The critical success factors of GDPR implementation: a systematic literature review

Pages 402-418
Published date 10 June 2019
DOI https://doi.org/10.1108/DPRG-01-2019-0007
Authors Gonçalo Almeida Teixeira, Miguel Mira da Silva, Ruben Pereira
Subject matter Information & knowledge management
Abstract
Purpose The digital paradigm people live in today, which has drastically increased the consumption of data, is a threat to their privacy. To create a high level of privacy protection for its citizens, the European Union proposed the General Data Protection Regulation (GDPR), which introduces obligations for organizations regarding the storing, processing, collecting and disclosing of data. This paper aims to identify the critical success factors of GDPR implementation.
Design/methodology/approach A systematic literature review was conducted following a strict review protocol, in which 32 documents were found relevant to perform the review and to answer the proposed research questions.
Findings The critical success factors of GDPR implementation were identified, including barriers and enablers. Furthermore, benefits of complying with GDPR were identified.
Research limitations/implications As GDPR is a relatively recent subject, there are still few scientific papers about it. Therefore, the authors were unable to identify or present a robust conclusion regarding specific topics, such as practical outcomes.
Originality/value On the basis of the literature, the identified critical success factors may be useful for organizations, as these can be better prepared to achieve compliance by prioritizing the enablers and avoiding the barriers.
Keywords Critical success factors, Barriers, Organizations, Implementation, Enablers, GDPR
Paper type Literature review
1. Introduction
Since the foundation of the internet and the World Wide Web, the evolution of technology has enabled the increasing collection, processing and storage of large amounts of personal data (Huth, 2017).
New information tools and techniques such as Big Data, Data Mining and Machine Learning revolutionized business models through the processing of data, as did Cloud Computing and the Internet of Things, which raised the consumption of data to a whole new level.
All these improvements led to the ubiquitous information technology society we have today, with a visible digital impact in many organizations across several sectors, which take advantage of all the possibilities provided by new technologies (Lopes and Oliveira, 2018).
However, this digital revolution and the increasing collection of personal data by organizations have inherent security challenges and risks. The very low cost of collecting, processing and analyzing large amounts of data lures organizations into collecting more data than necessary, leading to the misuse of personal data and making them vulnerable to privacy breaches (Agarwal, 2016). Therefore, to protect citizens' personal data and privacy, regulators are adapting regulations to the present digital economy (Agarwal, 2016). On this track, the European Union proposed a new regulation, the General Data Protection Regulation (GDPR), with a set of obligations regarding the storing, processing, collecting and disclosing of data (Gabriela et al., 2018).
Gonçalo Almeida Teixeira and Miguel Mira da Silva are both based at Instituto Superior Técnico, Universidade de Lisboa, Lisboa, Portugal. Ruben Pereira is based at Instituto Universitário de Lisboa (ISCTE-IUL), Lisboa, Portugal.
Received 23 January 2019
Revised 13 March 2019
Accepted 19 March 2019
PAGE 402 | DIGITAL POLICY, REGULATION AND GOVERNANCE | VOL. 21 NO. 4 2019, pp. 402-418, © Emerald Publishing Limited, ISSN 2398-5038, DOI 10.1108/DPRG-01-2019-0007
GDPR replaces and repeals the EU Data Protection Directive, which was adopted in 1995 and no longer meets the privacy requirements of the new digital landscape (Tikkinen-Piri et al., 2018), and introduces significant changes regarding personal data and privacy, aiming to give citizens more control over their personal data and to ensure a harmonized, unified and sustainable approach to data protection (Boban, 2018).
Enforced from May 25, 2018, the regulation applies to any organization that processes EU citizens' data and may impose hefty fines when non-compliance is detected (European Commission, 2016).
To comply with GDPR, organizations need to review their internal procedures and processes, which will impose many changes and adaptations that will impact organizations' businesses.
To the best of our knowledge, and as GDPR is a relatively recent subject, there are no literature reviews and few scientific papers with an in-depth study of GDPR implementation. Therefore, we conducted a systematic literature review to identify the critical success factors (CSF) that contribute to GDPR implementation by identifying the enablers and barriers in the compliance process.
It is important to note that this research focuses on the implementation of GDPR in organizations in general, without any specific sector or industry, even though it is obvious that some may be more impacted than others, such as the IoT or Big Data industries.
This paper is structured as follows. Section 2 explains the chosen research methodology (systematic literature review). Section 3 presents the theoretical background with the GDPR and CSF description. Section 4 describes the motivation of our research, where the problem is revealed, along with the addressed research questions and the review protocol. Section 5 presents the review protocol application and the data extraction results. Section 6 discusses and analyzes the findings from the review. Finally, Section 7 concludes the paper.
2. Research methodology
A systematic literature review (SLR) is a form of study used to identify, analyze and interpret all available evidence regarding a specific topic or question, using a trustworthy, rigorous and auditable methodology, to synthesize the existing work in a systematic, comprehensive and unbiased manner (Kitchenham, 2004).
Our research methodology is based on Kitchenham (2004), complemented by Webster and Watson (2002), and contains the following steps:
planning: identify the need and motivation for the review, specify the research questions that will be addressed and answered by the review, and design a review protocol by defining the basic review procedures;
conducting: apply the previously designed review protocol to obtain the studies that will be the object of the review; and
reporting: summarize the data extracted from the selected studies to report the findings.
We chose SLR as the research methodology because we wanted to summarize the existing evidence regarding GDPR implementation, with the aim of answering the proposed research questions.