The Four Dimensions of the GDPR Framework: An Institutional Theory Perspective

  • Isabel Maria LopesEmail author
  • Teresa Guarda
  • Pedro Oliveira
Conference paper
Part of the Smart Innovation, Systems and Technologies book series (SIST, volume 152)


The EU general data protection regulation (GDPR) is the most important change in data privacy regulation in 20 years. The regulation will fundamentally reshape the way in which data are handled across every sector. The organizations had two years to implement it. Despite this, it has been observed that, in several sectors of activity, the number of organizations having adopted that control is low. This study aimed to identify the factors which condition the adoption of the GDPR by organizations. Methodologically, the study involved interviewing the officials in charge of information systems in 18 health clinics in Portugal. The factors facilitating and inhibiting the implementation of GDPR are presented and discussed. Based on these factors, a set of recommendations are made to enhance the adoption of the measures proposed by the regulation. The study used Institutional Theory as a theoretical framework. The results are discussed in light of the data collected in the survey, and possible future works are identified.


Regulation (EU) 2016/679 General data protection regulation Institutional Theory Health clinics 



UNIAG, R&D unit funded by the FCT—Portuguese Foundation for the Development of Science and Technology, Ministry of Science, Technology and Higher Education. Project n.º UID/GES/4752/2019.

This work has been supported by FCT—Fundação para a Ciência e Tecnologia within the Project Scope: UID/CEC/00319/2019.


  1. 1.
    Mäkinen, J.: Data quality, sensitive data and joint controller ship as examples of grey areas in the existing data protection framework for the Internet of Things. Inf. Commun. Technol. Law 24(3), 262–277 (2015)CrossRefGoogle Scholar
  2. 2.
    Nurse, J.R.C., Creese, S., De Roure, D.: Security risk assessment in Internet of Things systems. IEEE IT Prof. 19(5), 20–26 (2017)CrossRefGoogle Scholar
  3. 3.
    European Parliament and Council, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, Official Journal of the European Union (2016)Google Scholar
  4. 4.
  5. 5.
    Skendzic, A., Kovacic, B., Tijan, E.: General data protection regulation—protection of personal data in an organization. In: 41st International Convention on Information and Communication Technology, Electronics and Microelectronics, pp 1370–1375 (2018)Google Scholar
  6. 6.
    Da Conceição Freitas, M., Mira da Silva, M.: GDPR in SMEs, vol. 2018, pp. 1–6. In: 13th Iberian Conference on Information Systems and Technologies (2018)Google Scholar
  7. 7.
  8. 8.
    Brown, S.L., Eisenhardt, K.M.: Competing on the edge: strategy as structured chaos. Harvard Business School Press, Boston (1998)Google Scholar
  9. 9.
    Scott, W.: Institutional Theory. Encyclopedia of Social Theory, pp. 408–414. Thousand Oaks, Sage (2004)Google Scholar
  10. 10.
    DiMaggio, P. Powell, W.: Introduction. In: Powell, W.W., DiMaggio, P.J. (eds.) The New Institutionalism in Organizational Analysis, pp. 1–38. University of Chicago Press, Chicago (1991)Google Scholar
  11. 11.
    North, D.: Institutions, Institutional Change and Performance. Cambridge University Press, Cambridge (1990)CrossRefGoogle Scholar
  12. 12.
    Scott, W.R.: Institutions and Organizations: Ideas and Interests, 3rd edn. Sage, Thousand Oaks (2008)Google Scholar
  13. 13.
    Tolbert, P.S., Zucker, L.G.: The institutionalization of institutional theory. In: Handbook of Organization Studies. Sage, London (1996)Google Scholar
  14. 14.
    Tolbert, P.S., Zucker, L.G.: A institucionalização da teoria institucional. In: Clegg, S., Hardy, C., Nordy, W (eds.) Handbook de estudos organizacionais (pp. 196–219). Tradução de Humberto F. Martins e Regina Luna S. Cardoso, v.1. Atlas, São Paulo (1999)Google Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2020

Authors and Affiliations

  • Isabel Maria Lopes
    • 1
    • 2
    • 3
    Email author
  • Teresa Guarda
    • 1
    • 4
  • Pedro Oliveira
    • 3
  1. 1.Centro ALGORITMIUniversidade do MinhoBragaPortugal
  2. 2.UNIAG (Applied Management Research Unit)Polytechnic Institute of BragançaBragançaPortugal
  3. 3.School of Technology and ManagementPolytechnic Institute of BragançaBragançaPortugal
  4. 4.Universidad Estatal Peninsula de Santa Elena—UPSELa LibertadEcuador

Personalised recommendations