Adaptable GDPR Assessment Tool for Micro and Small Enterprises

Emanuel Löffler

, Bettina Schneider

, Andreas Goerre and Petra Maria Asprion

Institute for Information Systems, School of Business, FHNW University of Applied Sciences and Arts Northwestern

Switzerland, Peter Merian-Strasse 86, Basel, Switzerland

Keywords: Data Protection, Micro and Small Enterprises, GDPR Self-assessment, Web Application.

Abstract: The coming into force of the European General Data Protection Regulation (GDPR) has profoundly changed

the data protection landscape. Irrespective of their size, organisations inside and outside of Europe are

challenged to comply with the requirements posed by the GDPR. Especially micro and small enterprises

(MSEs) lack the required internal resources and knowledge to understand the regulation and its implications.

In our study, a simplified self-assessment tool dedicated to the situation of MSEs is designed to act as an

amplifier for the data protection maturity of this target group. Our research is embedded into the H2020 EU

project GEIGER that aims to leverage cybersecurity and data protection of MSEs in Europe. Building upon

Hevner’s design science research, our study results in an open source, easy-to-adapt GDPR self-assessment

web application targeted to the broad, but so-far rather neglected user group of MSEs. Our privacy-by-design

and mobile-first approach ensures the trustworthy handling of user data while focusing on usability.

1 INTRODUCTION

In recent years, the global IT landscape has

undergone a revolution in terms of the processing of

personal data. The Cambridge Analytica scandal put

data protection in the spotlight, highlighting the need

for stronger data protection laws (Davies, 2015).

Consequently, the European Union (EU) reacted with

a new data protection regulation in 2016; after a two

years transitional period, the General Data Protection

Regulation (GDPR) came into effect (Voigt & Von

dem Bussche, 2017). The protection of personal data

is now a fundamental right of every EU citizen.

The data protection legislation in countries that

are not part of the EU, such as Switzerland, are often

based on the principles of GDPR (European

Commission, 2020a). The aim of GDPR is to

strengthen the rights of the individuals over their own

data, to make organizations accountable, and to

provide services without barriers − irrespective where

the individuals or services are located (Tikkinen-Piri,

Rohunen & Markkula, 2018).

https://orcid.org/0000-0001-9469-5146

https://orcid.org/0000-0001-8460-3658

https://orcid.org/0000-0001-6582-5087

https://project.cyber-geiger.eu

GDPR applies to organisations of any size that

process personal identifiable data from EU citizens

(Voigt & Von dem Bussche, 2017). However, the

regulation is written in legal language and is full of

technical terms. Especially micro and small

enterprises (MSEs), which are essential for the

European economy (European Commission, 2020b),

struggle to understand how they can comply with the

regulation and what it means for their business

(GDPR.EU, 2019). This is a severe issue since fines

as consequence of non-compliance are harsh and

every EU citizen can file a lawsuit in case of a GDPR

violation (Voigt & Von dem Bussche, 2017).

The EU-funded project GEIGER

aims to help

MSEs coping with the risks that are coming with the

ongoing digitalization. One of the project’s targets is

to develop a so-called ‘GEIGER Indicator’, which

shows the current cybersecurity and privacy risks and

allows the user to take simple countermeasures. In

alignment with the classification published by the

European Union Agency for Cybersecurity (ENISA,

2021), the GEIGER project covers the main

cybersecurity threats; data protection and GDPR

Löfﬂer, E., Schneider, B., Goerre, A. and Asprion, P.

Adaptable GDPR Assessment Tool for Micro and Small Enterprises.

DOI: 10.5220/0011014200003179

In Proceedings of the 24th International Conference on Enterprise Information Systems (ICEIS 2022) - Volume 2, pages 301-308

ISBN: 978-989-758-569-2; ISSN: 2184-4992

301

compliance are regarded as an essential aspect. The

present study is embedded in the GEIGER research.

The challenge of MSEs to achieve GDPR

compliance is well known and documented

(Schweizerischer KMU Verband, 2020; GDPR.EU,

2019). As this target group is large and shows an

immense diversity, tailored support is still a need. To

help MSEs to be compliant with GDPR, self-

assessment tools have been created helping to

conduct an initial positioning. Nevertheless, many

enterprises do not know where to start and how to

identify the crucial parts of the regulation for their

business. They are overwhelmed by the complexity

of the procedures to assess data protection maturity.

One significant cause can be found in the fact that the

existing self-assessment tools are written using

formal language and technical terms. There is a lack

of fit for the target group of MSEs.

To close this gap, an easy-to-use and easy-to-

understand ´GDPR self-assessment tool´ dedicated to

MSEs could simplify the path to compliance and to

foster a positive perception of data protection. The

challenge is to find the balance between simplicity

and informative value. With our research to design

and develop an adaptable GDPR self-assessment web

application, we aim to contribute to the data

protection journey of MSEs.

As methodological approach, design science

research (DSR) has been used. The approach intends

to attain expertise and comprehension of a problem

domain, as well as its solution in the development and

application of an artifact (Hevner et al., 2004). The

target of DSR is to support research that is close to

the environment, in which a problem should be

solved; thus, it should be a applied-oriented approach.

The environment is examined to identify a problem,

which results in business needs for the artifact. The

knowledge base is examined to extract foundations

and methodologies of prior research to end up with

applicable knowledge for the development of the

artifact. After creating a prototype, the artifact needs

to be evaluated and refined based on the insights of

the environment and knowledge base. Once the

artifact is set for field testing, it is applied in the

environment. As soon as the research provides new

findings, extensions of the knowledge base can be

provided. At the end of the research, the findings need

to be communicated in an appropriate way (Hevner et

al., 2004).

Our research follows the suggested steps of the

DSR process. First, the problem identification is

Even though Brexit has changed the relationship to the

EU, the material is still valid.

completed through research on GDPR and MSEs in

Europe; it is enhanced through an expert interview

with the managing director of a data protection

advisory firm operating in Germany. Based on the

analysis of existing work (section 2), the goals the

artifact is intended to achieve are defined applying the

principles of the Kano model (Matzler et al., 1996).

Next, the GDPR self-assessment web application is

designed and developed using a ´mobile-first´

approach (section 3). The prototype is tested in an

appropriate environment (section 4). The evaluation

is based on prior defined requirements and insights of

the demonstration phase. It ends with conclusions and

an outlook (section 5).

2 EXISTING WORK

Various GDPR self-assessment tools exist and are

suitable for different target groups. Three solutions –

(1) a professional self-assessment by the British

Information Commissioner Office (ICO), (2) a more

playful self-assessment provided by the Bavarian data

protection body BayLDA, and (3) an Online Check

from a Swiss national federation − have been selected

to be elaborated in more detail. They have been

chosen as they are published by data protection

authorities (DPAs) that offer rich guidance for MSEs

and must adhere high content quality standards.

Moreover, they were complementary regarding their

design, allowing for a juxtaposition of these

approaches as a canvas for the development of our

MSE-oriented artifact. The descriptions of the tools

are followed by an assessment identifying potential

gaps and building the base for the objectives of our

newly created self-assessment web application.

2.1 British ICO

The British ICO provides an extensive repository of

GDPR-related resources for a spectrum of users

. A

set of checklists aimed at MSEs offers a collection of

tools for the measurement of GDPR compliance. It

consists of eight questionnaires tailored to the

following various fields of activity. Our focus lay on

a tool dedicated for MSEs and sole traders.

The questionnaire opens with a short description

of the tool’s focus and hints towards an initial

assessment to see if GDPR applies to the

organisation. From there, a set of nine short questions

leads the participant to answer with the predefined

ICEIS 2022 - 24th International Conference on Enterprise Information Systems

302

answers – ‘Yes’, ‘No’ and ‘In Part’. The option ‘Yes’

is preselected for all questions. Upon submission, the

participant will be provided with an overview of the

answers and additional details (suggested actions and

further readings). The results can be downloaded for

documentation, which suggests data processing on

the server side. However, there is no dedicated

information on whether the data that was entered is

retained or utilized by the ICO.

Assessment: The GDPR self-assessment for

small businesses and sole traders by the ICO is strong

in terms of content. The questions are covering the

relevant aspects of GDPR; the additional information,

the suggested actions and the further readings provide

informational value. Yet, there are some areas for

improvement. First, the questionnaire requires prior

knowledge. Second, the self-assessment could be

more engaging. In terms of the user interface, the

questionnaire is well-structured but does not have any

element or effect which would raise the user’s

attention. Third, it could be an issue that all the radio

buttons are pre-ticked for the answer ‘Yes’. By one

single click on the ‘submit’-button, the self-

assessment can be finished, whereas the user will not

benefit from recommended actions.

2.2 BayLDA Road to GDPR

The DPA of the German federal state of Bavaria

provides a self-assessment tool for any size of

business based on a set of 28 questions (BayLDA,

n.d.). The tool is available in German and English

language. The single-choice answers are not limited

to ‘Yes’/’No’ but provide three elaborated options to

choose from. This requires the users to think about the

questions deeply and to get an impression of GDPR’s

intentions. The questions are subdivided into five

categories of varying value for the final evaluation.

The category of ‘privacy engineering’ is prioritized,

which suggests an implicit target group of larger

enterprises with a complex interplay of systems and

processes.

The tool is decorated with maps of EU member

states without further connection to the context. A

progress bar is displayed as a ‘distance’ on the

figurative ‘Road to GDPR’ that shows how much of

the assessment has already been completed. This

lends the tool a feeling of playing a game.

Assessment: Similarly to ICO, the tool is strong in

terms of content. The BayLDA’s self-assessment uses

the concept of gamification. The ‘Journey through

Europe’-theme emphasises the playful approach.

Overall, this is contributing to a pleasant user

experience and is strengthening the learning effect. The

varying answers encourage the user to reflect more in

detail and decide on its enterprise’s response to the

newly found compliance requirements. However, the

questions are challenging. Unexperienced users may

get frustrated by the complexity of the questions. This

is a risk for the value of the assessment, as interrupted

sessions will not end with the result page.

2.3 Economiesuisse Online Check

Economiesuisse is a national federation representing

the interests of the mainly MSE-based Swiss business

community. It serves as a link between politics,

business, and society. The Federal Data Protection

and Information Commissioner of Switzerland (short:

EDÖB) recommends the Online Check by

Economiesuisse (EDÖB, 2020).

The Online Check is accessible via a public

website and organized as a questionnaire based on

´surveymonkey´ (economiesuisse, n.d.). The tool

consists of two parts. As Switzerland is not part of the

European Union, it starts with an assessment of the

applicability of GDPR. The second part of the tool

provides the main assessment. It contains 15

questions addressing both technical and

organizational aspects. The technical questions

revolve around systems, applications, and services

used for data processing. From organizational the

side, aspects such as access rights, policies, controls,

or third-party contracts are focussed. Some questions

are comprehensive and require prior knowledge.

Regarding the tool handling, the assessment is

organized using closed questions with ‘Yes’, ‘No’, or

‘In Part’ as options. Every question requires a reply

before the test can be finished. At the beginning, the

estimated time for completing the test is indicated and

the progress on completing is displayed. The test

results in a summary statement and a displayed

percentage of achieved points. The questions and

answers can also be reviewed by the user.

Assessment: The content of the Online Check is

well adapted to the needs of Swiss businesses. Only

once the applicability is confirmed, the main

assessment starts. The 15 main questions address a

broad range of GDPR topics, are however not

categorized and do not refer to any articles or further

information. Even though the majority of questions

are formulated using simple terms, pre-knowledge is

required. The conciseness and short duration are

strengths fitting well to the scarce resources of MSEs.

However, the result does not provide a clear guidance

as it lacks appropriate recommendations. The

handling of the web questionnaire could be improved

as it requires pop-ups to be allowed.

Adaptable GDPR Assessment Tool for Micro and Small Enterprises

303

2.4 Summary of Existing Tools

In summary, two of the three analysed tools (ICO and

BayLDA) are geared towards fully assessing

compliance, and to this aim to include most aspects

of GDPR, leading to a potentially overwhelming

experience for users without prior knowledge on the

regulation. The third analysed tool offered a short

questionnaire to be completed within few minutes.

Yet, the applicability of the assessment results is

rather limited. The tool provided by Economiesuisse

is a counterweight to this in providing a small number

of answers that can be quickly assessed. However, it

exposes some technical issues in requiring browser

pop-up permissions and the results provided to users

contain no actionable steps.

The target group of this study are MSEs in Europe

that do not possess in-house data protection expertise.

Rather, we want to reach lay people. Our goal is an

encouragement to take the first steps towards GDPR.

Hence our design approach focusses on accessible

language, to avoid discouragement through

overwhelming language, and on a short completion

time and actionable take-away message for the users.

The previously assessed tools either have drawbacks

in being too extensive for hesitant users or they lack

guidance for future steps after the initial assessment.

Our tool aims at filling the gap between these two

approaches.

3 GEIGER MSE GDPR

SELF-ASSESSMENT TOOL

The goal of our to be developed application is to offer

MSEs a free-of-cost tool to assess their data

protection maturity level with little/no prior

knowledge. The target audience are mainly MSEs, as

large businesses may want more detailed resources to

provide immediate insight into the full scope of the

regulation. Referring to the GEIGER project, we are

targeting a ‘general MSE-related data protection

behaviour’ competence level. This means a general

set of business-related data protection issues, relevant

for data protection laymen is to be addressed

(Remmele and Peichl, 2021).

3.1 Requirements Definition

Our solution must fulfil ten requirements releasable

as self-assessment without further guidance. The

requirements were derived from an analysis of

existing work and an expert interview. Each of the

requirements belong to a specific topic and category

corresponding to the Kano Model (Matzler et al.,

1996). The different categories are ‘Must-Be’ (M),

‘One-Dimensional’ (O) and ‘Attractive’ (A):

1. The user shall be able to adapt the content of

the web application easy. (Maintenance/M).

2. The web application shall not store any

personal data about the user on the server by

design. (Data Privacy/M).

3. The web application shall be built in a way

that allows simple hosting (Hosting/M).

4. The user shall be able to conduct the

assessment on multiple device types (User

Experience/O).

5. The user shall be able to conduct the self-

assessment with little to no prior knowledge

(User Experience/O).

6. The user shall receive an evaluated overall

result corresponding to the answers given

(User Experience/O).

7. The user shall receive feedback on which

aspects of data protection they could

improve (User Experience/O).

8. The user shall be provided with feasible

quick actions for improving the data

protection maturity level of the company

(User Experience/O).

9. The user shall be visually pleased by the web

application (User Experience/A).

10. The user shall be provided useful links to

learn about data protection (User

Experience/A).

Data privacy is required due to both the sensitive

nature of information that is to be entered into the tool

and as a support to the credibility of a tool that

advocates for minimized data collection.

Hosting (the provision of the assessment files to

the user) was defined to be offline-first, thus no server

that processes data outside the user’s device is

allowed for the application to work.

User experience is a key factor on whether the

target group is interested in using the web application.

This aspect is elaborated in more detail in the next

section.

3.2 Design Choices

User experience is defined as “user’s perceptions and

responses that result from the use and/or anticipated

use of a system, a product or service” (ISO, 2018). As

this is a broad definition, it is worth noting the

possible options to improve the user experience of the

web application. Apart from basic factors like the

ICEIS 2022 - 24th International Conference on Enterprise Information Systems

304

availability of the web application, the user

experience is strongly influenced through the web

application’s content and user interface (Smith,

2017). Since the content should be easily adaptable

and might hence be subject to change, the

development of a well-designed user interface

became important. The user interface of the web

application is shown in figure 1.

The user interface must be easy to use with control

elements that are suitable for multiple devices (i.e.,

smartphone, tablet, notebook, and desktop). A

mobile-first approach was chosen for the

development of the prototype, desktop usability (e.g.

text width) was adjusted after the initial design. To

adjust the look – mainly increasing the size of the

different elements – for notebook and desktop

screens, CSS media queries are used. The colour

scheme is derived from the style guide of the

GEIGER project, yet slightly adjusted to match the

overall look of the web application. The content is

placed in white boxes to achieve a solid visual

structure, while the background of the web

application is dark. The colour blue is mainly used to

highlight user interactions (e.g., click on a checkbox

or click on a dropdown item).

The web application consists of three different

pages (i.e., landing page, assessment, and result). The

landing page welcomes the user, delivers basic

information, and provides a button to start the

assessment. The assessment can be conducted on the

second page. The assessment page starts with a

header before each question is displayed. Every

question is placed in its own section to improve the

structure of the page. There are four answer options

for each question (i.e., ‘Yes’, ‘No’, ‘In Part’,

‘Unknown’), which restricts the application in its

existing form to closed questions for the assessment.

As the target group of the web application is

expected to have little or no prior knowledge about

data protection and GDPR, the provision of additional

information is crucial to deliver a value-adding web

application. This is achieved through a dropdown

element, which expands on click to display additional

information. The dropdown offers three different

sections (i.e., more information, case example, GDPR

article), which can be filled with content matching

each question. The questions are created dynamically,

depending on the number of questions the

administrator wants to use for the assessment.

Therefore, it is important that they are structured in a

uniform way. Once all the questions are answered by

the user, the assessment can be evaluated by a click

on the ‘Evaluate’-button at the bottom of the page. If

a question is left unanswered, an alert informs the

user that the questions are not yet ready for

evaluation. The unanswered questions are

highlighted, and the user can complete the

assessment.

Figure 1: Screenshot of the final page of the app.

As soon as the assessment is completed correctly

(i.e., one answer per question), the user will be

redirected to the final page, which displays the

achieved result. The first section displays the overall

rating. The second section displays a graphic, which

shows the need for action of the user according to the

given answers with three possible states (i.e., little

need for action, moderate need for action, strong need

for action), followed by a small text and an

explanation of the different zones of the graphic.

Depending on the answers, the user should be

provided with aspects to improve on and feasible

quick actions. To achieve a consistent look-and-feel

throughout the web application, the same dropdown

components as for the additional information in the

question section have been used. Each dropdown

contains a text and a link, which can be adjusted by

the administrator of the web application. An

appealing user interface is only the basis for a

pleasant user experience (Smith, 2017). The value of

the web application for its target group strongly

depends on the content. Nevertheless, the developed

user interface of the web application is providing the

administrator with a lot of options to place content in

a convenient way.

Adaptable GDPR Assessment Tool for Micro and Small Enterprises

305

The interface components were selected in a

certain amount of alignment with the ICO-tool

approach. Specifically, the concept of providing

simple ‘Yes’/’No’ and ‘In Part’-answers allowed for

a faster but complete run-through of the tool while

providing additional information as needed through

expandable fields with descriptions and examples.

Learning from the ICO self-assessment, no pre-

selection of an answer was made, enforcing an active

interaction with each question before the user can

proceed to the results page.

3.3 Development Process

The first step of the development process was the

selection of fundamental technologies, i.e.,

programming languages and environments. With a

smartphone-oriented perspective but universal

executability in mind, a web-based approach was

suitable. The subsequent development process was

conducted in three phases.

3.3.1 Applied Technologies

For the development of the web application, a set of

technologies was chosen. Basic programming

languages were in part extended with libraries,

predefined collections of programming functions that

reduce work effort for programmers. The content

structure of the app was developed in HTML. The

user interface design that styles HTML documents

was added with the default language CSS, under the

inclusion of two libraries: Bootstrap and MDB.

Functionality was implemented in JavaScript,

extended with the jQuery library. All libraries are

included with the tool to avoid third-party tracking.

Content data is stored in the JSON format which can

be edited without programming knowledge. These

well-established technologies allow compatibility

with most common end-user systems by means of a

web browser. Furthermore, all data processing is done

in the browser, thus keeping all data entered into the

app confidentially stored on the end-user device.

During the development phase, emphasis was

placed on allowing subsequent enhancement and

modification by research staff not belonging to the

original project group. To facilitate modification and

development of the application, its components were

documented in detail. For content editors, the data

structure was programmed in a way to allow

modifications without programming knowledge.

https://community.cyber-geiger.eu/games/GDPRcheck/

3.3.2 Development Process

In the development phase, for the questionnaire

design, a set of four possible answers on any question

was predefined (‘Yes’, ‘No’, ‘In Part’, ‘Unkown’).

These options were chosen to give users a fast way of

providing answers, as opposed to the verbose

approach of the BayLDA tool. A first set of questions

was derived from the ICO assessment tool for testing.

Short feedback from an expert interview was included

in form of two additional fields for each question.

Two methods for determining the self-assessment

score were developed. They can be chosen as an

option by the maintainer providing the application by

means of a dedicated configuration file. One method

calculates a percentage of correct answers and does

not punish negative answers, resulting in a range

between 0% and 100%. In the second method,

negative answers are penalized with a point deduction

and rated with a score that can reach the negative

range. In a subsequent development cycle, non-

essential functionality was added, such as the

dynamic loading of questions from the content file to

facilitate changes on the self-assessment questions.

Most importantly, the interface was adapted to be

displayed in a well-readable manner on wide screens,

which were initially neglected in the mobile-first

approach. While on phones, paragraphs were

wrapped due to a narrow screen, this behaviour had

to be enforced on wide screens that would otherwise

show very long text lines and empty space, giving the

app an unfinished look. The final tool is available

through a website operated by the GEIGER project

4 EVALUATION

4.1 Technical Evaluation

Functionality and the user interface of the prototype

were continuously tested during the development

process using Google Chrome (V 91.0.4472.124). At

the end, the web application was tested on other

browsers: Microsoft Edge (V 91.0.864.67) and

Mozilla Firefox (V 90.0). Mobile screens were

simulated with Chrome developer tools were used to

test the user interface on different screens of mobile

devices. At the time of the technical evaluation phase,

no issues became apparent.

ICEIS 2022 - 24th International Conference on Enterprise Information Systems

306

4.2 Field Test

Field tests are necessary to gain data about the

acceptance of a prototype. A qualitative approach

with selected test subjects was chosen and five

questions were tested to lay focus on the user

interaction. The assessment questions were

formulated in a more colloquial style. The following

questions were selected for field testing:

1. Do you treat personal data as a good that you

borrowed rather than a good that you own?

2. Do your processing activities which involve

personal data have a basis on GDPR?

3. Are you transparent towards your data

subjects about processing activities which

include their personal data?

4. Do you delete personal data at the end of the

processing activity for which the data has been

used?

5. Do you have processes in place which ensure

that personal data is stored securely, both hard

copies and digital data?

The field tests with the application were

conducted in physical presence. The participants gave

feedback while conducting the test and were able to

ask questions if something was unclear. An online

survey was set up for anonymized feedback. After the

field tests were conducted, a qualitative analysis to

figure out the key findings of the test ensued.

To achieve valuable and accurate results, it was

paramount to find test subjects that own or are

planning to own a MSE and have little or no prior

knowledge about data protection. In table 1, the

background of the test subjects is outlined. To

maintain privacy, no personal data about the test

subjects is displayed. The age span of the test subjects

was between 23 and 62 years, with three females and

seven males as part of the test group.

Table 1: Background of the test subjects.

Background Data Protection

Knowled

GDPR

Knowled

ME (

akery) Yes No

SE (

octor) Yes No

(

ardenin

Yes No

(

3D-

rintin

Yes No

(

finance service

)

Yes No

ME (shoe store) Yes No

ME (

estaurant) Yes No

SE (construction) Yes No

(

hairdresser

)

No n.a.*

(

clothin

store

)

Yes No

ME = micro enterprise, SE = small enterprise

* Swiss organisation, exclusively operating in Switzerland

The feedback for the web application was

predominantly positive. Most test subjects were

impressed by the web application and enjoyed the

user experience. The result page received a lot of

attention, especially the visualisation of the need for

action and the quick actions. Minor adjustments in

font size and page margins. Nine out of ten test

subjects would like to use the web application to

assess the data protection maturity of their enterprise.

Some practical insights also pointed out

weaknesses. Even though most test subjects have

responded that they could answer the questions, they

needed support to get started using the tool. The

language choice contributed to a lack of clarity of the

questions; the field tests revealed that English skills

cannot be expected from every user in the German-

speaking test region. An introduction for the topic of

data protection and GDPR would be also helpful to

prepare the users for the questions.

5 CONCLUSION AND OUTLOOK

This research resulted in a functional prototype for a

self-assessment tool to check the data protection

maturity of an MSE. In addition to the development

of a prototypical web application, we could provide a

concise presentation of the challenges of GDPR

compliance for MSEs. The developed and evaluated

artifact advances the state-of-the-art and is a value

proposition for MSEs in Europe for the following

reasons. The MSE GDPR Self-Assessment is a

customizable platform that supports easy adaptation

of contents and translation. It is flexible to be used in

diverse contexts. The solution follows a privacy-by-

design approach. Regarding the organization of

content, it fosters both, an easy and actionable tool,

building upon and putting forward the strengths of the

existing GDPR assessment tools. In the final product,

the questions are foreseen to be light and short, based

on predefined standardized answers. Over-

simplification is avoided by offering dedicated

sections for information, examples, and links to

selective information. Further, the assessment results

are not limited to a number or percentage but

visualized in form of a traffic light and actionable

recommendations are provided.

A follow-up project could span the period from a

prototype to publishing the final application. Two

areas will be researched in future: First, the web

application will be enhanced to further improve ease-

of-use (work on partly achieved requirements and

results from the evaluation phase). Although our

study has helped to create an artifact that balances

Adaptable GDPR Assessment Tool for Micro and Small Enterprises

307

simplicity and informative value, continued efforts

are needed to improve the comprehensibility of the

self-assessment questions. Second, we strive to

conduct further research on the adaptability of the

tool content; the unique potential of our prototype lies

in the adaptability of the assessment questions. Since

the target group of MSEs is broad, a self-assessment

is relevant only if it can be tailored to the particular

business situation. With our open-source solution and

the possibility to modify the content with

straightforward structured JSON files, we have laid a

foundation. Further research is needed to extend and

evaluate this adaptability. Once the web application

will be publicly accessible, a quantitative evaluation

could enhance the qualitative one conducted.

ACKNOWLEDGEMENTS

This work was made possible with funding from the

European Union’s Horizon 2020 research and

innovation programme, under grant agreement No.

883588 (GEIGER). The opinions expressed and

arguments employed herein do not necessarily reflect

the official views of the funding body

REFERENCES

BayLDA. (n.d.). Road to GDPR - Self assessment.

Retrieved from www.lda.bayern.de/tool/start.html#

economiesuisse (n.d.). Datenschutz "Online Check".

Retrieved from www.economiesuisse.ch/de/daten

schutz-online-check

EDÖB (2020). Tipps zur DSGVO. Retrieved from

www.edoeb.admin.ch/edoeb/de/home/aktuell/rgpd-

last-minute.html

ENISA (2021). ENISA threat landscape 2021. Retrieved

from www.enisa.europa.eu/publications/enisa-threat-

landscape-2021

European Commission (2020a). Data protection as a pillar

of citizens’ empowerment and the EU’s approach to the

digital transition - two years of application of the

General Data Protection Regulation. Retrieved from

https://eur-lex.europa.eu/legal-

content/EN/ALL/?uri=COM:2020:264:FIN

European Commission (2020b). Unleashing the full

potential of European SMEs. Factsheet. Retrieved from

https://ec.europa.eu/commission/presscorner/detail/en/

fs_20_426

Davies, H. (2015). Ted Cruz Using Firm That Harvested

Data on Millions of Unwitting Facebook Users. The

Guardian, 11 December 2015. Retrieved from

www.theguardian.com/us-news/2015/dec/11/senator-

ted-cruz-president-campaign-facebook-user-data

GDPR.EU (2019). GDPR Small Business Survey (Issue

May). Retrieved from https://gdpr.eu/2019-small-

business-survey/

Hevner, A. R., March, S. T., Park, J., & Ram, S. (2004).

Design science in information systems research. MIS

Quarterly: Management Information Systems, 28(1),

75–105. https://doi.org/10.2307/25148625

ICO (n.d.). How well do you comply with data protection

law: an assessment for small business owners and sole

traders. Retrieved from https://ico.org.uk/for-

organisations/sme-web-hub/checklists/assessment-for-

small-business-owners-and-sole-traders/

ISO (2018). Ergonomics of human-system interaction - Part

11: Usability: Definitions and Concepts. ISO 9241-

11:2018(En). www.iso.org/obp/ui/#iso:std:iso:9241:-

11:ed-2:v1:en

Matzler, K., Bailom, F., Sauerwein, E., & Hinterhuber, H.

H. (1996). How to delight your customers. Journal of

Product & Brand Management, 5(2), 6–18.

https://doi.org/10.1108/10610429610119469

Remmele, B., & Peichl, J. (2021, August). Structuring a

Cybersecurity Curriculum for Non-IT Employees of

Micro-and Small Enterprises. In The 16th International

Conference on Availability, Reliability and Security

(pp. 1-7).

Schweizerischer KMU Verband. (2020). KMU Report

2020. Retrieved from www.kmuverband.ch/kmu

report2020.html

Smith, A. (2017). What is User Experience? What Makes a

Good UX Design? https://blog.prototypr.io/what-is-

user-experience-what-makes-a-good-ux-design-b404b

b933bd0

Slade-Silovic, O. (2018). 5 Reasons Why Video Content

Works Better Than Text. Covideo. Retrieved from

https://www.covideo.com/why-video-content-works-

better-than-text/

Tikkinen-Piri, C., Rohunen, A., & Markkula, J. (2018). EU

General Data Protection Regulation: Changes and

implications for personal data collecting companies.

Computer Law & Security Review, 34(1), 134-153.

Voigt, P., & Von dem Bussche, A. (2017). The EU General

Data Protection Regulation (GDPR). A Practical Guide,

1st Ed., Cham: Springer International Publishing, 10,

3152676.

ICEIS 2022 - 24th International Conference on Enterprise Information Systems

308