Motivation
The EU General Data Protection Regulation (GDPR) proposes certifications issued by independent and accredited certification bodies to demonstrate compliance with data protection standards in Articles 42 and 43. Beyond demonstrating regulatory compliance, certifications are a valuable means to tackle current challenges in data governance. First, certifications can serve as a global mechanism for decentralized self-regulation [1]. Competitive pressure may motivate companies to adopt data governance and protection standards and undergo corresponding certifications, even if they are not explicitly mandated by governmental regulations [2–4]. Second, certifications can help reduce the asymmetric power distribution between individuals and companies by creating transparency about data processing practices and enabling individuals to make better-informed decisions [5]. Finally, certifications provide organizations with guidance on how to fulfill the requirements imposed by the GDPR and achieve efficient data governance by clarifying the specific requirements an organization needs to fulfill and recommending best practices on how to implement the requirements into the organization's processes [5].
However, related literature on certifications indicates a severe issue that threatens the effectiveness of certifications as an enforcement mechanism for data governance. Some organizations tend to follow a minimalist approach in implementing the certification. They only meet the minimum requirements and take a short-cut approach to attain the certification [6, 7], which is referred to as superficial internalization. Internalization is defined as the process through which organizations incorporate certification information into their procedures and daily practices [8]. This includes not only the explicit certification information (e.g., proposed data governance best practices) but also tacit information (e.g., attestation results and feedback of the certification body). Despite policymakers demanding rigorous internalization of the certification requirements [9, 10], extant research found that organizations frequently internalize certifications only at a superficial level, undermining their intended effects [6, 11]. As a result, compliance is pretended but not achieved [12]. Such malicious use of the certification mechanism can have detrimental consequences for the societal view on certifications, as it downgrades them to a "greenwashing" mechanism used by dubious organizations [12], and is thus particularly concerning for societally relevant areas such as data protection and privacy.
Research Objective
We strive to examine certifications' potential to contribute to data governance and the safeguarding of data protection standards, as recommended by the EU GDPR. For this purpose, we study potential pitfalls for organizations adopting certifications, illustrate the risks associated with superficial internalization, and provide suggestions for mitigation. Hence, we are seeking to answer the following research question: What are potential pitfalls and which measures for mitigation can be taken in order to leverage data protection certifications to safeguard the requirements of the GDPR?
Methods
To answer the research question, we conducted a descriptive literature review [13] to synthesize the current state of research on the pitfalls related to superficial internalization. Our database search revealed 800 articles, of which we examined 60 relevant articles to reveal pitfalls hampering organizations' effectiveness in internalizing certifications by using thematic analysis [14].
Results
We identified three key pitfalls that pose critical risks for organizations' success in internalizing certifications. First, organizations differ in their motivations to seek certification [15], which impacts their depth of internalization. Research has shown that external pressure exerted by customers or regulators either does not impact internalization or impacts it negatively (e.g., [7, 16]). Hence, relying on external motivation as the sole motive for certification acquisition should be avoided. Instead, this pitfall can be mitigated by emphasizing that acquiring a certification should be driven by internal aspirations: approaching the certification as a chance to improve organizational data governance practices positively impacts internalization (e.g., [17, 18]). Policymakers and developers of certifications should include implementational guidance for organizations to fulfill the certification requirements, and internalizing organizations should perform specific activities to harness internal benefits besides conforming to external pressures.
The second pitfall that organizations should avoid is a lack of stakeholder engagement, such as limited executive buy-in and employee involvement [19–22]. Different stakeholder groups inside the organization may have opposing views of the certification, thus hampering internalization [23]. As a mitigation strategy, we argue that organizations need to perform additional internalization activities, such as adequate internal communication, executive sponsorship, and employee participation to avoid this pitfall [22, 24, 25].
The way internalization activities are conveyed across the organizational structure was identified as the third pitfall. Adopting the certification in a purely top-down manner (i.e., using the certification as a blueprint to derive organizational practices and work instructions) neglects the organization's as-is situation and may lead to superficial internalization or even open resistance [6, 21, 22]. At the same time, a bottom-up approach (i.e., drawing mainly from the organization's as-is state and comparing the existing practices to the certification requirements) can lead to a sole mapping of the certification requirements to the as-is situation without achieving organizational change [19, 26]. As mitigation, a mixed (called "discursive") approach should be chosen so that the as-is state is considered and suggestions for improvement based on the certification can be incorporated [19–22].
Conclusion
Certifications can only contribute to the safeguarding of data protection standards when risks of superficial internalization are mitigated and pitfalls avoided. We identified key pitfalls and corresponding mitigation strategies for avoidance. These pitfalls hold relevance not only for organizations adopting certifications but also for policymakers designing best practices.
References
[1] A. A. King, M. J. Lenox, and A. Terlaak, "The Strategic Use of Decentralized Institutions: Exploring Certification With the ISO 14001 Management Standard," AMJ, vol. 48, no. 6, pp. 1091–1106, 2005, doi: 10.5465/amj.2005.19573111.
[2] P. Christmann and G. Taylor, "Globalization and the Environment: Determinants of Firm Self-Regulation in China," Journal of International Business Studies, vol. 32, no. 3, pp. 439–458, 2001, doi: 10.1057/palgrave.jibs.8490976.
[3] P. Christmann and G. Taylor, "Firm self-regulation through international certifiable standards: determinants of symbolic versus substantive implementation," Journal of International Business Studies, vol. 37, no. 6, pp. 863–878, 2006, doi: 10.1057/palgrave.jibs.8400231.
[4] I. Guler, M. F. Guillén, and J. M. Macpherson, "Global Competition, Institutions, and the Diffusion of Organizational Practices: The International Spread of ISO 9000 Quality Certificates," Administrative Science Quarterly, vol. 47, no. 2, pp. 207–232, 2002, doi: 10.2307/3094804.
[5] N. Maier, S. Lins, H. Teigeler, A. Roßnagel, and A. Sunyaev, "Die Zertifizierung von Cloud-Diensten nach der DSGVO," Datenschutz und Datensicherheit - DuD, vol. 43, no. 4, pp. 225–229, 2019, doi: 10.1007/s11623-019-1097-3.
[6] O. Boiral, "ISO 9000: Outside the Iron Cage," Organization Science, vol. 14, no. 6, pp. 720–737, 2003, doi: 10.1287/orsc.14.6.720.24873.
[7] D. I. Prajogo, "The roles of firms' motives in affecting the outcomes of ISO 9000 adoption," International Journal of Operations & Production Management, vol. 31, no. 1, pp. 78–100, 2011, doi: 10.1108/01443571111098753.
[8] G. A. Knight and P. W. Liesch, "Information internalisation in internationalising the firm," Journal of Business Research, vol. 55, no. 12, pp. 981–995, 2002, doi: 10.1016/s0148-2963(02)00375-2.
[9] E. Naveh and A. A. Marcus, "When does the ISO 9000 quality assurance standard lead to performance improvement? Assimilation and going beyond," IEEE Transactions on Engineering Management, vol. 51, no. 3, pp. 352–363, 2004, doi: 10.1109/TEM.2004.830864.
[10] J. A. Briscoe, S. E. Fawcett, and R. H. Todd, "The Implementation and Impact of ISO 9000 among Small Manufacturing Enterprises," Journal of Small Business Management, vol. 43, no. 3, pp. 309–330, 2005, doi: 10.1111/j.1540-627X.2005.00139.x.
[11] P. Stephanow and C. Banse, "Evaluating the Performance of Continuous Test-Based Cloud Service Certification," in 2017 17th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing (CCGRID), 2017, pp. 1117–1126.
[12] I. Heras-Saizarbitoria, O. Boiral, and A. Díaz de Junguitu, "Environmental management certification and environmental performance: Greening or greenwashing?," Business Strategy and the Environment, vol. 29, no. 6, pp. 2829–2841, 2020, doi: 10.1002/bse.2546.
[13] G. Paré, M.-C. Trudel, M. Jaana, and S. Kitsiou, "Synthesizing information systems knowledge: A typology of literature reviews," Information & Management, vol. 52, no. 2, pp. 183–199, 2015, doi: 10.1016/j.im.2014.08.008.
[14] V. Braun and V. Clarke, "Thematic analysis," in APA handbook of research methods in psychology, Vol 2: Research designs: Quantitative, qualitative, neuropsychological, and biological, H. Cooper, P. M. Camic, D. L. Long, A. T. Panter, D. Rindskopf, and K. J. Sher, Eds., Washington, DC, US: American Psychological Association, 2012, pp. 57–71.
[15] S. Lins, T. Kromat, J. Löbbers, A. Benlian, and A. Sunyaev, "Why Don't You Join In? A Typology of Information System Certification Adopters," Decision Sciences, pp. 1–34, 2020, doi: 10.1111/deci.12488.
[16] J. J. Tarí, J. Pereira-Moliner, J. F. Molina-Azorín, and M. D. López-Gamero, "Heterogeneous adoption of quality standards in the hotel industry: drivers and effects," International Journal of Contemporary Hospitality Management, vol. 31, no. 3, pp. 1122–1140, 2019, doi: 10.1108/IJCHM-09-2017-0606.
[17] A. Nair and D. Prajogo, "Internalisation of ISO 9000 standards: the antecedent role of functionalist and institutionalist drivers and performance implications," International Journal of Production Research, vol. 47, no. 16, pp. 4545–4568, 2009, doi: 10.1080/00207540701871069.
[18] C. Valmohammadi and M. Kalantari, "Using structural equation modelling to test ISO 9000 motivation, depth of ISO implementation and performance of Iranian manufacturing organisations," International Journal of Productivity and Quality Management, vol. 20, no. 3, pp. 405–427, 2017, doi: 10.1504/IJPQM.2017.082675.
[19] O. Boiral, "Corporate Greening Through ISO 14001: A Rational Myth?," Organization Science, vol. 18, no. 1, pp. 127–146, 2007, doi: 10.1287/orsc.1060.0224.
[20] H. Yin and P. J. Schmeidler, "Why do standardized ISO 14001 environmental management systems lead to heterogeneous environmental outcomes?," Business Strategy and the Environment, vol. 18, no. 7, pp. 469–486, 2009, doi: 10.1002/bse.629.
[21] G. Guzman and L. F. Trivelato, "Transferring codified knowledge: socio-technical versus top-down approaches," Learning Organization, vol. 15, no. 3, pp. 251–276, 2008, doi: 10.1108/09696470810868873.
[22] K. W. Sandholtz, "Making Standards Stick: A Theory of Coupled vs. Decoupled Compliance," Organization Studies, vol. 33, no. 5/6, pp. 655–679, 2012, doi: 10.1177/0170840612443623.
[23] C. W. Hsu, "Frame misalignment: interpreting the implementation of information systems security certification in an organization," European Journal of Information Systems, vol. 18, no. 2, pp. 140–150, 2009, doi: 10.1057/ejis.2009.7.
[24] O. Boiral, I. Heras-Saizarbitoria, and M.-C. Brotherton, "Corporate Biodiversity Management through Certifiable Standards," Business Strategy & the Environment, vol. 27, no. 3, pp. 389–402, 2018, doi: 10.1002/bse.2005.
[25] I. Heras-Saizarbitoria and O. Boiral, "Symbolic adoption of ISO 9000 in small and medium-sized enterprises: The role of internal contingencies," International Small Business Journal, vol. 33, no. 3, pp. 299–320, 2015, doi: 10.1177/0266242613495748.
[26] V. S. Amundsen and T. C. Osmundsen, "Becoming certified, becoming sustainable? Improvements from aquaculture certification schemes as experienced by those certified," Marine Policy, vol. 119, pp. 1–8, 2020, doi: 10.1016/j.marpol.2020.104097.