The Consequences of Uncertainty over Future
Legislation for Performance: the ‘General Data
Protection Regulation’
A Qualitative Case Study using Natural Observation among large organizations
in the Logistics, E-commerce, Consultancy, Automotive, Legal, and Financial
sector.
Overview
Title: The Consequences of Uncertainty over Future Legislation for Performance: the ‘General Data Protection Regulation’
Date: March 23, 2018.
Study: MSc Business Administration: International Management
Student: 10687432
Author: Sauer, T.Y.
Assignment: Master Thesis Word Count: 21.232
Supervisor: Dr. Paukku, Markus 2nd Reader: …
Statement of Originality
This document is written by Thom Y. Sauer who declares to take full responsibility for the contents of this document.
I declare that the text and the work presented in this document is original and that no sources other than those mentioned in the text and its references have been used in creating it.
The Faculty of Economics and Business is responsible solely for the supervision of completion of the work, not for the contents.
Abstract
Recent literature shows debate about the extent to which the General Data Protection Regulation will affect organizations that are involved in digital information processes with the personal data of consumers. In this study, digital information processes are considered part of the digital aspect of knowledge management, as the academic literature suggest that KM is the way for organizations to enhance performance. The opposing views in the debate whether the GDPR will lead to promised increased benefits by the EU, or to ‘economic friendly fire’. Due to the opposed views, a lot of uncertainty exists over the consequences of the regulation. To explore the interaction between the uncertainty due to legislation and the effect on organizational performance, a multiple case study was conducted. This enabled in depth investigation of each particular case, and the recognition of possible patterns in the data in a cross-case analysis. This research builds its argumentation on 6 semi-structured interviews conducted with GDPR compliance executives from large organizations in multiple disciplines (>250 employees). The results in this study show that increased uncertainty over digital information process legislation leads to stronger perceptions of negative effects on organizational performance. However, this study is explorative and future research will be needed to prove the identified patterns.
Keywords: Big data, Digital knowledge management, European Union, GDPR, Large organizations, Legislation, Performance, Uncertainty. Regulation.
Table of content
1. INTRODUCTION ... 7
2. LITERATURE REVIEW ... 12
2.1KNOWLEDGE MANAGEMENT ... 12
2.1.1 Characteristics of knowledge management ... 12
2.2BIG DATA ... 15
2.2.1 Big data value chain... 16
2.3THE GENERAL DATA PROTECTION REGULATION ... 17
2.3.1 Context and background ... 18
2.3.2 Implications of the GDPR for the utilization of big data ... 19
2.3.3 The need for the General Data Protection Regulation ... 20
2.4UNCERTAINTY IN STRATEGIC MANAGEMENT ... 23
2.4INTEGRATION LITERATURE IN THEORETICAL FRAMEWORK ... 24
3. RESEARCH DESIGN ... 30
3.1METHODOLOGICAL DESIGN ... 30
3.2DATA COLLECTION ... 33
3.3DATA ANALYSIS AND CODING ... 36
3.4VALIDITY ... 38
4. RESULTS... 40
4.1WITHIN-CASE ANALYSIS ... 40
Case one: DHL Express ... 40
Case two: ISM ... 43
Case three: ATOS ... 46
Case four: KIA ... 49
Case five: Project Moore ... 52
Case six: ABN Amro ... 55
4.2CROSS-CASE ANALYSIS ... 58
5. DISCUSSION ... 61
5. CONCLUSION ... 71
List of abbreviations
BDVC Big Data Value Chain
DPD Data Protection Directive
EC European Commission
EU European Union
GDPR General Data Protection Regulation
IT Information Technology KM Knowledge Management RQ Research Question IT Information Technology RtbF SMEs Right to be Forgotten Small-Medium Enterprises SQ Sub-Question WP Working Propositions
1. Introduction
“Whenever you open a bank account, join a social networking website or book a flight online, you hand over vital personal information such as your name, address, and credit card number. What happens to this data? Could it fall into the wrong hands? What rights do you have regarding your personal information?
Everyone has the right to the protection of personal data. (European Commission, 2017)”
“Knowledge is power” Francis Bacon stated (1597) in his book Meditationes Sacrae. A phrase then meant to refer to the qualities of god and the understanding of his word. The world of knowledge has changed since the years of Sir Bacon, from an era in which the telescope was not yet invented, to a time in which a small device provides its owner with all the digital knowledge in the world. Knowledge has become the primary source of competitive advantage and critical to the long-term sustainability and success of organizations (Nonaka & Takeuchi, 1995: Dalkir, & Liebowitz, 2011). The utilization of knowledge to improve organizational practices, is referred to as knowledge management (KM). As our capability for data generation has never been so powerful (Wu, Zhu, Wu, & Ding, 2014), KM is rapidly becoming essential to be competitive (Lavalle, Lesser, Shockley, Hopkins, & Kruschwitz, 2011). The concept of KM is broad, as it encompasses all possible ways organizations can utilize all forms of data. This research focusses on the use of digital knowledge for performance enhancing processes, hence, the digital aspect of KM and its primary component: big data.
‘Big data’ is the most prominent element in the collection and analysis of personal data and is one of the most important concepts of our century, given that almost all regularly used devices generate vast amounts of data about their users (Cavanillas, Curry, & Wahlster, 2016).
Big data offers possibilities for organizations and has the potential to, like the internet, transform the way businesses do business, governments rule, and people live. The elementary asset of big data is the possibility to improve organizational efficiency and reduce costs (Cukier, & Mayer-Schoenberger, 2013). As big data provides organizations with more possibilities, it simultaneously provides them with more challenges. One of its largest challenges is the possible personal nature of data sources, which generate protection concerns. Signs of a growing repulsion towards extensive data mining, the collection of data, begin to appear (Crawford & Schultz, 2014) and concerns about the data organizations possess about individuals have reached the European Union (EU).
Why legislation on digital KM and big data utilization could be important is illustrated by the following example. An article in the New York Times (Duhigg, 2012) caused public outrage by revealing the big data practises, predicting which female customers were pregnant, of retail chain Target. Targets analysists’ predictive analysis found correlations in shopping behaviour and estimated that a certain customer was pregnant. Problems occurred when this data was shared with all Target’s sales related departments, providing them personal information that, in some cases, was not even known by the customer itself. The retail chain successfully used personal data analysis to increase its performance. However, if any of the female clients involved had knowledge of these practices, the majority would probably have disapproved. The revelation had a negative effect on Target’s performance, but also brought the use of digital KM and big data analytics in business to public awareness (Crawford, & Schultz, 2014). This example is from an American retailer and is not representative for the European context as the data laws in the United States are less restrictive compared to Europe (Bygrave, 2015). However, it does serve as an illustration of what could happen if regulations lag while markets evolve. European regulations remained unchanged from the Data Protection Directive (DPD) in 1995 until 2014. This allowed organizations to prosper upon digital personal
data, that consumers often willingly reveal about themselves, in a hardly restricting legislative environment (Acquisti, Brandimarte, & Loewenstein, 2015).
The European policymakers responded in 2014, when the EU accepted a new legislation bill: The General Data Protection Regulation (GDPR) (Nicolaidou, & Georgiades, 2017), a regulation to create protection of personal data in the dynamic digital environment (EUGDPR, 2017). Every organization that processes personal information of a EU citizen, has to comply to the GDPR by the 25th of May 2018, and if not substantial fines could follow. In short, the GDPR intends to strengthen and unify data protection for all individuals in the EU and constitutes the biggest change to data protection in the EU since the 1995s’ DPD. With the issuing of the GDPR, the European Commission (EC) stated that the new regulation would lead to cost savings of 2.3 billion a year for organizations in the EU (European Commission, 2017). A surprising statement, given that the GDPR proposes new measurements that organizations have to adhere to, which are naturally expected to come with a cost. An example is the right to be forgotten (RtbF). The RtbF states that protection of personal data is a fundamental right. It allows EU civilians to request any organization, at any point in time, to locate and erase the data that they possess about this specific individual. Given that this data has been passing through many information systems, the localization of all this data might prove costly for organizations (Bauer, Lee-Makiyama, van der Marel, & Verschelde, 2014; Zarsky, 2017). Yet, the EC (2014) argues that the GDPR leads to a reduction in administrative costs due to the homogenization of data protection laws from 28 different European laws and authorities to a single one (Ciriani, 2015). The influence of the GDPR on the performance of organizations in the EU is a matter of debate, inciting uncertainty over its consequences.
Uncertainty influences the performance of organizations, as their strategic managers will have to predict outcomes. The regulation could either enhance performance by homogenizing the transnational law which decreases administrative burdens, or weaken
performance by increasing costs for organizations. In the ideology of Porter (1985), firms are able to outperform other firms by decreasing the cost of operations. This enables them to offer their product or service against lower prices than competitors, increasing their competitive position. The competitive dynamic might not be affected if all firms experience performance gains due to homogenization of the law, or experience equal costs of compliance to the legislation. However, a shift of competitive position might occur if some organizations incur more costs than others. The outcomes of these examples are open for speculation and potentially increase uncertainty over the consequences of the regulation on performance. However, if, and how, uncertainty affects these perceptions is not completely understood yet.
This research uses a ‘big data value chain (BDVC) for organisations’ approach (Miller, & Mork, 2013), combined with the ‘framework of value chain analysis’ (Peck, 2005) to provide insight in the way the GDPR increases uncertainty and how this leads to costs in the value chain, to gain insights in its effect on performance. This research is focused on a future event, the GDPR, and studies the effects that are yet to happen by assessing organizations that will be affected by the regulation. It differs in approach from conventional studies which study a phenomenon that already had its impact. Thus, it focusses on the perceived effects of the regulation and the uncertainty that is inherent to these perceptions in order to contribute to the scientific understanding on how, and why these variables relate. To study this, the data used in this research is obtained in seven semi-structured interviews, of which the first six are used1, with GDPR compliance experts employed at large organizations (>250 employees). These organizations are active in the logistics, E-commerce, consultancy, automotive, information technology (IT) legal, financial, and the certification sector. Although the organizations are from different industries, they share characteristics in being part of the service industry and in being involved in digital KM processes with EU citizen data. Why the firm from the automotive
industry classifies as such will be elaborated upon in the data collection paragraph (3.2). The aim is to gain sufficient data from different industries to perform a within-case analysis and to find patterns in a cross case analysis between the sectors. Due to the GDPR, digital legislation will be uniform throughout the EU. As this study focusses on firms in the EU, the data in this study has to originate from a member state. As such, the data used in this study will originate from the Netherlands. Working propositions (WPs) are proposed to guide the research and formulate an answer to the gap in the understanding of the effects of uncertainty in the context of digital KM legislation. The following research question (RQ) and sub-questions (SQ) are proposed (for the WPs, examine section 2.4):
RQ: How will uncertainty over the effect of the future regulation, the GDPR, affect the performance of large organizations involved in handling personal data of EU citizens?
SQ1: How does future homogenization of transnational law affect organizational performance in the context of organizations that are involved in such practices?
SQ2: How do the costs that affected organizations perceive to incur due to GDPR compliance impact performance?
This paper will adhere to the following structure: the next section ‘Literature Review’ (2) offers an overview of the scientific literature on the concepts: KM, Big Data, BDVC, GDPR, Uncertainty, and the theoretical framework. The following section ‘Research Design’ (3), elaborates on the design of the study and the methods used. The study proceeds with the ‘Analysis’ (4) which discusses the results of the within- and cross case analysis. Concluding, the ‘Discussion’ (5) will elaborate on the findings and the answer to the RQ and SQs.
2. Literature review
This literature review intends to offer an examination of the topics discussed in the introduction. Big data is part of the digital KM and is mostly used by commercial parties that predict consumer behaviour based on obtained data, to improve organizational performance by decreasing the costs of operations (Anthes, 2015). This study focuses on the digital aspect of KM and specifically on its aspects big data and analytics, as such, the first concept discussed in this literature review is KM. The following topic of elaboration is big data followed by the big data value chain, one of the two key frameworks in this research. The section proceeds with an examination of the literature on the GDPR, divided in four sections: the GDPRs context and background, the GDPRs implications for the utilization of big data, the need for the GDPRs, the costs due to the GDPR. Following the GDPR, the next section proceeds with the concept of uncertainty in strategic management. The concluding section in the literature review offers the integration of the literature in a theoretical framework and the WPs. To understand the BDVC and its vulnerabilities it is important to understand that all actions involving big data are part of KM. Therefore, it is important to gain a general understanding of both concepts to comprehend the outcomes of this study. The GDPR affects the way that organizations can utilize big data and, as big data is part of digital KM and is important for performance, uncertainty arises over the way the regulation will affect performance. Thus, it is important to understand the concepts and the consequences that restrictions and uncertainties are expected to have for performance.
2.1 Knowledge Management
2.1.1 Characteristics of knowledge management
The concept of knowledge in organizations has become increasingly popular in the academic literature (Alvesson, & Karreman, 2001). The recognition of knowledge as a key
resource strengthens the need for processes that facilitate creation, sharing, and leveraging of knowledge, which is referred to as KM (Becerra-Fernandez, & Sabherwal, 2001; Drucker, 1993). KM is described as the practice of identifying intellectual assets within and outside the organization, to generate new knowledge and utilize its value to create strategic advantage and a better competitive position (Barclay, & Murray, 1997). There are various approaches to KM, which is shown in its multiple definitions that range from generic: “doing what is needed to get the most out of knowledge resources” (Becerra-Fernandez, & Sabherwal, 2014), and “Knowledge management refers to identifying and leveraging the collective knowledge in an organization to help it compete” (von Krogh, 1998), to more abstract: “KM is the focus on the possibilities of transforming tacit knowledge to explicit and usable knowledge and distributing it through information systems” (Lundvall, & Nielsen, 2007; Rasmussen, & Nielsen, 2011). This study acknowledges the view by von Krogh (1998) and alters it to a digital KM context, assuming that the management of digital knowledge is a strategic asset for organizations to compete and increase performance. The field of KM is dominated by IT driven perspectives (Davenport, De Long, & Beers, 1998; Gourlay, 2001). As this research focusses on the digital, IT, aspect of KM, it is useful to consider the different views on knowledge in the IT, strategic management, and organizational theory literature, to uncover processes that underlie digital KM. The common view is that data is raw numbers and facts, information is processed data, and knowledge is authenticated information (Dretske, 1981; Machlup, 1980; Vance, 1997). This view is not a matter of complete consensus as different perspectives of knowledge lead to different views on KM (Carlsson, El Sawy, Eriksson, & Raven, 1996), in any case, different concepts of digital knowledge suggest a different managing strategy. This study accepts the common view, that data leads to knowledge, and assumes that digital knowledge with the potential to improve organizational processes stems from analyzing data. The following section will proceed with the management of knowledge.
The contribution of KM resides in generating meaningful information to increase organizational learning and maximize the intellectual value of an entity (Dalkir, & Liebowitz, 2011). The literature largely agrees with Davenport and Prusak (1998), who state that the underlying assumption of KM is that organizational performance will improve by locating and sharing useful knowledge. There are several authors that assert importance of KM: Tanriverdi (2005) linked KM to enhanced financial performance; Mukherjee, Lapre and Wassenhove (1998) argued that it led to enhanced non-financial performance; Forcadell and Guadamillas (2002) reported increased innovation; while Lapre and Wassenhove (2001) noted increased productivity. Gold, Malhotra an Segars (2001) proclaim that KM, and a firms’ ability to realize economic value from it, has become the trademark of the ‘new economy’, a concept that they label as “the most dramatic evolution of business over the past decade”. The above literature agrees on the large potential of digital KM to become the major factor in optimizing business practices and increasing performance. Jeopardizing the abilities to utilize data could impair organizational performance, while efforts to reduce its complexities could enhance it. Although knowledge exists at various levels in organizations, the purpose of this article is to contribute to a better understanding of the digital aspect of KM, drawing on its elements big data and analytics. Thus, the following definition will be used: Digital KM is the practise of acquiring and making the most of digital knowledge by collecting, analysing, and sharing it through information systems to enhance organizational performance. Given that digital KM has the abovementioned potential to enhance performance, it is attractive for organisations to implement. Metaphorically speaking, digital KM is the key to the present-day vault of intellectual capital, which could enhance organizational performance. It provides organizations with a strategic asset to perform their activities more efficiently and decrease the costs of their operations, potentially leading to an increased competitive position compared to firms that do not use digital KM.
Digital KM is the way for organizations to extract the strategic asset from digital knowledge. This study perceives any attempt to increase organizational performance by the use of digital information as digital KM, which enables research to examine the effects of the concept and its effect on organizational performance. As this research is focussed on the digital aspect of KM, the following section will discuss its primary element with the largest strategic potential for organizations: big data (Cukier, & Mayer-Schoenberger, 2013).
2.2 Big data
The concept ‘big data’ consists of a multitude of different elements, ranging from data2 storage, to social phenomena, to statistical analytics. Laney (2001), created a framework in an attempt to highlight the importance of data volume, velocity and variety. A concept that was later expanded by Marr (2015), who refers to the five Vs of importance: The volume of data collected, the variety of sources and types of data, the velocity of the data analysis, veracity: the messiness or trustworthiness of the data, and value: the ability to turn data into performance. This is summarized in a short definition by Zarsky (2017): big data is the practice of creating and analysing vast datasets, which could include personal information. In the current digital environment data is stored in growing databases while the relative costs of storing decrease. Data is processed differently, by increasingly advanced analytical processes that allow for more powerful examination, extracting more meaning. The present-day processes enable analysts to utilize large data sets and improve efficiency while decreasing organizational costs (Zarsky, 2017). Analysing the data enables organizations to predict consumer behaviour. Thus, it enables them to perform more efficiently as they can provide an offering that is tailored to the specific consumers’ needs and the organizations’ capabilities (Brynjolfsson, Hitt, & Kim, 2011; Brynjolfsson, & McAfee, 2012; Marr, 2015). Society as a whole experiences benefits from big
data as governments are using big data and analytics to improve their processes (Mickoleit, 2014; Olsthoorn, 2016) and it improves efficiency and performance in public sectors like healthcare (Groves, Kayyali, Knott, & Kuiken, 2016), transport (Batty, 2012) and security (Marr, 2015). In the current situation, big data technology in business is an imperative for most organizations to perform (Cavanillas et al., 2016).
The dramatic reductions in the costs of obtaining, processing and transmitting data are changing the way business is done. Porter (1985) emphasizes the strategic significance of creating an organizational culture, in which the costs of data processes are reduced, to realize better performance. In this regard, we can link big data to Porter’s (1985) view, as it allows organizations to increase their overall efficiency by reducing operational costs in virtually all processes. From this perspective, it can be assumed that KM in the form of big data is important for any organization to compete and is essential for strategic decisions. The following section elaborates on the way big data is utilized in organizations; the BDVC.
2.2.1 Big data value chain
Miller and Mork (2013) use Porter’s (1985) value chain and ‘fit’ the big data environment into the framework (Figure 1). The authors describe the use of big data in organizations though the main phases ‘discovery’, ‘integration’, and ‘exploitation’. Enterprises need a strategy that considers the entire continuum according to the three phases, from the beginning of data collection, to eventually making decisions based on predictions. The model shows the steps organizations have to take in each phase, in order to obtain the benefits of big data and enhance performance by improved operational quality and reduced costs. By providing these steps, the figure allows for the analysis, and ultimately, understanding of the effect of digital KM legislation on specific elements of big data (Miller, & Mork, 2013). The BDVC is a way for organizations to apply KM on their digital activities, to gain structure and realize
more value from the utilization of data. It focuses on the way organizations utilize big data and how they, through a series of steps, process this digital knowledge with to goal to improve decision making and ultimately better performance. Thus, the BDVC perfectly aligns with the KM view by von Krogh (1998) in a digital context, which assumes that the management of digital knowledge is a strategic asset for organizations to compete and increase performance. The paper will now continue with the most important legislation that has ever existed for utilization of data in Europe; the GDPR.
2.3 The General Data Protection Regulation
The predecessor of the GDPR, the DPD, was adopted by the EU in 1995, with the intention to regulate the processing of personal data of its citizens (EUR-Lex, 2003). In order to strengthen and unify data protection the European Union Parliament, Council, and the EC have issued the GDPR (Regulation EU, 2016), to protect the personal data of EU citizens. The work on the GDPR started as early as 2009, reached its peak in 2012, and is to be implemented on May 25, 2018, to replace the DPD (Regulation EU, 2016).
2.3.1 Context and background
The GDPR bill went into effect in April 2016, forcing all organizations in the EU to comply with the uniform legislation before the law becomes fully enforceable in May 2018. The GDPR is labelled as “the most comprehensive and forward looking piece of legislation for the challenges of data protection in the digital age as it enters in a time when digital risks and liberties are emerging while at the same time there is also potential for improved value creation, increased welfare and enhanced social objectives” (Zarsky, 2017). The GDPR is the answer of the EU to the growing challenge of big data, as the DPD legislation has become obsolete due to the constant technological advancements and the lack of harmony across regulation in EU member states (De Hert, & Papakonstantinou, 2016). When comparing the DPD to the GDPR, it is noticeable that the latter has a broader scope of entities engaging in analysis of EU members’ personal data, stricter rules, higher fines in case of non-compliance ranging up to 20 million euros or 4% of global revenues per incident, and the ability to legally force entities to adopt the policy (Regulation EU, 2016). In the DPD, legislations about the use of technology, data protection, and personal data are too prescriptive, while the GDPRs aims to make organizations “implement appropriate technological and operational safeguards for securing data” (Tankard, 2016). In other words, a regulation that will last even in a dynamic digital world. The objective of the GDPR is to give EU citizens control over their personal data, while simplifying the regulatory environment for international business in the EU. As the regulation is extraterritorial, it applies to all organizations that process data from EU citizens, even when they are not based in the EU. The GDPR is a considerable matter of importance for digital KM and big data, as it restricts the way data can be collected, processed and utilized legally. It is clear that the regulation is focussed on the protection of consumers in the digital context. However, its effect on organizations that currently use consumer data in their processes is not clear. Other than the statements by the EU about the significant benefits organizations will
make financially, there is no clarity about its implications in terms of costs and benefits for the organizations that have to become GDPR compliant. Organizations will have to reform their practices in big data, for what used to be a domain with hardly any restrictions on the use of data will become an updated legislative context with substantial penalties for non-compliance. As the regulation restricts big data practices, it has the potential to significantly impair organizational performance. The next section will elaborate on the most important changes and the implications of the GDPR for organizations that perform activities involving the personal data of EU citizens.
2.3.2 Implications of the GDPR for the utilization of big data
There are several authors that reviewed the GDPR papers and elaborated on its implications for data utilization in the EU3. Unsurprisingly most of these papers show overlap in their conclusions on the most important aspects and implications of the GDPR. Since the law is not entirely in effect yet, the literature does not provide a comprehensive examination framework of the effect on big data practises, instead, it predominantly consists of authors’ predictions. The EC provides a future prospect on its effects, but many authors question the predominantly positive prediction of the possible outcomes (for example, Bauer et al. 2014; Zarsky, 2017). To create a structured insight in the implications for utilizing consumer data originating from EU citizens for organizations, the overlapping work of the authors (Barrett, 2017; Berbers, Hildebrandt, & Vandewalle, 2017; Hoel, & Chen, 2016; Kuné, & Piersma, 2017; Kroeks-de Raaij, Westerdijk, & Zwenne, 2016; Zwenne, & Mommers, 2016), is bundled into a table, which can be found in Appendix 1. Many of these authors argue that the regulation does not provide enough clarity on what compliance means, effectively increasing the uncertainty of
3 As this research is aimed on firms that are based in the Netherlands, the literature does not entirely consist of
strategic managers. Zarsky (2017) argues that the state’s active intervention, where not demanded by the public, amounts to paternalism and reduced autonomy of civilians. However, this might not be a bad thing, as a certain degree of paternalism might be required in this situation as the public does not necessarily comprehend the situation in which their personal data is involved. In the case of big data, there are characteristics that might bias the public opinion. One example is the privacy paradox: people strongly express concerns over the violation of their rights and ability to control their personal information in the marketplace, but in spite of the complaints, it appears that consumers freely and abundantly provide personal data (Norberg, Horne, & Horne, 2007). Although the GDPR comes with large uncertainties for managers, it can also provide them with another strategic opportunity to perform better than others and improve their relative competitive position. This paper will now continue with an elaboration on the need for the GDPR, to provide insight in the reason for establishing the law.
2.3.3 The need for the General Data Protection Regulation
The EC states that the new regulation will improve big data activities by promoting trust, and enhancing data creation while enlarging benefits for all parties involved and creating greater engagement with the platforms that utilize big data in a GDPR compliant way (Rouvroy, 2016). Whether these claims will hold once the law is fully enforceable is not entirely clear. The enhanced data protection potentially undermines the abilities to engage in big data (Zarsky, 2017). The need for the GDPR is not a matter of consensus. Some authors praise the regulation, stating that it is a cause for celebration of civil rights (De Hert, & Papakonstantinou, 2012), others claim that that the claimed benefits might have the exact opposite effects. (Zarsky, 2017). Behavioural intentions are not necessarily a predictor of actual behaviour and government intervention might be required to protect people as their autonomous protection seems to fail. Furthermore, the opinion of the ‘crowd’ should not always be leading in decision making, an
emblematic example of this is given in Walker (2014): “If Henry Ford has asked the public what they wanted, they would have just demanded faster horses”. Although the subjects from this example do not match and Henry Ford was no politician, it shows why, in some cases, it is better to provide the people with what they need, even if they do not have direct knowledge of it. The following section will provide elaboration on the ways the costs organizations might incur due to the GDPR.
2.3.4 Individual and organizational costs due to the GDPR
This section provides insight in the concepts within the GDPR that might become costly for organisations. Although the compliance to the GDPR will be an accumulation of costs for organisations, there is one aspect that has the potential to become considerably costly for organizations; the RtbF. The concept is also known as the ‘right of enhanced data erasure’ is outlined in article 17 of the GDPR and is one of its most controversial parts. It allows individuals to request any organization to locate and erase all information that they consider inaccurate, irrelevant, and excessive, when data is obsolete, when consent is withdrawn, or when the processing is illegal (EU commission, 2014). If any individual uses this right, the obliged organization will have to handle the request within one month.
Digital profiles keep getting more accurate and extensive and all information concerning particular individuals is accumulated and stored. One could, for example, always be negatively remembered to a childhood foible that will never disappear from the digital databases in which it is stored (European Commission, 2017). The Federal Trade Commission indicates that one in four individuals have an error in their digital accumulated credit profile (FTC, 2012), which could negatively affect their likelihood of receiving credit from financial institutions4, while
4 This example is from an US perspective and is not representative for the EU context, it serves as an illustration of the consequences of poor data management
leaving them with an incorrect personal profile and difficulties correcting them (Horwitz, 2014). The new legislation seems suitable as it creates a right that enables individuals to delete these personal files (Mayer-Schönberger, 2011). Although restricting legislation might seem a plausible reaction, there is strong criticism on aspects like the RbtF and on the GDPR in general. Critics claim that the new regulation will bring demise to freedom of speech, that firms will be saddled with considerable costs related to processing the requests, and that individuals who exercise their right will disrupt free speech and expression by altering the information that can be found on the internet (Bygrave, 2015). Further criticism is voiced over other constructs that are incorporated in the GDPR, for example, the costs of ‘data localization’. Data localization requires organizations to physically store data within the country of origin, and only allows for the transfer of personal data when the receiving party complies to the GDPR ruling. This is based on the ideology of market protection and is an attempt to reduce the amount of cross border data transactions. It has raised severe protests from advocates for open internet and global trading systems and is labelled as ‘the product of poor or one-sided economic analysis’, and ‘protectionism that only leads to reduced economic growth and job losses in other parts of the economy’ (Bauer et al., 2014). Under the GDPR, personal data cannot be transferred outside the EU to third party countries, unless these countries or organizational binding rules are equal to the GDPR (European Commission, 2014). Given its strict regulations, few countries will be able to pass this bar. Assuming the nature of today’s global and digitally interconnected economy, a poorly designed policy that increases data processing costs has the potential to have a severe economic impact. Economies are dependent on having access to a broad range of services at competitive prices – such as logistics, retail distribution, finance or other professional services – which in turn are heavily dependent on secure, cost-efficient and real-time access to data across borders. When data must be confined within a country, it does not merely affect social networks and email services, but potentially any business that uses the
internet (Bauer et al. 2014). As such, organizations will encounter more barriers in conducting their data-involved practices, which require additional investment of capital that could otherwise be allocated to other means to increase performance. This increases the opportunity costs of capital for organizations as they do not achieve the maximum possible value that could have been realized by their financial assets (Modigliani, & Miller, 1958). The next section will proceed with an examination of the literature on the effect of uncertainty in strategic management.
2.4 Uncertainty in strategic management
The early conceptualizations of uncertainty state that business environments are inherently unstable, creating uncertainty for managers (Knight, 1921). Uncertainty arises when managers do not feel confident about understanding the major events or changes in their business and are unable to make accurate predictions (Duncan, 1972). Key elements of the organizational environment are exogenous to the organisations’ own efforts, but the control an organisation can assert over its environment does not apply to this study, as the organisations involved do not have an influencing role over the decision-making entity. Organizations utilize data to decrease uncertainty over predictable outcomes by turning data into strategic assets. In this research, it is examined how organizations are affected by uncertainty over legislation that, on its own, also restricts the organizations’ skill of reducing uncertainty. When uncertainty is high in the institutional environment, organisations tend to create a buffer to protect them from vulnerabilities (Oliver, 1991). The GDPR restricts organizations’ possibilities of utilizing data to create valuable insights, effectively decreasing the knowledge organizations base their decisions on, and increasing their uncertainty over possible outcomes. In relation to the GDPR, there is also uncertainty over the way the regulation will affect organizations and whether the regulation will lead to the benefits promised by the EC (2017), or to ‘economic friendly fire’
(Bauer et al. 2014). In the case of the former, organizations will prosper under the new law and organizational costs will, indeed, decrease for organizations active in the EU. In case of the latter, costs will increase for organizations and performance will decrease (Porter, 1985). However, the consequences of the GDPR are not a matter of consensus, which leads to uncertainty in strategic management. The legislation affects all phases of the BDVC (Figure 1), and the collection, preparation, organization, integration, and analysis in particular. Organizations do not have a clear ‘boundary of compliance’ that can be crossed and have to allocate resources to the process of becoming compliant according to their own interpretation of the regulation. These allocations will come at a cost in financial assets, organizational quality and output efficiency (Oliver, 1991), however, it is unclear if the benefits predicted by the EU will cover, or exceed these costs. Some authors and the EU claim a cost reduction of 2.3 billion due to the homogenization of data protection laws from 28 European laws and authorities to 1 (Ciriani, 2015; European Commission, 2017), while other authors claim that the regulation will rather increase costs and decrease performance (Bauer et al. 2014; Zarsky, 2017). The following section provides the integration of the literature into a theoretical framework and elaborates on the factors of importance in this research.
2.4 Integration literature in theoretical framework
This section tends to integrate the literature into the factors of importance in this research and to formulate WPs that will provide an answer to the research question. Anfara (2006) states the following definition: “a theoretical framework is defined as any empirical or quasi-empirical theory of social and/or psychological processes, at a variety of levels that can be applied to the understanding of phenomena”. Since there are many ways to analyse a problem, researchers must choose the theoretical framework that provides the best lens to explain the circumstances regarding the subject of investigation (Anfara, 2006; Miles &
Huberman, 1994). This study focuses on the effect that legislation will have performance through the way it affects the elements of the BDVC. Therefore, it will use a framework for the analysis of the supply chain of organizations and will slightly alter its interpretation to enable the analysis of the supply chain in a digital KM perspective. Thus, it focusses on the elements at play in the way organisations are affected by uncertainty over legislation on the topic of big data. Peck (2005) proposes the following theoretical framework (Framework 1) with four discrete levels for the analysis of the drivers of vulnerability that lead to costs in the supply chain.
Framework 1. The framework of Peck (2005) for the analysis of value chains
Together these levels cover the elements of the supply chain and the environment in which they are embedded. As mentioned above, the framework will be used in the digital KM perspective, turning the supply chain context into a big data context by altering the interpretation of the framework accordingly. Level 1 is described by Peck (2005) as the ‘logistics pipeline’, the efficient flow of information and the emphasis on value based processes. It is interpreted as its digital equivalent, the value creation in digital big data processes, and renamed ‘Digital information processes’. Peck (2005) states that this process is dependent on
Level 4 – The environment
Level 3 – Organisations and inter-organisational networks
Level 2 – Assets and infrastructure dependencies
the availability and credibility of information, which this study interprets as the possibility of organizations to obtain and process big data. Level 2 is described by the author as ‘the necessary infrastructure to support the information flows in Level 1’, and the element lacking IT is seen as the most widely recognised threat to business continuity. While the nodes in the original framework are fixed commercial assets like production facilities. In this study, it is interpreted as the digital infrastructure and the influence of the legislative context on organisations’ big data processes. The nodes and the links are the positive or negative outcomes of the way organisations sustain their digital infrastructure and the implications of legislation. Level 3 moves supply chain vulnerability one step further up to the level of corporate risk management and business strategy. Level 4 takes a macroeconomic perspective within the environment in which organisations do business by big data. Factors of importance are the economic effect of the big data management on the economy, the political effect which is translated in the way legislation affects the performance of organisations, and the social factors of importance in doing business with personal data. Thus, the alteration of the framework for analysis of the value chain is done to sustain the topics of big data analysis, legislation, uncertainty, and performance. The following model (Framework 2) links the framework to the BDVC and elaborates further on level 5.
Framework 2. The altered framework of Peck (2005) for this study
In the framework, the levels of analysing an organizational value chain are altered to provide a model of analysis for the BDVC from figure 1 (Miller, & Mork, 2013). The first level, ‘Digital information processes’, represents the utilization of digital KM by organizations and functions as an insight in the way data is used by the entities of examination in this study. Creating insight in these practises is important for the analysis, as it filters out potentially irrelevant subjects that do not use big data and are not affected by the GDPR. In this level, the BDVC elements are not expressed, as it functions as a tool to filter the population of the study. Several subjects in the study agreed on participating under the condition that no in depth organizational information would be revealed, therefore, this level of analysis will provide a judgement by the author whether the subjects are suitable. More in depth information can be revealed, upon later request, after approval by the respective interview subject. The second level, ‘IT infrastructure and legislation dependency’, represents the way organizations collect, prepare, and organize big data. In other words, how they engage in the ‘data discovery’ phase of the BDVC. This functions as an outlay of the way strategic managers expect their practices
Level 5 – The effect on organizational performance
Level 4 – The economic and political influences (Legislation, performance) Level 3 – Organisational uncertainty and IT power dependencies (GDPR, uncertainty)
Level 2 – IT infrastructure and legislation dependency (Big data, GDPR) Level 1 – Digital information processes (Digital KM)
to be restricted by the GDPR. The third level, ‘Organisational uncertainty 5and IT power dependencies’, represents the way organizations integrate, analyse, and visualize big data in their practises, and eventually, how they make decisions based on these analytics. In other words, how they engage in the ‘data integration’ and a part of the ‘data exploitation’ phases of the BDVC. The fourth level, ‘The economic and political influences’, will examine the way the political influence affects these processes from an economic perspective. Finally, these four levels from Peck’s (2005) framework of value chain analysis, are combined creating the fifth level, ‘The effect on organizational performance’, to provide insight in the effect of the legislation on the performance of organizations. Leading to the following model of analysis (Framework 3):
Framework 3. The combined frameworks of Peck (2005) and Miller, & Mork (2013) for this study
5 Different from the literature review, in which the exogenous legislation GDPR proceeds uncertainty,
in the framework it is proposed after ‘organizational uncertainty’ to improve the logic of the structure for the interview subjects and the readers. This way, uncertainty over the effects of legislation proceed the way these political influences affect the economy, and ultimately the cumulated effect on
L1. Digital KM
- Utilization of digital KM - Digital logistics pipeline
L2. Big data
- Collection and preparation of data - Data discovery phase
L3. Organizational Uncertainty
- The costs of uncertainty over the effect of legilsation on the data integration and
exploitation
L4. Contextual variables
- The political impact - Its costs and economic impact
L5. Performance
- The combined effect of the prior levels on organizational performance from a
To use the framework, this research proposes WPs to guide the research and formulate an answer on the RQ and SQs. The GDPR articles state the GDPRs benefits of businesses, summarized under several headings: ‘one continent, one law’, ‘one-stop-shop’, and ‘the same rules for all companies’. All these proposed benefits resolve around the intention to improve the European single market for all organizations involved (European Commission, 2017). As this matter concerns an event that has yet to happen, WPs are used in order to study its effects according to the first four levels of analysis (Framework 3). In accordance to the framework, the fifth and last level will be derived from the information gathered with the first four WPs. This enables the research to assess the future event of the GDPR, based on the uncertainty over and the expectations of its consequences. Thus, this study proposes the following first WP:
The second WP in this study is based on the assumption that uncertainty over strategic choices affects performance. Big data is used to create valuable knowledge and reduce the ambiguity around the consequences of decisions (Marr, 2015). Further, the literature suggests that uncertainty can negatively affect performance (Duncan, 1972; Mascarenhas, 1982). Thus, as the GDPR restricts the utilization of big data (Zwenne, & Mommers, 2016), it will increase uncertainty over strategic decisions for managers. Therefore, the second WP is:
The third WP in this study explores the costs that come with compliance to the GDPR. The EC claims that the regulation will lead to a cost reduction of 2.3 billion euro (European
WP1 The future homogenization of transnational law will lead to increased organizational performance
WP2 The approaching GDPR will lead to uncertainty over strategic choices for managers
Commission, 2017), but authors claim differently (Bauer et al. 2014; Zarsky, 2017). This WP is built upon the assumption that the costs of compliance will exceed the benefits of the GDPR, leading to the third WP:
The fourth and final WP accumulates the effects of the GDPR in terms of its effect on organizational performance from Porter’s (1985) cost-based perspective. It assumes that the benefits of the regulation (WP1) will not be able to exceed, or even outweigh the costs (WP2 & WP3). Thus, the fourth WP:
3. Research design
In this section, the methods and data used to answer the research question are elaborated upon. Chronologically, the methodological design, the collection of data, the data analysis and the validity will be discussed. This section provides an answer to the question where, and how the data used in this study is found and analysed.
3.1 Methodological design
Yin (1994) describes the qualitative case study design, a design that tries to generalize to theoretical propositions, instead of populations. The author states three criteria for determining the right research design while distinguishing between three forms of case studies:
WP3 The costs of compliance to the GDPR will be considerable and will exceed the proposed benefits of the regulation
exploratory, explanatory, and descriptive. Exploratory studies are best used when a problem is not defined clearly, while explanatory studies are used to explain causal relationships. Descriptive studies are used to explain occurring phenomena or processes. As the problem in this study is in the future, it does not have clear measureable variables and is not clearly defined. Further, this does not try to prove a causal relationship statistically nor does it explain a phenomena or process. Therefore, it is an exploratory study. Yin (1994) distinguishes between the choice for a single or a multiple case design. In essence, the rationale for the single case approach depends on whether a single case is meeting all the conditions for testing a theory. In multiple case studies, two or more cases are considered in the analysis. For this study, the effect of uncertainty over the GDPR on performance, a multiple case approach is the most suitable option to adopt. The last proposed criterion is the distinction between a holistic or an embedded design. A holistic design is a study with one unit of analysis while an embedded design considers multiple units of analysis. Due to the multiple units of analysis in this study, it categorizes as an embedded design (Yin, 1994).
As this research is explorative and the phenomenon it studies has yet to take place, it is not commonly testing hypotheses or attempting to prove causality, but applying the existing literature to obtain further insight in how one factor influences another. This study addresses the research question and future descriptive or explanatory research by formulating WPs. Information is obtained by semi structured interviews and a natural observation of experts from the logistics, financial, E-commerce, consultancy, automotive, certification, and IT law sectors. This study is a multiple N-case study, with an N of 7. This study is a case study, a qualitative method of research, that aims to analyse one, or a few, cases in an in-depth fashion by using mostly interviews (Creswell, 2013; Gerring, 2007). In this design, the major focus of analysis is the experts’ predictions on the costs of the implementation of the GDPR and the effect this will have on organizational. The constructs on which the information is collected, are the levels
of the value chain analysis framework: Digital information processes; IT infrastructure and legislation dependency; Organisational uncertainty and IT power dependencies; The economic and political influences; The effect on organizational performance.
This study uses the abovementioned sectors as the variables on which the difference is tested to see if perceptions on the constructs of data collection differ between the disciplines. These effects shape a population that is hard to research by quantitative methods, as these methods require a large population (N) to draft reliable generalizations and the actual data on the effects will only be available in such amounts after the regulation becomes completely enforceable. This research aims to provide future research with guidelines and areas of interest, as it is exploratory, it examines why there is a relation between legislation in the digital knowledge context and organizational performance. It attempts to indicate relations between these constructs that are not yet known to exist or not yet understood in and from the prior literature. Thus, in this study, measures will be taken that indicate the magnitude of the four levels of analysis (Framework 3) constructs such as ‘uncertainty over legislation’, in order to analyse if and why these constructs are related and how they affect level five, ‘performance’.
The research question narrows the effect of the GDPR down to the perceived costs organizations will occur due to the uncertainty over the consequences of the legislation. Further, it explores what the data experts from large companies, expect to be the effect of the regulation on the performance of large firms. This focus is necessary to provide a contribution to the scientific literature as case studies require an in-depth analysis of internal mechanisms that are at play within the subject of examination. There are many factors that might influence the relationship between uncertainty over legislation and organizational performance, which differ from those in the Netherlands, of which many are not incorporated in this research. Therefore, the respective conclusion of this study regarding the examined relationships is not meant to be generalizable on a world scale. However, it can have value for EU subjects (Gerring, 2007).
The subjects in this case are heterogeneous and will be analysed with a within case analysis, followed by a between case analysis to test the WPs and formulate answers to the RQ and SQs.
3.2 Data collection
The data for this thesis, is collected through semi-structured interviews that are conducted at Dutch based large organizations (>250 employees) that process data of EU civilians. Semi-structured interviews enable the researcher to gain a comprehensive insight in the data, as questions can be added and removed from the interview during the time it is conducted (Saunders, & Lewis, 2012). To ensure that the obtained data is altered the least possible, these interviews are all conducted in a natural observation setting, the offices of the respective organizations, and took in-between 30-40 minutes. The subjects where offered to choose the language in which the interview was held, and all subjects chose the interviews to be in Dutch. All interviews were held with subjects that were closely affiliated with the changes the organizations have to incur to become GDPR compliant, for example the ‘Data Security Manager’ and other managers that are involved in the GDPR compliancy process. Before the start of each interview, the subject was asked to read and agree to a statement of compliance, which can be found in Appendix 2. To ensure the assumed knowledge of the subjects on the matter and to test their suitability for the research, the first stage of the interview invited subjects to elaborate on their knowledge of concepts as digital knowledge management, effectively inquiring about the ‘digital information processes’ in the organization. Once the interview subject indicated to be a valuable contribution to the data, the interview proceeded into the second stage which encouraged the subjects to elaborate on the digital infrastructure in their organisation and the Netherlands, and compared the current legal situation with the GDPR to test whether the Dutch firms have to change considerably to become compliant. The third stage in the interview appealed to the uncertainty that the subjects faced due to the regulations effect
on their organisation and in general. The fourth stage enquired about the effect of GDPR-like legislation on the economy as a whole. The fifth and stage of the interview insisted the subjects to elaborate on their predictions the regulation will have on their organizations’ performance and organizational performance in general. To improve the validity of the research and to avoid altered answers by the social desirability bias (Fisher, 1993), the subjects were not provided with the questions before the interview. To be able to extract the maximum potential from semi-structured interviews, all interviews were recorded using a mobile device.
This research explicitly focusses on large organizations, with over 250 employees (BDO, 2016), for two reasons: in the GDPR different rules apply for small/medium enterprises (SME) with less than 250 employees, and due to their size, large organizations are likely to be actively engaged in implementing the GDPR. They are more likely to be controlled regularly, have an exemplary role in society, and most of all, will be penalized exceptionally harsh upon breaking the rule of law. The data collection of this study begins by enquiring about the way data used to be handled, and how data will be handled in the future, by examining primary source data, the legislation documents issued by the EC (2014), and secondary source data: the papers in which these documents are discussed by scholars (Hox, & Boejje, 2005). Once the perspectives from the legislative and the academic context are clear, this research engages in interviewing experts active in the field to assess whether they deem the claims about the GDPR to hold and to be applicable in their respective work field. The subject of handling personal data is sensitive and could result in consumer outrage with definite negative associations that link with the company name, inflicting it with serious implicit harm, such as the Target example in Duhigg (2012). It is an uneasy subject for large companies who have their reputations on the line. Thus, as sharing this data might be potentially harmful for the organizations involved, this research has chosen to work with the statement of compliance, ensuring that all data collected will be destroyed at any point of time upon request.
To create an accurate, generalizable conclusion and enhance the validity of this study, the data used comes from multiple sources instead of just one company or business segment (Yin, 1994). Based on the above requirements, the organizations are selected that are able to act as representatives for their category. Although they represent different sectors, they share the characteristic of the service industry. Selected are the globally largest organization in logistics, one of the biggest banks in the Netherlands, one of the largest E-commerce firms in the Netherlands, one of the largest global IT-consultancy firms, a firm from the top 10 in the global automotive industry, one of the largest global certification institutions, and a firm specialized in IT law. The firm from the automotive sector does not directly appear to be part of the service industry. However, as the national headquarters in the Netherlands is not engaged in the actual sales of cars, which is done by the brands’ dealers, it only offers service to the involved stakeholders. There are six cases incorporated in the analysis, the subject from case seven had to quit the interview due to a medical emergency. As the data is not complete from this case, it is not included in the analysis. For a structured representation of the subjects in this study, please examine Table 1. Because the availability of these experts is limited to only one interview, this research will use a series of semi-structured interviews which are best used when there is only one chance to interview the subject (Cohen, & Crabtree, 2006). Further, the use of a semi-structured interview adds rigor to the research that would have lacked in the case of an unstructured interview, and allows for the acquiring of potentially important data that would have been missed in a completely structured interview (Leech, 2002). The interview data will consist of the transcribed interviews, under the assumption that all subjects are in function in organizations that deal with the GDPR extensively and all subjects explicitly agree with the use of their interview data.
Table 1: Cases interviewed in this study.
Organization Industry Function interviewee Date
interview
DHL Express Logistics Manager Data Security 15-11-2017
ISM Company E-commerce Manager Marketing Intelligence 29-11-2017
Atos Consultancy Digital Consultancy Digital Transformation Consultant 28-12-2017
KIA Motors Automotive Manager Data Security 28-12-2017
Project Moore B.V. IT Law Associate 12-1-2018
ABN Amro Financial Manager Data Activities 17-01-2018
DNVGL Certification Subject quit the interview due to a
medical emergency
19-01-2018
3.3 Data analysis and coding
The conducted interviews are recorded and the transcripts and original records can be provided upon request. Following the transcription, the interview data are systemically analyzed and coded in Nvivo 11, to identify emerging patterns or common themes (Strauss, & Corbin, 1990) about the implications and effects of the GDPR. To channel the outcomes of this research towards supporting or rejecting the WPs, all data is structured using codes. To create a structured overview of the themes in the data this research uses the techniques to identify themes by Ryan & Bernard (2003), using codes, sub-codes and indicators. The distribution among the codes used in this research can be found in Table 2. This study examines every single case on these codes, using a within case approach. Once all cases are examined, the correlations between cases will be examined in a between case approach. Level 1 ‘Digital information processes’ examines whether the interview subject is relevant for the study, classifying as ‘Strongly digitalized information processes’, based on the authors judgement on the use of big data processes, all levels are scored on a weak-medium-strong scale in which medium is
perceived as strong in the sub coding. Classification is perceived sufficient in case of medium-strong. Level 2 ‘IT infrastructure and legislation dependency’ examines whether the big data structures such as data discovery of the Dutch context is highly influenced by new restrictions. Subjects who state that the Dutch context will not be affected considerably due to the new law classify ‘Strong IT infrastructure and weak legislation dependency’, this could be the case if the GDPR does not differ considerably from preceding legislation. Level 3 ‘Organisational uncertainty and IT power dependencies’ examines whether the subjects in this study experience uncertainty over the consequences of the GDPR for their respective organization, subjects that express doubts over the economic effects will be scored in the ‘Strong uncertainty over the GDPRs consequences’ classification. Level 4 ‘The economic and political influences’ examines the way the subjects expect the political factor GDPR to influence the economy and their own segment, resulting in ‘Strong/Weak political influence on economy’ which can be either positive or negative. Level 5 ‘Consequence of uncertainty over legislation for organizational performance’ combines the cumulated effects of the influence of the restrictions, the uncertainty over possible outcomes, the impact of the legislation on the economy, into the way it affects performance from a cost based perspective.
Table 2: Themes and codes in the analysis
Indicators6 Sub coding Coding
Data, processes, information flow, value creation, availability and credibility, the possibilities to obtain and process big data.
Strongly digitalized information processes
Digital information processes (L1. Digital KM)
Weakly digitalized information processes
Structures, IT, threats, legislation, impact, infrastructure, dependency, data collection; preparation; and organization, ‘data discovery’, restrictions.
Strong IT infrastructure and weak legislation dependency
IT infrastructure and legislation dependency
(L2. Big data) Weak IT infrastructure and strong
legislation dependency
Corporate risk, GDPR uncertainty, strategy, integration, analyzation, visualization of big data processes, data integration and exploitation.
Strong uncertainty over the GDPRs consequences
Organisational uncertainty and IT power dependencies
(L3. Organizational uncertainty) Weak uncertainty over the GDPRs
consequences Economic effect, political processes,
legislation effect on big data management and economy, impact.
Strong political influence on economy
The economic and political influences
(L4. Contextual variables) Weak political influence on
economy Effect, legislation, performance of
organizations.
Increased performance Consequence of uncertainty over legislation for organizational performance
(L5. Performance) Decreased performance
3.4 Validity
To ensure the quality of the findings in this paper, the four recommendations for qualitative research by Yin (1994) are used. These are the construct validity, the internal and external validity, and the criteria of reliability. The construct validity tests if the research does actually investigate what it intends to investigate (Saunders, & Lewis, 2012). This study tries
to enhance its construct validity by examining multiple sources of the academic literature, and by basing its assumptions, claims and evidence on these sources. Internal validity is described by Yin (1994) as the errors that can occur in the analysis of data. To increase internal validity, Gibbert and Ruigrok (2010) suggest that every assumption based on the findings of the research has to be grounded on plausible argumentations. In this research, the internal validity is enhanced by examining the matching patterns between the cases and drawing conclusions that are backed by the theoretical foundations on which this study is build (Gibbert, & Ruigrok, 2010). Further, the results in this study will not just be considered true, as it is possible in qualitative research, all outcomes will be examined to ensure their contexts and possible alternative explanations or biases in the collection of the data, ensuring more valid and reliable conclusions (Gibbert, & Ruigrok, 2010, Yin, 1994). External validity is the concept that reveals the extent to which the results are generalizable outside the scope of the study (Yin, 1994). This study tries to fortify its external validity by examining multiple different industries that all share in the characteristics, service industry and efforts to become GDPR compliant. This factor of homogeneity allows for the cases to be generalized to theory (Yin, 1994). The concept of reliability is the transparency in the collection and analysis of data, and the replicability of the study’s findings (Gibbert, & Ruigrok, 2010). This research ensures the reliability by reporting every single step in the collection and analysis of the data, and providing the records and transcripts of the data collection.
