The Four Dimensions of the GDPR Framework: An Institutional Theory Perspective
The EU general data protection regulation (GDPR) is the most important change in data privacy regulation in 20 years. The regulation will fundamentally reshape the way in which data are handled across every sector. The organizations had two years to implement it. Despite this, it has been observed that, in several sectors of activity, the number of organizations having adopted that control is low. This study aimed to identify the factors which condition the adoption of the GDPR by organizations. Methodologically, the study involved interviewing the officials in charge of information systems in 18 health clinics in Portugal. The factors facilitating and inhibiting the implementation of GDPR are presented and discussed. Based on these factors, a set of recommendations are made to enhance the adoption of the measures proposed by the regulation. The study used Institutional Theory as a theoretical framework. The results are discussed in light of the data collected in the survey, and possible future works are identified.
KeywordsRegulation (EU) 2016/679 General data protection regulation Institutional Theory Health clinics
UNIAG, R&D unit funded by the FCT—Portuguese Foundation for the Development of Science and Technology, Ministry of Science, Technology and Higher Education. Project n.º UID/GES/4752/2019.
This work has been supported by FCT—Fundação para a Ciência e Tecnologia within the Project Scope: UID/CEC/00319/2019.
- 3.European Parliament and Council, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Official Journal of the European Union (2016)Google Scholar
- 4.XXXXGoogle Scholar
- 5.Skendzic, A., Kovacic, B., Tijan, E.: General data protection regulation—protection of personal data in an organization. In: 41st International Convention on Information and Communication Technology, Electronics and Microelectronics, pp 1370–1375 (2018)Google Scholar
- 6.Da Conceição Freitas, M., Mira da Silva, M.: GDPR in SMEs, vol. 2018, pp. 1–6. In: 13th Iberian Conference on Information Systems and Technologies (2018)Google Scholar
- 7.West, I.: The big scan thing!—How the EU General Data Protection Regulation (GDPR) will affect your business! https://www.slideshare.net/CraigShipley1/digital-enterprise-festival-birmingham-130417-ian-west-cognizant-vp-data-management-the-implications-of-the-eu-global-data-protection-regulation-on-every-business-and-their-digital-service-providers. Last accessed 1 Dec 2018
- 8.Brown, S.L., Eisenhardt, K.M.: Competing on the edge: strategy as structured chaos. Harvard Business School Press, Boston (1998)Google Scholar
- 9.Scott, W.: Institutional Theory. Encyclopedia of Social Theory, pp. 408–414. Thousand Oaks, Sage (2004)Google Scholar
- 10.DiMaggio, P. Powell, W.: Introduction. In: Powell, W.W., DiMaggio, P.J. (eds.) The New Institutionalism in Organizational Analysis, pp. 1–38. University of Chicago Press, Chicago (1991)Google Scholar
- 12.Scott, W.R.: Institutions and Organizations: Ideas and Interests, 3rd edn. Sage, Thousand Oaks (2008)Google Scholar
- 13.Tolbert, P.S., Zucker, L.G.: The institutionalization of institutional theory. In: Handbook of Organization Studies. Sage, London (1996)Google Scholar
- 14.Tolbert, P.S., Zucker, L.G.: A institucionalização da teoria institucional. In: Clegg, S., Hardy, C., Nordy, W (eds.) Handbook de estudos organizacionais (pp. 196–219). Tradução de Humberto F. Martins e Regina Luna S. Cardoso, v.1. Atlas, São Paulo (1999)Google Scholar