Isomorphism and organizational culture: how hospitals adapt to the General Data Protection Regulation
Academic year: 2021


Master’s thesis

MSc BA - Organizational & Management Control
University of Groningen, Faculty of Economics and Business

Thesis supervisor: Dr. E.G. van de Mortel

Trijntje Jannie (Reina) Kooistra
Student number: S3272389

Abstract

On 25 May 2018, the European Union implemented the General Data Protection Regulation (GDPR). The systems and processes of hospitals in particular are affected by the new regulation, because hospitals process the most sensitive data in our society. However, research on how hospitals adapt to such institutional change is limited. By combining theories of institutional isomorphism and organizational culture, this thesis gives a clear description of how hospitals adapt to the GDPR and whether or not they adopt similar policies. Using thirteen interviews with employees of Dutch hospitals, I find that coercive, mimetic and normative isomorphic pressures are present in the institutional field of hospitals. I also find that organizational culture plays a decisive role in the adaptation to the GDPR where the formal institution does not provide sufficient guidance.


1. INTRODUCTION

One of the most important changes in data protection has been the General Data Protection Regulation (GDPR), which was implemented on 25 May 2018 (John, 2018; GDPR, 2016). Albrecht (2016) even calls this change, from the 1995 Data Protection Directive to the GDPR, revolutionary. The aim of the GDPR is to harmonize data protection laws across the European Union (EU), ensuring a free flow of data, and to strengthen the protection of personal data, particularly when processing sensitive personal data, in order to maintain individuals’ privacy. One only needs to look at recent scandals in the press to understand how crucial the protection of data has become. Most recently, the Dutch hospital Erasmus MC came under fire for failing to protect sensitive data: when mailing a newsletter, the hospital leaked the e-mail addresses of HIV-infected children (RTL Nieuws, 2018), with huge consequences for both the hospital and the individuals involved. Of course, holding data has the potential to create significant value by improving outcomes while lowering costs (Roski et al., 2014). However, insufficient protection can cause big scandals, which increase costs and harm the reputation of both the organization and the individuals involved. Therefore, the EU adopted the GDPR in 2016, and it came into force on 25 May 2018.

Hospitals in particular perceive many consequences of the regulation, since they process highly sensitive data that must be protected. This institutional change has six implications that require major changes in their data protection systems and processes. First, awareness has to be created among employees. Second, there is an obligation to fulfil the new right to data portability. Third, hospitals have to maintain a record of processing activities. Fourth, they have to perform data protection impact assessments. Fifth, a data protection officer (DPO) needs to be appointed. And sixth, hospitals have to comply with the stricter requirements for data breaches. Demonstrating compliance with these rules to the data protection authority is mandatory. Hospitals cannot afford to ignore these six changes, because they hold the most sensitive information in our society (Hordern, 2016) and the fines for insufficient protection are high (John, 2018; GDPR, 2016).

EU government to influence its policy. DiMaggio & Powell (1983) find that coercive isomorphism emerges from such formal pressure. Coercive pressure may cause hospitals to form similar policies concerning data protection. Hospitals can also adapt to institutional change through mimetic isomorphism or normative isomorphism. Isomorphism is an acknowledged theory of institutional change within organizations and tries to explain how organizations adapt to institutional change similarly through coercive, mimetic and normative forces (DiMaggio & Powell, 1983).

However, if a formal institution like the EU government does not provide sufficient guidance to adequately develop processes, institutional change will also be shaped by informal institutions such as organizational culture (North, 1990). Indeed, because of the ambiguity of the GDPR, the EU permits every organization to adjust to the GDPR in a way that suits that organization. This ambiguity leaves room for organizations’ own interpretation (Jackson, 2018; Keller, 2017), which gives them the freedom to interpret the law in a way that fits their organizational culture. Large hospitals may have a hierarchical culture (De Jonge, 2018; Shortell et al., 1995) and smaller hospitals a clan culture (Jacobs et al., 2013). Entrepreneurial and rational cultures may also be present in the field of hospitals, but according to the academic literature they are not related to size. Organizational culture may explain, among other things, why some organizations respond to institutional change slowly, while others are able to respond to external pressures quickly. An organization with a hierarchical culture focuses on the internal organization and has problems adapting to external pressures (Jacobs et al., 2013; Shortell et al., 1995). The clan culture emphasizes flexibility, thus enabling change (Quinn & Rohrbaugh, 1983). Hospitals with a rational or entrepreneurial culture adapt to change primarily to be competitive and innovative. These different attitudes towards change can cause hospitals to adapt to institutional change in dissimilar ways.


“Do isomorphic pressures and organizational culture influence the adaptation process of the General Data Protection Regulation, and how?”

With the help of the following sub-questions, the main research question will be answered:

1. “What is the GDPR and what does it mean for hospitals?”

2. “What are the isomorphic pressures on hospitals when adapting to the General Data Protection Regulation?”

3. “How is the size of a hospital related to its organizational culture and will differences in the culture of hospitals lead to different ways of adapting to the GDPR?”

This study contributes to the academic literature in three ways. First, this paper contributes to institutional theory, because it explains clearly how a specific institutional change is adopted by hospitals. Second, no research has yet related isomorphism to the adaptation to the recent GDPR. Previously, researchers related isomorphism to the importance of IT systems for protecting health data (Appari et al., 2009; Currie, 2012; Sherer et al., 2016). Third, most studies using the Competing Values Framework (CVF) in healthcare settings concern concepts other than the adaptation to the GDPR. They study the relationship between the organizational culture of hospitals and performance (Acar & Acar, 2012; Jacobs et al., 2013), the implementation of total quality management (Mosadegh Rad, 2006; Shortell et al., 1995; Wagner et al., 2014), change in general (Carlström & Ekman, 2012) or how healthcare organizations respond to disruptions in the supply chain (Mandal, 2017). No research has yet shown how organizational culture may cause hospitals to adapt to institutional change differently. In addition, the combined influence of isomorphism and organizational culture on the adaptation to an institutional change has not been researched before.

of the GDPR. As such, hospitals can compare their own practices with those of the hospitals in this research.


2. CONTEXT DESCRIPTION

The focus of this paper is on how the institutional change concerning the General Data Protection Regulation (GDPR) is adopted by hospitals. This chapter explains which parts of the regulation cause changes for hospitals, by answering the following sub-question: “What is the new General Data Protection Regulation and what does it mean for hospitals?”. Relevant information about Dutch hospitals, the GDPR and the effect of the GDPR on Dutch hospitals is outlined below.

2.1 Dutch hospitals

Long ago, churches were in charge of hospitals, the so-called guest houses. Nowadays, Dutch hospitals are part of the semi-public sector and are owned by foundations and sometimes (partially) by private investors. In 2006, the first Dutch hospital (Slotervaart) was privatized because of financial distress and conflicts of interest. The Dutch IJsselmeer hospitals have also been taken over by the private investor MC Group. Currently, both hospitals are bankrupt and the IJsselmeer hospitals are attempting a fresh start (Weeda, 2018). The privatization of the Dutch hospital sector also has consequences for the protection of data. The possibility of (partial) private ownership in the Netherlands comes with great dangers in the area of privacy and security: data will be stored everywhere and nowhere (Tuin, 2018). The size of hospitals also makes it harder to protect data sufficiently; the larger the hospital, the more data there is to protect. The following table gives an overview of the number of University Medical Centers (UMCs), general hospitals, specialized hospitals and rehabilitation institutions in the Netherlands, arranged from the largest to the smallest.

Type of hospital                    Size             Number
Total number of hospitals                            134
University Medical Centers (UMCs)   > 600 beds       8
General hospitals                                    83
                                    > 600 beds       24
                                    400 - 600 beds   21
                                    300 - 400 beds   22
                                    < 300 beds       16
Specialized hospitals                                23
Rehabilitation institutions                          20

Table 1: Number of Dutch hospitals by type and size

The vast majority of the rehabilitation centers are united in the Dutch hospital association NVZ (Dutch Hospital Data, 2016). However, those do not belong to the scope of this research, nor do the specialized hospitals. This research focuses on the University Medical Centers and general hospitals, because these hospitals have several departments, which need to be managed in their entirety. Moreover, University Medical Centers and general hospitals are typically larger and therefore have more data to protect than specialized hospitals and rehabilitation centers. It is interesting to see how these hospitals implement a change throughout the organization.

2.2. Privacy and data protection

Over the years the words privacy and data protection have been used interchangeably with many discussions as a result. The Right of Privacy is a fundamental right and it is enshrined in the Constitution (Article 10 Privacy, 2015). It states that everyone has the right to be left alone in their own environment or private life. The private sphere includes, among others, the home, communication via telephone, the right not to be spied on or have your phones tapped and the right to careful treatment of personal information.

The Medical Treatment Agreement Act describes the rights of patients when they are under treatment (Article 446 WGBO, 1994). A Treatment Agreement automatically arises, when a citizen requires care and the doctor treats that person. The legal obligation of confidentiality is incorporated in this law. Doctors are obligated to keep the medical data of patients secret. Because every doctor in a hospital has this obligation, hospitals are allowed to process sensitive personal data.

An example of privacy protection is that it is not allowed to spy on someone in their house or to put cameras in a bathroom. A line at the desk is an example of privacy protection within hospitals (interviewee A, 2018¹). When it concerns the protection of data, hospitals take technical and organizational measures, such as locking the screen when leaving the workplace and granting as little access to patient files as possible (interviewee A, 2018). The right to protection of personal data can be seen as a part of privacy; data protection comprises a set of activities that protect the privacy of individuals. To narrow the scope of this research, only the

¹ Exploratory interview with the DPO of a University Medical Center conducted on 20 September 2018. At a

changing institutions regarding data protection are discussed. Moreover, the EU uses the term “data protection” consistently, whereas “privacy” and “privacy protection” are not used in the GDPR legislation.

2.3 Changing institutions for hospitals; GDPR

The GDPR came into force on 25 May 2018 and replaced the former Personal Data Protection Act (Laybats & Davies, 2018; GDPR, 2016). Adjusting processes to achieve compliance with the GDPR takes six to nine months (Laybats & Davies, 2018). The differences lie in the complexity and extent of the new regulation. As noted earlier, personal medical data is very sensitive. The GDPR places this group of data in a special category, namely sensitive personal data such as data concerning health², genetic data³ and biometric data⁴ (Article 4 GDPR, 2016). The GDPR singles out these types of data because they are subject to greater protection than other personal data. According to Article 9 (GDPR, 2016), the starting point of the GDPR is that no one is allowed to process sensitive personal data unless one of the exceptions of Article 9(2) applies, for example the explicit consent of the individual, the protection of vital interests, a substantial public interest, or the provision of health care.

As previously mentioned, care providers have the legal obligation of confidentiality and have therewith the permission to process the data. In this sense, nothing really changes for hospitals. However, the 2018 reform of EU data protection involves implications, which require a change in the work processes of hospitals in order to become legitimate. The Dutch data protection authority has provided a roadmap for organizations with ten requirements (In 10 stappen voorbereid op de AVG, 2018/ In 10 steps prepared for the GDPR, 2018). Those requirements are outlined below.

² Data concerning health: personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about his or her health status.

³ Genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.

First, organizations need to create awareness among employees by explaining and promoting the new data protection rules. As a result, employees should consider the impact of the GDPR on the current processes and which changes are needed to comply with the GDPR.

Second, individuals are given more and stronger rights. Hospitals have to ensure that patients can exercise their rights. Many of those rights already existed for hospitals, because they were laid down in the Medical Treatment Agreement Act of 1994 (WGBO, 1994). A completely new right, for which hospitals need to change their processes drastically, is the right to data portability (Article 20 GDPR, 2016). Patients can invoke the right to data portability when they want their data to be transferred to another provider (Miglicco, 2018). Compliance with this right serves one of the main aims of the GDPR: the free flow of data within the EU.

Third, hospitals need to demonstrate their compliance with the GDPR by means of a record of processing activities (Article 30 GDPR, 2016). Broadly speaking, it shows the purpose of the processing, where and for how long the data is stored, and how the organization transfers the data. The record not only offers the hospital an overview of and insight into all its data processing, but also serves the audits that hospitals can expect from the data protection authority.

Fourth, a data protection impact assessment has to be performed to evaluate the risks of the particular processing of personal data (Article 35 GDPR, 2016). The assessment should map the impact on the privacy of citizens.

Fifth, hospitals should comply with the principles of privacy by design and privacy by default. Privacy by design means that organizations have to protect their data when designing their products and services. It also means that organizations do not process more data than necessary and that data is not kept longer than necessary. Privacy by default means that organizations have to ensure that only data that is necessary for the specific aim of the organization is processed.

advice on when data protection impact assessments need to be done, gives information when needed, is the contact person for the data protection authority and raises awareness of and provides training in data protection (Article 39 GDPR, 2016). The DPO must be able to report directly to senior management (Article 38 GDPR, 2016). In practice, however, the position of the DPO differs per hospital (interviewee A, 2018).

Seventh, personal data breaches must be reported to the data protection authority within 72 hours of the organization becoming aware of them (Article 33 GDPR, 2016). Organizations must document all their data breaches, so that the data protection authority can verify that the reporting obligation has been met. When a breach is likely to result in a high risk to the rights and freedoms (privacy) of individuals, the affected individuals must be informed without undue delay (Article 34 GDPR, 2016). Breaches can be separated into technical and organizational breaches. Hacking, viruses and password attacks are technical breaches. Organizational breaches include human error, such as loss or theft of paperwork, data being e-mailed to the wrong person, and data being posted or faxed to an incorrect person (MLP Law, n.d.). They can happen to every employee at every layer of the organization. Systems, portals and files containing medical data have to be adequately secured to minimize the risk of a data breach.

Eighth, hospitals should have data processing agreements with organizations that process their data or organizations that supply data processing systems.

Ninth, hospitals that have establishments in several other EU member states only have to demonstrate compliance to one lead data protection authority.

Tenth, the GDPR makes far greater demands when it concerns the consent of individuals. Patients should have the possibility to monitor and control their own personally identifiable information (Laybats & Davies, 2018; Miglicco, 2018). Hospitals must be able to demonstrate that they have received explicit consent from patients to process their personal data. It has to be as easy for patients to withdraw consent as it is to give it.

The first four requirements and the sixth and seventh entail the greatest changes in the data protection systems and processes of hospitals. Therefore, only those six changes belong to the scope of this research. Table 2 provides an overview of the ten requirements and indicates which of them belong to the scope of the research.

No.  GDPR requirement                              Description                                                                              Scope
1    Creation of awareness                         Promote the GDPR among employees                                                         x
2    Right to data portability                     Ensure a free flow of data within the EU                                                 x
3    Record of processing activities               Provide an overview and insight into all data processes                                  x
4    Data protection impact assessment             Evaluate risks of each data processing                                                   x
5    Privacy by design and privacy by default      Show that the processing of data of an individual is necessary
6    Data Protection Officer                       Appoint a DPO if you process data on a large scale                                       x
7    Reporting data breaches                       Document and report every data breach                                                    x
8    Data processing agreements                    Set up agreements with organizations that process their data or supply data systems
9    Compliance to one data protection authority   Show compliance to one authority when you have subsidiaries in other member states
10   Monitor and control own data                  Give individuals the possibility to monitor and control their own data

Table 2: Overview of GDPR requirements

2.3.1 Ambiguity of the GDPR

introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health” (Article 9(4) GDPR, 2016). The ambiguity leaves room for organizations’ own ideas (interviewee A, 2018; Keller, 2017) to influence policy making regarding data protection. Therefore, the GDPR can be seen as vague legislation (Miglicco, 2018). It gives the freedom to interpret the law in a way that is suitable for the organization. Within this freedom, “hospitals can imitate what other organizations do or make the systems fit their organizational structure and culture” (interviewee A, 2018).


3. LITERATURE REVIEW

The literature review encompasses both isomorphism and organizational culture on which I base the theoretical framework. Whereas isomorphism causes hospitals to change in similar ways, the organizational culture can be used to fill the freedom within the GDPR and causes hospitals to change in dissimilar ways. This chapter studies both subjects and tries to answer the theoretical part of sub-question two and sub-question three.

3.1 Institutional theory

It is relevant to examine what has been said about institutional theory and institutional change, because the institutional environment of hospitals has changed as a consequence of the new regulation. As Scott (1987) noted, “the beginning of wisdom in approaching institutional theory is to recognize at the outset that there is not one but several variants” (p. 493). The major streams of institutional theory are Old Institutional Economics, New Institutional Economics and New Institutional Sociology (Burns & Scapens, 2000), which do not have much in common. I added North’s (1990) ideas on formal and informal institutions, because he was an influential economic historian in the field of institutional change, whose work was awarded the Nobel Memorial Prize in Economic Sciences in 1993 (Levinovitz & Ringertz, 2001). In every stream, the term “institution” means something different. Therefore, I approach them separately and examine whether they can explain institutional changes in hospitals.

3.1.1 Old Institutional Economics

3.1.2 Formal and informal institutions

North can be placed close to the Old Institutional Economists, because he recognizes that individuals are influenced by social pressures (Hodgson, 2007). North (1990) defines institutions as “the humanly devised constraints that shape human interaction” (p. 3) and differentiates between formal and informal institutions. Formal institutions (legislation and regulation) are only a small part of the constraints that shape choices. It is the informal institutions, which arise through culture, that guide choices when formal institutions do not provide sufficient guidance. Culture provides a framework for interpreting information. It is the “transmission from one generation to the next, via teaching and imitation, of knowledge, values, and other factors that influence behavior” (North, 1990, p. 37) and plays a role in the development of institutions. A common culture can reduce differences between individuals, or can affect their goals and beliefs (North, 1990). Formal (written) rules and informal constraints like culture together shape the process of institutional change. The embeddedness of informal institutions causes organizations to change incrementally, rather than overnight as is the case for political interventions (North, 1990).

3.1.3 New Institutional Economics

New Institutional Economics is mainly driven by Transaction Cost Economics (Burns & Scapens, 2000; Walker, 1998). Organizations behave in certain ways in order to obtain the highest utility, irrespective of all other organizations. With regard to organizational change, efficiency is the main motivation. It is assumed that everyone is economically rational (Walker, 1998; Roberts & Greenwood, 1997). Moreover, it assumes no uncertainty, perfect competition and that “institutional influences play no part in determining which organizational designs are adopted” (Roberts & Greenwood, 1997, p. 353). The more sociological concept of institutionalization is not captured by this theory, but rather by New Institutional Sociology. The belief that the external environment has no contradictory expectations is also challenged by New Institutional Sociology.

3.1.4 New Institutional Sociology

rationality) (North, 1990). The demands of these institutions pressure organizations to organize their activities in a specific way. Organizations conform to the pressures in order to become legitimate, which decreases the diversity within the institutional field. They compete for institutional legitimacy by showing that they are improving their working conditions. Gaining social legitimacy leads to isomorphism, which is a useful phenomenon for understanding and explaining institutional change (DiMaggio & Powell, 1983). It suggests that organizations in an institutional field adapt to change homogeneously, because they receive the same pressure from stakeholders as every other organization within that field.

institutional change, which is, within institutional theory, a useful phenomenon to show how Dutch hospitals change in similar ways. More on this can be found in section 3.2.

However, hospitals are given the freedom to change, as long as they stay within the boundaries indicated by the EU government. In this paper, those boundaries can be seen as formal institutions or coercive isomorphic pressure received from the EU government. Informal institutions, which arise through culture, guide choices if formal institutions do not provide enough guidance (North, 1990). Organizational culture may cause hospitals to adapt to institutional change in dissimilar ways. The role organizational culture plays in the adaptation to an institutional change is discussed in section 3.3.

3.2 Isomorphism

In general, more institutional theorists explain uniformity (isomorphism) than diversity (DiMaggio & Powell, 1983). Isomorphism explains how organizations incorporate change and how this causes organizations within an institutional field to implement similar policies. Similarity makes it easier for organizations, for example, to negotiate with other organizations, to attract staff, to be seen as legitimate and to receive public and private grants (DiMaggio & Powell, 1983). DiMaggio & Powell (1983) differentiate between three mechanisms through which institutional isomorphic change occurs to improve legitimacy: coercive, mimetic and normative isomorphism.

Powell, 1983). Second, the existence of professional and branch organizations ensures that individuals of a certain profession interact. As such, certain ideas and helpful hints are spread, stimulating change.

Coercive, mimetic and normative isomorphism are often used to explain the adoption of competitive IT systems such as e-commerce (Gibbs & Kraemer, 2004), e-business (Jeyaraj et al., 2004) and ERP systems (Liang et al., 2007). Organizations experience a growing dependence on IT systems, which brings data protection and privacy risks. Several researchers have related isomorphism to the importance of IT systems for protecting health data (Appari et al., 2009; Currie, 2012; Sherer et al., 2016).

3.2.1 Coercive isomorphism and healthcare

In the United States, hospitals received coercive pressure from government when the Health Insurance Portability and Accountability Act (HIPAA) was implemented (Appari et al., 2009). Some states exerted additional regulatory pressure regarding privacy, which increased the tendency of hospitals in those states to become HIPAA compliant. Currie (2012) studied how isomorphism could explain the adoption of electronic health records in the United Kingdom. The electronic health record was meant to encourage uniformity among hospitals and to improve IT know-how across healthcare organizations. However, the opposite result was achieved, because hospitals received coercive pressure from more than one organization on which they depended to implement an electronic health record. Hospitals also had to meet other government targets, and the local hospitals did not have the same budget as the large teaching hospitals (Currie, 2012).

3.2.2 Mimetic isomorphism and healthcare

If the imposed requirements are not clear, hospitals may face uncertainty and tend to mimic hospitals that have already found a solution or that have incorporated successful data protection practices. In the case of the imposed electronic health record in the United Kingdom, such a “best practice” was not present. Hospitals were trying to find a practical solution or a role model, but none was available (Currie, 2012). Thus, organizations tend to mimic other organizations when they are in an uncertain position, for example when the benefits of a new system are uncertain (Sherer et al., 2016). Mimetic pressure to conform to the norm can also arise in situations where a higher proportion of hospitals are already fully compliant with new data protection requirements (Appari et al., 2009). When a best practice is available, organizations tend to mimic peers that are part of the same institutional and resource environment (Martin et al., 1998). In a similar vein, organizations imitate successful competitors (DiMaggio & Powell, 1983). D’Aunno et al. (2000) explain divergent change in rural hospitals in the United States by, among other things, mimicry, and suggest that hospitals mimic the models of their non-local but equivalent peers. Another study of United States hospitals proposes that small hospitals imitate large hospitals when it comes to the adoption of matrix management programs (Burns & Wholey, 1993).

Previous literature suggests that healthcare organizations mimic equivalent peers, larger hospitals or successful competitors when they face uncertainty. Dutch hospitals also face uncertainty because the GDPR lacks precision in a number of requirements. Therefore it is expected that Dutch hospitals mimic other hospitals, causing them to adopt similar policies.

Proposition 1: “Mimetic isomorphism is present in the institutional field of hospitals and causes them to change in a similar way”

3.2.3 Normative isomorphism and healthcare

degree seems to have a positive effect on the implementation of a new system in a hospital (Young et al., 2011). These managers are the early adopters and see the fit between the innovation and the needs of the organization. The early adopters are seen as influential by other hospitals. The late adopters react to signals from the network of the institutional field, consisting of, for example, suppliers or distributors (Young et al., 2011). A network can support adoption or can be helpful when implementing a new system. To illustrate, Appari et al. (2009) propose that hiring external consultants contributes to compliance with a new data protection system. A new data system benefits health information exchanges, because it can link systems within healthcare networks. As a result, more data is available to more parties, which reduces costs and improves quality (Sherer et al., 2016). However, it is important to mention that the coercive and normative forces may benefit patients and insurance companies more than the decision maker or adopter of the system. Hospitals may also be influenced by professional associations or branch organizations. Dutch hospitals are typically engaged in associations (Dutch Hospital Data, 2016). A common association is the NVZ⁵. Apart from the University Medical Centers, all hospitals in the Netherlands belong to that association. University Medical Centers are typically affiliated to the branch organization NFU⁶.

Previous literature suggests that hospitals are part of a network, from which they may perceive pressure to adapt to the GDPR similarly. Hospitals may, for example, have the same suppliers, hire consultants from the same company or be part of the same branch organization. Therefore it is expected that Dutch hospitals may be influenced by their network, causing them to adopt similar policies.

Proposition 2: “Normative isomorphism is present in the institutional field of hospitals and causes them to change in a similar way”

3.3 Organizational culture

As noted earlier, formal and informal constraints together shape the process of institutional change (North, 1990). Informal constraints are especially present when formal constraints do not provide sufficient guidance. The data protection regulations (formal constraints) are sometimes ambiguous and leave room for hospitals to set their own policies. Therefore, informal constraints may also shape the process of institutional change. Informal constraints arise through culture, which provides a framework for interpreting information (North, 1990). As such, if hospitals pursue different organizational cultures, information can be interpreted differently and hospitals may therefore react to change differently. In this section, the different organizational cultures and their responses to change are discussed.

⁵ NVZ = Nederlandse Vereniging van Ziekenhuizen / Dutch hospital association

⁶ NFU = Nederlandse Federatie van Universitair Medische Centra / Netherlands Federation of University

In the literature, several organizational culture frameworks exist. The most widely known is the four-dimension framework of Hofstede (1983), which evaluates culture by power distance, individualism/collectivism, masculinity/femininity and uncertainty avoidance. Schein (2010) developed three levels of culture, consisting of artefacts, espoused beliefs and values, and underlying assumptions. Liu (1999) described the culture of real-estate professionals in Hong Kong by using nine artefacts. Quinn & Rohrbaugh (1983) developed the Competitive Value Framework (CVF), which distinguishes four types of culture. All of these frameworks enable researchers to evaluate culture; however, the CVF is the most useful for this research. First, it distinguishes the four types of culture with clear boundaries and characteristics. Second, a related Organizational Culture Assessment Instrument has been developed in order to reveal the type of culture of an organization (Cameron et al., 2014). Third, the CVF enables comparison of culture across organizations. Moreover, the CVF is often used in healthcare settings (Acar & Acar, 2012; Carlström & Ekman, 2012; Jacobs et al., 2013; Mandal, 2017; Shortell et al., 1995; Wagner et al., 2014). The CVF is discussed extensively below in order to understand the possible relationship between organizational culture and the adaptation to the institutional change.


others differentiated by the two dimensions: the Clan Culture – ‘do things together’, the Entrepreneurial Culture – ‘do things first’, the Rational Culture – ‘do things fast’ and the Hierarchical Culture – ‘do things right’ (Jacobs et al., 2013). Importantly, hospitals often do not have one specific culture, but rather a tendency towards one of the described organizational cultures (Jacobs et al., 2013). An organization can be both stable and flexible (Quinn et al., 1983).

Table 3: The Competing Value Framework (Cameron et al., 2014; Jacobs et al., 2013)


is committed to rules and policies, which supports the quality of data (Jacobs et al., 2013). However, problems arise with adapting to external pressures.

3.3.1 Organizational culture in hospitals

Although no research has related the CVF to institutional theory, previous literature has related the CVF to other concepts in the healthcare sector. Shortell et al. (1995), for example, found clan culture to be positively related to the implementation of total quality management systems in United States hospitals. Flexibility, emphasis on teamwork and empowerment enable this positive response to change. Due to their flexibility, healthcare organizations with a clan culture do not suffer from disruption in the supply chain (Mandal, 2017). Clan culture decreases the resistance to change within an organization and therefore makes it easier for hospitals to accept new standards (Carlström & Ekman, 2012). Clan culture is related to a small number of beds (Jacobs et al., 2013; Shortell et al., 1995), which may be the reason that clan culture hospitals are flexible and adapt to change easily.

Entrepreneurial culture tends to be associated with high consultant and nurse salaries, which might imply that clinical teams are given more freedom and responsibilities. Management salaries also seem to be high in these hospitals, which is consistent with an emphasis on entrepreneurship and growth. Entrepreneurial culture aims for low waiting times and good ratings in order to keep patients satisfied (Jacobs et al., 2013). Entrepreneurial hospitals change in order to be innovative. Such risk-taking hospitals are also positively related to the implementation of total quality management systems (Mohammad Mosadeh Rad, 2006; Shortell et al., 1995).

Rational culture tends to be present in hospitals that have great financial and managerial autonomy (Jacobs et al., 2013). Management salaries are high, reflecting the competitive attitude. The expanded role of private investors in the hospital sector might increase competition, which favors the rational culture. Hospitals with a rational culture adapt to change primarily in order to stay ahead of other hospitals. Therefore, the focus is on providing services at optimal cost, and every possible effort is made to avoid disruption in the supply chain (Mandal, 2017).


which hinders change (Carlström & Ekman, 2012). Due to the maintenance of stability and control, healthcare organizations with a hierarchical culture have difficulties responding to disruptions in the supply chain (Mandal, 2017). Shortell et al. (1995) find that large hospitals have more difficulties implementing a quality system than small hospitals, because large hospitals are organized bureaucratically and have a hierarchical culture. In this regard, large hospitals face difficult challenges when adapting to a change. Moreover, Dutch STZ⁷ hospitals, which are typically large, mainly have a hierarchical culture, which is found to be a barrier to innovation (De Jonge, 2018). This evidence suggests that hospitals with hierarchical characteristics can have difficulties adapting to institutional change.

Although the main aim is to find evidence of the influence of organizational culture on the adaptation to change, previous literature often relates organizational culture to the size of hospitals. Clan culture seems to be present in small hospitals and hierarchical culture seems to be present in large hospitals. It is therefore expected that the size of a hospital is related to its organizational culture.

Proposition 3: “The size of the hospital influences organizational culture”

Proposition 3a: “Clan culture is dominant in small hospitals”

Proposition 3b: “Hierarchical culture is dominant in large hospitals”

Proposition 3c: “Entrepreneurial and rational culture are not present in hospitals based on size”

The literature suggests that organizational culture influences the way in which a change is adopted. Hospitals with a clan culture are characterized by flexibility and therefore adapt to change quickly. Those with an entrepreneurial culture think of the most innovative solutions and dare to take risks, because this leads them to success. Hospitals with a rational culture also adapt to change quickly, but for another reason: to stay ahead of competitors. Those with a hierarchical culture have to deal with difficult challenges when they face change and therefore typically change at a slower pace; for them, the only reason to change is formal rules and policies. Thus, each organizational culture deals with change differently. Therefore, the organizational culture may play a role in determining the new data protection policy.


Proposition 4: “The type of organizational culture influences the way in which the GDPR is adopted”

Proposition 4a: “Clan culture emphasizes flexibility and therefore adapts to change quickly”

Proposition 4b: “Hierarchical culture emphasizes stability and has therefore problems with adapting to change”

Proposition 4c: “If entrepreneurial and rational culture are present, it influences the way in which the GDPR is adopted”

3.5 Conceptual model

In this research the institutional change is the adaptation to the GDPR by hospitals, which is presented in the center of the conceptual model in figure one. The adaptation to the GDPR may be shaped by isomorphism and organizational culture.

On the one hand, mimetic and normative isomorphism may cause hospitals to change in similar ways. Hospitals tend to mimic other hospitals when they find themselves in an uncertain position, for example, when there is uncertainty about the benefits of a new system. Normative isomorphism may also be present in the institutional field of hospitals. Due to the expectation that mimetic and normative isomorphic forces are present in the institutional field of hospitals, hospitals are expected to change in similar ways.

On the other hand, organizational culture may cause hospitals to adapt to the GDPR in dissimilar ways. Previous literature often suggests that size influences the culture of a hospital. Clan culture seems to be present in small hospitals and hierarchical culture seems to be present in large hospitals. Moreover, there is a strong contrast between the influence that clan culture and hierarchical culture may have on the adaptation to change. Therefore, only clan culture and hierarchical culture are considered in the conceptual model.


4. METHODOLOGY

4.1 Type of research

The aim of this study is to answer the research question: “Do isomorphic pressures and organizational culture influence the adaptation process of the General Data Protection Regulation and how?”. Findings about the adaptation to the recent GDPR are scarce and therefore qualitative research is required. Qualitative research answers ‘how’ questions and allows processes to be described (Rynes & Gephart, 2004). This is the essence of this study, which investigates how hospitals adapt to institutional change and how this adaptation process is influenced. Qualitative research is therefore very useful for exploring topics that require further research and for building a theory around the adaptation to the institutional change.

4.1 Interview method

In-depth interviews are a frequently used qualitative method and allow an in-depth analysis of the adaptation to the GDPR by Dutch hospitals. Note that one of the principles of qualitative research is that there is no magic number of interviews (Pratt, 2009). Normally, the number of respondents is determined by the moment of saturation, the moment at which no new and relevant information emerges. However, due to time limits it is not possible to keep interviewing until the interviews repeat each other.

4.1.1 In-depth interviews

4.1.2 Interview questions

The questions of the semi-structured interviews are divided into three categories. The first part of the interview is concerned with institutional change. Hospitals have to go through six changes as a result of the GDPR. For each change, questions were asked about the time of adoption and how the change is implemented. The second category is related to isomorphism. The questions in this part aimed to discover mimetic and normative isomorphism. The third part contains questions about the organizational culture of the hospital and aimed to find evidence on the relationship between organizational culture and the institutional change. As noted earlier, the Organizational Culture Assessment Instrument (OCAI), related to the Competitive Value Framework, was developed in order to reveal the type of culture of an organization (Cameron et al., 2014). The instrument is based on six questions: Dominant Characteristics, Organizational Leadership, Management of Employees, Organizational Glue, Strategic Emphases and Criteria of Success. In a quantitative study, individuals would be asked to divide 100 points among the four alternatives per question, representing the four organizational cultures (Jacobs et al., 2012; Shortell et al., 1995; Wagner et al., 2014). However, this research is qualitative and therefore the questions were changed and adjusted to the institutional field of hospitals. Quantitative use of the OCAI questionnaire might not reveal all the aspects which would come to light in a qualitative interview (Moussa, 2007). In appendix A, the English and Dutch versions of the interview protocol can be found, divided into three parts. Each part is discussed separately in the results section. Because size may influence organizational culture, a comparison by size is made for the first part, institutional change, and the second part, isomorphism.

4.2 Data collection


4.2.1 Selecting the hospitals

Since the literature suggests that organizational culture influences the way in which a change is adopted and that size influences the organizational culture, I have selected hospitals of different sizes. The intention was to differentiate between hospitals with more than 600 beds and hospitals with fewer than 400 beds, based on the differentiation of Dutch Hospital Data (Dutch Hospital Data, 2016). By trying to select the largest and the smallest hospitals, the large category consists of hospitals with more than 1000 beds and the small category consists of hospitals with fewer than 300 beds. This increases the reliability of the sample. The time frame for this research is limited and it was therefore not possible to contact every large hospital and every small hospital in the Netherlands. Therefore, the aim was to interview twelve employees from six hospitals in total. Interviewing more than one employee from more than one organization makes the research more durable and provides convincing evidence (Herriott & Firestone, 1983). The total of six hospitals should ideally have included three large hospitals and three small hospitals, because it was assumed that these types of hospitals pursue different organizational cultures. Large hospitals were assumed to be characterized by a hierarchical culture, small hospitals by a clan culture. I succeeded in interviewing employees from three large and three small hospitals. Due to time constraints, and because I did not expect any differences in organizational culture based on the location of the hospitals, I approached the largest and smallest hospitals that are close to my hometown. If a hospital was not willing to participate, a replacement hospital was sought within the same group.

4.2.2 Selecting respondents


not ask the manager questions about the institutional change. I emphasized the first and second part during the interviews with the DPO and emphasized the second and third part during the interviews with the primary process manager (hereafter: department manager). As such, the answers complemented each other well.

The aim was to conduct one-to-one interviews with one DPO and one department manager of each hospital. For one large hospital it was not possible to interview a department manager. Two interviews turned into one-to-two interviews. First, the DPO of a small hospital had not been employed long enough to give all the necessary information and therefore the security officer of the hospital was also present during the interview. Second, the department manager of a large hospital proposed to interview the quality manager as well, because the quality manager has much knowledge about the GDPR. The number and positions of interviewees are described in table four, as well as the size of the hospital. Hospitals are numbered 1, 2, 3, etc., because they have to stay anonymous. Note that the exploratory interview with the DPO of a large hospital, conducted on 20 September 2018, is not included in the table. That DPO was interviewed in order to explore the concepts of data protection and institutional pressures. The interview enabled the concept of institutional change to be related to organizational culture. At a later stage of the research, the same DPO was interviewed again. This interview is described in the table as interview A. Although the aim of the first interview with the DPO was exploratory, the content of that interview is also used for the results designated as interview A.

Table 4: Number and positions of interviewees

| Hospital | Hospital type | Interview | Position interviewee | Date | Time |
|---|---|---|---|---|---|
| 1 | Large (# beds: 1,339) | A | DPO | 12-11-2018 | 9:00 – 10:00 |
| 1 | Large (# beds: 1,339) | B | Department manager | 26-11-2018 | 10:00 – 11:00 |
| 1 | Large (# beds: 1,339) | C | Quality manager | 26-11-2018 | 10:00 – 11:00 |
| 2 | Large (# beds: 1,103) | D | DPO | 13-11-2018 | 11:30 – 12:30 |
| 2 | Large (# beds: 1,103) | E | Department manager | 13-11-2018 | 11:00 – 11:30 |
| 3 | Large (# beds: 1,042) | F | DPO | 12-12-2018 | 13:00 – 14:30 |
| 4 | Small (# beds: 277) | G | DPO | 16-11-2018 | 10:00 – 11:30 |
| 4 | Small (# beds: 277) | H | Information Security Officer | 16-11-2018 | 10:00 – 11:30 |
| 4 | Small (# beds: 277) | I | Department manager | 16-11-2018 | 14:00 – 15:00 |
| 5 | Small (# beds: 251) | J | DPO | 23-11-2018 | 10:00 – 12:00 |
| 5 | Small (# beds: 251) | K | Department manager | 23-11-2018 | 12:30 – 13:30 |
| 6 | Small (# beds: 300) | L | DPO | 29-11-2018 | 13:00 – 14:30 |
| 6 | Small (# beds: 300) | M | Department manager | 29-11-2018 | 11:30 – 12:00 |


5. RESULTS

As described in the previous chapter, the interviews are divided into three categories. First, questions about the GDPR were asked. Second, isomorphism was discussed and in the third part, the organizational culture was the subject of the interview.

5.1 GDPR

Six institutional changes of the GDPR are within the scope of this research. In this section, an overview is given of how hospitals have implemented the institutional changes. For each requirement of the GDPR, six DPOs and one security officer were asked, among other things, what has been changed in order to comply with that specific requirement. The DPO and the security officer of the small hospital work closely together and jointly decide how to implement a change. This is why I consider their opinion as one in this section. Five out of six department managers, two of large hospitals and three of small hospitals, were asked one general question about the GDPR: “What did you change to comply with the GDPR?”. A summary of the results is presented in table five.

5.1.1 Creation of awareness

One of the requirements of the GDPR is to make employees aware of the new regulation. Interviewees were asked one question: “How do you comply with this requirement?”. As can be gleaned from the answers, considerably less attention was paid to creating awareness of data protection before the GDPR was adopted by the EU. Currently, as can be seen in table five, all hospitals promote the GDPR during the introduction for new personnel and give presentations about it during meetings. For one small hospital, those are the only techniques by which they promote the GDPR.


afraid of what is still allowed and what is not when it concerns the GDPR. The DPO of another large hospital has experienced the same commotion among personnel: “I have given several presentations where I met resistance and I could reassure the personnel with “you are still allowed to do things with personal data” [...] I am especially reassuring.” (interviewee A). In total, three DPOs have found reassurance to be part of creating awareness.

Five hospitals state that attention has to be continuously drawn to the GDPR. Awareness of GDPR visibly dwindles when you do not draw attention to it. Three hospitals create awareness for the GDPR via the staff newspaper and via the intranet. However, one DPO clearly states that techniques like these do not work: “Care staff in particular do not read it, they are busy with care. Office staff deals with it differently. They sit down, take a cup of coffee and take their time to read it. That is not possible in care. I have to look at it rather differently. And that is, tell, tell, tell. Inviting yourself to department meetings and talk. Very simple.” (interviewee L). A DPO of a large hospital also comments on this issue: “All you have to do is communicate.” (interviewee D).

One hospital implemented something really different to raise awareness among employees. The DPO was given the task of adopting a privacy structure throughout the eighteen divisions. For each division, an employee stimulating privacy is hired: “Someone who purely looks after privacy and security. […] They are my eyes and ears, but they also do the talks at their departments to increase awareness [...]. We are really unique in this. We stole it from banks.” (interviewee M).


to all colleagues. For the prank, with absolute nonsense. You can tell and inform employees, but that lacks impact.” (interviewee I).

5.1.2 Right to data portability

A completely new right is the right to data portability, the purpose of which is to ensure a free flow of data within the EU. Interviewees were asked two questions: “Was it already there?” and “How do you comply with this requirement?”. For five hospitals, the right to data portability is new and they do not have it under control yet. Currently, five hospitals offer an interim solution: printing dossiers on paper or copying them to USB sticks. Another option for patients is to download their data themselves from the online care portal. Five hospitals have a care portal and one small hospital is working on it, but it is still not possible to access this data at another hospital. Two small hospitals signed up for the VIPP⁸ project, developed by the hospital association NVZ⁹. The aim of the project is to speed up information exchange between patients and professionals. It supports hospitals financially when they meet certain deadlines.

Another technique to exchange data is the GERRIT system. A DPO of a small hospital explains how the system works: “If a former patient of ours checks in at another hospital, the patient can give permission that we make those data available for that hospital. So, we push a button “patient has given permission” and then the other hospital has the permission. That data portability is going well. [...] But that is not for complete databases, it is only for images.” (interviewee L).

An Electronic Patient Database (EPD) can supply whole databases to other hospitals with the same EPD. Dutch hospitals, however, use three different types of EPD, which makes exchanging information smoothly difficult. A DPO of a small hospital wishes to have the same situation as in America: “In America everyone has the EPD Epic. That is a standard content, the exchange goes really well over there.” (interviewee J). The three suppliers of EPD systems are ChipSoft (HiX), Epic and Nexus. ChipSoft and Epic are the most common ones in the Netherlands. Both systems have their own pros and cons. A DPO of a small hospital explains why they have chosen HiX: “Epic was a few million more expensive [...] You also have to look at the finances, so Epic drops out automatically.” (interviewee L). Whereas Epic is static and rigid, HiX is a much smoother system and not standardized. All in all, the biggest problem is the fact that the different EPD systems do not work together smoothly.

⁸ VIPP = Versnellingsprogramma Informatie-uitwisseling Patiënt en Professional / Acceleration programme for information exchange between patient and professional

5.1.3 Record of processing activities

Every hospital should maintain a record of processing activities. Interviewees were asked two questions concerning this subject: “Was it already there?” and “How do you comply with this requirement?”. As can be seen in table five, four hospitals did not maintain a record of processing activities before the GDPR came into force. The DPO of the hospital that maintained the record before the GDPR explains why they already did so: “It has always been mandatory by the data protection authority to register which processing activities you had [...]. But the register under the GDPR is much more comprehensive.” (interviewee L). A DPO of a large hospital adds: “Now everything has to be centralized. We had to make one record from all small records. We did it from an IT perspective, but it should be boosted to a higher level. But for now, this is the most practical solution.” (interviewee F). As shown in table five, two DPOs of small hospitals also keep the record as simple as possible.

Five DPOs use Excel to maintain the record (one DPO was not asked about the tool), but they are not yet satisfied. A DPO of a large hospital explains: “We have an overview now, but that is very static. That is not what you want. It is not totally filled out by the way. It is there, but filling it out is the next step.” (interviewee D). All five DPOs are looking for a more holistic approach and a better system to keep their record of processing activities up to date.

5.1.4 Data protection impact assessment (DPIA)


really have to do a DPIA for every system we have? […] I do not think the risk is that high for the patient. [...] We use the comply or explain principle. We are not going to do the NOREA PIA, but we do explain why we do not do it. That is not yet done properly, we still have to do something with it.” (interviewee H). The DPO of the other small hospital conducted a DPIA twice in the last two years, because he already knew what the assessment would conclude: “Be careful, there are sensitive personal data in the system, so take appropriate measures to protect the data.” (interviewee J). In large hospitals, DPIAs come up around three times a week.

5.1.5 Data Protection Officer (DPO)

On 25 May 2018, organizations that process sensitive data on a large scale should have hired a DPO. Interviewees were asked two questions: “When is the DPO hired?” and “Where is the DPO seated?”. The background and the type of function (full-time or dual) were also taken into account. Answers to the question “When is the DPO hired?” varied between three years ago and September last year. A DPO of a large hospital was hired three years ago. The current DPOs of the other two large hospitals were both hired in time, but the former DPOs had already been in house for several years. Exact starting dates of the current DPOs are presented in table five. One small hospital hired the current DPO officially on 1 April 2018: “The GDPR popped up and I wanted to pick it up. I do not like holding the same positions for years. So, I did the training: Certified Data Protection Officer. Very nice, I have been working on it since the beginning of the GDPR.” (interviewee L). The other two small hospitals hired the current DPO later than 25 May. At that time, the formal position of the DPO was held by a member of the board of directors in both hospitals. The security officer of the small hospital explains this by saying: “We waited to inform the data protection authority until we had to. [...] Thereafter we had two other chairmen of the board of directors, whom we both registered at the data protection authority. And since September, we have registered our current DPO officially.” (interviewee H). The other small hospital informed the data protection authority around 25 May that a member of the board of directors performed the position of the DPO “just to have someone” (interviewee J).


DPO. In total, three DPOs have a legal background and three DPOs have experience with information security.

According to the law, the DPO should report directly to senior management. In hospitals, senior management is the board of directors. The answers to the question “Where in the hospital is the DPO seated?” are summarized in table five and demonstrate that not every DPO is seated under the board of directors. Three DPOs, one from a large hospital and two from small hospitals, are seated directly under the board of directors. This structure benefits communication and an open work environment.

In the other two large hospitals, the DPO under the IT department still has a direct line with the board of directors and the DPO under legal affairs can only go to the board of directors in case of emergency. Also in one small hospital, the DPO is not directly operating under the responsibility of the board of directors, but rather under the responsibility of the concern controller. However, “In cases of data breaches I do not even go to the concern controller, rather I directly walk into the office of the board of directors.” (interviewee L).

5.1.6 Reporting data breaches

Interviewees were asked two questions concerning the reporting of data breaches: “Was it already there?” and “How do you comply with this requirement?”. Four hospitals already reported data breaches because of the Data Leaks Reporting Obligation Act of 1 January 2016. At that time, those hospitals had already set up processes to report data breaches, varying from a Safety Incident Reporting System to reporting in all possible ways. How often the processes are used can be found in table five. Note that one DPO of a large hospital was not asked what the process looked like.


With regard to the documentation and number of data breaches, hospitals are totally dependent upon their employees. A DPO of a large hospital explains this by saying: “People must be educated in such a way that they use the reporting system. [...] Not everyone is yet reporting it. [...] But if you ask for more attention to it, you notice that more people report data breaches” (interviewee D). In a small hospital, the security officer states that the culture plays a role in the number of reported data breaches: “It is in the culture of the hospital, the Safety Incident Reporting” (interviewee H). That is why raising awareness among employees is one of the key activities of all six DPOs to comply with this requirement.

Four DPOs experience an increase in the number of data breaches. One small hospital even experienced an increase of almost 50% in the number of data breaches this year compared to last year. Two DPOs were not asked whether they experienced a change in the number of data breaches.

Comparison of size

Some similarities are found in how large and small hospitals adapted to the six institutional changes. All hospitals created awareness during the introduction of new personnel and during meetings. The remaining techniques to create awareness are not used by every hospital, but do have similar characteristics. The right to data portability also seems to have been adopted by all hospitals in more or less the same way. Not every hospital complies with this right yet, but all try hard to get it under control by, for example, offering interim solutions. However, small hospitals do have more techniques to offer, like the GERRIT system and participation in the VIPP project, which makes the small hospitals similar to one another and different from the large hospitals.


protection authority. Another difference is that the DPOs of small hospitals hold a dual function, whereas the DPOs of two large hospitals hold a full-time function. When it concerns data breaches, all hospitals are dependent on the culture and awareness among employees.


Table 5: Summary of the results

| Subject / question | Large hospitals (> 1000 beds) | Small hospitals (< 300 beds) |
|---|---|---|
| 1. Creation of awareness: How do you comply with this requirement? | During introduction & meetings (3/3); Ask for attention continuously (2/3); In the staff newspaper (2/3); Intranet (2/3); Reassure (2/3); Posters (1/3); Privacy and security organization (1/3). Department: Checklist & quality lunch (1/1) | During introduction & meetings (3/3); Ask for attention continuously (3/3); In the staff newspaper (1/3); Intranet (1/3); Reassure (1/3); Posters (1/3); E-learning & phishing (1/3). Department: Checklist (1/3); Discuss failures during meetings (1/3); Send messages from computers that are open (1/3) |
| 2. Right to data portability: Was it already there? | No and not yet in control (2/3); Yes (1/3) | No and not yet in control (3/3) |
| 2. Right to data portability: How do you comply with this requirement? | Online care portal (3/3); USB (2/3); EPD system: Epic (1/3); EPD system: HiX (1/3) | Print document (3/3); GERRIT (3/3); Online care portal (2/3); USB (2/3); VIPP project (2/3); EPD system: HiX (3/3) |
| 3. Record: Was it already there? | No (2/3); Yes, but not centralized (1/3) | No (2/3); Yes (1/3) |
| 3. Record: How do you comply with this requirement? | Excel (2/2); Looking for a better system (2/2); We keep it simple (1/3) | Excel (3/3); Looking for a better system (3/3); We keep it simple (2/3) |
| 4. DPIA: Was it already there? | Yes (1/3); No (2/3) | No (2/2) |
| 4. DPIA: How do you comply with this requirement? | NOREA standard as a basis (2/2); For purchase processes (2/3); For IT projects and Standard Operating Procedures (1/3) | For every new processing of data that enters the building (1/3) |
| 5. DPO: When is the DPO hired? | Three years ago (1/3); March 2018 (1/3); September 2017 (1/3) | September 2018 (1/3); July 2018 (1/3); April 2018 (1/3) |
| 5. DPO: Where is the DPO seated? | Under board of directors (1/3); Under legal affairs & go to board in case of emergency (1/3); Under IT & direct line with board (1/3) | Under board of directors (2/3); Under concern controller & go to board in case of breaches (1/3) |
| 5. DPO: Background DPO | Law (2/3); IT (1/3) | Law (1/3); IT (2/3) |
| 5. DPO: Type of function | Full-time (2/3); Dual (1/3) | Dual (3/3) |
| 6. Reporting data breaches: Was it already there? | Yes (3/3) | Yes (2/3); No, but we do it now, otherwise the data protection authority mentions that we do not report (1/3) |
| 6. Reporting data breaches: How do you comply with this requirement? | Raise awareness (3/3); Report via Safety Incident Reporting (1/2); Report via IT help line (1/2); Data breaches are reported more often (3/3) | Raise awareness (3/3); Report via Safety Incident Reporting (2/3); Report via IT desk or telephone (1/3); Reporting in all possible ways (1/3); Data breaches are reported more often (1/1) |

Table 5: Overview of GDPR requirements in large and small hospitals 10

10 The numbers in the table represent the number of hospitals. Thus, (1/3) means that one out of the three hospitals pursues that answer. When otherwise mentioned, as in the


5.2 Isomorphism

Since mimetic and normative isomorphism may be present in the institutional field of hospitals, several questions about these phenomena were put to the thirteen interviewees: six DPOs, one security officer and six managers of large and small hospitals. First, mimetic isomorphism is highlighted in this section, and second, normative isomorphism is covered. A summary of the results is presented in table six.

5.2.1 Mimetic isomorphism

Interviewees were asked three questions concerning mimetic isomorphism: “Do you look at other hospitals when implementing the GDPR?”, “Do you look at hospitals that are early adopters or that seem successful?” and “Is your hospital an early adopter when implementing the GDPR?”. As can be seen in table six, ten interviewees place their hospital in the middle between early and late adopters. Late adopters and hospitals in the middle have the possibility of copying the early adopters. And indeed, eight hospitals do look at hospitals that are early adopters or that seem successful. A DPO of a large hospital does not look at successful hospitals per se, but also takes the circumstances of their own hospital into account: “There is one hospital that was a bit of an early adopter, that is the hospital in Nieuwegein. That is what I look at sometimes. But sometimes it is also very much adapting to the circumstances and wishes of your own hospital.” (interviewee D).
