EU General Data Protection Regulation – Blessing or Curse? A difference-in-difference study on Higher Education Institutes in Europe

(1)

,

Leiden University – Faculty for Governance and Global Affairs

Institute of Public Administration

Master Thesis

EU General Data Protection Regulation –

Blessing or Curse?

A difference-in-difference study on

Higher Education Institutes in Europe

Submitted by Malin Sophie Inzinger, BA, S2538997

MSc Public Administration – Management and Leadership

Supervisor: Dr. Brendan J. Carroll

Second Reader: Dr. Dimiter D. Toshkov

(2)

ACKNOWLEDGEMENTS

I want to express my sincere gratitude to my thesis advisor, Dr Brendan J. Carroll at University Leiden, who, with his kind and patient manner, has helped me get through the stressful parts of writing this thesis. His advice was always constructive and to the point, which made his guidance invaluable.

I also want to thank my parents for cheering me on throughout my academic career and my dad specifically for his active advice, open mind, and the time he invested in listening to me about this thesis.

Finally, I want to acknowledge my partner in crime, Martijn Schouten. Thank you for your unconditional support and encouragement and for keeping me sane throughout this process.

(3)

ABSTRACT

This difference-in-difference study examines the impact of the General Data Protection Regulation on Higher Education Institutes (HEIs) in Europe. Specifically, the goal of this research is to assess the impact of the EU regulation “General Data Protection Regulation” by measuring its effectiveness on HEIs and comparing it with outcomes of non-EU countries that were not exposed to this regulation. This research is carried out by a difference-in-difference design based on data from the European Tertiary Education Registry. The performance of HEIs is split in three categories: financial, scientific, and educational. The results of the study suggest that there is a negative impact on educational performance from implementing the General Data Protection Regulation. This research contributes to the current literature on the impact and effectiveness of the GDPR, specifically in the tertiary educational sector.

(4)

LIST OF TABLES

TABLE 1COEFFICIENTS FROM REGRESSION ANALYSES FOR ALL THREE MODELS ... 26

TABLE 2AVERAGE DIFFERENCE OF TREATMENT GROUP POST-TREATMENT, PER MODEL ... 27

LIST OF FIGURES

FIGURE 1MECHANISM FROM GDPR TO PERFORMANCE CHANGE ... 18

FIGURE 2VISUALIZATION OF DIDDESIGN (JANUX 2017) ... 21

FIGURE 3MODEL (1)–FINANCIAL PERFORMANCE PER YEAR AND GROUP ... 25

FIGURE 4MODEL (2)-SCIENTIFIC PERFORMANCE PER YEAR AND GROUP ... 25

(6)

INTRODUCTION

Goal of this research

This thesis will empirically examine the connection between a European legislation and its impact on higher educational facilities in Europe. The origin and initial basis of this legislation was and is to enhance transparency and support efficiency within EU institutions, companies, and organizations. Specifically, the goal of this research is to assess the impact of the EU regulation “General Data Protection Regulation” by measuring its effectiveness on Higher Education Institutes (HEIs) and comparing it with outcomes of non-EU countries that were not exposed to this regulation.

This research will contribute to the current literature on the impact and effectiveness of the GDPR, specifically in the tertiary educational sector. Most likely because of the relative recentness, there are some gaps in the research literature on specific sectors. There is existing independent research on the impact of the GDPR on the health sector (e.g. Yuan & Li 2019), however, further research on the specific impact on the tertiary educational sector in the EU needs to be made.

Problem Statement

The new notion of accountability regarding personal data in the General Data Protection Regulation and the European Union’s strict way of enforcing it are the main reasons for major changes made in all industries regarding data protection. Because of this addendum, organizations that are subject to the regulation must be able to prove the data protection measures they have put in place. If they fail to do so, they face harsh fines that can have serious financial implications on their organizations and limit them in future business endeavours. However, the implementation and maintenance of the requirements of the regulation is also costly and time-consuming. Thus, the problem is twofold: there is a threat of financial instability if the requirements are not carried out properly and just adhering to the rules has financial implications for the organization.

Private organizations deal with this differently than the ones in the public sector. In the private sector, many big companies will be willing to consider a trade-off between the implementation costs and the potential fine. Because they are profit-oriented and implementing would be such an expensive undertaking and might even result in higher losses than just budgeting for the potential fine, private companies are putting a wager on holding off data protection. However,

(7)

public organizations are unable to make this decision. They are forced by their governments and regulations to implement the regulation as indicated. Especially in the public sector, budgets are tightly planned, and a financial strain as imposed here by the implementation expenses alone can have serious consequences on the growth and wellbeing of a public organization.

While the EU might not be able to change anything regarding the regulation - if there is indeed a negative impact on performance due to the regulation - it is still important to know. Future regulations could be researched more in-depth and financial and administrative support could be given to public sector organizations. It is therefore important to determine if the implementation of the regulation is hurting the public sector by decreasing its performance.

Research Question

The problem outlined above also affects the tertiary education sector in Europe, which is of considerable size. The European Tertiary Education Register (ETER) encompasses detailed data on 2465 higher education institutions in 32 countries with more than 17 million students (European Commission, 2018). These universities handle great amounts of data daily. Its core business, if you will, is people and their data. This relates not only to the students and their education, but also to teachers, scientific research employees and administrative staff. A university will usually be a data controller and typically not be in the position of data processor. They will employ data processors that process the data for them, but the personal data will be given to the universities by the data subjects. While privacy is always an important topic for educational institutions, based on its enforcement methods the regulation could have pivotal impact. As outlined above, the changes in the GDP Regulation directly affect the public sector, i.e. universities. How these changes specifically affect universities and which implications this potentially has on their performance is subject of this study.

I want to question and examine the second aim of the regulation, namely ‘to improve business

opportunities by facilitating the free flow of personal data in the digital single market’

(European Union, 2015, p. 1). This relates to the second problem proposed above, namely that merely adhering to the rules will have a significant impact on an organization. Because the implementation of the regulation directly affects the organizations implementing it, universities that are operating within the European Union might be at a competitive disadvantage in comparison to non-EU universities. As the implementation is not just of financial nature, this could affect overall performance and therefore future opportunities for European citizens. This led me to the following research question:

(8)

How did the implementation of the General Data Protection Regulation affect the performance of EU Higher Education Institutes (HEIs)?

I am hypothesizing that the implementation of the EU regulation ‘GDPR’ influences the performance of EU HEIs. I propose that European HEIs that had to implement the regulation had a higher strain on their financial positions over a period of about two years. This financial strain is a result of a higher administrative workload and the implementation of new IT resources to meet the standards of the regulation. On the other hand, the financial strain results in a weaker performance outcome than in previous years and, while financial indicators are prominently related to performance, also other measurements such as scientific research and graduation numbers factor into this equation and could be affected. In turn, non-EU European universities have not had this financial strain and are therefore better off in the European market.

Importance of the topic

Measuring policy impact and effectiveness

In this thesis, the impact of a policy is measured. The measured impact of a policy paves the way for the future of the programme. This can be either continuation, if the impact turns out as intended, amendment or cancellation of the policy programme. As many other organizations, the European Union is always facing budget cuts, trying to make the union more efficient. The resulting financial constraints mandate that policies are cost-efficient and effective at the same time. All resources need to be allocated to projects that return on the investment made. Measuring the impact of policy implementation is an important task in general, but the act of measuring is usually left to the organizations implementing the policy, producing grey literature. Leaving evaluation and control function to the implementing organization is not enough. According to Radaelli et al. (2013), EU Impact Assessments do include a certain level of EU narrative. While the reports are evidence-based, they are presented by the EU ‘to establish EU norms and values, and to create consensus around policy proposals by using causal plots, doomsday scenarios, and narrative dramatization’ (Radaelli et al 2013, p.1). Schrefler and Pelkmans (2014) also make the case for ‘transferring scientific knowledge into policy-making’. Thus, it is necessary to engage in objective research to ensure a maximum of transparency. Of course, financial limitations and access to data plays into this and there is only so much an individual can do, compared to a legislative body like the EU.

(9)

EU competitiveness

The European Union wants to work on making European HEIs more competitive on the global market. They have launched several initiatives appealing to the member states to ‘contribute to the international competitiveness of European universities’ (European Council 2017, p.3). This is crucial because European educational institutes are in direct competition with establishments in the Americas, Asia, and the rest of the world. The graduates that are produced here form the foundation of the future of Europe and ensure the prospective competitiveness of European enterprises and organizations. This applies not only to private corporations but also, and especially, to public institutions and governments. Advancing research capacity and output of EU HEIs is equally as important as their educational function. Being on the forefront of science is an undeniable factor of competitiveness, which adds to the importance of this research.

Scope of the study

This study will be limited to European Higher Education Institutes (HEIs), which includes EU and non-EU Higher Education Institutes on the continent of Europe. While the General Data Protection Regulation also affects non-European organizations, namely those that work with data from European citizens, this is not within the scope of this research. This relates to the chosen method of research and its necessary assumptions (see Parallel Trends Assumption).

Structure

In the introduction, I have outlined the main aim of the thesis, the research question and described the relevance of the topic and scope of the study. In the next chapter, I will set the context for the research problem. After a literature review to assess the requirements of the GDPR and to outline the current state of the research landscape on the topic of organizational performance, the theory and definitions used will be outlined. Based on the literature review and theoretical framework, my hypotheses, and proposed causal mechanisms are laid out. Then, the research design and methodology are described. The analysis and conclusion of the research can be found at the end of this thesis.

(10)

CONTEXT

This chapter outlines what the General Data Protection Regulation is, that it does have real-life implications on organizations, and what they are. The following section will include a summary of the requirements of the GDPR. Based on this, there is a list of action points that require resources that the GDPR has evoked on organizations. The purpose of this chapter is to provide context to this research, underscore the urgency of this research and point out the practical implications the GDPR has on organizations.

What is the GDPR?

The General Data Protection Regulation, short GDPR, was first announced in April 2016 with an implementation and enforcement date of May 2018. It was approved by the European Parliament and the Council of the European Union. The full title is ‘Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive)’.

In the European Union, there are different kinds of legal acts. While all of them are adopted by the member states, they are not equally binding and have different implications in their execution. Directives are pieces of legislature that are passed by the EU and point the member states in a certain ‘direction’ – that means, member states are expected to deliver certain results, but the means of achieving them are subject to national consideration. Regulations on the other hand are binding resolutions that are enforced in member states on a set date. (European Union, n.d.)

The general aims of the regulation can be inferred already from its title. The main objective of it is to enforce the fundamental right of individuals to ‘the protection of […] the processing of personal data’ (European Union, 2016, Article 1). The other, publicly less discussed, aim was ‘to improve business opportunities by facilitating the free flow of personal data in the digital single market’ (Council of the European Union, 2015, p. 1). This regulation was drafted as a replacement to the previous Data Protection Directive (DPD), which was put into place in 1995 (European Union, 1995). By 2016, this directive was outdated, not only due to time, but especially due to the radical changes that took place in the technological world. The way and extent to which personal data is handed over, spread, and used by second and third parties differs remarkably from when the previous bill was drafted. The GDPR is a way of answering to a far-reaching change from a mostly analogue to a digitalized world.

(11)

The content of the regulation introduces a few major changes to the digital landscape in Europe. While the regulation also applies to offline data processing, most data is handled online nowadays. A major novelty was the notion of accountability within the legislation. It now embodies not only the rights of the data subject and the obligations of the data controller, but also gives active responsibility to the latter, i.e. the persons processing the data.

The new regulation has sparked many discussions, especially in the health and medical research sector. The main concern is that research cannot be conducted in the same way as before because data protection makes it to difficult and dangerous for the parties involved. (e.g. Mostert et al. 2015 or Chassang 2017).

Accountability

The regulation includes seven principles of data security to be adhered to when implementing paragraph 1. Only one of them poses an essential change from the DPD to modern data protection. The contents of GDPR Article 5, 1. (‘lawfulness, fairness and transparency’, ‘purpose limitation’, ‘data minimisation’, ‘accuracy’, ‘storage limitation’, and ‘integrity and confidentiality’) were kept widely the same with minor changes compared to Article 6, 1. in the DPD. However, the matter of ‘accountability’ was added to the principles, which is the driving force behind the focus of this thesis.

The difference between the Data Protection Directive (DPD) and the GDPR is an addition of responsibility. to the original article. In the GDPR, Article 5, 2., ‘the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)’. The EU’s GDPR supervisory body explains the principle of accountability as follows: ‘The

General Data Protection Regulation (GDPR) integrates accountability as a principle which requires that organisations put in place appropriate technical and organisational measures and be able to demonstrate what they did and its effectiveness when requested’ (EDPS, n.d.).

Thus, accountability refers to the actual implementation of the regulation’s requirements and the ability to prove it. This also weeds out those organizations that have until now not lived up to data protection standards and holds them accountable to their actions.

Enforcing the regulation

A very important and impactful part of this regulation is its way of enforcement. Chapter 8 of the GDPR deals with ‘remedies, liabilities and penalties’. Article 83 of the regulation dictates a fine of up to 4% of an organization’s annual gross revenue for non-compliance. Naturally, what ensued was a global scrambling of all different kinds of companies and organizations for

(12)

implementing the correct measures to comply with the requirements. Since its implementation, the fine was given out to many companies. Even Google was fined for non-compliance, which showed that the EU is trying to legitimize the regulation and demonstrate that also the big players are not beyond its implications.

Because of this interconnection of accountability and enforcement, most organizations put in real effort to implement all requirements into their organizational structure.

GDPR requirements and their implications

GDPR Requirements

While there are a few things that need to be implemented straight from the regulation, there are some things that are up to the organizations’ interpretation. There are explicit and implicit requirements for the entity that is processing personal data.

Explicit requirements refer to the specific duties and obligations the data controller has. Chapter 4 of the GDPR outlines the obligations of the data controller (and data processor). In Table A.2 in the appendix, all articles of Chapter 4 are mentioned and shortly explained. The articles relevant to practical implementation for the data controller are highlighted and categorized. Implicit requirements are those measures that are put into place to ensure the rights of the data subject. While chapter 3 of the GDPR, ‘rights of the data subject’, does not explicitly state proactive measures for organizations, the articles imply further changes to ensure the data subjects’ rights. Again, in Table A.1, a summary of each article is provided including a categorization of actions to be taken based on them.

To clarify the impact of the regulation further, and to identify the activities needed to be carried out for an organization to be compliant, I have highlighted and categorized the articles that require action on the organization’s side. 0 A.3 lists the need and nature of financial resources according to these compliance activities.

Implications - Cost of GDPR

As can be seen in Table A.3, the financial implications on performance of the different activities needed to be implemented are significant. The main factors that have an impact are the predicted strain on human and IT resources. Implementation and maintenance of IT infrastructure as well as data assessments, processing data and other administrative efforts are only part of the actions that need to be taken to be compliant with the regulation. Organizations need to allocate resources to data protection, for which little or no budget was predefined. This could have a

(13)

major impact on short-term financial performance of organizations. However, this impact is identified not only in the short- but also and especially in the long-term.

In a white paper prepared by London Economics, it is estimated that the amount of spending on data protection is to rise disproportionately (London Economics, 2017, p.7). The nature of the regulation dictates that, but also less quantifiable goals are affected by the implementation. According Chassang (2017), researchers will be less inclined to do research containing sensitive data because of GDPR. If that is the case, this can have a long-term impact on the research community. Especially for public organizations, every working hour that is exceeding the pre-confirmed budget is a problem. Public organizations are usually working with tight budgets anyway, and a regulation like this can make budgets explode and leave them paralyzed or worse, spiralling down.

(14)

LITERATURE REVIEW

The goal of this research is to examine performances outcomes of Higher Education Institutes after implementation of the GDPR. In line with this goal, the following literature review will focus on performance of public organizations and services and the implications of the GDPR requirements. The current literature on performance of public organizations, which types of performance there are and how they can be measured, will be reviewed. Specifically, the performance definition for Higher Education Institutes is examined.

Performance in the public sector

For this thesis, the importance of public performance is twofold. On the one hand, it is important to evaluate the performance of the public service that the European Union is providing by regulating the Union, and in this case specifically Higher Education Institutes within the Union, and with that, providing the GDPR. On the other hand, most HEIs in the EU are part of the public sector and their performance is clearly an outcome of public service. While HEIs originated in the private sector, the repurposing of and rising demand for higher education in Europe has outgrown its native sector and called for a more integrated approach. This often includes government funding and subsequent decision-making and one could argue that a lot of universities were somewhere in between the private and public sector. Due to the nature of higher education and its implication on the population, public regulations still apply to them, regardless of ownership. Thus, also private universities are an integrated part of the public sector. On top of this, in the past decades, “universities were increasingly assimilated to other public entities […] aimed to reinforce their autonomy and make them accountable […]” (Seeber et al., 2015), and through New Public Management reforms in the public sector, an emphasis of performance-based approaches and efficiency was established.

In line with this “New Public Management” movement as described above, there is an emergence of researchers that see the public sector in a new more business-like light (Gruening 2001 gives a good overview of the history and different aspects of NPM). In this new way of seeing public organizations, the organizational leader, also called the public manager, receives new importance. They can actively decide for or against ways of implementing policy and therefore shape the environment and policy-making process. The focus here lies on performance management rather than external factors. According to Rabovsky (2014), performance management in public universities is about informing decisions and improving management of these public organizations.

(15)

However, New Public Management is not adopted throughout the research landscape. Some researchers are sure that due to the characteristics of the public sector, organizations do not have room for decision-making and are “constrained” to their environment and its decisions. The attainment of goals is therefore out of their hands. This was partly substantiated by several studies, e.g. on UK Local Government, where the significance of external constraints was tested on public service outcomes (Andrews and Martin 2010). Public organizations are subject to change when political leadership switches or structural developments are implemented. Keith (1999) defines performance of universities as a way of claiming legitimacy in an institutionalized environment. Scholars that follow this school of thought do not advocate for measuring and improving performance indicators.

It seems that the research community examining organizational performance in the public sector, or Public Service Performance (PSP), is united on one thing: defining it is not very straightforward. There is consensus about some of the basics, but the details of its definition and measurement are explained manifold and differ from author to author. It is described in the literature as “an informed, goal-oriented decision” (Holzer and Yang 2004, p. 16), “outcome-based accountability” (Nielsen 2013), “improv[ing] effiency” (Snyder, Saultz & Jacobsen 2017) and that it “refers to the efficiency, effectiveness and quality of the activities of these organizations” (Meyers & Verhoest 2006). O’Toole and Laurence (2011, p.2) chime in by defining performance as “the achievements of public programs and organizations in terms of the outputs and outcomes that they produce”. Heinrich (2015) sums up the notion of effective performance management as “demand[ing] clarity of goals and their translation into empirical measures that adequately characterize our intended outcomes.” While they all use different words, they have the same general approach. Public Service Performance is about the output of a public organization and the grade of achieving their planned activities/goals.

Outcome vs. process

Defining the essence of the output of a public organization is another topic where opinions differ. Andrew Brown identifies the duality of a target vs. tasks (in: Neely 2007). Sometimes performance will be defined as a specific target, e.g. a determined cost per unit, but a lot of the times this will be mixed up with goals that are activities or tasks, like implementing a new office practice. This adds to the mix of performance definition and makes standardized measuring that much harder. According to O’Toole and Meier (2004) and O’Toole and Laurence (2011), Public Service Performance is a function of past performance and stability, which again is comprised of environmental forces/shocks, internal management, and external management. This is a more theoretical approach that intertwines the performance definition of outcome and

(16)

process. It also takes intergovernmental network characteristics and managerial functions of a public organization into account.

Multiple dimensions and goal disambiguation

In the literature, there are three recurring themes of why organizations measure Public Service Performance. They are improvement of services (Walker, Damanpour & Devece 2011, Meek & van der Lee 2005), legitimization via accountability and transparency (Smith 2006, Kivistö et al. 2019, Meek & van der Lee 2005) and determining future actions on current policies (Meek & van der Lee 2005, Radin 2006).

However, next to these main objectives, individual public organizations follow multiple individual goals, which leads to them following multiple dimensions of activities. Contrary to private organizations who focus mainly on financial performance, defining and measuring performance indicators based on these multi-dimensional activities is difficult (Andrews, Boyne & Walker 2006, p.14). Goal conflict within an organization is a big factor to setting goals and measuring performance, which can have performance-related consequences. (Chun & Rainey 2005; O’Toole & Meier 2011; Rainey & Jung 2015). As outlined above, what a lot of researchers agree on is that the performance of public organizations first and foremost relates to their goals. Because of multi-dimensionality (largely due to the nature of the organizations and socio-economic and political factors), public organizations’ goals are ambiguous and differentiated and they cannot be aligned into one measure of performance. (Carter et al. 1992; Brunsson and Olsen 1997; Boyne 2002, 2003; Huang & Sisay 2015; Chun and Rainey 2005; Chun and Rainey 2006 in: Boyne et al 2006). In 2002, Boyne published a conceptualisation of public performance within five themes: “outputs, efficiency, effectiveness, responsiveness and democratic outcomes” (p.19). A lot of the current literature is based on this concept. O’Toole and Laurence (2011) follow along these lines by citing Boyne from 2003 and use a version of his five themes to explain the performance concept. From his five overarching topics, Boyne (2002) derived 15 dimensions of performance measurement and included examples of what they mean. An example for output quantity could therefore be the “hours of intensive home care” or the “number of council dwelling renovations”.

Takasc (2013, p.37) agrees with this in part and puts it this way: “The operation of a public sector organization can be regarded successful, if its performance serves both the mission, the achievement of the objectives of founders and the maintenance of functionality.” He divides performance into inputs, activities, and outputs, which correlates with a few other authors’ perspective, as outlined above.

(17)

In general, this means that a definition of performance needs to be made on an individual level and needs to focus on the objectives of the public organization that it refers to.

Performance Measurement

Due to the ambiguity of the term itself, the difficulty to produce a generalizable definition and the problem of goal conflict, there are many different approaches on how performance works in detail. Thus, as differentiated as the definitions of public performance are, are its modes of evaluation. Once a definition of performance is found, it becomes easier to determine measurement criteria for this specific idea. Some authors, therefore, take a more hands-on and topic-specific approach when it comes to defining performance measures (e.g. Radin 2006). However, there are also those authors that try to standardize and generalize performance measurement. They are classifying establishing goals and measuring results as a tool for improving policy and accountability of a governing body (Holzer and Yang 2004). These are usually following the New Public Management wave and want to implement corporate practices into the public sector. Sole measurement of financial performance is the measure of performance in private organizations, but as the goal of public organizations is not only of financial nature, this was expanded also to non-financial measuring indicators.

According to Andrews, Boyne & Walker (2006), a mixture of objective and subjective measures of performances should be used to account for potential weaknesses within each measurement type. Objective measures of performance are “impartial, independent, and detached from the unit of analysis.” To measure performance objectively, the relevant dimension of performance needs to be defined and externally verified. (p. 16) Subjective performance measurement, on the other hand, is related to relevant stakeholders’ opinion. These measures can be taken from surveys or interviews and will not be as quantifiable as objective measures.

Also, here, the literature is divided, and it depends on individual taste if an individualized or a generalized approach to performance measurement is taken. Once this choice is made, there are many types of specific performance measures that can be utilized.

Impact on performance

Another important part of public service performance research is what performance is impacted by. To determine a competent strategy to improve an organization’s performance, not only its goals need to be analysed and laid out. Internal and external factors that might impact performance need to be assessed. This goes for negative and positive forms of impact, because

(18)

the former is necessary to identify threats and potential problem causes and the latter is a good starting point for improvement. The literature on this is vast and there are many studies and articles on what specifically impacts performance. Below are a few generalized factors that were frequently mentioned to be influential when it comes to organizational performance.

Resources

There is a strand of research that deals with organizations’ ability to effectively utilize the input it gets, i.e. resources, in order to improve performance (as summarized in Lee & Nowell 2015 or Troisi, Torre & Maione 2016). According to these scholars, resources are significantly related to the status of a public organization’s performance. This could be human, capital, or natural resources and they are frequently categorized in different ways. It depends if the unit of relation is an organization, where sometimes internal and external resources (Bagnoli & Megali 2011) or social, human and physical capital defined as resources (Kendall & Knapp 2000, p. 110), or financial and non-financial resources (Median-Borja & Triantis 2007) are categorized. The organizations ‘create organizational capacity through the acquisition of resources that enhance their ability to offer quality programs and services’ (Lee & Nowell 2015, p. 303). So, if acquisition of these resources enhances their output, the absence of resources or input will decrease the organizations’ capacity to act.

Management

Since the New Public Management movement, researching the impact of management on performance has been the focus of many authors. Links between management and performance have been provided multiple times and the its importance cannot be rejected. (O’Toole & Meier 2011; Van Dooren, Bouckaert & Halligan 2010; Andrews et al. 2011; Holzer & Yang 2004; etc.).

Bureaucracy - Red tape

There is also a strand of research on ‘red tape’, which is what some authors call bureaucracy, and its implications on performance. “Red tape's impact on organizational performance is related to management strategy and organization culture” (Brewer & Walker 2010; Pandey & Moynihan 2006; in: Knies & Leisink 2017).

Innovation

Adoption of innovation is another concept of performance improvement. The process of adopting innovation is characterised by three phases: “initiation, adoption decision, and

(19)

implementation” (Damanpour and Schneider 2006). According to some authors, the innovation will only improve performance, if it is correctly implemented (Walker, Damanpour & Devece 2010).

Performance of higher education institutes

As outlined above, depending on the type of public organization, the outcomes, or goals to be measured will differ. In the next paragraphs, potential performance indicators will be reviewed based on goals of higher educational institutions, e.g. public universities. The literature on this is very complex and differentiated. Most authors find their own set of typologies for performance per Higher Education Institute.

Some authors like Kells (1992) classify performance by their indicators, in this case relating to “university management, teaching, learning, research and service, and response to government goals or policies”.

A different approach is offered by McKinnon, Walker and Davis (2000), who distinguish between criterion reference and quantitative types of performance in universities. The former are outcomes that are compared to a certain criterion and the latter will be compared to other universities’ performance in that rubric. This was also discussed by Sizer, Spee and Bormans in 1992, who distinguish between quality assurance across a system through reaching thresholds and “comparative quality judgments” that compare universities with each other.

While there are many different goals to be attained by higher education institutes, the main goal should always be to “keep student learning as the focus on all activities” (Lennon 2018, p. 528). To obtain this, a balance between accountability and improvement of activities must be kept (European University Association 2019, Lennon 2018).

The European University Association outlines strategies and definitions of efficient universities. They divide efficiency in two groups: resource-based and value-based approaches (European University Association 2019, p.11). Resource-based approaches focus on managing how input relates to outputs and how resources can be minimised by keeping outputs the same. Value-based or ‘value for money’ efficiency is focussing on the outcome of the activities and effectiveness on the desired goals (p.11). Value for money includes “economy (reducing input costs), efficiency (getting more output for the same input) and effectiveness (getting better at achieving objectives)” (p.11) and is focussing on student outcomes and how resources need to be distributed in relation to that. This line of thinking between value-based and resource-based is used throughout the literature.

(20)

Garnett, Roos & Pike (2008) classify overall value of research at a university in instrumental, intrinsic and extrinsic value. While instrumental value relates to the current research output, intrinsic value measures the capability to conduct research. Extrinsic value is about the factors relating to research outside of the organization, i.e. reputation.

Common themes within this research area are a duality of managing resources efficiently versus the attainment of value-based goals. Reaching a set goal that is then compared to other universities is about managing resources in the most efficient way, but when it comes to reputation or quality of teaching, goals need to be set on certain values leaving resources aside.

(21)

THEORY

In the following chapter, the theory underlying my research will be outlined based on the literature reviewed above.

Research Question and Hypotheses

My research question deals with the effect of the GDPR on the performance of EU Higher Education Institutes (HEIs). As mentioned above, one of the reasons of measuring performance is to determine further actions on current policies. Radin (2006) speaks about government reform as the relevant outcome and sees measuring public performance as the means of determining the extent and nature of the reform. The purpose of measuring these goals is to determine future actions on current policies and potential reform of governing structures and mechanisms (e.g. Radin 2006, p.35). This is especially relevant for this research, because as discussed in the introduction, I am examining the efficiency of a supranational government policy, the GDPR, and it is examined by measuring performance. In the box below the research questions and connected hypotheses are listed:

Research Question: How did the implementation of the General Data Protection Regulation

affect the performance of EU Higher Education Institutes (HEIs)?

Hypotheses:

H0: GDPR implementation has no effect on HEI performance.

H1: GDPR implementation has a negative effect on HEI performance.

H1a GDPR implementation has a negative effect on financial performance. H1b GDPR implementation has a negative effect on scientific performance. H1c GDPR implementation has a negative effect on educational performance. H2: GDPR implementation has a positive effect on HEI performance.

H2a GDPR implementation has a positive effect on financial performance. H2b GDPR implementation has a positive effect on scientific performance. H2c GDPR implementation has a positive effect on educational performance.

The null hypothesis suggests no effect of the implementation of GDPR on the performance of Higher Education Institutes. In contrast to this, my alternative hypothesis H1 suggests that the GDPR implementation is affecting HEIs in a negative way. The implementation affects different structural areas of HEIs and subsequently also affect these three areas of performance

(22)

of HEIs. As outlined in the review of performance literature and of the GDPR itself, the implementation costs of the regulation are substantial for organizations and an environmental shock such as this has impact on performance. The consequences of a shock like this might only be of financial nature but are subsequently also impacting the educational and scientific performance of the HEI. The financial implications that are outlined in the chapter above are limiting organizations in their ability to use their budget for other sectors. Cutbacks need to be made and this can have serious repercussions along the whole structure of an organization. Based on the literature, I suggest that due to the strain on financial performance, also the performance of other vital parts within an educational institute suffers. The implementation costs for organizations not only limits them in their ability to react to other issues but takes away resources from other branches and focusses them on this one change.

The alternative hypothesis H2 and its sub-hypotheses propose a positive relationship between the implementation of GDPR and the different performance levels of HEIs. The GDPR’s main goals are promoting transparency and enhancing efficiency for EU institutions, companies and organizations. While this is not the main expectation, this alternative hypothesis could be accepted if the implementation of the GDPR has been enhancing efficiency for these actors. An improvement of data protection regulations also means a revision of bureaucratic processes and structures within the data structures and IT architectures of organizations. This revision could lead to an improvement of general efficiency and less red tape/bureaucracy. If internal and external management is stabilizing the organization and balancing out the environmental shock, this could be a plausible explanation for positive performance of HEIs.

Environmental Shocks

With this thesis I want to examine the impact public governance and its regulations have on the performance of public organizations. In particular, the effect an imposed regulation has on an organization is examined. This does not mean it is contrary to the approach New Public Management scholars have, namely that the managers and leaders of public organizations have substantial influence over outcomes. It rather puts focus on one side of a coin, which does not make the other side obsolete or less important. Management is an important aspect of performance and countless publications provide evidence for a causal link between the two factors (see literature review).

However, to demonstrate the importance of other factors besides management, like regulations from governing bodies, I draw on the performance model of O’Toole and Meier (2004), who define Public Service Performance as a function of past performance and stability. The three

(23)

factors “environmental forces/shocks”, “internal management” and “external management” are affecting the stability of a public organization. As discussed, while internal and external management are important and therefore mentioned here as well, the concept of environmental shocks is not to be underestimated.

As described in O’Toole and Laurence (2011), organizational stability is comprised of external shocks as well as internal and external management. According to their research, external shocks are substantial factors of influence when it comes to organizations and subsequently their performance. But also, other authors have identified external shocks as impactful. The term derives from macroeconomics, where business cycle theory debates on whether external or internal shocks are responsible for a change in a country’s GDP (see e.g. Hallegatte & Ghil 2007).

A shock is created by an environmental force of the environment of the organization, which is in this case the European Union (O’Toole and Meier 2004, p.29). Being subject to implementation of the GDPR is not unexpected for organizations, but still a shock to the system. In line with this, the definition used here is that performance is the sum of a university’s past performance and its overall stability. Thus, an environmental shock like a major, unexpected change in budget will affect the stability of the organization and according to their theory also the organization’s performance.

GDPR Implementation

The financial impact of implementing GDPR in any organization has been demonstrated in the literature review. The complexity of the implementation and subsequent severity of the financial burden leads to universities being affected in their performance (see Figure 1).

Figure 1 Mechanism from GDPR to performance change

O’Toole and Meier (2009) propose that budget cuts affect performance. The addition of a financially straining activity such as this one is in some way a budget cut. While the budget

GDPR Implementatio n (see action points) Environmenta l Shock (Change in Resources) Performance (financial, educational, scientific)

(24)

does not become less literally, there is more to pay from the same amount of money as there are no subsidies for the implementation of the GDPR.

HEI performance – definition through goals

In the literature review, the popular opinion to measure performance according to goals of organizations was identified. In line with this argumentation, goals of Higher Education Institutes are also the key to determine and measure their performance.

In order to evaluate the performance in terms of GDPR effectiveness, the performance on different levels from the perspective of HEIs must be examined. I am focussing on comparative quality judgments (Sizer, Spee and Bormans 1992), where universities are compared with each other based on certain indicators. Based on the literature, I have determined three structural areas of universities on which they base their goals on:

Financial goals

Naturally, financial goals are an important factor for the survival and growth of any organization, but in recent years also of organizations in the public sector. With New Public Management, financial outcome indicators have become more and more popular. The financial well-being of a public organization opens doors for innovation, growth, optimization and more. In the public sector, there is an ambiguity between not reaching the budget and being able to use the money for new projects and having that budget cut because the organization does not seem to need it.

Educational goals

The core business of universities is education. The goal of universities is to give high quality education to as many people as possible. Therefore, the number of students and annual graduations is an important factor for them. Another indicator would be how well students do after attending the university.

Scientific goals

Universities also strive to provide better, more advanced education as well as adding to solve society’s problems by researching in many areas of science. The number of researchers, publications, citation indices and the extent of their research agenda are determining factors for this. However, also PhD programmes and related graduation numbers are valuable indicators on how a HEI is doing.

(25)

Based on this, I argue that the outputs should also be measured according to these three goal categories. In the methodology section, these factors will be operationalized.

(26)

METHODOLOGY

In the following, the methodology and research design are outlined. First, the method of analysis, the Difference-in-Difference design, is explained. Then, the variables used are operationalized and the case selection is explained.

Method of analysis

To answer questions regarding policy effectiveness, a popular method of research is the difference-in-difference (DID) design (e.g. Card and Krueger 1994, Conley & Taber 2011, Delaney & Kearney 2015, Romero & Noble 2008, etc.). This design allows to compare a treatment and a control group over two time periods. The DID design is a quasi-experimental form of quantifying the effect a treatment has on a dependent variable. In this design, it is assumed that both the cases of the control group and the treatment group are following a similar trend over time. With the treatment – in our case a policy change – being administered at a certain point in time, we want to examine if the trend of the treatment group changes compared to the control group. These two groups are compared over two points in time, pre-treatment and post-treatment. The baseline data is the data from the pre-treatment period and the estimated treatment effect is calculated from the difference of the differences within the two groups (see figure 2).

(27)

I am using the following linear regression model for this analysis:

𝑌_𝑖𝑡 = 𝛽₀+ 𝛽₁𝑡𝑟𝑒𝑎𝑡𝑚𝑒𝑛𝑡_𝑖 + 𝛽₂𝑡𝑖𝑚𝑒_𝑡+ 𝛽₃ (𝑡𝑟𝑒𝑎𝑡𝑚𝑒𝑛𝑡_𝑖 𝑥 𝑡𝑖𝑚𝑒_𝑡) + 𝜀_𝑖𝑡

The dependent variable Y is performance, where 𝑖 stands for the unit of observation (higher education institutes) and 𝑡 for time. There are dummy variables that need to be created here. The dummy variable 𝑡𝑟𝑒𝑎𝑡𝑚𝑒𝑛𝑡_𝑖 is the difference between the treated and the untreated group, that have a value of 1 and 0, respectively. The dummy variable is only relevant for the unit of observation because it is not affected by time, as units don’t vary across time. 𝑡𝑖𝑚𝑒_𝑡 describes the treatment period (with value 1) and the pre-treatment period (0) and because time does not vary across the units, we do not include the units in this dummy variable. The variable 𝛽3 is the main causal variable, which is capturing the effect of the GDPR implementation on the performance of the HEIs. This is given the values 1 for performance after treatment and 0 for performance before treatment.

Parallel Trend Assumption and confounding variables

As mentioned above, the research design assumes that the treatment and control group follow a similar trend before admission of the treatment. The counterfactual for this research is that the gap between the treatment and the control group would stay the same without the treatment. That also means the design is “rely[ing] on the assumption that the important unmeasured variables are either time-invariant group attributes or time-varying factors that are group invariant” (Wing, Simon & Bello-Gomez 2018). We are therefore able to minimize bias of confounding variables and do not have to select cases based on only observed characteristics.

Method of Data Collection

The data used in this research comes from a dataset from the ETER project, which is a project financed by the European Commission. The data is produced and managed by the European Commission, EUROSTAT and the participating countries. The implementation and maintenance of the data is carried out by five partners (ETER-Project, 2011-2017). They have been registering data of higher education institutions in Europe between the years 2011 and 2018. The register not only includes EU countries but also other non-EU European countries, which makes the dataset quite diverse and fitting for our research design. They provide data on “the number of students, graduates, international doctorates, staff, fields of education, income and expenditure as well as descriptive information on their characteristics” (ETER-Project, 2011-2017). All variables used come from this dataset.

(28)

Operationalization

The independent and dependent variables are operationalized as shown below: Independent variables: Subject to GDPR implementation

The dummy variable treatment is the treatment that is “given” to the two groups of the experiment and coded as either 1 for EU HEIs or 0 for non-EU HEIs. This is because the GDPR is an EU regulation and therefore only implemented in EU countries. While there are also minor implications of the GDPR for non-EU countries, we assume that this is handled within the ‘usual’ scope of these HEI’s data protection measures, i.e. they are not implementing any new measures in addition to what they already have in place in terms of data protection. The common student in non-EU HEIs are not subject to GDPR protection and it is seen as unlikely that there are specific GDPR measures implemented for the small amount of EU students in non-EU countries. EU HEIs on the other hand need to implement the ‘treatment’ because it is dictated by binding legal regulations.

The dummy variable time stands for either the pre-treatment period in 2015, coded as 0, or the post-treatment period in 2016, coded as 1. Together, these dummy variables create our interaction term as outlined in the regression model above.

Dependent variable: Performance of Higher Education Institutes (HEIs)

As the dependent variable of this research, performance is operationalized on three levels, educational, financial, and scientific performance of universities. From these parameters, it was planned to create a single performance variable. However, due to their heterogenous nature, it seemed reasonable to test for their significance separately. The financial performance is measured by the difference in Euro between total expenditures and total revenue for the respective treatment period. This will give an overview indicator of how the respective observation units are doing on a financial basis. Educational and Scientific performance will be measured in number of graduates in the categories ISCED 5-7. The International Standard Classification of Educational Degrees (ISCED) is a standardization of global education systems and classifies national education programmes. The categories 5 to 8 represent all students in the tertiary education sector. According to this, the educational performance will be measured by the number of graduates in the ISCED categories 5-7, which include short-cycle tertiary level education, bachelor’s degrees or an equivalent and master’s degrees or an equivalent. The scientific performance is measured by ISCED category 8, which is a doctoral degree or an equivalent to this. Both of these indicators are measured in graduates per unit per year.

(29)

Case Selection

Based on the research question, the unit of observation in this research are higher education institutes in Europe. Because the research design is based on Parallel Trend Assumption, the relevant population is selected by comparing the performance of the units in the years leading up to the year of the treatment. With this, it is ensured that only units are selected for comparison that are following the same trend line. In this case, the spill over effect is not relevant, because the EU regulation is valid for within EU countries’ borders. Non-EU countries do not have to adhere to the regulation unless they are dealing with EU citizen’s data.

We need a control group and a treatment group. The treatment group will be HEIs from EU countries, because this is where the GDPR has taken effect. The control group are HEIs from non-EU countries that are on the European continent. The geographical vicinity gives us a chance to avoid bias, because HEIs in vicinity of each other have a higher sociological, cultural, and historic connection. This makes it more likely that they are similar in structure as well as educational system on a national level. Compared to the United States or Japan, the higher education system on the European continent is very different.

The non-EU European countries in the control group are Albania, Liechtenstein, Montenegro, Norway, Serbia, Switzerland, Turkey, UK and the Republic of North Macedonia. The treatment group consists of the EU-28 countries.

The time periods chosen are 2015 for the pre-treatment and 2016 for the post-treatment period. The GDPR was first announced in April of 2016 and implementation commenced after this, which is why it makes sense to examine the pre-treatment in 2015. Post-treatment is set at 2016 because this is the year where it is assumed that most of the implementation was conducted in the HEIs. It is expected that the biggest impact of the implementation on performance will have been in 2016.

Limitations

The difference in difference design does have its drawbacks. According to Khandker et al. (2010), the Difference in Difference design “may give biased estimates if characteristics of project and control areas are significantly different”. This is addressed by the parallel trends assumption above. Albouy (2011) writes that, if the assumptions made do not correlate, we have “no guarantee that the estimator is unbiased” (p.4), which makes the Parallel Trends Assumption one of the most important but also most threatening parts of this research design.

(30)

RESULTS AND ANALYSIS

On the following pages, the results of my analysis will be outlined and examined based on the research question and hypotheses. The statistical models were operationalized with the statistical software package Stata. The data taken from ETER was pre-screened in Excel and the proposed dummy variables were created there and within Stata.

For a general overview, the average numbers of performance and their respective trends of treatment and control group from 2015 to 2016 are shown here in three figures. Figure 3 depicts the general increases of financial performance in million per year and group.

Figure 3 Model (1) – Financial performance per year and group

In figures 4 and 5, the average scientific and educational performance per year and group is pictured. 3,75 4,06 6,54 6,02 0,00 2,00 4,00 6,00 8,00 10,00 12,00 2015 2016 Fi n . Pe rf . i n mi lli o n € Year

Financial Performance per year and group

EU NonEU 36,57 39,93 60,60 64,77 0,00 20,00 40,00 60,00 80,00 100,00 120,00 2015 2016 Sc i. Pe rf . i n g rad u ates Year

Scientific Performance per year and group

(31)

Figure 5 Model (3) - Educational Performance per year and group

Below, the results of the regression analysis based on the three performance indicators are shown. Table 1 shows the results of three regression analyses, one for model 1 on financial performance, one for model 2 on scientific performance and one for model 3 on educational performance. The standard errors are clustered by country to account for unobserved heterogeneity across countries.

Table 1 OLS regressions of types of performance

Model (unit of measurement) Variable (Coefficient) (1) Financial (in million €) (2) Scientific (graduates) (3) Educational (graduates) Treatment (𝛽1) -2.78 (4.40) -24.03 (23.96) -1,470.98*** (573.09) Time (𝛽2) -0.52 (0.44) 4.17*** (0.97) 137.37** (66.90) Treatment x Time (𝛽3) 0.83 (2.72) -0.81 (2.87) -117.49* (69.27) Observations 5,955 5,955 5,955 R² 0.0028 0.0053 0.0241

Notes: standard errors clustered by country in parentheses; * p<0.10, **p<0.05, ***p<0.01.

In these models the variable treatment represents the difference between the treatment and control groups before the treatment, i.e. the difference between EU and non-EU HEIs in 2015

1 104 1 124 2 575 2 712 0 500 1 000 1 500 2 000 2 500 3 000 3 500 4 000 4 500 2015 2016 Ed u . Pe rf . i n g rad u ates Year

Educational Performance per year and group

(32)

based on the respective performance indicators. These results are significant at p<0.01 only in one of the three models, educational performance. The financial performance of EU HEIs in 2015, before treatment, is roughly 2,8 million Euros less than for non-EU HEIs in 2015. Regarding scientific performance before treatment, EU HEIs had on average 24.03 PhD graduates (ISCED level 8) less than non-EU HEIs. Also, educational performance can be reported as less when compared to non-EU HEIs at a mean of -1470.98 graduates at levels ISCED5-7.

The variable time represents the impact of time on the control group (non-EU HEIs). It shows how the dependent variable has changed from 2015 to 2016 for the control group in each model. While these results are not statistically significant at p<0.10 for model (1), they suggest a decrease of financial performance. For models (2) and (3), a significant (p<0.01 and p<0.05 respectively) increase of both scientific and educational performance over the years from 2015 to 2016 for the control group can be reported.

The coefficient of the interaction term 𝛽3, or difference in difference estimator, estimates the difference of the differences between and within the control and the treatment group over time. It shows the expected average difference in performance between the two groups from 2015 to 2016. If there is a change, this indicates an effective treatment without evaluating its success or failure. For each performance indicator, the variable 𝛽3 is the main coefficient for this, meaning it is implicitly capturing the effect of the GDPR implementation on the respective performance of the HEIs. This is calculated by subtracting the average change in performance from the control group between 2015 and 2016 from the average change in performance from the treatment group between 2015 and 2016.

In order to find the actual explicit effect of the treatment on the dependent variables (our three measures of performance) within the treatment group, the coefficients of treatment, 𝛽₁, and of the interaction term, 𝛽₃, need to be added. For each performance indicator this sum is estimating the mean performance for EU HEIs in 2016 (post-treatment) compared to non-EU HEIs. The results of this can be found in Table 2.

Table 2 Average difference of treatment group post-treatment, per model

Model (unit of measurement) Variable (Coefficient) (1) Financial (in million €) (2) Scientific (graduates) (3) Educational (graduates) Treatment -2.78 -24.03 -1470.98*** Treatment x Time 0.83 -0.81 -117.49*

(33)

Average difference EU post-treatment -1.96 -24.84 -1,588.47 Notes: * p<0.10, **p<0.05, ***p<0.01.

For model (1), the difference in difference estimator 𝛽₃ shows that financial performance of EU HEIs has increased in the post-treatment period. The difference between revenue and expenses for EU HEIs has increased by an average of 0.83 million € from a difference to non-EU HEIs of -2,78 million € to -1,96 million €.

The difference-in-difference estimator for the scientific performance model (2) shows a negative result at -0.81, which indicates that EU HEIs in 2016 have – on average – 24.84 graduates less compared to the control group and compared to the EU HEI’s in 2015.

As with scientific performance, the difference-in-difference estimator for educational performance turns out to be negative for the sample data. The output for the third model also suggests that EU HEIs in 2016 have almost 1,600 graduates less than before and without the treatment. The coefficients for model (3) are all significant at p<0.10.

The results suggest that after the implementation of the GDPR the observed performance of EU HEIs has changed. However, for models (1) and (2), the confidence interval tells us that we cannot be sure that these changes are in response to the GDPR at a reasonable confidence level. Model (3), however, is statistically significant which suggests a negative effect of the treatment on the educational performance of Higher Education Institutes in the EU.

For all three sub-hypotheses we will reject the 0-hypothesis based on the sample data. Interestingly, the financial performance indicator suggests that we should reject the first alternative hypothesis based on the sample data. While they are not statistically significant, the findings propose that GDPR implementation has a positive effect on the financial performance of the Higher Education Institutes. This correlates with our alternative hypothesis H2a and not as expected H1a, which would have suggested a negative relationship. As outlined in the context and literature review, a severe financial strain on the HEIs due to implementation costs was expected. Reasons for this might be changes made in accounting structures to free more budget after realizing the immediate need for more financial power. Another reason could be the methodological model and within this the choice of treatment period. As the regulation was only enforced mid-2018, the HEIs might have only implemented the changes on a financial level in the year 2017 and 2018. These periods were not examined in this analysis.

(34)

The estimators on educational performance and scientific performance, however, both suggest a negative relationship of the treatment group with the treatment. This is in line with our hypotheses H1b and H1c, which we therefore do not reject. The results do indicate that graduate numbers for both the educational, ISCED5-7, and the scientific, ISCED8, student categories went down after the treatment was administered. The implementation of the GDPR could be a factor for this development. However, keeping the statistical significance in mind, we cannot make a final decision on the hypotheses for model (2). The results for model (3) let us retain the hypothesis H1c, namely that implementation of GDPR has a negative effect on the educational performance of EHIs.

The findings of this study brought up mixed results regarding different categories of HEI performance. It was unexpected to see a positive change of financial performance in the treatment group over the two time periods compared to the control group. However, the indicators of educational and scientific performance have behaved as expected, albeit that the significance levels of these results were only partly satisfactory.