aims to
determine the critical success factors (CSFs) related to implementing the GDPR in Portuguese public
higher education institutions (HEIs).
Design/methodology/approach: This study adopts a multimethod methodology with qualitative and
quantitative methods. A multiple case study was carried out in Portuguese public universities. As
procedures for data collecting and analysis, semistructured interviews with 26 questions were conducted
with the data protection officers of these universities during May and July 2019 to derive a set of CSFs.
Next, the Delphi method has been applied to determine the ranking of the CSFs. The hierarchical clusters
analysis has also been applied to determine the cluster with essential CSFs. To derive the CSF, the
method by Caralli et al. (2004) has been applied.
Findings: This study has identified the list of 16 CSFs related to the implementation of GDPR in HEIs,
among which we can highlight, for instance, empower workers on the GDPR; commit top management
with the GDPR; implement the GDPR with the involvement of management and workers; create a culture
for data protection; and create a decentralized team of pivots for data protection.
Research limitations/implications: It could have been more enriching in the CSF determination
process if all Portuguese public universities had participated in this study. In fact, within their many
similarities, universities are also very different in approaching privacy and data protection. New studies
are needed to determine whether the CSFs identified apply equally to other organizations, namely,
private HEIs with less bureaucracy.
Originality/value: Identifying CSFs related to GDPR implementation in Portuguese public universities is
a new area of study. This paper is a contribution to its development.
Keywords GDPR, Critical success factors, Organizational change management,
Higher education institutions
Paper type Research paper
José Fernandes and Carolina Machado are based at the School of Economics and Management,
University of Minho, Braga, Portugal. Luís Amaral is based at the School of Engineering,
University of Minho, Guimarães, Portugal.
Received 4 December 2020
Revised 17 June 2021, 24 November 2021, 11 January 2022
Accepted 28 May 2022
Authors thank the DPOs of the Universities that participated in the study.
DOI 10.1108/DPRG-03-2021-0041 | VOL. 24 NO. 4 2022, pp. 355-379, © Emerald Publishing Limited, ISSN 2398-5038 | DIGITAL POLICY, REGULATION AND GOVERNANCE | PAGE 355
1. Introduction
The growth in the use of information and internet technologies has brought enormous
economic and social benefits to organizations and citizens by creating new business
opportunities, by removing barriers facilitating access to culture, health, education and
knowledge, as well as in the digitalization of the public services, by becoming less
bureaucratic and closer to the citizens (Pors, 2015; Plesner et al., 2018; Mishra, 2020;
McKinsey and Company, 2018, 2016, 2014). New business opportunities arise with the
commercialization of personal data, which are now available in the cloud and held by
companies, creating consumer profiles and selling them with little or no control by their
legitimate holders (Montgomery, 2015; Mantelero and Vaciago, 2015). Thus, on May 24,
2016, the European Union (EU) approved the General Data Protection Regulation (GDPR),
which became mandatory on May 25, 2018, for any organization, regardless of its location,
which treats EU citizens’ personal data. This new regulation seeks to respond not only to the
growing need to protect personal data because of constant technological developments
but it also harmonizes how different EU member states treat personal data (Tankard, 2016).
As this is a current regulatory requirement, the organizations initiate the process without
having guaranteed the existence of the critical factors that are decisive for the successful
implementation of the GDPR. In this article, the definition given by Bullen and Rockart (1981,
p. 7) is used to define the concept of critical success factors (CSFs) by indicating that
“CSFs are the few key areas where things must go right for the business to flourish and for
the manager's goals to be attained.” In the literature, the few existing empirical studies have
identified a set of various constraints, challenges or CSFs related to the implementation of
GDPR in generic organizations (Tikkinen-Piri et al., 2018; Grundstrom et al., 2019; Gabriela
et al., 2018; Presthus et al., 2018; Teixeira et al., 2019), without, however, focusing on the
identification of CSFs related to the implementation of the GDPR in a particular type of
organization such as higher education institutions (HEIs) and, in particular, in public
universities. Thus, the identification of the CSFs that relate to the implementation of the
GDPR in HEIs and, in particular, in Portuguese public universities, something that, to our
knowledge as a result of the literature review carried out, has not yet been
studied, is the main motivation and focus of this article. Thus, the research question (RQ)
that we will answer throughout this article is:
RQ1. What are the CSFs related to the implementation of GDPR in public HEIs?
In Section 2, the theoretical background will be presented. Section 3 focuses on the study's
context, whereas Section 4 presents the research methodology that was adopted. In
Section 5, the main results will be presented and discussed, followed by the final
considerations in Section 6.
2. Theoretical background
The literature review carried out identifies a set of articles that highlight the constraints and
challenges that are somehow common to all organizations, which are faced with the
pressing need to comply with the GDPR, either in the European space or more globally.
HEIs are no exception to this need to quickly adapt to the GDPR, having to create policies
to deal with the constraints and challenges that arise in different dimensions, namely, at the
technological, procedural, financial and human resources levels.
On May 25, 2018, the GDPR became mandatory, expanding the data protection law's
territorial and material scope, starting to apply inside and outside the EU, as long as
controllers and subcontractors work with personal data from residents in the EU (A&L
GoodBody, 2016). On the other hand, it also seeks to harmonize how each member state of
the EU deals with data protection (Tankard, 2016; Ayala-Rivera and Pasquale, 2018).
The GDPR is a legal document with some complexity, considering its 173 recitals, 99
articles, 11 chapters spread over 88 pages, with the necessary framework for protecting
European citizens' data, not applying to anonymous or anonymized data (Dove, 2018).
In this sense, the GDPR reinforces the existing rights of data subjects, namely, the right to
access, rectification, objection and restriction of processing (Díaz Díaz, 2016; Brodin,
2019), and creates two new rights, the right to forgetfulness and the right to data portability
(Díaz Díaz, 2016; Tankard, 2016). On the other hand, the data subject's consent must be
given as a free, specific, informed and explicit expression of will, by which the data subject
accepts, using an unequivocal positive statement or act, that personal data are subject to
treatment (GDPR, 2016). Thus, the prefilled acceptance boxes or the explicit nonobjection