Factors determining the extent of GDPR implementation within organizations: empirical evidence from Czech Republic

    Adam Faifr; Martin Januška


In this paper, the key factors that affect the extent of GDPR implementation in enterprises are analysed. Since 2018, all organizations operating in the European Union or processing personal data of EU citizens have had to incorporate a new regulation in their work. After three years of experience, possible key factors that significantly affect the cost of the entire project have been theoretically identified. However, a research gap remains as to whether the factors thus defined actually have a real impact on the implementation within organizations. Therefore, this study focuses on an empirical investigation of those characteristics using a quantitative approach combining Chi-squared tests and the Classification and Regression Tree method. Based on a survey of organizations in the Czech Republic, this paper indicates that the size of the organization, the typology of personal data processed and the way GDPR is implemented determine the scope of the implementation project within organizations. On the other hand, there is no clear evidence that whether the organization is public or private plays a significant role.

Keywords: General Data Protection Regulation, GDPR, SMEs, implementation, organizations, compliance, public administration

How to Cite
Faifr, A., & Januška, M. (2021). Factors determining the extent of GDPR implementation within organizations: empirical evidence from Czech Republic. Journal of Business Economics and Management, 22(5), 1124-1141.
Published in Issue
Aug 27, 2021

This work is licensed under a Creative Commons Attribution 4.0 International License.

