Tech startups and general data protection regulation: an empirical exploration of compliance challenges

Abstract

Purpose – This study investigates specific challenges that tech startups in Catalonia face in complying with the General Data Protection Regulation (GDPR) from the perspective of Technology-Organization-Environment (TOE) framework. It also examines how factors such as startup’s size, age, and sector influence compliance experiences. Design/methodology/approach – A mixed-methods approach was employed, combining survey data from 107 Catalonian tech startups with in-depth interviews with senior executives from three startups to provide qualitative insightsfor triangulation. GDPR compliance challenges were analysed using regression analysis and One-Way ANOVA. Findings – The results of the study underscore the interconnected nature of GDPR compliance challenges, revealing that staff training mediates the relationship between regulatory and technical complexities and compliance costs. While compliance costs, regulatory complexity, and technical complexity are viewed as significant challenges of equal importance, staff training is not considered a primary concern for Catalonian startups. Additionally,factorssuch asthe startup’ssize, age, and sectorsignificantly influence how these challenges are perceived and addressed, with smaller, younger, and non-tech startups experiencing greater difficulties. Research limitations/implications – Relatively smallsample size and geographic focus on Catalonia potentially limit generalizability of the findings. Practical implications – The findings have implications for startups, policymakers, and industry regulators, emphasizing the need for simplified regulatory guidance, accessible technical support, and tailored compliance training programs for startups. Originality/value – This study fills a literature gap by applying the TOE framework to explore regulatory adoption challenges by tech startups. It reveals how staff training mediatesthe effect of regulatory and technical complexities on compliance costs highlighting the role of organizational capabilities in regulatory adoption.