
Identifying critical success factors for the General Data Protection Regulation implementation in higher education institutions
José Fernandes, Carolina Machado and Luís Amaral
José Fernandes and Carolina Machado are based at the School of Economics and Management, University of Minho, Braga, Portugal. Luís Amaral is based at the School of Engineering, University of Minho, Guimarães, Portugal.

Abstract
Purpose – On May 25, 2018, the General Data Protection Regulation (GDPR) became mandatory for all organizations that handle the personal data of European Union citizens. This exploratory study aims to determine the critical success factors (CSFs) related to implementing the GDPR in Portuguese public higher education institutions (HEIs).
Design/methodology/approach – This study adopts a multimethod methodology with qualitative and quantitative methods. A multiple case study was carried out in Portuguese public universities. As procedures for data collection and analysis, semistructured interviews with 26 questions were conducted with the data protection officers of these universities during May and July 2019 to derive a set of CSFs. Next, the Delphi method was applied to determine the ranking of the CSFs. Hierarchical cluster analysis was also applied to determine the cluster with the essential CSFs. To derive the CSFs, the method by Caralli et al. (2004) was applied.
Findings – This study identified a list of 16 CSFs related to the implementation of the GDPR in HEIs, among which we can highlight, for instance: empower workers on the GDPR; commit top management to the GDPR; implement the GDPR with the involvement of management and workers; create a culture for data protection; and create a decentralized team of pivots for data protection.
Research limitations/implications – The CSF determination process could have been more enriching if all Portuguese public universities had participated in this study. In fact, within their many similarities, universities are also very different in approaching privacy and data protection. New studies are needed to determine whether the CSFs identified apply equally to other organizations, namely, private HEIs with less bureaucracy.
Originality/value – Identifying CSFs related to GDPR implementation in Portuguese public universities is a new area of study. This paper is a contribution to its development.
Keywords GDPR, Critical success factors, Organizational change management, Higher education institutions
Paper type Research paper

Received 4 December 2020
Revised 17 June 2021, 24 November 2021, 11 January 2022
Accepted 28 May 2022
The authors thank the DPOs of the universities that participated in the study.
DOI 10.1108/DPRG-03-2021-0041 VOL. 24 NO. 4 2022, pp. 355-379, © Emerald Publishing Limited, ISSN 2398-5038 | DIGITAL POLICY, REGULATION AND GOVERNANCE | PAGE 355

1. Introduction
The growth in the use of information and internet technologies has brought enormous economic and social benefits to organizations and citizens by creating new business opportunities, by removing barriers that hinder access to culture, health, education and knowledge, and by digitalizing public services, which thereby become less bureaucratic and closer to the citizens (Pors, 2015; Plesner et al., 2018; Mishra, 2020; McKinsey and Company, 2018, 2016, 2014). New business opportunities arise with the commercialization of personal data, which are now available in the cloud and held by companies, creating consumer profiles and selling them with little or no control by their legitimate holders (Montgomery, 2015; Mantelero and Vaciago, 2015). Thus, on May 24, 2016, the European Union (EU) approved the General Data Protection Regulation (GDPR), which became mandatory on May 25, 2018, for any organization, regardless of its location, that processes EU citizens’ personal data. This new regulation seeks to respond not only to the growing need to protect personal data because of constant technological developments but also to harmonize how different EU member states treat personal data (Tankard, 2016).
As this is a current regulatory requirement, the organizations initiate the process without
having guaranteed the existence of the critical factors that are decisive for the successful
implementation of the GDPR. In this article, the definition given by Bullen and Rockart (1981,
p. 7) is used to define the concept of critical success factors (CSFs) by indicating that
“CSFs are the few key areas where things must go right for the business to flourish and for
the manager’s goals to be attained.” In the literature, the few existing empirical studies have
identified a set of various constraints, challenges or CSFs related to the implementation of
GDPR in generic organizations (Tikkinen-Piri et al., 2018; Grundstrom et al., 2019; Gabriela
et al., 2018; Presthus et al., 2018; Teixeira et al., 2019), without, however, focusing on the
identification of CSFs related to the implementation of the GDPR, in a particular type of
organization such as higher education institutions (HEIs) and, in particular, in public
universities. Thus, the identification of the CSFs related to the implementation of the GDPR in HEIs and, in particular, in Portuguese public universities, which, to the best of our knowledge from the literature review carried out, has not yet been studied, is the main motivation and focus of this article. Thus, the research question (RQ) that we will answer throughout this article is:
RQ1. What are the CSFs related to the implementation of GDPR in public HEIs?
In Section 2, the theoretical background will be presented. Section 3 focuses on the study’s
context, whereas Section 4 presents the research methodology that was adopted. In
Section 5, the main results will be presented and discussed, followed by the final
considerations in Section 6.

2. Theoretical background
The literature review carried out identifies a set of articles that highlight the constraints and
challenges that are somehow common to all organizations, which are faced with the
pressing need to comply with the GDPR, either in the European space or more globally.
HEIs are no exception to this need to quickly adapt to the GDPR, having to create policies
to deal with the constraints and challenges that arise in different dimensions, namely, at the
technological, procedural, financial and human resources levels.
On May 25, 2018, the GDPR became mandatory, expanding the data protection law’s
territorial and material scope, starting to apply inside and outside the EU, as long as
controllers and subcontractors work with personal data from residents in the EU (A&L
GoodBody, 2016). On the other hand, it also seeks to harmonize how each member state of
the EU deals with data protection (Tankard, 2016; Ayala-Rivera and Pasquale, 2018).
The GDPR is a legal document with some complexity, considering its 173 recitals, 99
articles, 11 chapters spread over 88 pages, with the necessary framework for protecting
European citizens’ data, not applying to anonymous or anonymized data (Dove, 2018).
In this sense, the GDPR reinforces the existing rights of data subjects, namely, the rights of access, rectification, objection and restriction of processing (Díaz Díaz, 2016; Brodin, 2019), and creates two new rights, the right to be forgotten and the right to data portability (Díaz Díaz, 2016; Tankard, 2016). On the other hand, the data subject’s consent must be given as a free, specific, informed and explicit expression of will, by which the data subject accepts, through an unequivocal positive statement or act, that personal data are subject to processing (GDPR, 2016). Thus, prefilled acceptance boxes or the explicit nonobjection of the data subject can no longer be used to justify data processing operations (A&L GoodBody, 2016).
It is hard for organizations to demonstrate compliance with the GDPR because this is a technical regulation with no technical guidance on how it should be implemented (Politou et al., 2018). For these authors, this limitation causes several problems for organizations that embark on the implementation process because of their internal processes. The most severe difficulties in the implementation process are related to the preservation of information in backups when a data subject asks to have their data removed, the use of biometric data in the authentication process, and the implementation of a simple, specific and unambiguous form of informed consent in current user-friendly information collection interfaces (Politou et al., 2018).
The process of implementing the GDPR in organizations is complicated because it requires the registration of all ongoing data processing operations, adaptations in technological systems as well as in the network of internal processes and procedures, and the training of workers and managers in areas related to data protection (Tikkinen-Piri et al., 2018; Presthus et al., 2018; Gabriela et al., 2018; Teixeira et al., 2019). The training and empowerment of workers in change processes increase motivation and satisfaction because they give workers a feeling of control during organizational change (Kappelman and Richards, 1996). Furthermore, it implies the allocation of time for workers and managers, as well as financial resources, and the need to create guides with clear, practical indications of how to proceed to implement the regulation (Tikkinen-Piri et al., 2018; Gabriela et al., 2018; KPMG, 2017). The increased bureaucratic burden, the complexity of the regulation, the lack of training of workers in areas related to data protection, the foreseeable increase in consultancy costs, the lack of available time for managers, the need to increase investment in hardware and software, and the lack of support from the national supervisory authority are the constraints that Gabriela et al. (2018) identify as having the most significant negative impact on the GDPR implementation process.
There are diverse challenges related to the implementation of the GDPR, namely, the need to formalize contractually the relationship with subcontractors, the need to create evidence of GDPR compliance, the need to find mechanisms to deal with and protect from undue access to the vast amount of data collected daily, thus ensuring the privacy of personal data, and the need to change the organizational culture, making it more consistent with data protection (Grundstrom et al., 2019; Lopes and Oliveira, 2018). It is very important that organizations make the GDPR uncomplicated by not adding bureaucracy to existing tasks, by incorporating security in the design of new information systems, and by interpreting and understanding the GDPR (Ataei et al., 2018). It is crucial to map the functions performed by workers and the internal process network so that the need to introduce new technologies to comply with the GDPR can then be assessed (Presthus et al., 2018); in this sense, people and information technologies represent CSFs in implementing it (Lopes and Oliveira, 2018). For Sirur et al. (2018), there must be human and financial resources available for implementing the GDPR, and organizations need to have adequate information security practices in use by their workers. Using a literature review process, Teixeira et al. (2019) add new constraints, challenges and CSFs, namely, the extent, complexity and subjectivity of the GDPR, the need to appoint a data protection officer (DPO), and the need to apply robust practices for data management.
Poritskiy et al. (2019) identify significant challenges in auditing systems and processes and in the practical implementation of the right to be forgotten. These authors concluded that larger organizations have a better perception of the benefits of GDPR implementation related to the increase in trust relationships, the minimization of personal data and internal management processes for the creation of competitive advantages. On the other hand, they state that larger organizations have greater difficulty in implementing the right to be forgotten and that smaller organizations have a better perception of the difficulties related to the increase in technical complexity that the implementation of the GDPR will originate, thus limiting the growth of emerging technologies.
The implementation of the GDPR represents a challenge for all organizations that collect and process information, namely, information that is used or stored in the cloud; the encryption of all information held in this scope is a good strategy to mitigate the existing risks (Markovic et al., 2019). In the study carried out by these authors, they point out students’ need to improve their knowledge of their rights regarding how HEIs use their data.
In their study, Brown and Klein (2020) identified a bureaucratic nature underlying the
different data privacy policies analyzed, stating that these are rooted in outdated
assumptions related to data collection and HEIs’ current functioning. As a constraint, these
authors refer to the fact that privacy policies do not consider the changing nature of the
data and modern higher education’s specific needs. For Brown and Klein (2020), current
privacy policies are described as static artifacts managed by institutions, placing students
as informed partners and managing personal data to protect institutions against the risk of
legal liability for misuse. For these authors, these privacy policies, although they can be
understood as beneficial in a complex environment such as that of higher education, limit
students’ performance, hide the way data is treated and favor organizational interests to the
detriment of personal interests.
The acceptance of minimum standards of performance related to privacy issues by
organizations is currently considered necessary as a way for them to be able to work
economically in a network in an increasingly globalized world (Bennett, 2018). However, the
implementation of GDPR will not prevent many organizations, through their voracious
appetite for increasingly refined personal information that supports their business models,
from continuing to monitor and oversee citizens often in an unlawful manner. For Bennett
(2018), the GDPR does not necessarily change this state of affairs, but it can regulate and
generate a more just and fair use of the personal data collected.
The application of the GDPR does not only have negative implications for organizations.
Several benefits will result from the application of the GDPR. Some of the benefits that result
from the application of GDPR in organizations are: economic benefits – information storage
costs decrease, as we only collect and store what is necessary; analytical benefits – having
access to the right information at the right time, allows for better and faster decisions;
reputational benefits – an organization that is recognized for complying with the GDPR will
benefit from promoting its ethical principles by transmitting a feeling of security to
customers; and other benefits – once the information is organized, the organization
improves its efficiency and effectiveness when dealing with the internal processes where
this information is needed (Beckett, 2017). Poritskiy et al. (2019) identify as benefits of
implementing the GDPR the increase of the confidence and the clarification regarding the
legal questions.
HEIs maintain personal information regarding their former, current and potential future workers (through application processes), including names, addresses, personal emails, professional experience, performance appraisals, curricula vitae, medical data, bank data, various financial data, communications made and internet access, among others (Markovic et al., 2019). Other data that can be found are academic records, health records, financial records, usage records and website searches, records of extracurricular activities, records of donations, photographs, disciplinary proceedings and various personal documents (Podnar, 2017; Markovic, Debeljak and Kadoic, 2019).
According to Microsoft (2018), universities “[. . .] have a seemingly endless supply of data
flowing through the organization, a large portion of which is personal data” (p. 3), with much
of this information being sensitive. Universities increasingly base their activity on information
and communications technologies in a decentralized computing environment and with

some essential functions performed by external entities, thus increasing the risk of personal
data exposure to malicious people (Culnan and Carlin, 2009). These situations increase
vulnerabilities that can be used for attacks to violate personal data held by universities. In
this sense, for Green (2018, p. 1), “The more accelerated the pace of change, and the
greater the demands from customers and organizations to roll out technology quickly, the
more opportunities there are for cybercriminals - and universities are one of their top
targets.” The most significant risks to information security that universities face are because
of phishing (theft of confidential data through techniques in which the attacker pretends to
be a credible entity), social engineering (manipulation of users to provide confidential data
for access to systems), lack of awareness, training of users, limited resources and
compliance with legal requirements (Grama and Vogel, 2017).
In this sense, with so many and so varied personal data in their possession, universities are subject to the GDPR, and according to Cormack (2017), the most significant change for universities with the entry into force of the GDPR “is that institutions will be held far more accountable for the data they hold. As well as records of what personal data exist within the organization, the GDPR requires a documented understanding of why information is held, how it is collected, when it will be deleted or anonymized, and who may gain access to it” (p. 1). With so many and varied personal data, universities must invest in the training and awareness of their workers in matters of information security, increasing their levels of knowledge as to the best practices to adopt when using information systems and dealing with personal data within the scope of their functions (Chan and Mubarak, 2012).
As far as we know, there are no empirical studies aimed at identifying CSFs related to the implementation of the GDPR in public HEIs. The challenges, constraints and even some identified CSFs relate to generic organizations, without focusing on a particular area such as the public sector and, within it, the public university sector.
In fact, the existing studies are oriented to areas other than higher education. Some examples of these studies are: requirements analysis (Rockart, 1979), planning and development of information systems (Bullen and Rockart, 1981; Edwita et al., 2017), enterprise resource planning implementation projects (Sousa, 2004), implementation of total quality management (TQM) (Hietschold et al., 2014), sustainable urban design (Dias et al., 2018), implementation of document management systems in public entities (Alshibly et al., 2016), implementation of the Lean Six Sigma methodology associated with leadership (Laureani and Antony, 2018), tourist destinations (Marais et al., 2017) and implementation of the business process management methodology in public entities (Syed et al., 2018).
More recently, Teixeira et al. (2019), through a literature review process, inferred a set of generic CSFs related to the implementation of the GDPR. Teixeira et al. (2019) divided the CSFs determined into two groups: the CSFs considered facilitators (enablers) of the implementation and those considered barriers, which can hinder the process of implementing the GDPR. This work is also not oriented toward HEIs, a very particular universe for the identification of CSFs associated with GDPR implementation. Some of the CSFs identified are broadly common to those identified in this work, such as: document data processing operations, appoint a DPO with the essential human resources, implement security measures and mechanisms, and train and empower workers.
The way in which the public sector looks at the implementation of the GDPR is believed to be different from that of the private sector. In fact, according to Boyne (2002), the public sector has a set of characteristics of its own that distinguish it from the private sector, such as greater complexity, because it has a very broad set of stakeholders that must be addressed, putting more pressure on those responsible; a lot of permeability to external events; much instability resulting from the frequent shifts in political power that impact government policies for the public sector; vague, conflicting goals, and too many of them, in an attempt to serve all stakeholders; and a lot of bureaucracy and very little autonomy for those responsible (Boyne, 2002).
The public sector has been under enormous pressure to better serve citizens, with the maximum saving of resources, by adopting organizational and functional principles used for several years in the private sector (Matei and Chesaru, 2014). According to Mauro et al. (2019), this pressure to do more and more with fewer resources has, since the 1980s, subjected the public sector to numerous reforms, making a transition “[. . .] from a rigid and bureaucratic structure, based on legal functioning norms and procedures, to a flexible, result-based, resource-efficient sector” (Matei and Chesaru, 2014, p. 860), based on the concepts of new public management, to make public services more flexible and efficient, in the image of the private sector (Hameed et al., 2019).
However, for Gumport (2000), universities, in an attempt to respond to the need to act in line with management practices typical of the business sector, thus demonstrating that they are up to the financial requirements, may end up losing their historical heritage as they move away from their historical character as educational institutions, and may lose the credibility accumulated over time. There are characteristics of universities that can pose difficulties in the application of change processes, namely, regarding “[. . .] complexity, high degree of differentiation, multiplicity of units and standards, autonomy of professors, control and management philosophies and mechanisms, which increasingly do not operate effectively even in business organizations [. . .]” (Bartell, 2003, p. 53).
HEIs need to adapt to be able to respond adequately to a very varied set of internal and external stakeholders, namely, students, parents of students, alumni, boards of directors, legislators, teachers and nonacademic staff (Bastedo, 2007). Thus, “Universities are complex social organizations with distinctive cultures” (Sporn, 1996, p. 41). The increase in costs is the main threat to higher education (Bastedo, 2012), and for Meister-Scheytt and Scheytt (2005, p. 76), change management in universities “[. . .] is an odious task: it tends to be carried out in periods of decreasing budgets and must deal with unclear goals of the organization.” The reduction of funding, the competition for funds, students and projects, and the proliferation of laws (Sporn, 1996; Dill and Sporn, 1995, cited by Gumport and Sporn, 1999), taken as a whole, increasingly pressure universities to limit values they consider fundamental, such as academic freedom and university autonomy (Sporn, 1996).
Only with full knowledge of the university culture can the heads of these institutions implement change processes successfully (Tierney, 1988) because, only then, “[. . .] they articulate decisions in a way that will speak to the needs of various constituencies and marshal their support” (Tierney, 1988, p. 5). Välimaa (2008) refers to the existence of three possible connotations when discussing organizational culture at universities. The first and most widespread connotation is associated with the transmission by universities of cultural and academic values and traditions to new members. The second connotation sees universities as social spaces, where their members develop their professional activity, surrounded by a set of “[. . .] epistemic traditions, disciplinary cultures, local institutional conditions, and national traditions” (Välimaa, 2008, p. 11). The third connotation is based on methodological, epistemological and philosophical issues related to how research is carried out in higher education.
Strong organizational cultures with an outward orientation are the most propitious to
contribute to the realization of change processes (Sporn, 1996). On the other hand, the
homogeneity of views in a given culture does not determine its greater or lesser internal
strength. In this sense, for Bartell (2003, p. 53), “A strong culture is one that not only
tolerates debate and discussion of diverse and alternative views and strategies but rather
actively encourages them for the sake of improvement of the quality of decision making and
problem solutions.” However, the culture of universities does not always facilitate the
introduction of change initiatives.

In this sense, the implementation of GDPR in universities, as institutions normally resistant to
change, makes it necessary to create a change management plan so that the entire
organization is involved (Podnar, 2017).
For Pryor et al. (2008), Kotter’s (1995) model acts in the organization at the strategic level by changing the vision defined for the organization, causing this change to impact its functioning. Appelbaum et al. (2012) analyze Kotter’s change management model, stating that they obtained support for its eight steps and that this is still a prevalent model because it allows a quick practical application, thus continuing as a planning tool for the implementation of any change initiative. According to Kotter (1995), his model consists of eight sequential steps: establish a sense of urgency; form a powerful coalition for change; create the vision that characterizes the change; communicate the vision; train workers to act according to the vision; plan and create short-term wins; consolidate improvements and produce even more change; and institutionalize new approaches.
The eight-step model by Kotter (1995) for the management of organizational change related to the implementation of the GDPR is defended for application in this work because it is one of the most referenced change management models in scientific studies (Appelbaum et al., 2012). Kotter’s (1995) model is easy to communicate and understand, has multiple applications, including in HEIs (Grayson, 2014; Hackman, 2017; Wentworth et al., 2020; Ossiannilsson, 2018; Calegari et al., 2015), and is especially suitable for dealing with the emotional aspects of organizational change, namely, in organizations that are slow to incorporate change (Wentworth et al., 2020).

3. Context of the study
Public higher education in Portugal is organized in a binary system, consisting of university higher education and polytechnic higher education. Public university higher education comprises 14 universities (excluding the Military University Institute, which has specific operating conditions), and public polytechnic higher education comprises 15 polytechnics.
The population considered for this multiple case study was the 14 Portuguese public universities, more specifically their DPOs. Each university has a single DPO. The DPOs of the 13 of the 14 Portuguese public universities where it was possible to identify the respective DPO are characterized as follows:
- 84.6% of the DPOs are internal and 15.4% of the DPOs are external;
- 50% of the internal DPOs are from the academic career;
- 46.15% of the DPOs have information technology (or related areas) as the scientific area of their academic background, 15.39% law and 38.46% other scientific areas;
- 25% of the DPOs are members of the rectoral teams; and
- 84.6% of the DPOs are male and 15.4% are female.
This characterization of the HEIs DPOs was obtained as follows: for the DPOs who
participated in the interviews, this information was obtained during the interviews and for
DPOs who did not participate in the interviews, this information was obtained by consulting
public information – university websites and official publications for appointing them.
In this study, an invitation was sent to the 14 DPOs, with the following results being obtained:
- 8 of the 14 DPOs (57.14% of the entire population) responded positively to participation in the study, provided that they participate anonymously;
- 3 of the 14 DPOs (21.43%) either did not respond or it was not possible to identify the DPO’s institutional contact;
- 2 of the 14 DPOs (14.29%) answered, but it was not possible to schedule the interview because of scheduling difficulties manifested by the DPOs; and
- 1 of the 14 DPOs (7.14%) gave a positive response to participation, on the condition that the interview be held months later, well beyond the months established in the schedule for this study. For this reason, it was decided not to include this DPO in the study.

The DPO’s responsibilities are formally detailed in Articles 37, 38 and 39 and in Recital 97 of the GDPR. According to the GDPR, the DPO must:
- inform and advise the controller or processor, as well as their employees, of their obligations under data protection law;
- monitor the organization’s compliance with all legislation in relation to data protection, including through audits, awareness-raising activities and training of staff involved in processing operations;
- provide advice where a data protection impact assessment has been carried out and monitor its performance;
- act as a contact point for requests from individuals regarding the processing of their personal data and the exercise of their rights; and
- cooperate with data protection authorities (DPAs) and act as a contact point for DPAs on issues relating to processing.
The DPOs who participated anonymously in the interviews reported that their activities are oriented toward the GDPR, it being important to:
- coordinate the HEI data protection team;
- respond to requests for clarification from HEI services and units, as well as from data subjects;
- issue guidance on requests for data processing;
- contribute so that the HEI is able to establish and define procedures and mechanisms that protect it and data subjects within the scope of the GDPR;
- conduct audits to assess the HEI’s degree of compliance with the GDPR; and
- be a change agent at the HEI for GDPR implementation and compliance.

As the participation in the study of universities and their DPOs was carried out under the
condition of anonymity, it should be noted that among the eight universities that participated
in the study, there are some of the largest universities in the Portuguese public university
education system.

4. Methodology and model implementation
The methodology used is based, concerning the research philosophy, on the subjectivist ontological paradigm, justified by the dynamism, complexity and particular organizational culture that characterize the different interactions of the social actors that make up the academic environment. The interpretative epistemological paradigm was adopted, allowing the researcher to interpret what he saw, heard and understood in the empirical study he carried out. These interpretations are somehow conditioned by what the researcher is as a professional. As this is an exploratory study, seeking to determine a set of CSFs in a study area that needs further development, the research approach adopted is of the inductive type, seeking to generate knowledge from the data collected.
The CSF method has several advantages (Rockart, 1979): it allows the organization to
focus on information relevant to its success, and the CSF concept has different
applications. There is a wide range of studies in the literature related to the determination
of CSFs in the most diverse areas of activity, such as requirements analysis
(Rockart, 1979), planning and development of information systems (Bullen and Rockart,
1981; Edwita et al., 2017), projects to implement TQM (Hietschold et al., 2014),
sustainable urban design (Dias et al., 2018), the implementation of document management
systems in public entities (Alshibly et al., 2016) and the implementation of the lean six
sigma methodology associated with leadership (Laureani and Antony, 2018). In this way,
the CSF method proves to be suitable for use by any organization that wants to guarantee
the success of any initiative or activity. Therefore, it is considered that the CSF method is
adequate to determine CSFs related to the implementation of GDPR in HEIs.
The research strategy used is characterized by being a holistic multiple case study type,
conducted in 8 of the 14 public universities in Portugal, representing 57.14% of the entire
population.
The investigation process adopted in this study consisted of two investigation cycles.
In the first research cycle, the CSF method of Caralli et al. (2004), based on the
pioneering work carried out by Rockart (1979), was applied. Regarding the first activity –
define the scope of the CSF activity – it was decided that the CSFs to be determined would
be of an organizational type, insofar as they should apply to the entire university and
not in isolation to a school, faculty, specific department or service. It was also decided that
the DPOs of the universities would be the participants in the interviews. DPOs are, in fact,
the people at universities who best know the constraints related to the implementation of the
GDPR, thus being the ones who can best contribute to the identification of CSFs.
The next activity involves collecting data – collect data. In carrying out this activity, it was
decided, following the recommendations of Bryman (2012) and Seidman (2006), to conduct
a pilot interview to assess whether the idealized research instrument was well constructed
and whether it worked as intended (Bryman, 2012) or, on the other hand, needed some
refinement (Seidman, 2006). Thus, to carry out the pilot, a DPO was selected who, although
having characteristics similar to the DPOs that would be part of the final study, is not part
of this group, thus following the recommendations of Bryman (2012). The pilot interview,
held on May 14, 2019, lasted 90 min and simulated the interview protocol, thus allowing
the final script to be stabilized.
The interview script with the 26 questions was created from references related to the
positioning of different authors concerning the topic of study, namely, by Caralli et al.
(2004); Rockart (1979, 1998); and Tikkinen-Piri et al. (2018), among others; from the
author’s own professional experience in the context of higher education; as well as from the
adaptation of questions initially proposed by Rockart (1979, 1982) and Caralli et al. (2004),
in their works related to the determination of CSF. The topics covered during the interview
were related to mission, vision, objectives, and goals; CSFs and organizational aspects;
rights of data subjects; privacy; DPAs; impact, costs, facilitators and obstacles to the
implementation of the GDPR; information management, IT governance; data protection –
GDPR; and change management, change agent and resistance to change.
Next, invitations to participate in this study were sent to the 14 DPOs. In response, 8 of the
14 DPOs agreed to participate anonymously in the study. The interviews with these 8 DPOs
took place during May and July 2019, with a total duration of 10 h, 30 min, 20 s, and an
average duration per interview of 79 min.
The recordings of the interviews conducted in the previous activity were transcribed. The
transcription was carried out in as much detail as possible, having followed a series of
procedures defined by Azevedo et al. (2017), which led to the eight interviews’
transcription, with 407 pages containing 100,588 characters. Transcripts were sent by email
to be validated by DPOs, who did not express any disagreement regarding their content.
Thus, the transcripts were then analyzed to derive the CSFs. According to Caralli et al.
(2004), to derive the CSFs, several steps are necessary, which are shown in Figure 1.
After transcribing the interviews, a list of the answers given by each of the DPOs interviewed
has been created for each question. The responses were condensed to their essential
meaning and depersonalized from their author. Thus, a set of 440 activity statements were
obtained. According to Caralli et al. (2004, p. 65), activity statements are “[. . .] statements
that are harvested from interview notes and documents that reflect what managers do or
believe they and organization should be doing to ensure success.”
The 440 activity statements were, by affinity, initially grouped into 34 groups, with each
group having activity statements that somehow have some affinity or similarity with each
other. Subsequently, it was found that 4 of the 34 groups with activity statements could be
grouped. This phase of the process was concluded with the derivation of 30 groupings,
which aggregate the 440 activity statements previously obtained.
Then, 30 supporting themes were obtained, which, according to Caralli et al. (2004, p. 66),
are nothing more than “[. . .] the intention and substance of the activity statements as they
have been grouped.” The 30 supporting themes obtained are no more than 30 designations
attributed to each of the 30 groups of activity statements, ensuring that each supporting
theme can characterize the activity statements that constitute it.
Figure 1 Necessary steps to derive CSFs

The final step consisted of deriving 30 CSFs from the list with the 30 supporting themes
previously selected. Thus, from the name given to each of the supporting themes, a CSF
was derived, which for Caralli et al. (2004) should immediately and without a doubt transmit
what the organization must accomplish to be successful. The CSF designation must start
with an action verb (Caralli et al., 2004). The CSF list obtained was as follows (list of 30 CSFs
in alphabetical order related to GDPR implementation in HEIs [own elaboration]):
• Adapt data processing operations to the GDPR, with minimal impact on the HEIs
mission.
• Adapt the information systems to the GDPR.
• Adopt a computer application that allows integrated management of the GDPR
operationalization.
• Adopt IT governance frameworks.
• Commit top management, with the GDPR.
• Conduct security audits generating evidence of the degree of GDPR compliance.
• Create a culture for data protection.
• Create a decentralized team of pivots for data protection.
• Create institutional communication channels dedicated to the GDPR.
• Empower workers on the GDPR.
• Ensure that there is a change agent in the implementation of the GDPR.
• Ensure the existence of an ethics committee.
• Ensure the security of information held by the HEI.
• Guarantee the necessary resources and means for the DPO.
• Implement a change management process around the GDPR.
• Implement the GDPR with an imposing top management approach.
• Implement the GDPR with the involvement of management and workers.
• Implement the GDPR with the least negative impact on the HEI.
• Make certification of HEIs compliance with the GDPR mandatory.
• Obtain external consultancy to speed up the implementation of the GDPR.
• Obtain support from CNPD (Portuguese National Data Protection Commission) in the
creation of guidelines common to HEIs.
• Promote the centralization of the information systems/information technologies function.
• Promote the inclusion in the human resources performance evaluation systems of
objectives associated with the fulfillment of the GDPR.
• Reinforce the HEIs budget with the necessary means for the implementation of the
GDPR.
• Select a resilient DPO, with a spirit of leadership, charisma, thoughtfulness and
determination, with internal recognition, knowledge about the institution and the GDPR.
• Select an external DPO with a multidisciplinary team.
• Select an internal EPD (Data Protection Officer), dedicated to the function and who is
knowledgeable of the institution.
• Start implementing the GDPR with a sociotechnological approach.
• Start the implementation of the GDPR, by surveying the process network.
• Use a progressive approach in the implementation of the GDPR.

In the second research cycle, the Delphi method and hierarchical cluster analysis were
applied. The Delphi method was applied to create a ranking for the 30 CSFs previously
obtained (Table 1). The Delphi method has multiple applications, namely, in item
prioritization (Okoli and Pawlowski, 2004), where in multiple rounds with questionnaires, a
consensus is sought between members of a panel of experts (Hsu and Sandford, 2007;
Avella, 2016). Thus, on November 29, 2019, the eight DPOs that were part of the first
research cycle were invited to participate as the expert panel members. In response to the
invitation sent, these eight DPOs agreed to participate anonymously in this new research
cycle. The Web application was configured, which allowed the implementation of the Delphi
method. The accesses for the eight DPOs were configured. The questionnaire was created
with the 30 CSFs, which were to be ordered by degree of importance.

Table 1 Information about the interviews conducted with the university DPOs

Interviewed DPO code | Interview duration | Interview date
DPO E1 | 34 min 34 s | June 7, 2019
DPO E2 | 65 min 51 s | June 6, 2019
DPO E3 | 60 min 55 s | May 30, 2019
DPO E4 | 100 min | June 14, 2019
DPO E5 | 104 min | June 18, 2019
DPO E6 | 80 min | June 25, 2019
DPO E7 | 88 min | July 5, 2019
DPO E8 | 97 min | July 18, 2019
Source: Own elaboration

Then, between December 2 and December 7, 2019, a pilot was carried out with two
professors from a university in management and information systems to assess whether the
data collection instrument was sufficiently clear to be put into production. The pilot’s results
concluded that the instrument was well designed and could be implemented.
After this, the Delphi study’s first round was carried out between December 10 and 17,
2019. In this first round, a response rate of 87.5% was obtained, with seven out of eight
DPOs completing this first round. The statistical data generated by the Web application
were introduced in IBM SPSS Statistics (version 26). The SPSS calculated a Kendall
coefficient of agreement W of 0.407, which means, according to Schmidt (1997), a weak to
moderate level of agreement between panel members. Considering that we are in the first
round of execution of the Delphi method, it did not make sense to calculate the stability
coefficient between rounds measured using Spearman’s Rho and Kendall’s Tau b.
Considering the existence of a Kendall W coefficient with a weak to moderate level of
agreement, the need to execute a new round of the Delphi method was considered justified.
This second round of the Delphi study was carried out between December 20, 2019 and
January 11, 2020. This second round had a response rate of 87.5%, with six out of seven
DPOs completing it. Once again, the statistical data generated by the Web application were
introduced in the SPSS. The SPSS calculated a Kendall W coefficient of agreement of 0.788,
meaning, according to Schmidt (1997), a level of strong agreement among the DPOs. As for
the voting stability between the first and second rounds, a Spearman’s Rho stability
coefficient of 0.977 and a Kendall’s Tau b of 0.899 were obtained. Both coefficients close to
1 mean very high stability between rounds for each CSF. In Figure 2, we can see the
evolution of CSF classification in the two rounds of the Delphi study.
As shown in the previous figure, when analyzing the results obtained between the first round
and the second round, there was a great consensus among the panel. Given these results
obtained in this second round, it was considered that there was no need for a third round
and that the Delphi study was therefore closed. Table 2 shows the ranking with the 30 CSFs
previously obtained.
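To make the agreement and stability figures reported for the two Delphi rounds reproducible, the following is an added Python example; it is not code from the paper (which used IBM SPSS Statistics). It computes Kendall's coefficient of concordance W for a round, the panel's consensus ranking from the rank sums, and the between-round stability coefficients Spearman's rho and Kendall's tau-b from first principles. The two panel rounds (three raters ranking four items) are constructed for illustration and are unrelated to the DPO panel's actual votes.

```python
"""Consensus and round-to-round stability statistics for a Delphi study.

Added example (not the paper's own code, which used IBM SPSS Statistics):
Kendall's coefficient of concordance W, Spearman's rho and Kendall's
tau-b implemented from first principles, so the agreement figures of a
ranking-type Delphi study can be reproduced without a statistics package.
The panel rankings below are constructed for illustration.
"""
from itertools import combinations

# Constructed data: one inner list per panel member, giving the rank that
# member assigned to each of four items (rank 1 = most important).
ROUND1 = [
    [1, 2, 3, 4],
    [1, 3, 2, 4],
    [2, 1, 3, 4],
]
ROUND2 = [
    [1, 3, 2, 4],
    [1, 3, 2, 4],
    [2, 3, 1, 4],
]


def kendall_w(rankings):
    """Kendall's W for m raters ranking the same n items (no tie correction).

    W = 12 * S / (m^2 * (n^3 - n)), where S is the sum of squared deviations
    of each item's rank sum from the mean rank sum m(n+1)/2.
    """
    m = len(rankings)
    n = len(rankings[0])
    if any(len(r) != n for r in rankings):
        raise ValueError("every rater must rank the same number of items")
    rank_sums = [sum(r[j] for r in rankings) for j in range(n)]
    mean_sum = m * (n + 1) / 2
    s = sum((x - mean_sum) ** 2 for x in rank_sums)
    return 12 * s / (m ** 2 * (n ** 3 - n))


def consensus_ranking(rankings):
    """Panel ranking: items ordered by their rank sums (lowest sum = rank 1)."""
    n = len(rankings[0])
    rank_sums = [sum(r[j] for r in rankings) for j in range(n)]
    order = sorted(range(n), key=lambda j: rank_sums[j])
    ranks = [0] * n
    for position, item in enumerate(order, start=1):
        ranks[item] = position
    return ranks


def spearman_rho(x, y):
    """Spearman's rank correlation for two untied rankings of the same items."""
    n = len(x)
    d2 = sum((a - b) ** 2 for a, b in zip(x, y))
    return 1 - 6 * d2 / (n * (n ** 2 - 1))


def kendall_tau_b(x, y):
    """Kendall's tau-b between two rankings, correcting for ties in either."""
    concordant = discordant = tied_x_only = tied_y_only = 0
    for i, j in combinations(range(len(x)), 2):
        dx = x[i] - x[j]
        dy = y[i] - y[j]
        if dx == 0 and dy == 0:
            continue  # tied in both: excluded from every term of tau-b
        if dx == 0:
            tied_x_only += 1
        elif dy == 0:
            tied_y_only += 1
        elif dx * dy > 0:
            concordant += 1
        else:
            discordant += 1
    untied_in_x = concordant + discordant + tied_y_only
    untied_in_y = concordant + discordant + tied_x_only
    return (concordant - discordant) / (untied_in_x * untied_in_y) ** 0.5


def delphi_report(round1, round2):
    """Agreement within each round and stability of the panel ranking between rounds."""
    c1 = consensus_ranking(round1)
    c2 = consensus_ranking(round2)
    return {
        "W_round1": kendall_w(round1),
        "W_round2": kendall_w(round2),
        "stability_rho": spearman_rho(c1, c2),
        "stability_tau_b": kendall_tau_b(c1, c2),
        "final_ranking": c2,
    }


if __name__ == "__main__":
    for key, value in delphi_report(ROUND1, ROUND2).items():
        print(f"{key}: {value}")
```

For the constructed rounds the report gives W = 7/9 for the first round and W = 41/45 for the second, so agreement rises between rounds as it did for the DPO panel; the consensus ranking changes from [1, 2, 3, 4] to [1, 3, 2, 4], giving a stability rho of 0.8 and tau-b of 2/3. Note that `kendall_w` omits the tie correction, which is only needed when a rater assigns the same rank to several items.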
Figure 2 Evolution of the classification of CSF in the two rounds of the Delphi study

The hierarchical cluster analysis was used to determine, from these 30 CSFs, a cluster with
those CSFs that, because of their closer statistical proximity to each other, are
virtually the most important for the DPOs. The mean and standard deviation of each CSF in
the ranking obtained by applying the Delphi method were used as variables to generate
clusters. This option is related to the fact that these measures are considered to fully
characterize the CSFs or cases under study (Hair et al., 2014). As a distance measure, to
realize how similar the CSFs under analysis are (Malhotra, 2006), we chose the squared
Euclidean distance, as it is the most used in the measurement between continuous
variables (Yim and Ramdeen, 2015). To link the cases or clusters together, Ward’s
method was used, as it is one of the most used algorithms in social sciences
(Aldenderfer and Blashfield, 1984; Malhotra, 2006), but also because it is usually chosen
when the selected distance measure is the squared Euclidean distance (Hair et al.,
2014; Sarstedt and Mooi, 2014).
With these definitions, the list ordered with the 30 CSFs was used to generate a cluster
solution in IBM SPSS Statistics. We chose to do an initial generation with a minimum of two
clusters and a maximum of five clusters. The initial cluster solution generated by IBM SPSS
Statistics, constituted by the proximity matrix and agglomeration scheme, allowed the
analysis of the dendrogram presented in the following figure to realize that the ideal cluster
solution consists of two clusters.
It should be noted that the horizontal scale of the dendrogram, which reflects the
coefficients in the agglomeration scheme, is automatically adjusted by the SPSS for easier
reading on a scale ranging from 0 to 25. Thus, the cut in the dendrogram was made in
position 6.96 which corresponds to stage or step 28 in the execution of Ward’s algorithm,
generating a coefficient of 535.177 in the agglomeration scheme.
As we can see in Figure 3, we have two clusters formed by smaller clusters (horizontal lines)
grouped at a considerable distance (vertical lines), meaning that they are very different
from each other. In this way, the dashed line that can be seen in the dendrogram shows the
cut made to obtain the final solution with two clusters (Figure 3).
In this way, as we can see in Table 3, a solution of two clusters was obtained – the first
cluster with 16 CSFs and a second cluster with the remaining 14 CSFs.
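The clustering step above can be reproduced without SPSS. The following is an added Python example, not the paper's own analysis: it implements agglomerative clustering with squared Euclidean distance and Ward's linkage directly from Ward's criterion (at each stage merge the pair of clusters whose union increases the within-cluster sum of squares the least) and cuts the tree into two clusters. The (average, standard deviation) pairs are the second-round Delphi results transcribed from Table 2, in final ranking order, so the output can be compared against Table 3. The `schedule` it returns is the cumulative within-cluster sum of squares after each merge, which is assumed here to be the quantity behind the agglomeration coefficients the text quotes; the 0 to 25 rescaling SPSS applies to the dendrogram axis is not reproduced.

```python
"""Ward's hierarchical clustering of the 30 CSFs on their Delphi (mean, SD).

Added example, not the paper's SPSS output: agglomerative clustering with
squared Euclidean distance and Ward's linkage, written out directly from
Ward's criterion (each merge is the pair of clusters whose union increases
the within-cluster sum of squares the least), then cut into two clusters.
The (average, standard deviation) pairs are the second-round Delphi results
transcribed from Table 2, listed in final ranking order (rank 1 first).
"""

MEANS = [1.83, 2.67, 3.67, 4.17, 6.00, 6.50, 8.17, 9.50, 10.33, 10.67,
         11.33, 11.33, 12.83, 15.00, 15.67, 17.67, 19.33, 19.50, 19.50, 20.50,
         21.83, 22.00, 23.00, 23.00, 24.17, 24.17, 24.33, 24.67, 25.67, 26.00]
SDS = [0.98, 2.25, 1.63, 0.75, 1.67, 5.89, 1.33, 2.17, 2.16, 10.05,
       3.83, 2.16, 1.47, 1.26, 4.03, 2.88, 6.95, 5.68, 6.16, 4.09,
       3.97, 9.34, 2.90, 3.10, 4.12, 4.45, 3.20, 3.98, 4.97, 4.73]
CSF_POINTS = list(zip(MEANS, SDS))


def squared_euclidean(p, q):
    """Squared Euclidean distance between two points of equal dimension."""
    return sum((a - b) ** 2 for a, b in zip(p, q))


def ward_clusters(points, k):
    """Agglomerate `points` with Ward's method until `k` clusters remain.

    Returns (clusters, schedule). `clusters` is a list of sorted member-index
    lists ordered by their smallest member; `schedule` holds the cumulative
    within-cluster sum of squares after each merge, i.e. the agglomeration
    coefficient of that stage.
    """
    # Each cluster is (members, centroid); a singleton's centroid is the point.
    clusters = [([i], list(p)) for i, p in enumerate(points)]
    within_ss = 0.0
    schedule = []
    while len(clusters) > k:
        best = None
        for a in range(len(clusters)):
            for b in range(a + 1, len(clusters)):
                na, nb = len(clusters[a][0]), len(clusters[b][0])
                # Ward's criterion: increase in within-cluster SS if a and b merge
                cost = na * nb / (na + nb) * squared_euclidean(
                    clusters[a][1], clusters[b][1])
                if best is None or cost < best[0]:
                    best = (cost, a, b)
        cost, a, b = best
        members_a, centroid_a = clusters[a]
        members_b, centroid_b = clusters[b]
        na, nb = len(members_a), len(members_b)
        merged_centroid = [(na * x + nb * y) / (na + nb)
                           for x, y in zip(centroid_a, centroid_b)]
        clusters[a] = (members_a + members_b, merged_centroid)
        del clusters[b]
        within_ss += cost
        schedule.append(within_ss)
    result = sorted((sorted(m) for m, _ in clusters), key=lambda m: m[0])
    return result, schedule


def csf_cluster_membership(k=2):
    """Map each CSF's final Delphi rank (1..30) to a cluster number (1..k)."""
    clusters, _ = ward_clusters(CSF_POINTS, k)
    membership = {}
    for number, members in enumerate(clusters, start=1):
        for idx in members:
            membership[idx + 1] = number
    return membership


if __name__ == "__main__":
    clusters, schedule = ward_clusters(CSF_POINTS, 2)
    print("two-cluster coefficient (within-cluster SS):", round(schedule[-1], 3))
    for number, members in enumerate(clusters, start=1):
        print(f"cluster {number}: CSF ranks {[i + 1 for i in members]}")
```

Cluster 1 is always the one containing the top-ranked CSF, so its member list can be read against Table 3 directly. Because the variable with the larger spread (the mean, ranging over roughly 24 rank positions) dominates the squared Euclidean distance, CSFs with an unusually high standard deviation are the ones whose cluster assignment is most sensitive to the linkage choice, which is a reason to inspect the agglomeration schedule rather than only the final cut.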

5. Analysis and discussion of results


The 16 CSFs in Table 4 answer the starting question of this study. The first cluster has the
16 CSFs that the DPOs considered most important.

Table 2 Statistical results for the first and second rounds of the Delphi study (own elaboration)

R1 = Delphi first round; R2 = Delphi second round (final results)

CSF | Sum of points (R1) | Average (R1) | SD (R1) | Ordering at the end of the first round | Sum of points (R2) | Average (R2) | Standard deviation (R2) | Ordering at the end of the second round
Empower workers on the GDPR | 22 | 3.14 | 1.86 | 1 | 11 | 1.83 | 0.98 | 1
Commit top management, with the GDPR | 61 | 8.71 | 9.69 | 4 | 16 | 2.67 | 2.25 | 2
Implement the GDPR with the involvement of management and workers | 42 | 18.33 | 4.28 | 2 | 22 | 3.67 | 1.63 | 3
Create a culture for data protection | 68 | 9.71 | 8.06 | 5 | 25 | 4.17 | 0.75 | 4
Ensure the security of information held by the HEI | 71 | 10.14 | 6.26 | 6 | 36 | 6 | 1.67 | 5
Adapt the Information Systems to the GDPR | 47 | 6.71 | 3.4 | 3 | 39 | 6.5 | 5.89 | 6
Implement the GDPR with the least negative impact on the HEI | 86 | 12.29 | 7.7 | 9 | 49 | 8.17 | 1.33 | 7
Use a progressive approach in the implementation of the GDPR | 82 | 11.71 | 6.24 | 8 | 57 | 9.5 | 2.17 | 8
Start the implementation of the GDPR, by surveying the process network | 87 | 12.43 | 7 | 10 | 62 | 10.33 | 2.16 | 9
Adapt data processing operations to the GDPR, with minimal impact on the HEIs mission | 80 | 11.43 | 9.02 | 7 | 64 | 10.67 | 10.05 | 10
Conduct security audits generating evidence of the degree of GDPR compliance | 100 | 14.29 | 6.99 | 11 | 68 | 11.33 | 3.83 | 11
Guarantee the necessary resources and means for the DPO | 100 | 14.29 | 6.68 | 12 | 68 | 11.33 | 2.16 | 12
Create a decentralized team of pivots for data protection | 101 | 14.43 | 9.36 | 13 | 77 | 12.83 | 1.47 | 13
Create institutional communication channels dedicated to the GDPR | 104 | 14.86 | 9.17 | 15 | 90 | 15 | 1.26 | 14
Adopt a computer application that allows integrated management of the GDPR operationalization | 105 | 15 | 3.79 | 16 | 94 | 15.67 | 4.03 | 15
Implement a change management process around the GDPR | 102 | 14.57 | 7.32 | 14 | 106 | 17.67 | 2.88 | 16
Select a resilient DPO, with a spirit of leadership, charisma, thoughtfulness and determination, with internal recognition, knowledge about the institution and the GDPR | 105 | 15 | 9.04 | 17 | 116 | 19.33 | 6.95 | 17
Start implementing the GDPR with a sociotechnological approach | 141 | 20.14 | 7.01 | 22 | 117 | 19.5 | 5.68 | 18
Reinforce the HEIs budget with the necessary means for the implementation of the GDPR | 130 | 18.57 | 6.21 | 20 | 117 | 19.5 | 6.16 | 19
Ensure that there is a change agent in the implementation of the GDPR | 125 | 17.86 | 5.93 | 18 | 123 | 20.5 | 4.09 | 20
Adopt IT governance frameworks | 142 | 20.29 | 10.45 | 24 | 131 | 21.83 | 3.97 | 21
Select an internal EPD, dedicated to the function and who is knowledgeable of the institution | 127 | 18.14 | 7.49 | 19 | 132 | 22 | 9.34 | 22
Ensure the existence of an ethics committee | 142 | 20.29 | 8.34 | 23 | 138 | 23 | 2.9 | 23
Promote the centralization of the Information Systems/Information Technologies function | 143 | 20.43 | 8.28 | 25 | 138 | 23 | 3.1 | 24
Obtain support from CNPD in the creation of guidelines common to HEIs | 145 | 20.71 | 7.23 | 26 | 145 | 24.17 | 4.12 | 25
Promote the inclusion in the human resources performance evaluation systems of objectives associated with the fulfillment of the GDPR | 134 | 19.14 | 3.85 | 21 | 145 | 24.17 | 4.45 | 26
Obtain external consultancy to speed up the implementation of the GDPR | 152 | 21.71 | 5.82 | 27 | 146 | 24.33 | 3.2 | 27
Make mandatory the certification of HEIs compliance with the GDPR | 162 | 23.14 | 9.21 | 28 | 148 | 24.67 | 3.98 | 28
Implement the GDPR with an imposing top management approach | 170 | 24.29 | 6.07 | 29 | 154 | 25.67 | 4.97 | 29
Select an external DPO with a multidisciplinary team | 179 | 25.57 | 5.59 | 30 | 156 | 26 | 4.73 | 30

Figure 3 Dendrogram using Ward’s method – final solution with two clusters

These 16 CSFs with greater relevance for DPOs fall into six organizational dimensions:
human resources (CSFs 1, 2, 3 and 13), organizational culture (CSF 4), finance (CSF 12),
processes (CSFs 7, 8, 9, 10, 14 and 16), information systems and technologies (CSFs 5, 6
and 15) and quality (CSF 11).
Three of the four CSFs related to the human resources dimension are positioned in the top
positions of the first cluster, thus highlighting the importance that the human resources
management must have in implementing the GDPR. On the other hand, these CSFs
highlight a set of practices that positively impact any change process: training,
commitment, involvement and the delegation of competencies with accountability.
Empowerment (CSF-1), through training on topics related to data protection and the
different implications arising from the application of GDPR, is of enormous importance for
workers to perform their duties respecting data protection. Training increases the motivation
and satisfaction of workers in change processes (Kappelman and Richards, 1996), and in
this sense, they are essential in implementing the GDPR. Without the training of workers, the
implementation of the GDPR and its compliance by the HEIs will be seriously compromised,
which is why the importance of this CSF is emphasized by different authors in the literature
review, namely, by Tikkinen-Piri et al. (2018), Presthus et al. (2018), Gabriela et al. (2018)
and Teixeira et al. (2019). Without a continuous training plan for current and new workers,
which requires a minimum number of hours of annual training and is even integrated into the
employee performance evaluation system, we will continue to see bad practices in the way
personal data are treated.

Table 3 Cluster analysis – final solution with two clusters (own elaboration)

Case (CSF) | Cluster membership (two clusters)
1: Empower workers on the GDPR | 1
2: Commit top management, with the GDPR | 1
3: Implement the GDPR with the involvement of management and workers | 1
4: Create a culture for data protection | 1
5: Ensure the security of information held by the HEI | 1
6: Adapt the Information Systems to the GDPR | 1
7: Implement the GDPR with the least negative impact on the HEI | 1
8: Use a progressive approach in the implementation of the GDPR | 1
9: Start the implementation of the GDPR, by surveying the process network | 1
10: Adapt data processing operations to the GDPR, with minimal impact on the HEIs mission | 1
11: Conduct security audits generating evidence of the degree of GDPR compliance | 1
12: Guarantee the necessary resources and means for the DPO | 1
13: Create a decentralized team of pivots for data protection | 1
14: Create institutional communication channels dedicated to the GDPR | 1
15: Adopt a computer application that allows integrated management of the GDPR operationalization | 1
16: Implement a change management process around the GDPR | 1
Select a resilient DPO, with a spirit of leadership, charisma, thoughtfulness, and determination, with internal recognition, knowledge about the institution and the GDPR | 2
Start implementing the GDPR with a sociotechnological approach | 2
Reinforce the HEIs budget with the necessary means for the implementation of the GDPR | 2
Ensure that there is a change agent in the implementation of the GDPR | 2
Adopt IT governance frameworks | 2
Select an internal EPD, dedicated to the function and who is knowledgeable of the institution | 2
Ensure the existence of an ethics committee | 2
Promote the centralization of the Information Systems/Information Technologies function | 2
Obtain support from CNPD in the creation of guidelines common to HEIs | 2
Promote the inclusion in the human resources performance evaluation systems of objectives associated with the fulfillment of the GDPR | 2
Obtain external consultancy to speed up the implementation of the GDPR | 2
Make mandatory the certification of HEIs compliance with the GDPR | 2
Implement the GDPR with an imposing top management approach | 2
Select an external DPO with a multidisciplinary team | 2

Table 4 Cluster 1 – list of most important 16 CSFs to the DPOs (own elaboration)

List of 16 most important CSFs related to the implementation of GDPR in public HEIs
CSF-1 | Empower workers on the GDPR
CSF-2 | Commit top management, with the GDPR
CSF-3 | Implement the GDPR with the involvement of management and workers
CSF-4 | Create a culture for data protection
CSF-5 | Ensure the security of information held by the HEI
CSF-6 | Adapt the Information Systems to the GDPR
CSF-7 | Implement the GDPR with the least negative impact on the HEI
CSF-8 | Use a progressive approach in the implementation of the GDPR
CSF-9 | Start the implementation of the GDPR, by surveying the process network
CSF-10 | Adapt data processing operations to the GDPR, with minimal impact on the HEIs mission
CSF-11 | Conduct security audits generating evidence of the degree of GDPR compliance
CSF-12 | Guarantee the necessary resources and means for the DPO
CSF-13 | Create a decentralized team of pivots for data protection
CSF-14 | Create institutional communication channels dedicated to the GDPR
CSF-15 | Adopt a computer application that allows integrated management of the GDPR operationalization
CSF-16 | Implement a change management process around the GDPR

The commitment (CSF-2) of top management, with the allocation of resources (CSF-12), is
necessary, because the implementation of GDPR will have multiple impacts on the day-to-day
functioning of HEIs, namely, on the necessary adaptation of the internal process network, as
well as the need to appoint a DPO and to create a multidisciplinary human resources team
to support it. Without institutional support, human resources, material resources and
financial resources will not be allocated, nor will the information and communication
resources necessary to carry out its mission as enshrined in the GDPR be made available to
the DPO and its team. Different authors in the literature review (Teixeira et al., 2019;
Gabriela et al., 2018; KPMG, 2017) mention that top management commitment is essential
in the GDPR implementation process. The resources can only be made available in
universities where the top management understands the importance of data protection for
the pursuit of the mission. It is also necessary that they strive to create a change
management plan (Pryor et al., 2008; Kotter, 1995) that involves the entire organization:
explaining the reasons for the changes that are going to be made; emphasizing the
consequences of noncompliance with the GDPR; and guiding all those dealing with
personal data, indicating what they should and should not do, with follow-up during
implementation, giving the necessary answers to existing doubts (Podnar, 2017). If not, a
DPO’s existence, without strong institutional support and consequently without resources,
will be nothing more than a pro forma exercise empty of any useful content in the way HEIs
treat personal data.
The delegation of competencies and workers’ responsibility in implementing the GDPR
(CSF-3 and CSF-13) is essential in highly decentralized structures with highly complex
functioning such as HEIs (Podnar, 2017). If, in the decentralized structures of HEIs such as
their schools, colleges, research centers and services, there is no one locally who
guarantees that data processing operations are carried out according to the strategy
adopted centrally by the institution, the process of organizational change necessary for
GDPR implementation is unlikely to be successful. The DPO and their team will not be
permanently present in all schools, colleges, research centers and support services of the
HEIs. Delegation of competencies and accountability is essential to gradually and
permanently internalize work practices and procedures more in line with those advocated
by the GDPR, which leads to the creation of an authentic culture of data protection as a
hallmark of the functioning of HEIs.
In institutions like HEIs, with a particular organizational culture (Bartell, 2003; Sporn, 1996), it
is essential to institutionalize new ways of proceeding, more in line with the GDPR. This
CSF’s importance was also emphasized in the literature review by Grundstrom et al. (2019)
and Lopes and Oliveira (2018). In this way, creating and maintaining a data protection
culture (CSF-4) is of enormous importance in HEIs, something that will only be realized if
there is a strong involvement of the institution’s managers, through a firm policy of training
of workers, as well as, with the availability of the necessary resources and means to the
DPO and its team so that they achieve a comprehensive and lasting implementation of the
GDPR. The success of the GDPR implementation will only be possible if the CSFs 1, 2, 3
and 13 have an adequate level of performance, as foundations that allow the
institutionalization of new approaches in the organization’s culture (Appelbaum et al., 2012;
Kotter, 1995) and in this way, allowing the new practices to proceed more in line with the
GDPR, lasting in time and becoming part of what the institution is.
CSF-5, 6 and 15 are related to the dimension of information systems and technologies in
areas essential to the fulfillment of GDPR by HEIs. Thus, as the GDPR holds HEIs
accountable for the way they treat the personal data of all their stakeholders (Cormack, 2017),
information systems and technologies must be able to guarantee information security in
terms of confidentiality, integrity and availability, as well as an effective response to the
need for privacy by design and by default. The most significant risks to information security
and consequently to data protection in HEIs are the criminal activities carried out by
hackers based on phishing and social engineering (Grama and Vogel, 2017; Chan and
Mubarak, 2012). These illegal activities are possible because of the lack of security of
information systems and technologies, often caused by subsequent disinvestment or the
lack of human resources technically qualified to adequately manage the critical systems of
HEIs. On the other hand, the lack of awareness and training of users on security issues in
information systems and technologies often facilitates the success of these illegal activities.
It is also essential that an information system gives the DPO a comprehensive view of all
data processing operations carried out by the institution. This comprehensive view of the
state of execution of all data processing operations is essential in highly decentralized and
complex institutions such as HEIs. Thus, CSF-1, 2, 3, 4 and 12 must exist with a high level
of performance to realize CSF-5, 6 and 15.
Another dimension where it will be necessary to intervene is the procedural aspect, in the
sense of adapting the network of processes and internal procedures to the reality imposed
by the GDPR. Thus, CSF-7, 8, 9, 10, 14 and 16 are essential for the pursuit of this objective.
In complex organizations with decentralized functioning and with a particular organizational
culture averse to change, like universities (Podnar, 2017), implementing the GDPR must be
carried out gradually, with the least possible impact on the institution’s functioning. Thus,
CSF-16, related to implementing a change management process around the GDPR, is
essential. In this context, Kotter’s (1995) eight-step model for change management is still
very current and popular because of its ease and speed of application (Appelbaum et al.,
2012) and because it is instrumental in change management processes in organizations
that are not oriented toward change (Grayson, 2014). On the other hand, it is also used in
change management processes in HEIs (Hackman, 2017; Grayson, 2014; Ossiannilsson,
2018; Wentworth et al., 2020; Calegari et al., 2015).
Finally, it is essential to address the last dimension, quality (continuous improvement),
where CSF-11 is located. To assess the degree of compliance with the GDPR, the
performance of audits is essential in the process of self-regulation and accountability
through internal control practices, to which HEIs are obliged. In this way, an initial audit
assesses how far HEIs are from the GDPR, and in subsequent phases regular audits by
internal and external experts are essential to demonstrate the degree of compliance. These
audits demonstrate to the national supervisory authority that the HEI acts according to the
principles stipulated in the GDPR. All those who entrusted personal data to the HEI intend
to have guarantees that they are being treated according to the legal framework. To carry
out audits, support from top management (CSF-2) in different areas is necessary, namely,
resource allocation (CSF-12).

6. Conclusions
With this study’s development, the existing knowledge has been increased regarding the
CSFs essential for a successful implementation of GDPR in HEIs.
Having the RQ1 as a starting point and support for the study developed, it was possible to
increase the still very little existing knowledge in this area by making known a set of 16 CSFs
to implement GDPR in HEIs, framed in six dimensions of organizational performance. A set
of 8 DPOs identified these 16 CSFs as part of a multiple case study in 8 of the 14
Portuguese public universities. From a methodological point of view, a research
methodology was defined to identify CSFs related to the implementation of GDPR in HEIs.
Various methods and techniques of data collection and analysis were used. The method of
Caralli et al. (2004) was used to identify the CSF through semistructured interviews as well
as the Delphi method to create a ranking for the CSFs previously identified. Hierarchical
cluster analysis was also used to select a subset of CSFs that are most relevant to the
DPOs.
Thus, from a theoretical point of view, it is possible to perceive that of the 16 CSFs, there are
4 CSFs, more specifically CSFs 1, 2, 3 and 13, which are related to the dimension of human
resources at universities. This set of CSFs must show high performance because otherwise
the old practices and work habits that are very inconsistent with data protection and the
preservation of all university stakeholders' privacy will continue to exist. Academic and
nonacademic staff will continue to ask for personal data they do not need. Personal data will
be stored indefinitely with very little control over who accesses it and why. Laptops and
USB pen drives (portable storage devices that plug into a computer and make it easy to move
data between machines) will continue to circulate with critical documents from the institution.
Passwords for access to information systems and technologies will continue to be shared.
Each employee's mailbox will continue to be the repository of much critical information, even
after they leave their positions at the institution.
Without sufficient commitment from top management, a DPO's existence will have no
practical significance and will be a mere pro forma because, without resources to support it,
the DPO will not effectively fulfill the functions provided for in the GDPR. Without the
necessary delegation of competencies and responsibility to workers in the units and
services with a decentralized operation, creating local data protection groups, it will be
challenging to enforce the GDPR in all mission activities of the universities, as the DPO's
voice and guidelines will not easily reach all places with equal accuracy and efficiency.
These CSFs can be translated into the need to train, support, empower and transform and
can be configured as a set of practices and attitudes which, when applied with the
necessary intensity and guidance, can have a very positive impact on any process of
organizational change and, in particular, on organizational change related to the
implementation of the GDPR (Tikkinen-Piri et al., 2018; Gabriela et al., 2018; Kappelman
and Richards, 1996; Bass, 1999).
It is important that HEIs see their budgets increased to be able to adapt the networks of
internal processes and the technologies and information systems that support them, with a
substantial increase in information security. It is urgent to simultaneously make a strong
investment in human resources with training and awareness-raising actions for the need to
reconcile professional performance with the absolute need to protect personal data. With
HEIs' budgets under pressure, it is important to prioritize and allocate with maximum
efficiency the means and resources available that drive an organizational change in the way
the organization deals with personal data on a daily basis.
On the other hand, it was also evident, through CSF 4, how important it is to institutionalize
new practices in the organizational culture under the GDPR. We have seen that universities
have their own culture (Tierney, 1988; Sporn, 1996; Bartell, 2003), which is why
organizations are slow to internalize change (Wentworth, 2020). In this way, it was clear that
this will be a long process, which will involve a much-continued effort by a group of people,
including the data controller, who cohesively support the DPO in carrying out the functions
assigned to it by the GDPR, institutionalizing the new practices and in this way, giving
shape to the CSF that is related to the need to create an authentic culture of data protection.
Thus, it was evident that, in these institutions, the dimension related to the organizational
culture has a substantial weight for the success of the GDPR implementation process.
It is believed that the work carried out is essential for HEIs with regard to the implementation
and compliance with the GDPR. Knowing the critical factors for the HEIs to implement the
GDPR successfully will allow these organizations to equip themselves with the necessary
resources to successfully carry out the enormous and complex task of fulfilling the
increasingly demanding standards related to data protection.
Therefore, a strong commitment to the effective implementation of the GDPR by those who
manage the resources available in HEIs is very important, placing the protection of personal
data as a strategic priority of the organization when carrying out the allocation of resources
and thus, truly making the way in which personal data is handled as a differentiating
element from the competition.
This task is not easily accomplished for any medium/large organization, much less for HEIs.
In a particular and highly complex academic culture, thousands of students, teachers,
researchers and nonteaching workers interact daily in the most various activities.
In all projects and activities carried out by HEIs in teaching, research and interaction with
society, the need for data protection should truly be seen as a central element, without
which no project or activity can be considered complete.
Regardless of where the HEIs are based, the academic culture very typical of these
organizations has an impact on the way in which different activities are carried out. The
existence of internal conflicts, between professors and researchers who seek to maintain
strong autonomy and freedom of action and administrators/operational staff who are
obliged to ensure that the organization complies with the laws, rules and other regulations,
causes potential problems in governance and, in particular, in how the need to protect
personal data is seen by these different stakeholders. It is possible to find on the public
websites of English, French or American HEIs a large amount of information guiding and
normalizing internal practices related to data protection, which demonstrates a great
concern with data protection and privacy issues. Thus, it is believed that the main CSFs
identified, which are related to the need for training, commitment, involvement and the
delegation of competencies with accountability, as well as the need to strengthen the
organizational culture to obtain a true culture of data protection, would not be very different
if the study had been extended to other HEIs in the European space or in a more global way
where the GDPR is mandatory. Eventually, the CSFs could have a distinct order.
On the other hand, the change in the organizational culture to make data protection a
strategic priority in all activities carried out by HEIs, namely, in teaching, research and
interaction with society, makes it necessary to call upon external entities to carry out
compliance audits of the functioning of HEIs with the GDPR. The need for a DPO, as well as
the need to adapt information systems and technologies to ensure the security of information
held by HEIs in terms of confidentiality, integrity and availability, will also cause an increase
in commercial activity with an economic impact on HEIs, which will need budgets to face the
increase in expenses, as well as on private service providers, who will have new business
opportunities in this area.
With the necessary adequacy of academic culture to the need for data protection in all
contexts in which HEIs work, namely, from an academic and research point of view,
professors and researchers will have to ensure that the practices that are used on a daily basis
are in accordance with the GDPR, not collecting or storing more personal data than those that
are strictly necessary for the pursuit of these activities and that the collection and subsequent
processing of personal data have been explicitly accepted by the data subjects. This aspect
will be essential for HEIs to act based on a true data protection culture.
It is believed that the implementation of the GDPR and its long-term compliance by HEIs,
with the creation of an authentic culture of data protection, is done with people more than with
technology. In this way, it is necessary to get involved, to listen, to train and to create the
necessary conditions so that, within the scope of the different functions that workers
perform daily in a complex and eminently decentralized environment, they can assume
themselves, in a network and with guidance from the institutional DPO, as guarantors of data
protection for all those who somehow entrust their data to HEIs.
In this way, we do not doubt that the adoption of strict data protection practices by HEIs will,
in the short term, become a differentiating factor with respect to the competition at the moment
when one has to decide where one wants to teach, research or study.
Thus, with the transition to a true data protection culture in the adoption of strict data
processing practices by HEIs, there will be an effective impact on society, as students who
graduated from these institutions will be more oriented to adopt in their lives practices
aligned with the GDPR. Ensuring privacy is an essential aspect to ensure a better quality of
life, something that will not be possible without transmitting and adopting robust data
protection practices. HEIs, as organizations with responsibilities in the formation of citizens,
have a fundamental role in this regard. Therefore, it is essential to move toward a true data
protection culture that is embedded in the academic culture typical of HEIs.
As in any study, there were limitations that somehow conditioned its realization. We can
identify two main limitations. In fact, the process of determining the CSFs could have been
more enriching if all 14 Portuguese public universities had participated instead of 8 of them.
Universities, within their many similarities, are also very similar in the way they approach the
issue of privacy and data protection and in the way they deal with the personal data of
everyone who interacts with the organization. On the other hand, each DPO also has an
academic and professional background that somehow shaped the way they perceive the
issue of implementing the GDPR, which is why this diversity of experiences and opinions is
enriching for the process of determining the CSFs.
Another limitation or constraint is related to the application of the method by Caralli et al.
(2004). In fact, apart from the fairly detailed description of the method by its authors, it was
not possible to find practical applications from which other indications could be obtained,
arising from empirical work already carried out on the process of determining CSFs, namely,
with regard to extracting activity statements, supporting themes and CSFs. This is a process
that results from the always subjective interpretation of the transcripts of a set of interviews,
carried out in this specific case with the HEIs' DPOs. The existence of other studies already
carried out could have been important to understand how some of the problems encountered
during the phase of extracting the information necessary to derive the CSFs were overcome.
As future work, it is believed that it could be essential to extend the work carried out to
private HEIs to understand whether the public sector’s constraints are the same as those
seen in the private sector, with less bureaucracy. On the other hand, it would also be
essential to study in greater detail each of the 16 CSFs identified, namely, those that relate
to the role that change management, organizational culture, leadership and governance in
information technology have in the GDPR implementation process.

References
A&L GoodBody (2016), “The GDPR: a guide for businesses”, available at: www.algoodbody.com/media/
The_GDPR-AGuideforBusinesses1.pdf (accessed 06 February 2020).
Aldenderfer, M.S. and Blashfield, R.K. (1984), “Cluster analysis”, Sage Publications, Beverly Hills.
Alshibly, H., Chiong, R. and Bao, Y. (2016), “Investigating the critical success factors for implementing
electronic document management systems in governments: evidence from Jordan”, Information Systems
Management, Vol. 33 No. 4, pp. 287-301.
Appelbaum, S.H., Habashy, S., Malo, J.L. and Shafiq, H. (2012), “Back to the future: revisiting Kotter’s
1996 change model”, Journal of Management Development, Vol. 31 No. 8, pp. 764-782.
Ataei, M., Degbelo, A., Kray, C. and Santos, V. (2018), “Complying with privacy legislation: from legal text
to implementation of privacy-aware location-based services”, ISPRS International Journal of Geo-
Information, Vol. 7 No. 11, p. 442.
Avella, J.R. (2016), “Delphi panels: research design, procedures, advantages, and challenges”,
International Journal of Doctoral Studies, Vol. 11 No. 1, pp. 305-321.
Ayala-Rivera, V. and Pasquale, L. (2018), “The grace period has ended: an approach to operationalize
GDPR requirements”, in 2018 IEEE 26th International Requirements Engineering Conference (RE), IEEE,
pp. 136-146.
Azevedo, V., Carvalho, M., Fernandes-Costa, F., Mesquita, S., Soares, J., Teixeira, F. and Maia, Â.
(2017), “Interview transcription: conceptual issues, practical guidelines, and challenges”, Revista de
Enfermagem Referência, Vol. 4 No. 14, pp. 159-167.
Bartell, M. (2003), “Internationalization of universities: a university culture-based framework”, Higher
Education, Vol. 45 No. 1, pp. 43-70.
Bass, B.M. (1999), “Two decades of research and development in transformational leadership”,
European Journal of Work and Organizational Psychology, Vol. 8 No. 1, pp. 9-32.

Bastedo, M.N. (2007), “Sociological frameworks for higher education policy research”, Sociology of
Higher Education: Contributions and Their Contexts, Vol. 295.
Bastedo, M.N. (2012), The Organization of Higher Education: Managing Colleges for a New Era, Johns
Hopkins University Press, Baltimore, MD.
Beckett, P. (2017), “GDPR compliance: your tech department’s next big opportunity”, Computer Fraud &
Security, Vol. 2017 No. 5, pp. 9-13.
Bennett, C.J. (2018), “The European General Data Protection Regulation: an instrument for the
globalization of privacy standards?”, Information Polity, Vol. 23 No. 2, pp. 239-246.
Boyne, G.A. (2002), “Public and private management: what’s the difference?”, Journal of Management
Studies, Vol. 39 No. 1, pp. 97-122.

Brodin, M. (2019), “A framework for GDPR compliance for small-and medium-sized enterprises”,
European Journal for Security Research, Vol. 4 No. 2, pp. 243-264.
Brown, M. and Klein, C. (2020), “Whose data? Which rights? Whose power? A policy discourse analysis of
student privacy policy documents”, The Journal of Higher Education, Vol. 91 No. 7, pp. 1149-1178.
Bryman, A. (2012), Social Research Methods, (Fourth edition), Oxford University Press, Oxford New York, NY.
Bullen, C.V. and Rockart, J.F. (1981), “A primer on critical success factors”, Center for Information
Systems Research Working Paper, (69). Massachusetts Institute of Technology, Cambridge,
Massachusetts.
Calegari, M.F., Sibley, R.E. and Turner, M.E. (2015), “A roadmap for using Kotter’s organizational change
model to build faculty engagement in accreditation”, Academy of Educational Leadership Journal,
Vol. 19 No. 3, pp. 30-43.
Caralli, R.A., Stevens, J.F., Willke, B.J. and Wilson, W.R. (2004), The Critical Success Factor Method:
Establishing a Foundation for Enterprise Security Management, Technical Report CMU/SEI-2004-TR-010,
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA.
Chan, H. and Mubarak, S. (2012), “Significance of information security awareness in the higher education
sector”, International Journal of Computer Applications, Vol. 60 No. 10, pp. 23-31.

Cormack, A. (2017), “A year to get your act together: how universities and colleges should be preparing
for new data regulations”, available at: www.jisc.ac.uk/blog/a-year-to-get-
your-act-together-how-universities-and-colleges-should-be-preparing-for-new-data-regulations (accessed 25 March 2020).

Culnan, M.J. and Carlin, T.J. (2009), “Online privacy practices in higher education: making the grade?”,
Communications of the ACM, Vol. 52 No. 3, pp. 126-130.
Dias, N., Keraminiyage, K., Amaratunga, D. and Curwell, S. (2018), “Critical success factors of a bottom
up urban design process to deliver sustainable urban designs”, International Journal of Strategic
Property Management, Vol. 22 No. 4, pp. 265-277.
Díaz Díaz, E. (2016), “The new European Union General Regulation on Data Protection and the legal
consequences for institutions”, Church, Communication and Culture, Vol. 1 No. 1, pp. 206-239.
Dove, E.S. (2018), “The EU General Data Protection Regulation: implications for international scientific-
research in the digital era”, Journal of Law, Medicine & Ethics, Vol. 46 No. 4, pp. 1013-1030.
Edwita, A., Sensuse, D.I. and Noprisson, H. (2017), “Critical success factors of information system-
development projects”, in 2017 International Conference on Information Technology Systems and
Innovation (ICITSI), pp. 285-290.
Gabriela, G., Cerasela, S.E. and Alina, C.A. (2018), “The EU General Data Protection Regulation-
implications for Romanian small and medium-sized enterprises”, Ovidius University Annals (Economic
Sciences Series), Vol. 18 No. 1, pp. 88-91.
GDPR (2016), “Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 –
On the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing directive 95/46/EC (General Data Protection Regulation – GDPR)”,
Official Journal of the European Union, Vol. 59, pp. 1-88.
Grama, J. and Vogel, V. (2017), “Information security: risky business”, EDUCAUSE Review, Vol. 52 No. 1, p. 22.
Green, M. (2018), “Is Higher Education ready for the General Data Protection regulation (GDPR)?”,
available at: www.pwc.co.uk/industries/government-public-sector/education/ishigher-education-ready-
for-the-gdpr.html

Grayson, D. (2014), “The quality enhancement project: a systematic intervention for improving teaching
and learning”, Paper Presented at the ICED Conference Educational Development in a Changing World,
Sweden Stockholm, pp. 16-18.
Grundstrom, C., Väyrynen, K., Iivari, N. and Isomursu, M. (2019), “Making sense of the General Data
Protection Regulation – four categories of personal data access challenges”, in Proceedings of the 52nd
HI international conference on system sciences, pp. 5039-5048.
Gumport, P.J. (2000), “Academic restructuring: organizational change and institutional imperatives”,
Higher Education, Vol. 39 No. 1, pp. 67-91.

Gumport, P.J. and Sporn, B. (1999), “Institutional adaptation: demands for management reform and
university administration”, in Smart, J. (Ed.), Higher Education: Handbook of Theory and Research,
Volume XIV., Agathon Press, Bronx, New York, NY, pp. 103-145.
Hackman, T.A. (2017), “Leading change in action: reorganizing an academic library department using
Kotter’s eight stage change model”, Library Leadership & Management, Vol. 31 No. 2, pp. 1-27.
Hair, J.F., Black, W.C., Babin, B.J. and Anderson, R.E. (2014), Multivariate Data Analysis, (7th ed.),
Pearson Education Limited, NJ.
Hameed, I., Khan, A.K., Sabharwal, M., Arain, G.A. and Hameed, I. (2019), “Managing successful
change efforts in the public sector: an employee’s readiness for change perspective”, Review of Public
Personnel Administration, Vol. 39 No. 3, pp. 398-421.
Hietschold, N., Reinhardt, R. and Gurtner, S. (2014), “Measuring critical success factors of TQM
implementation successfully – a systematic literature review”, International Journal of Production
Research, Vol. 52 No. 21, pp. 6254-6272.
Hsu, C.C. and Sandford, B.A. (2007), “The Delphi technique: making sense of consensus”, Practical
Assessment, Research, and Evaluation, Vol. 12 No. 10, pp. 1-8.
Kappelman, L.A. and Richards, T.C. (1996), “Training, empowerment, and creating a culture for change”,
Empowerment in Organizations, Vol. 4 No. 3, pp. 26-29.

Kotter, J.P. (1995), “Leading change: why transformation efforts fail”, Harvard Business Review,
pp. 59-67. March-April.
KPMG (2017), “O Impacto do Regulamento Geral de Protecção de Dados Em Portugal”, available at:
https://assets.kpmg.com/content/dam/kpmg/pt/pdf/pt-2017-rgpd.pdf (accessed 5/08/2017).
Laureani, A. and Antony, J. (2018), “Leadership-a critical success factor for the effective implementation
of lean six sigma”, Total Quality Management & Business Excellence, Vol. 29 Nos 5/6, pp. 502-523.
Lopes, I.M. and Oliveira, P. (2018), “Implementation of the General Data Protection Regulation: a survey
in health clinics”, in 2018 13th Iberian Conference on Information Systems and Technologies (CISTI),
IEEE, pp. 1-6.
McKinsey & Company (2014), “PUTTING CITIZENS FIRST: how to improve citizens experience and
satisfaction with government services”, McKinsey Center for Government. www.mckinsey.com/mcg
McKinsey & Company (2016), “Digital by default: a guide to transforming government. Designed by
global editorial services”, www.mckinsey.com
McKinsey & Company (2018), “Public Services Government 4.0 – the public sector in the digital age.
Visual media Europe”, www.mckinsey.com
Malhotra, N.K. (2006), Pesquisa de Marketing-: Uma Orientação Aplicada, (4. ed.), Bookman, Porto Alegre.
Mantelero, A. and Vaciago, G. (2015), “Data protection in a big data society. Ideas for a future
regulation”, Digital Investigation, Vol. 15, pp. 104-109.
Marais, M., Du Plessis, E. and Saayman, M. (2017), “Critical success factors of a business tourism
destination: supply side analysis”, Acta Commercii, Vol. 17 No. 1, pp. 1-12.
Marković, M.G., Debeljak, S. and Kadoić, N. (2019), “Preparing students for the era of the General Data
Protection Regulation (GDPR)”, TEM Journal, Vol. 8 No. 1, p. 150.
Matei, L. and Chesaru, O.M. (2014), “Implementation guidelines of the new public management. Cases
of Romania and Sweden”, Procedia – Social and Behavioral Sciences, Vol. 143, pp. 857-861.
Mauro, S.G., Cinquini, L. and Pianezzi, D. (2019), “New public management between reality and illusion:
analysing the validity of performance-based budgeting”, The British Accounting Review, Vol. 53 No. 6,
doi: 10.1016/j.bar.2019.02.007.
Meister-Scheytt, C. and Scheytt, T. (2005), “The complexity of change in universities”, Higher Education
Quarterly, Vol. 59 No. 1, pp. 76-99.
Microsoft (2018), “GDPR for education”, available at: https://pulse.microsoft.
com/uploads/prod/2018/03/WorkProductivity_GDPRforEducation_KickStartGuide.pdf (accessed 6 February 2020).
Mishra, M.K. (2020), Digital Transformation of Public Service and Administration, ZBW – Leibniz
Information Centre for Economics, Kiel, Hamburg.
Montgomery, K.C. (2015), “Youth and surveillance in the Facebook era: policy interventions and social
implications”, Telecommunications Policy, Vol. 39 No. 9, pp. 771-786.
Okoli, C. and Pawlowski, S.D. (2004), “The Delphi method as a research tool: an example, design
considerations and applications”, Information & Management, Vol. 42 No. 1, pp. 15-29.
Ossiannilsson, E. (2018), “Visionary leadership for digital transformation: in a time when learners take
ownership of their learning”, Asian Journal of Distance Education, Vol. 13 No. 1, pp. 128-148.

Plesner, U., Justesen, L. and Glerup, C. (2018), “The transformation of work in digitized public sector
organizations”, Journal of Organizational Change Management, Vol. 31 No. 5, doi: 10.1108/JOCM-06-
2017-0257.
Podnar, K. (2017), “Is your university ready to pass the GDPR exam?”, available at: https://medium.
com/kpodnar/is-your-universityready-to-pass-the-gdpr-exam-eac6641cebbc (accessed 6 February 2020).
Politou, E., Alepis, E. and Patsakis, C. (2018), “Forgetting personal data and revoking consent under the
GDPR: challenges and proposed solutions”, Journal of Cybersecurity, Vol. 4 No. 1, pp. 1-20.
Poritskiy, N., Oliveira, F. and Almeida, F. (2019), “The benefits and challenges of General Data Protection
Regulation for the information technology sector”, Digital Policy, Regulation and Governance, Vol. 21
No. 5.
Pors, A.S. (2015), “Becoming digital – passages to service in the digitized bureaucracy”, Journal of
Organizational Ethnography, Vol. 4 No. 2, doi: 10.1108/JOE-08-2014-0031.
Presthus, W., Sørum, H. and Andersen, L.R. (2018), “GDPR compliance in Norwegian companies”, Norsk
Konferanse for Organisasjoners Bruk av IT (NOKOBIT, Svalbard, Norway, pp. 1-14.
Pryor, M.G., Taneja, S., Humphreys, J., Anderson, D. and Singleton, L. (2008), “Challenges facing
change management theories and research”, Delhi Business Review, Vol. 9 No. 1, pp. 1-20.
Rockart, J.F. (1979), “Chief executives define their own data needs”, Harvard Business Review, Vol. 57
No. 2, pp. 81-93.
Rockart, J.F. (1982), “The changing role of the information systems executive: a critical success factors
perspective”, Sloan Management Review, Vol. 24, pp. 3-13.
Rockart, J.F. (1987), “The line takes the leadership”, Revised March 1988.
Sarstedt, M. and Mooi, E.A. (2014), “A concise guide to market research”, The Process, Data, and
Methods Using IBM SPSS Statistics, Springer, Berlin.

Schmidt, R.C. (1997), “Managing Delphi surveys using nonparametric statistical techniques”, Decision
Sciences, Vol. 28 No. 3, pp. 763-774.
Seidman, I. (2006), Interviewing as Qualitative Research: A Guide for Researchers in Education and the
Social Sciences, (3rd ed.), Teachers College Press, New York, NY.
Sirur, S., Nurse, J.R. and Webb, H. (2018), “Are we there yet? Understanding the challenges faced in
complying with the General Data Protection Regulation (GDPR)”, in Proceedings of the 2nd International
Workshop on Multimedia Privacy and Security, pp. 88-95.
Sousa, J.E. (2004), “Definition and analysis of critical success factors for ERP implementation projects”
(PhD thesis), Universidade Politécnica da Catalunha, Barcelona, Spain.
Sporn, B. (1996), “Managing university culture: an analysis of the relationship between institutional culture
and management approaches”, Higher Education, Vol. 32 No. 1, pp. 41-61.
Syed, R., Bandara, W., French, E. and Stewart, G. (2018), “Getting it right! Critical success factors of BPM
in the public sector: a systematic literature review”, Australasian Journal of Information Systems, Vol. 22,
pp. 1-39.
Tankard, C. (2016), “What the GDPR means for businesses”, Network Security, Vol. 2016 No. 6, pp. 5-8.
Teixeira, G.A., da Silva, M.M. and Pereira, R. (2019), “The critical success factors of GDPR
implementation: a systematic literature review”, Digital Policy, Regulation and Governance, Vol. 21 No. 4,
pp. 402-418.
Tierney, W.G. (1988), “Organizational culture in higher education: defining the essentials”, The Journal of
Higher Education, Vol. 59 No. 1, pp. 2-21.
Tikkinen-Piri, C., Rohunen, A. and Markkula, J. (2018), “EU General Data Protection Regulation: changes
and implications for personal data collecting companies”, Computer Law & Security Review, Vol. 34
No. 1, pp. 134-153.
Välimaa, J. (2008), “Cultural studies in higher education research”, in Valimaa, J. and Ylijoki, O.H. (Eds),
Cultural Perspectives on Higher Education, Springer Science, Dordrecht, pp. 9-25.
Wentworth, D.K., Behson, S.J. and Kelley, C.L. (2020), “Implementing a new student evaluation of
teaching system using the Kotter change model”, Studies in Higher Education, Vol. 45 No. 3,
pp. 511-523.
Yim, O. and Ramdeen, K.T. (2015), “Hierarchical cluster analysis: comparison of three linkage measures
and application to psychological data”, The Quantitative Methods for Psychology, Vol. 11 No. 1, pp. 8-21.

Corresponding author
José Fernandes can be contacted at: jf@reitoria.uminho.pt
