Definition of key drivers for project success regarding
the General Data Protection Regulation (GDPR)
Nuno Alexandre Costa (firstname.lastname@example.org)
Instituto Universitário de Lisboa (ISCTE-IUL), Business Research Unit (BRU-IUL), Lisboa,
J. M. Vilas-Boas da Silva (email@example.com)
Instituto Universitário de Lisboa (ISCTE-IUL), Business Research Unit (BRU-IUL),
Monika Maria Möhring (firstname.lastname@example.org)
Management und Kommunikation, Technische Hochschule Mittelhessen (THM),
Isabel Duarte de Almeida (email@example.com)
Universidade Lusíada, (CLISSIS-UL), Lisboa, Portugal
Instituto Universitário de Lisboa (ISCTE-IUL), Lisboa, Portugal
In the context of the General Data Protection Regulation (GDPR), organisational
governance must consider data privacy concerns and regulations. This will avoid illegal
situations, the related fines, damage to organisational reputation or, even,
temporary/definitive limitation on processing activities. An innovative conceptual model
is proposed to deliver the necessary change that addresses GDPR concerns based on the
enablers concept. Moreover, project success is (re)examined to include stakeholders
perceptions, in addition to organisational effectiveness, which is defined by the respect
for legal requirements and by demonstration of compliance with the Regulation at an
acceptable cost, i.e. the typical internal deliverables.
Keywords: General Data Protection Regulation (GDPR); project success; privacy by
design and by default.
The purpose of this research is to define the key drivers for project success regarding the
General Data Protection Regulation (GDPR).
Scheduled to be enforced from 25 May 2018, the European Union’s GDPR will
demand that organisations, i.e. data controllers and processors “implement appropriate
technical and organisational measures" to safeguard the “ongoing confidentiality,
integrity, availability and resilience of processing systems and services” (Regulation EU,
2016), in relation with the management of personal information of EU citizens.
In order to do this, it is fundamental at the outset to define what are the drivers that
“motivate” (Lee and Klassen, 2008) organisations for successfully achieving the GDPR
requirements. We argue that those drivers are the principles outlined in the Regulation,
and therefore, they are the motivators to start action through projects that implement what
needs to be done regarding the Regulation. The terms of reference coming from the
Regulation to set what should be done are designated as the permanent enablers (see
The authors recommend that this Regulation should be addressed as part of a GDPR
programme (Room, 2018) to “deliver their intended benefits primarily through
component projects” (PMI, 2017). A “program is defined as a group of related projects,
subprograms, and program activities managed in a coordinated way to obtain benefits not
available from managing them individually” (PMI, 2017). Thus, a GDPR programme and
their compliance project(s) aim to deliver the necessary effective and efficient change that
ensures that organisations are “able to demonstrate the compliance of processing
activities with this Regulation” (Regulation EU, 2016) in a continuous and sustainable
Therefore, it is argued that, whilst effectiveness is defined as the expected
organisational satisfaction of the Regulation requirements (permanent enablers),
efficiency refers to the assessment of the assets (i.e. "any resource or capability" (TSO,
2012)) utilization to achieve a certain purpose (i.e. to be effective).
The results of this reasoning “assume an enormous array of forms, and variations in
these forms are related in the outcomes and behaviours” (Tolbert and Hall, 2016) and
Nevertheless, project success is no longer understood only by the long-established
perspective of accomplishing the implementation of the permanent enablers on the
appropriate timescales, by respecting the agreed costs, and with the desired quality, which
will be just considered as the internal view. Considerations whether the project delivers,
are clearly expressed and properly understood as also important; then, the “satisfaction”
(Pinto and Slevin, 1988) of all the interested parties (Sheikh and Muller, 2014) expressed
by their positive perceptions is also required. This will be considered the external view of
the project evaluation, where most of the project value is generated. For instance, for a
project addressing data privacy being successful, it is a necessary condition that the right
technical procedures are implemented, within the budget, but if the controller entities do
not have a good perception of the project outcomes because these entities are influenced
by a competitor or because some procedure is illegal, then the project might very well be
considered as a failure. Other situation could be citizens being suspicious (i.e. having a
negative perception) that their data could be misused, despite the law forbidding it, and
despite the security technical assurances, like it happens when information of a not yet
closed judicial proceeding, i.e. before the final decision, is leaked to the media (vide
Figure 1). To sum up, the perceptions of the interested parties (external view) are key to
the assessment of the project success (condition of sufficiency), in addition to the
effectiveness and efficiency implementation ratios (internal view, necessary but not
sufficient condition) (vide Figure 1).
After drivers have been defined (Regulation principles) as well as project success
(internal assessment and external perceptions), this paper is also concerned with
describing how the initial drivers are linked with project success. This is the third part of
the conceptual model designed to fulfil the GDPR requirements (vide section ‘Proposal
of a conceptual model’). Thus, the following section adopts a holistic and
multidisciplinary organisational perspective to pursue the construct of the proposed
conceptual model. Then, the components of the model are detailed, and followed by a
description of the interrelationships among them. Finally, the theoretical, practical and
managerial implications of the model are examined.
Proposal of a conceptual model
Organisations need to adapt to face the required change and so, they need to strengthen
themselves and improve their structures in order to incorporate the GDPR requirements.
This section describes a conceptual model for introducing change in the permanent
organization through a temporary one (vide REF for definition), i.e. a project, in order to
achieve the desired result, i.e., Regulation compliance.
Thus, a holistic and multidisciplinary organisational perspective is relevant, insofar, it
focus on the requirements of the Regulation, considering the degree of change that must
be delivered to permanent organisations, at the agreed levels to businesses and respective
users, bearing in mind how those changes will be transitioned into the operational
environment to help improve the effectiveness of the permanent organization (TSO,
2012) as regards data privacy, in an efficient way.
Therefore, since “conceptual models are generally informal and typically graphic
depictions of systems that quickly and easily convey the overall functionality of a system”
(McKenzie, 2010), the proposed model resulting from this literature review is a graphical
representation of all relevant components necessary to depict and apply the GDPR
requirements in organisations (vide Figure 1).
Figure 1 – Conceptual model (Adapted from Costa et al., 2017)
Thus, a meaningful conceptual model will have the following essential components:
A driver is a cognitive (Bandura, 1986) variable “that initiates and motivates” (Lee and
Klassen, 2008) people for achieving something successfully, whether individually or as
part of a group of individuals. It is argued for the key drivers as being the principles
outlined in the Regulation, namely, (a) lawfulness, fairness and transparency, (b) purpose
limitation, (c) data minimisation, (d) accuracy, (e) storage limitation, (f) integrity and
confidentiality, and (g) accountability (Regulation EU, 2016). These dimensions set the
scope for “convincing” organisations to data privacy requirements. It is not only about
going legal, fair and transparent, because business might be lost in partnerships that are
lost due to the
Permanent enablers (PE)
Permanent enablers are the “ones who give power, strength, or competency sufficient for
the purpose” (Lee and Ventres, 1981) and its constituent parts, i.e. process facilitators and
discursive abilities (Müller et al., 2016). It is argued for the permanent enablers as being
(a) governance, (b) Information Security Management System (ISMS) and (c) Personal
Information Management System (PIMS) (BS10012:2017). These are the expected
requirements to be implemented in the organizational structure.
Therefore, a GDPR Privacy Compliance Framework will consist in the following four
fundamental aspects, as summarised in Table 1.
Table 1 – Fundamental aspects of a GDPR Privacy Compliance Framework (PCF)
1. GDPR Principles
Regulation EU, 2016
Regulation EU, 2016
3. Information Security
4. Personal Information
The GDPR Privacy Compliance Framework resulting from the permanent enablers sets
the requirements for conformance in terms of data protection.
Individual organisations (IO)
Individual organisations are the controllers and the processors. The controllers are “the
natural or legal person, public authority, agency or other body which, alone or jointly with
others, determines the purposes and means of the processing of personal data”
(Regulation EU, 2016). Fundamental to this explanation “is the ability to decide how and
why personal data is processed. When this decision is made jointly by different entities,
those entities are joint controllers” (Westbrook, 2018). The processors are “a natural or
legal person, public authority, agency or other body which processes personal data on
behalf of the controller” (Regulation EU, 2016), “acting on the instructions of the
controller” (Westbrook, 2018).
These organisations must conform with the GDPR PCF. According to Kerzner (2017)
“to move forward, it is crucial that we understand the current state”. Thus, the as-is state
has to be determined representing the current situation that might need to be changed
according to the PCF requirements.
Data Protection Impact Assessment (DPIA) will assess any “privacy and data
protection impacts of any products they [the organisations] offer and services they
provide” (Pothos, 2018), by considering the Principles, Governance, Information Security
(IS) and Personal Information (PI).
Temporary enablers (TE)
Temporary enablers are all that contribute and seek to construct the purpose in a positive-
sum manner. Thus, it includes “any resources or capabilities” (TSO, 2012) (assets) that
could contribute to the delivery of project requirements.
These assets can be the project manager, privacy experts, information and technology
(IT) experts, legal experts, organization experts. Moreover, it is important to highlight
that these assets have an associated cost, in order to deliver value. This cost will be
allocated to the project (i.e. temporary organization) in which they participate,
contributing to the computation of the project cost. The efficiency is effort put (project
cost) to achieve a certain level of deliverables (effectiveness) by the projects (temporary
Temporary organisation (TO)
Temporary organisations are the projects, i.e., a “temporary endeavour undertaken to
create a unique product, service, or result” (PMI, 2017), thus, aiming at covering the gaps
of the permanent organisation found in the Data Protection Impact Assessment (DPIA).
Therefore, with the appropriate conditions and support, (i.e., with the proper
empowerment), leadership and governance can be exercised at all levels of the
So, “empowerment is supported by vertical leadership exercised by the project
manager” (Drouin et al., 2017), and once in place, the organization of the different
elements, to work together efficiently and effectively, are "enabled through learning
dialogs that allow the development and maintenance of shared mental models" (Drouin
et al., 2017).
Finally, it is important to highlight that projects require the specific “application of
knowledge, skills, tools, and techniques to project activities to meet the project
requirements” (PMI, 2017) and to “deliver change” (Turner and Muller, 2003). So, they
consume assets as previously stated.
Temporary performance (TP)
Temporary performance, i.e., the project performance aims at checking conformance
between project deliverables and expected and planned requirements arising from the
needs identified in the Data Protection Impact Assessment (DPIA). These needs should
be satisfied, in order to be implemented a relevant GDPR Privacy Compliance
This aspect is specifically concerned with an internal assessment that is related with
the monitoring and control of the effectiveness obtained at an acceptable cost, i.e. in an
efficient way. Therefore, the main privacy requirements summarized in Table 2 should
be delivered. There are measures associated with these requirements that can be obtained
from the Regulation, the BS10012 and the ISO27001.
Table 2 – Main privacy requirements leading to the effectiveness of the project deliverables
Main privacy requirements considered in
assessing deliverables effectiveness (high-level)
Establish the necessary processes to incorporate
privacy into the organization's governance structure
and culture, e.g., policies, codes of conduct.
Create a privacy record management system, e.g., to
collect and "maintain records of privacy information"
Create a service that internally and externally deals
with the communication of privacy information, e.g.,
policy updates, privacy notices.
Create a data subject access request (DSAR) service.
Create a legal service, e.g., to identify and document
legal basis for processing, contracts review, conditions
for consent, transfers of personal data to a third country.
Create an incident management service.
Create service level agreements (SLAs) and define
roles and responsibilities, e.g., through a RACI model
(responsible, accountable, consulted, and informed).
Implement data protection concerns in the
organisational risk management (ISO31000:2018).
Designate the data protection officer (DPO), e.g., the
DPO informs and advises the controller or processor,
regarding issues concerning the requirements of the
Regulation (Regulation EU, 2016).
Preserve the confidentiality, integrity and availability
Create a document classification plan. Define retention
and destination schedules for personal information.
Implement privacy by design and by default
Create training and awareness programs.
Create service for systematically assess performance.
The answer to what constitutes project success is not simple, because "success may be
measured differently in different types of projects, success can be measured in different
perspectives, at different stages, and in absolute or relative terms" (Samset, 1998).
Therefore, different stakeholders have different perceptions of project success (Chou and
Yang, 2012; Davis, 2014) and “not all the criteria will be appropriate on all projects”
Moreover, the perception of what constitutes project success cannot be valued only by
the conventional triple constraint of time, budget, and scope (internal assessment, as the
necessary condition), but also by the achievement of organisational objectives and
benefits that it brings to stakeholders over different timescales (external perceptions as
the sufficient condition).
At the same time, “reaching agreement of what constitutes project success among
different stakeholders may be challenging to achieve, and it will require constant
communication and negotiation to align stakeholder’s expectations, and to achieve their
interests” (Muller, 2013). However, it is also “important to realize that not all of the
stakeholders may want the project to be successful” (Kerzner, 2017).
Therefore, formal internal assessments must be done to “seek to minimise variation
and to deliver results that meet defined stakeholder requirements” (PMI, 2017). With this
in mind, interested parties may include:
natural persons, i.e., citizens, clients, employees. The Regulation doesn’t define the
concept of natural persons; however, “Recital 27 states that the Regulation does not
apply to the personal data of deceased persons or organisational data, which may
be protected through standard contractual confidentiality clauses” (Macmillan,
Other controllers and processors.
To sum up success appears to be a more robust construction if the requirements from
the GDPR Privacy Compliance Framework are met (effectiveness) in economic
conditions (efficiency) and if the concerns of interested parties expressed by their
perceptions are addressed in a satisfactory way being brought in to the data privacy
Discussion and conclusions
In the context of the General Data Protection Regulation (GDPR), the future
organisational states must include data privacy concerns and regulations. This will avoid
an illegal situation, and so the related fines or even survival threats, in more extreme
situations. It will also improve the ability of the organization to be in business by setting
an adequate environment to build up partnerships. This is a current critical condition to
be accomplished by organisations, which have a high level of organisational maturity
(SEI, 2010). Therefore, they should "engage in rationally designed service interactions
that can consistently lead to win-win value cocreation outcomes", by being able to
construe "models of the past (reputation, trust), present, and future" (Spohrer and Kwan,
Moreover, the organisational enablers of the required change projects (Temporary
Organisations), which are set to assure compliance with the GDPR Privacy Compliance
Framework, were found different from those ones that support the Permanent
Furthermore, the organisational enablers (whether temporary or permanent) were
found as both context and institutional dependent, exhibiting a non-linear relationship.
This means that each enabler assumes a different importance in different organisations
being guided by the principles of the General Data Protection Regulation.
For the purpose of specifically defining the key drivers for project success regarding
the GDPR, the following motivation factors (drivers) were identified:
1. The principles relating to the processing of personal data as outlined in the
Regulation, namely, (a) lawfulness, fairness and transparency, (b) purpose
limitation, (c) data minimisation, (d) accuracy, (e) storage limitation, (f) integrity
and confidentiality, and (g) accountability (Article 5) (Regulation EU, 2016).
2. Security of processing (Article 32) (Regulation EU, 2016).
3. Administrative fines (Article 83(4) and 83(5)) and financial loss (Recital 75)
(Regulation EU, 2016).
4. Damage to the organisational reputation (Recital 75) (Regulation EU, 2016).
5. Limitation on processing (Article 58 (2)(f). Often, people “see the risk of financial
penalties as the major regulatory risk, but being ordered to stop data processing
could be a much more dramatic outcome” (Room, 2018).
As stated in the article, the project’s role is to apply the requirements and to ensure
that they are delivered as set out in the Regulation, thus contributing, to achieve project
This assignment operationalised an exploratory research to address the expected
deliverables of the Data Protection Regulation by considering a contribution coming from
the PMI body of knowledge put within the scope of an original conceptual model
previously introduced by the authors (vide Costa et al., 2017).
It is believed that this might be considered as a contribution to the research in the area,
because guidance to a more systematic implementation procedure might come out, as an
orientation to the practitioner. Perhaps, the merge of several knowledge areas to support
an innovative approach to the phenomenon might be considered as a potential
contribution to theory. Thus, after this conceptual exercise, a few research questions
might be formalised, as follows:
RQ 1 – What are the drivers of the permanent organisation (PO) to be GDPR
RQ 2 – What are the enablers of both permanent and temporary organisations?
RQ 3 – How is success regarding the GDPR defined?
RQ 4 – How is explained the correlation between permanent and temporary enablers,
i.e. how might causality be established?
In summary, it is believed that there is room for further progress by refining the
pursued path, which are good news for arguing for the success of the exploratory exercise
presented in this paper. Thus, the definition of concepts and relationships should be
deepened, by the refining of the semantics supported by a focused literature review. As a
consequence, it is expected that the research questions might be transformed into
propositions or hypotheses and that a process of inquiry may come out to support a
confirmatory research, which should also be concerned with both the usefulness and
feasibility of the outcomes.
As an instance of further complementary developments, one might quote the
consideration of the service science principles. For example, by drawing on existing
theory, it is proposed to develop the conceptual model in a realistic way, by considering
the requirement to evaluate stakeholders’ perceptions by putting their concerns together
using the “Interact-Serve-Propose-Agree-Realize (ISPAR) model of service systems
interaction” (Spohrer et al., 2008).
Another significant recommendation for further work concerns establishing a key
regulatory element of the conceptual model. This will be defined from the enablers nXm
matrix introduced by Costa et al. (2017), which correlates permanent and temporary
enablers by providing what is expected to be the cornerstone of a more robust explanation
for the performance of the GDPR compliance projects.
It is argued for this paper as outlining the first step of a significant contribution to
both theory and research by presenting the design of an innovative and integrative
approach to position and investigate the performance of GDPR projects in the real world.
It is expected that addressing a GDPR project in this way could improve its success and,
therefore, promote a relevant contribution to practice, in the future.
In this way, to investigate the definition of key drivers for project success regarding the
GDPR appears to be confirmed as a significant research gap with scientific interest and
as one of the main conclusions of this exercise. To sum up, it is believed that the chosen
holistic innovative way that was reported to address the identified gap also appears to
have potential for a relevant return to the Project Management area.
Bandura, A. (1986), Social foundations of thought and action: A social cognitive perspective, Englewood
Cliffs, NJ: Princeton-Hall.
BS10012:2017, Data protection - Specification for a personal information management system.
Specification for a personal information management system, The British Standards Institution.
Cavoukian, A. (2013), "Privacy by design", Information and Privacy Commissioner of Ontario, Canada,
Available at: https://www.ipc.on.ca/wp-content/uploads/2013/09/pbd-primer.pdf. Date of latest Access:
Costa, N., Vilas-Boas , J., Almeida, I. (2017), "Key drivers of project management success when applied
to temporary multi-organisations", in Proceedings of 24th EurOMA – Inspiring Operations
Management, Heriot Watt University, Edinburgh, Scotland, 1rst - 5th July.
Chou, J., S., Yang, J., G. (2012), "Project management knowledge and effects on construction project
outcomes: an empirical study", Project Management Journal, Vol. 43, No. 5, pp. 47–67.
Davis, K. (2014), "Different stakeholder groups and their perceptions of success", International Journal of
Project Management, Vol. 32, No. 2, pp. 189–201.
Drouin, N., Muller, R., Sankaran, S., Vaagaasar, A., L., Nikolova, N. (2017), "Balanced Leadership in
Projects: the concept of socio-cognitive-space to support the building of organizational capabilities. The
“Project Hat”", in Proceedings of IRNOP Conference, Boston, MA 11 -14 June 2017.
ISO/IEC27001:2013, Information technology - Security techniques - Information security management
systems - Requirements, ISO/IEC, Switzerland.
ISO31000:2018, Risk management -- Guidelines, ISO.
Kerzner, H., (2017), Project Management Metrics, KPIs, and Dashboards: A Guide to Measuring and
Monitoring Project Performance, Third ed. John Wiley & Sons, Inc., Hoboken.
Lee, D. K., Ventres, S. (1981), “The Nurse: The enabler”, American Journal of Nursing, Vol. 81, No. 3,
Lee, S., Y., Klassen, R., D., (2008), "Drivers and Enablers That Foster Environmental management
Capabilities in Small- and Medium-Sized Suppliers in Supply Chains", Production and Operations
Management, vol. 17, No. 6, pp. 580.
McKenzie, F. D. (2010), "Systems Modeling: Analysis and Operations Research in Sokolowski" in
Sokolowski, J., A.,Banks, C., M. (Ed.), Modeling and Simulation Fundamentals. Theoretical
Underpinnings and Practical Domains, John Wiley & Sons, Inc., Hoboken, New Jersey, pp. 148.
Mller, R., Adersen, E., S., Kvalnes, Ø., Shao, J., Sankaran, S., Turner, J., R., Biesenthal, C., Walker, D.,
Gudergan, S. (2013), “The Interrelationship of Governance, Trust, and Ethics in Temporary
Organizations”, Project Management Journal, Vol. 44, No. 4, pp. 26-44.
Müller, R., Shao, J., Pemsel, S. (2016), Organizational Enablers for Project Governance, Newtown Square,
USA, Project Management Institute.
Photos, M. (2018), "Accountability Requirements", in Ustaran, E., Lovells, H. (Ed.), European Data
Protection Law and Practice, IAPP Publication, pp. 207.
Pinto, J. K., Slevin, D. P. (1988), “Project success: Definitions and measurement techniques“, Journal of
Project Management, Vol. 19, No. 1, pp. 67-72.
PMI (2017), A Guide to the Project Management Body of Knowledge (PMBOK GUIDE), Sixth edition,
Project Management Institute.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection
of natural persons with regard to the processing of personal data and on the free movement of such data,
and repealing Directive 95/46/EC (General Data Protection Regulation). Available at:
http://data.consilium.europa.eu/doc/document/ST-5419-2016-REV-1/en/pdf. Date of latest Access:
Room, A. (2018), "Security of Personal Data", in Ustaran, E., Lovells, H. (Ed.), European Data Protection
Law and Practice, IAPP Publication, pp. 180.
Room, A. (2018), "Supervision and Enforcement", in Ustaran, E., Lovells, H. (Ed.), European Data
Protection Law and Practice, IAPP Publication, pp. 244.
Samset, K. (1998), Project management in a high-uncertainty situation: Uncertainty, risk and project
management in international development project, Ph.D. Thesis. Norwegian University of Science and
Technology. Faculty of Civil and Environmental Engineering. Department of Building and
Construction Engineering, Trondheim.
Sheikh, R., A., Muller, R. (2014), "The Relationship between Culturally Endorsed Leadership Theory
(CLT)", KSBL working paper series, Karachi School for Business & Leadership, No. 16.
Spohrer, J., Kwan, S. K. (2009), "Service Science, Management, Engineering, and Design (SSMED): an
emerging discipline -- outline and references", International Journal of Information Systems in the
Service Sector, Vol. 1, No. 3, pp. 1–31.
Spohrer, J., Vargo, S., Maglio, P. M., Caswell, N. (2008), "The service system is the basic abstraction of
service science", in Proceedings of the 41st Hawaii International Conference on System Sciences, Vol.
1, No. 14, pp. 6.
Tolbert, P,. S., Hall, R., H. (2016), Organizations Structures, Processes, and Outcomes, Tenth Edition,
TSO (2012), ITIL Foundation Handbook, The Stationery Office and IT Service Management Forum UK.
Turner, R., Müller, R. (2003), “On the Nature of the Project as a Temporary Organisation”, International
Journal of Project Management, Vol. 21, No. 7, pp. 1-8.
Wateridge, J. (1998), "How can IS/IT projects be measured for success?”, International Journal of project
Management, Vol. 16, No.1, pp. 59-63.
Westbrook, N. (2018), "Internet Technology and Communications", in Ustaran, E., Lovells, H. (Ed.),
European Data Protection Law and Practice, IAPP Publication, pp. 319.