Identifying critical success factors for the General Data Protection Regulation implementation in higher education institutions

José Fernandes (School of Economics and Management, University of Minho, Braga, Portugal)
Carolina Machado (School of Economics and Management, University of Minho, Braga, Portugal)
Luís Amaral (School of Engineering, University of Minho, Guimarães, Portugal)

Digital Policy, Regulation and Governance

ISSN: 2398-5038

Article publication date: 22 June 2022

Issue publication date: 9 September 2022

Abstract

Purpose

On May 25, 2018, the General Data Protection Regulation (GDPR) became mandatory for all organizations that handle the personal data of European Union citizens. This exploratory study aims to determine the critical success factors (CSFs) related to implementing the GDPR in Portuguese public higher education institutions (HEIs).

Design/methodology/approach

This study adopts a multimethod methodology combining qualitative and quantitative methods. A multiple case study was carried out in Portuguese public universities. For data collection and analysis, semistructured interviews with 26 questions were conducted with the data protection officers of these universities during May and July 2019 to derive a set of CSFs. The CSFs were derived using the method by Caralli et al. (2004). Next, the Delphi method was applied to determine the ranking of the CSFs. Hierarchical cluster analysis was also applied to determine the cluster containing the essential CSFs.

Findings

This study identified a list of 16 CSFs related to the implementation of the GDPR in HEIs, among which we can highlight, for instance: empower workers on the GDPR; commit top management with the GDPR; implement the GDPR with the involvement of management and workers; create a culture for data protection; and create a decentralized team of pivots for data protection.

Research limitations/implications

The CSF determination process would have been richer if all Portuguese public universities had participated in this study. In fact, despite their many similarities, universities also differ greatly in how they approach privacy and data protection. New studies are needed to determine whether the CSFs identified apply equally to other organizations, namely, private HEIs with less bureaucracy.

Originality/value

Identifying CSFs related to GDPR implementation in Portuguese public universities is a new area of study. This paper is a contribution to its development.

Acknowledgements

The authors thank the DPOs of the universities that participated in the study.

Citation

Fernandes, J., Machado, C. and Amaral, L. (2022), "Identifying critical success factors for the General Data Protection Regulation implementation in higher education institutions", Digital Policy, Regulation and Governance, Vol. 24 No. 4, pp. 355-379. https://doi.org/10.1108/DPRG-03-2021-0041

Publisher: Emerald Publishing Limited

Copyright © 2022, Emerald Publishing Limited
