Abstract
This study synthesises empirical evidence on the challenges faced by business organisations in complying with personal data protection and privacy laws and the strategies adopted to overcome them. It addresses a key gap by consolidating understanding of compliance barriers and organisational responses across sectors. Although the review aimed for global coverage, most studies originated from Europe and North America, with limited evidence from Africa, Latin America, and Asia. The findings, therefore, represent available empirical evidence rather than a fully global review. A systematic review was conducted following the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA 2020) framework and the SPIDER tool. Peer-reviewed empirical studies published in English between 2015 and June 2025 were retrieved from Scopus, IEEE Xplore, ACM Digital Library, and Google Scholar. Two reviewers independently screened all records, and the quality was appraised using the Joanna Briggs Institute (JBI) Critical Appraisal Skills Programme (CASP) and Mixed Methods Appraisal Tool (MMAT). Data were synthesised through thematic analysis and descriptive mapping. A total of 17 studies met the inclusion criteria. The results show that compliance challenges in business organisations are multidimensional and interrelated, clustering into three main domains: organisational capacity and culture constraints, techno-regulatory and implementation complexity, and governance, accountability, and data-handling challenges. Key barriers include limited awareness and training, resource constraints, difficulties in integrating compliance into software development, regulatory ambiguity, technological opacity, consent management complexities, weak data governance, and third-party and cross-border data issues. In response, organisations adopt complementary strategies that cluster into preventive design and technical safeguards, risk governance and organisational strengthening, and standardisation and documentation practices. Common mechanisms include privacy-by-design, encryption and access control, risk and incident management, staff training and awareness initiatives, the establishment of data protection officers, and the use of standardised policies and compliance templates. This review offers one of the first empirical syntheses of organisational-level data protection compliance. It moves beyond normative analyses to highlight practical barriers and adaptive strategies while revealing the need for more evidence from underrepresented regions.
Plain Language Summary
As businesses rely more on digital tools and technologies, they collect and use more personal data. To protect people’s privacy, governments have introduced laws that require companies to manage personal data responsibly. But many businesses find it difficult to follow these laws in practice. This study looked at research from different countries to understand the problems businesses face when trying to comply with data protection rules and how they are trying to solve them. We reviewed 17 studies published between 2015 and 2025. These studies covered companies of different sizes and sectors, including healthcare, finance, and technology. The findings show that businesses often struggle with unclear rules, lack of staff training, high costs, and complicated technical systems. Small companies in particular face major challenges due to limited budgets and a shortage of experts who understand data protection laws. Some companies also find it hard to work with new technologies like artificial intelligence (AI) and systems that involve sharing data across borders. These tools can make it more difficult to explain how data is used or to follow different laws in different countries. To overcome these challenges, many organizations are training staff, hiring data protection officers, using ready-made templates for compliance, and building privacy protections into their systems from the start. These steps can help companies better manage personal data and follow the law. This review shows that while progress is being made, there are still gaps, especially in parts of the world where data protection laws are new or still developing. More support, clearer guidance, and further research are needed to help businesses, especially small ones, keep personal data safe and stay within the law.
Introduction
In an era where digital transformation and technological advancements are reshaping the global economy, personal data has become one of the most valuable assets for business organisations. The widespread use of digital platforms, cloud services, big data analytics, Internet of Things (IoTs), and artificial intelligence (AI) has led to an exponential increase in the collection, storage, and processing of personal data. As data volumes grow and digital ecosystems expand, concerns over personal data protection and privacy have become increasingly urgent (Aridor et al., 2023). Consequently, personal data protection and privacy are now central components of ethical, legal, and operational considerations within modern businesses.
Over the past two decades, governments worldwide have enacted data protection and privacy legislation aimed at safeguarding individual rights and enforcing organisational accountability (Lim & Oh, 2025). For instance, the European Union’s General Data Protection Regulation (GDPR) 2018 set a global benchmark, influencing legislative developments in several regions, including Asia, the Americas, and Africa (Corning, 2024; Farhad, 2024). Notably, in the United States, the California Consumer Privacy Act (CCPA) has established robust rights around data access and deletion for consumers. Similarly, Brazil’s Lei Geral de Proteção de Dados (LGPD) represents a comprehensive regulatory approach in Latin America. Other countries, including India, South Korea, and Japan, have also introduced or revised data protection laws to strengthen user rights and ensure compliance with cross-border data flows.
This global momentum has been mirrored across Africa, where data protection has increasingly gained prominence on both national and regional policy agendas. While the African Union Convention on Cyber Security and Personal Data Protection provides a continental framework (Malabo Convention), its ratification and implementation remain uneven (Chichaibelu et al., 2023). Nevertheless, several African countries have made significant strides in establishing national-level personal data protection legislation and regimes that reflect both global best practices and local governance needs. For example, Nigeria made significant progress in 2019 by enacting the Nigeria Data Protection Regulation, a key step toward formalising data governance and aligning with international standards (Chichaibelu et al., 2023). That same year, Kenya passed its Data Protection Act, while Uganda adopted the Data Protection and Privacy Act, demonstrating a regional shift toward comprehensive legal frameworks for personal data protection (Shao et al., 2024). Tanzania followed in 2022 with the enactment of its Personal Data Protection Act, further underscoring the growing recognition of data governance as a foundational element of the national digital economy (Mwogosi & Simba, 2025). In South Africa, similar legislative efforts emerged around the same period, notably with the adoption of data protection laws in 2021 (Brand et al., 2023).
Despite these legislative advancements, many business organisations, which serve as the primary implementers of these data protection laws, continue to face significant challenges in translating regulatory provisions into actionable and sustainable compliance measures (Blind et al., 2024; Prastyanti & Sharma, 2024). Legislations often provide broad principles and requirements, but organisations must operationalise these within complex and dynamic business environments. Issues such as limited institutional capacity, evolving technology, lack of skilled personnel, and inconsistent interpretations of legal requirements frequently hinder effective implementation (Cate, 2025; El-Gazzar & Stendal, 2020; Smirnova & Travieso-Morales, 2025). These barriers are further compounded in regions where data protection is still an emerging field, leading to variability in compliance practices and enforcement.
While existing research has shed light on specific issues, individual studies have explored organisational readiness or sector-specific efforts, and there is a noticeable lack of a comprehensive synthesis that focuses explicitly on the global challenges business organisations face in complying with personal data protection and privacy laws (Smirnova & Travieso-Morales, 2025; Zaguir et al., 2024). Much of the existing literature is fragmented across legal, technical, and policy domains or is primarily normative, offering limited insight into how compliance is experienced in practice (Granata et al., 2024; Klymenko et al., 2023). Empirical studies that document the operational, financial, and institutional difficulties businesses encounter are often isolated or context-specific. As a result, there is limited consolidated guidance to help organisations, particularly those operating in diverse regulatory environments, navigate the practical complexities of compliance and respond effectively to evolving legal obligations.
To address this critical knowledge gap, this study consolidates global evidence on the challenges faced by business organisations when implementing personal data protection and privacy requirements. Furthermore, the study aims to uncover and analyse the strategies these organisations adopt to overcome compliance challenges. The study draws specifically on empirical research that examines organisational-level barriers, operational constraints, and structural limitations that hinder effective compliance, as well as the strategies employed to address these challenges.
This review is grounded in an integrated theoretical perspective that draws on socio-technical systems (STS) theory, the Technology–Organisation–Environment (TOE) framework, and institutional theory to interpret organisational compliance with personal data protection and privacy laws. STS theory highlights the interdependence between technological infrastructures and organisational social structures, recognising that effective data protection compliance requires the alignment of technical controls, organisational processes, and human practices. The TOE framework further provides a structured basis for examining how organisational readiness, technological capability, and external regulatory environments collectively shape compliance behaviour within business organisations. Complementing these perspectives, institutional theory explains how coercive regulatory pressures, normative expectations, and mimetic responses influence the adoption and institutionalisation of data protection practices. Taken together, these theoretical lenses offer a coherent foundation for understanding data protection compliance as a socio-technical and institutional process shaped by the interaction of organisational capacities, technological systems, and regulatory contexts.
The following research questions guided the study:
What challenges have been reported by business organisations globally in their efforts to comply with personal data protection and privacy laws?
What strategies do business organisations use to address the challenges they encounter when implementing personal data protection and privacy compliance measures?
Although this review employed a global search strategy, the included studies were predominantly from developed economies, particularly Europe and North America. This imbalance reflects both the maturity of privacy legislation in these regions and the limited availability of peer-reviewed empirical research from developing countries. Consequently, the scope of this synthesis should be understood as mapping the available global evidence rather than providing exhaustive geographical representation.
The remainder of the paper is organised as follows: Section 2 outlines the review methods, including the eligibility criteria, search strategy, and data extraction approach. Section 3 presents the synthesis results, highlighting key organisational challenges reported across the included studies. Section 4 presents a critical discussion of the findings, their implications, the study's limitations, and directions for future research. Finally, Section 5 concludes the study.
Methods
Design and Protocol Registration
This systematic review followed the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) 2020 guidelines (Page et al., 2021). The SPIDER tool (Sample, Phenomenon of Interest, Design, Evaluation, Research Type) was used to frame the review question and guide inclusion criteria. SPIDER is particularly suited for synthesising evidence from qualitative and mixed-methods studies, which aligns with this study’s aim to explore complex organisational challenges beyond what purely quantitative metrics can capture (Cooke et al., 2012).
This review was not prospectively registered in a systematic review registry such as PROSPERO. The decision not to register was primarily due to the exploratory nature of the topic and the absence of a dedicated registry category for organisational and regulatory compliance reviews at the time the study commenced. Nonetheless, the full methodological protocol was documented internally and followed rigorously throughout the review process to ensure transparency and consistency. Retrospective registration is planned to enhance traceability, transparency, and comparability in future updates. Table 1 shows how the SPIDER elements guided the search strategy, selection criteria, and data extraction.
Operationalisation of Inclusion and Exclusion Criteria.
Source. Authors’ work adapted from Cooke et al. (2012).
Eligibility Criteria
To ensure methodological rigour and relevance, this review included studies that met the following criteria: (i) examined challenges experienced by business organisations in complying with personal data protection or privacy legislation; (ii) were published in English between January 2015 and June 2025; and (iii) presented empirical findings derived from qualitative, quantitative, or mixed-methods research. Studies that did not meet the inclusion criteria were excluded from the analysis. A detailed summary of the inclusion and exclusion criteria, based on the SPIDER elements, is provided in Table 2.
Inclusion and Exclusion Criteria for Study Selection Based on SPIDER Framework.
Source. Authors’ formulation.
Information Sources
A comprehensive literature search was conducted across four major academic databases: Scopus, IEEE Xplore, ACM Digital Library, and Google Scholar. These sources were selected to ensure broad coverage of multidisciplinary and technical literature relevant to data protection compliance. However, despite the omission of certain databases such as Web of Science, ProQuest, and ABI/INFORM, which are core sources for business and management research, specific measures were taken to minimise the risk of selection bias. These included using multidisciplinary databases (Scopus, IEEE Xplore, ACM Digital Library, and Google Scholar), as well as manually screening the reference lists of included studies to capture any potentially overlooked publications. Nevertheless, the omission of the above databases is recognised as a methodological limitation. In future iterations of this review, complementary databases such as Web of Science, ProQuest, and ABI/INFORM will be incorporated to strengthen coverage and ensure broader representation of business and organisational literature.
Search Strategy
The search strategy was developed using a combination of controlled vocabulary (such as database-specific subject headings) and free-text terms, guided by the SPIDER framework to ensure conceptual alignment with the review objectives. The strategy aimed to comprehensively identify empirical studies reporting on the challenges that business organisations face in complying with global personal data protection and privacy regulations.
Boolean operators (AND, OR), truncation symbols (example *), and phrase searching techniques were applied to enhance the precision and recall of search results across databases. A summary of the key search strings and results for each database is provided in Table 3.
Summary of Search Strings and Results Across Databases.
Source. Authors’ work.
Selection Process
All records retrieved from the database searches were exported into Mendeley reference management software. Duplicate entries were first removed automatically and then manually verified to ensure data accuracy and integrity. The screening process proceeded in two main stages. First, titles and abstracts of all unique records were independently screened by two reviewers to assess their relevance based on the pre-defined eligibility criteria. Studies that clearly did not meet the inclusion criteria, such as those focusing on individuals instead of organisations or those unrelated to personal data protection, were excluded at this stage.
Second, the full texts of potentially eligible studies were retrieved and thoroughly reviewed. At this stage, any remaining uncertainties regarding a study’s inclusion were carefully evaluated against the SPIDER-based inclusion framework. All screening and selection steps were conducted independently by two reviewers.
During the screening process, any discrepancies between the two reviewers regarding study eligibility were first discussed to reach a mutual agreement. If consensus could not be achieved after discussion, the issue was referred to a third reviewer who acted as an independent arbiter. All decisions and justifications were recorded systematically, and the full selection process was documented using a PRISMA flow diagram.
Data Collection Process
A structured and piloted data extraction form was used to systematically collect relevant information from each included study. The form was designed to ensure a consistent and comprehensive approach to data capture, aligning closely with the review objectives and the SPIDER framework. The extracted information included the title of the study, the names of the authors, and the year of publication, along with the country or countries covered, the type of publication, and general study characteristics. Additional elements included the study's aim or purpose, study design or methodology, sector or industry focus, and organisational type. The reviewers also documented the sample description, data collection methods employed, and key findings reported.
Furthermore, particular attention was paid to identifying and summarising reported challenges, evaluating barriers to compliance, factors influencing compliance outcomes, and any strategies described by organisations to address these challenges. Data extraction was performed independently by two reviewers to enhance reliability. Any discrepancies or disagreements during the extraction process were resolved through discussion, and a third reviewer was consulted when necessary.
Risk of Bias Assessment
To ensure methodological quality and reduce the risk of bias in the synthesis process, all included studies were critically appraised using established tools appropriate to their design. Quantitative studies were assessed using the Joanna Briggs Institute (JBI) critical appraisal checklists, which evaluate key aspects such as study validity, reliability, and relevance (Barker et al., 2023). Qualitative studies were appraised using the Critical Appraisal Skills Programme (CASP) tool, which focuses on research rigour, credibility, and relevance (Humayoun et al., 2024). For mixed-methods studies, the Mixed Methods Appraisal Tool (MMAT) was employed, allowing for integrated assessment across qualitative and quantitative components (Hong et al., 2018). All appraisals were conducted independently by two reviewers. Any discrepancies in judgment were resolved through discussion, and if necessary, a third reviewer was consulted to reach a consensus.
Data Synthesis
Data synthesis was conducted on the final set of seventeen empirical studies that met all predefined eligibility, screening, and quality appraisal criteria, using a two-stage approach that integrated descriptive mapping and inductive thematic analysis within a narrative synthesis framework. This strategy was selected because of heterogeneity in study designs and the limited comparability of quantitative data across the included studies.
The first stage involved a comprehensive descriptive mapping of the included studies to contextualise the evidence base. Key characteristics of each study were systematically extracted, including year of publication, geographic focus, organisational type and sector, study design, and data collection methods. This mapping provided a foundational overview of the diversity, scope, and methodological profiles of the studies, enabling a better understanding of the contexts within which compliance challenges were reported.
In the second stage, an inductive thematic analysis was undertaken to identify and interpret the challenges faced by business organisations in complying with personal data protection and privacy legislation. This process began with line-by-line open coding of the extracted textual data. Codes were developed inductively and captured both explicit findings and underlying meanings related to compliance barriers.
The generated codes were then reviewed and clustered into higher-order conceptual categories based on their semantic similarity, frequency of occurrence, and analytical relevance. Through iterative analysis and constant comparison, these categories were refined into core themes representing the most recurrent and significant challenges encountered by organisations.
Two reviewers independently conducted the coding and categorisation processes, ensuring methodological transparency and reducing the risk of interpretive bias. Any discrepancies in theme identification were resolved through discussion, and, where necessary, consultation with a third reviewer was made.
While a limited number of studies reported quantitative results, these data varied in scope and design. As such, a formal meta-analysis was not conducted. Instead, the quantitative findings were synthesised descriptively to illustrate and reinforce key themes derived from the qualitative analysis, thereby offering additional insight into the prevalence and severity of certain challenges.
The results of the thematic analysis were presented in two complementary formats. First, a summary table was constructed, aligning each identified theme with representative codes and citing the relevant studies from which the findings were drawn. Second, a word cloud visualisation was developed to depict the frequency and prominence of key terms and concepts across the entire body of included literature. The relative size of each word in the cloud reflected its prevalence, providing an accessible overview of the dominant challenges in organisational personal data protection compliance.
Reporting Bias and Certainty Assessment
To assess the potential for reporting bias within the included studies, the Risk of Bias in Systematic Reviews (ROBIS) framework was applied. This tool facilitated a structured evaluation of bias across the review process, focusing on domains such as study identification, selection, data collection, and synthesis. Each domain was assessed for the presence of bias, and an overall judgment was made regarding the risk of bias in the body of evidence.
In parallel, the certainty of evidence for each major thematic finding emerging from the synthesis was evaluated using the GRADE-CERQual (Grading of Recommendations Assessment, Development, and Evaluation-Confidence in the Evidence from Reviews of Qualitative Research) approach. This framework considers four key components: methodological limitations, coherence of findings, adequacy of data, and relevance to the review question, to judge the overall confidence in each thematic category.
Results
Study Selection
A total of 18,361 records were identified through comprehensive database searches, including Scopus (381), IEEE Xplore (32), ACM Digital Library (80), and Google Scholar (17,868). Following the automatic and manual removal of 5 duplicate records and the exclusion of 18,180 clearly ineligible entries, 176 unique records remained for screening.
Two reviewers independently screened titles and abstracts of these records. During this stage, 137 studies were excluded because they did not meet the predefined eligibility criteria, most commonly due to a lack of focus on organisational compliance challenges, irrelevance to data protection laws, or the absence of original empirical findings.
Subsequently, the full texts of 39 potentially eligible studies were retrieved and thoroughly examined. After applying the SPIDER-based inclusion criteria, 22 studies were excluded. The primary reasons for exclusion at this stage were failure to meet the empirical research requirement and a lack of focus on organisations.
Ultimately, 17 studies satisfied all inclusion criteria and were retained for the final synthesis. The detailed process of study selection is summarised in Figure 1 (PRISMA 2020 flow diagram).

PRISMA 2020 flow diagram.
Study Characteristics
The included studies were published between 2017 and 2025 and covered diverse geographic regions, including Portugal, the United States of America, Switzerland, Spain, Austria, the United Kingdom, Sweden, Algeria, Malaysia, Italy, Germany, Croatia, Canada, and Brazil. Types of organisations identified were Small and Medium-Sized Enterprises (SMEs), Non-Governmental Organisations (NGOs), and public and private organisations. In addition, a range of sectors, including Information and Communication Technology (ICT), finance, healthcare, education, manufacturing, retail, and consumer technology, were also identified. Methodological designs comprised 8 qualitative, 4 quantitative, and 5 mixed-methods studies. The most common data collection methods used in the identified studies include interviews, surveys, and panel discussions. A summary of study characteristics is provided in Table 4.
Summary of Study Characteristics.
Source. Extracted and summarised from included studies.
Notably, despite the global inclusion criteria, none of the identified studies originated from Sub-Saharan Africa or Latin America, highlighting significant research gaps and regional disparities in empirical evidence.
Risk of Bias in Studies
The risk of bias was assessed using the appropriate tools: JBI for quantitative studies, CASP for qualitative studies, and MMAT for mixed-methods studies. In general, 7 studies were rated as moderate and 10 as low based on criteria such as methodological rigour, clarity of reporting, and relevance to the review objectives.
Results of Individual Studies
The 17 studies included in this review revealed a diverse but overlapping set of challenges that business organisations face when complying with personal data protection and privacy laws. Rather than being isolated, these challenges often intersect across technical, organisational, legal, and contextual dimensions. To provide analytical clarity, the findings were grouped into several thematic domains: organisational and governance constraints, technical implementation and tooling gaps, privacy risk management and strategic alignment, human capacity and training limitations, and sectoral and context-specific variability.
A recurring theme across multiple studies was the lack of organisational preparedness and governance structures necessary to support compliance efforts. In particular, many SMEs struggled with unclear internal policies, poor documentation practices, and limited leadership engagement in personal data protection initiatives. This was evident in studies such as those by Leite et al. (2022), Brodin (2019), and Freitas and da Silva (2018), which highlighted challenges related to embedding GDPR principles in development processes, the absence of a compliance culture, and the lack of institutional support.
From a technical perspective, implementation and tooling challenges were widespread as well. Several studies, including those by Li et al. (2022), Granata et al. (2024), and El-Gazzar and Stendal (2020) noted difficulties in operationalising privacy requirements, automating compliance testing, and aligning legal mandates with the design of emerging technologies like AI, blockchain, and federated learning (FL). The technical complexity was often compounded by insufficient interoperability, weak infrastructure, and reliance on manual systems.
Another domain of concern was privacy risk management and strategic alignment. Studies by Lieftink et al. (2024), Cate (2025), and Klymenko et al. (2023) underscored the tension between innovation and compliance, particularly in high-stakes environments such as healthcare and AI. These studies revealed how uncertainty in legal interpretations, distributed responsibilities in federated systems, and the absence of standardised frameworks made it difficult for organisations to assess and manage personal data protection risks effectively.
The human capacity and training limitations domain was a prominent barrier in multiple studies, especially among SMEs and organisations in low-resource settings. Lack of staff awareness, inadequate training, and absence of dedicated roles like DPOs were frequently mentioned (Mladinić et al., 2023; Oyetunji, 2024; Smirnova & Travieso-Morales, 2025). These deficits often result in weak enforcement of compliance policies and inadequate documentation practices.
Finally, sectoral and context-specific variability shaped how challenges manifested and were addressed. For example, public institutions in Malaysia Chua et al. (2017) showed lower compliance levels compared to private entities due to poor standardisation and weak enforcement. Similarly, organisations in developing countries like Algeria (Benkaddour & Guettal, 2025) SMEs in Portugal and Croatia faced resource shortages and limited legal clarity, which significantly hampered their ability to implement compliance measures effectively. Table 5 summarises these studies.
Thematic Domains.
Source. Authors’ thematic synthesis.
Results of Syntheses
Thematic Synthesis
Thematic synthesis was conducted on the seventeen studies that satisfied all eligibility and quality assessment criteria, following a structured screening and selection process. Codes and themes were derived iteratively to ensure that only evidence directly related to organisational compliance with personal data protection and privacy laws was included in the final analytical framework. The detailed coding structure, including representative codes, corresponding themes, and source studies, is presented in Appendix A.
Challenges Reported by Business Organisations
The evidence from the included studies shows that challenges encountered by business organisations in complying with personal data protection and privacy laws are diverse but conceptually related across several thematic domains. While individual studies report specific barriers, the synthesis reveals recurring patterns linked to organisational capacity and culture, techno-regulatory and implementation complexity, and governance and data-handling practices. As presented in Table 6, these clustered themes provide a structured overview of the key issues identified in the literature, highlighting how knowledge gaps, resource constraints, regulatory ambiguity, technological integration challenges, and data governance limitations collectively influence organisational compliance efforts.
Clustered Synthesis of Challenges Faced by Business Organisations in Complying with Personal Data Protection and Privacy Laws (n = 17).
Source. Authors’ work.
The reviewed studies consistently indicate that organisational capacity limitations constitute a fundamental barrier to effective compliance with personal data protection laws. Business organisations often demonstrate significant gaps in knowledge and awareness, with low levels of privacy literacy and insufficient training hindering their ability to interpret and implement regulatory requirements (Leite et al., 2022; Li et al., 2022; Oyetunji, 2024). These gaps are closely linked to the absence of a strong compliance culture and limited institutional readiness, particularly among SMEs and resource-constrained firms. Financial and operational constraints further exacerbate these challenges, as organisations struggle to allocate adequate budgets for compliance tools, specialist personnel, audits, and continuous training (Brodin, 2019; Freitas & da Silva, 2018; Granata et al., 2024; Li et al., 2022; Mladinić et al., 2023). In addition, limited organisational preparedness and weak internal capacity, including insufficient staff training and inadequate resource allocation, reduce organisations’ ability to integrate personal data protection practices into routine operations (Poritskiy et al., 2019; Smirnova & Travieso-Morales, 2025). Collectively, these findings suggest that compliance challenges are strongly rooted in internal organisational culture, skills, and resource readiness rather than purely technical shortcomings.
Another major cluster of challenges concerns the complexity of integrating personal data protection requirements into evolving technological and regulatory environments. Several studies highlight persistent difficulties in embedding compliance into software development processes, particularly when privacy considerations are not incorporated early in the system lifecycle or when organisations rely on rigid development models such as the waterfall approach (Leite et al., 2022; Li et al., 2022). At the same time, organisations face increasing technical and regulatory complexity due to high data volumes, opaque AI systems, and the need to navigate overlapping legal frameworks across jurisdictions (Cate, 2025; El-Gazzar & Stendal, 2020; Klymenko et al., 2023; Schäfer et al., 2023; Smirnova &Travieso-Morales, 2025). The lack of clear guidelines and standardised frameworks further complicates aligning technical solutions with legal requirements, leading to uncertainty and inconsistent implementation practices (Granata et al., 2024; Klymenko et al., 2023; Lieftink et al., 2024). Moreover, the adoption of emerging technologies such as AI and federated learning introduces additional concerns related to trust, transparency, and accountability, as system opacity makes it difficult for organisations to explain automated decision-making processes and ensure lawful data handling (Lieftink et al., 2024). These interconnected technological and regulatory pressures collectively increase implementation difficulty and elevate the risk of non-compliance.
The synthesis also reveals that governance structures, accountability mechanisms, and data management practices represent critical areas of concern for organisational compliance. Consent management remains particularly complex where legal provisions are ambiguous and operational systems are not designed to handle dynamic consent requirements, resulting in difficulties in obtaining, recording, and updating valid consent across layered processing environments (Brodin, 2019; Mladinić et al., 2023; Schäfer et al., 2023). In addition, organisations frequently encounter challenges in maintaining reliable data management practices, including unclear data ownership, fragmented storage infrastructures, poor classification systems, and limited capacity to ensure data accuracy, erasure, and traceability (Julakanti et al., 2025; Lieftink et al., 2024; Poritskiy et al., 2019). Weak enforcement and compliance-monitoring mechanisms in some regulatory contexts further reduce the perceived urgency to adhere, as organisations face uncertainty about regulatory expectations and the consequences of non-compliance (Benkaddour & Guettal, 2025; Chua et al., 2017). These governance issues are compounded by the complexities of the third-party and international data processing, where subcontractors, cross-border data flows, and decentralised technological architectures create additional accountability and oversight challenges (El-Gazzar & Stendal, 2020; Poritskiy et al., 2019). Generally, limitations in governance clarity, accountability structures, and data-handling systems significantly constrain the consistent and effective implementation of personal data protection compliance within business organisations.
Strategies Business Organisations Use to Address the Challenges
The strategies identified across the included studies reflect a set of complementary organisational, technical, and governance-oriented responses adopted to address the multifaceted challenges of personal data protection compliance. As summarised in Table 7, these strategies are not implemented in isolation but tend to align with the nature of the barriers organisations face, particularly regarding capacity limitations, technological risks, and governance requirements. The synthesis indicates that business organisations commonly rely on preventive technical safeguards, risk governance and organisational strengthening measures, and standardisation and documentation practices to enhance their compliance capabilities and ensure more consistent adherence to personal data protection and privacy regulations.
Clustered Synthesis of Strategies Adopted by Business Organisations to Address Compliance Challenges.
Source. Authors’ work.
The reviewed studies show that many business organisations adopt preventive and technically oriented measures to strengthen compliance with personal data protection and privacy laws. A key approach is the application of privacy-by-design and privacy principles, in which data protection requirements are embedded into system architecture and development lifecycles from the early stages (Cate, 2025; Leite et al., 2022; Schäfer et al., 2023). By integrating privacy considerations such as data minimisation, purpose limitation, and consent mechanisms into technical workflows, organisations are better able to align operational processes with regulatory expectations. In addition, encryption and access control mechanisms are widely implemented to secure personal data during storage and processing, including role-based access controls, authentication systems, and encryption protocols, to prevent unauthorised access and enhance data confidentiality (Benkaddour & Guettal, 2025; Cate, 2025). These technical safeguards function as proactive compliance tools that reduce exposure to breaches while supporting accountability and audit readiness within organisational data protection practices.
Another major cluster of strategies focuses on strengthening organisational resilience through structured risk management and internal capacity development. Risk and incident management practices, including formal risk assessments, vulnerability evaluations, and incident response protocols, are increasingly adopted to identify compliance risks and ensure timely mitigation in the event of breaches or policy failures (Cate, 2025; Julakanti et al., 2025). Alongside this, organisations invest in training and awareness initiatives aimed at improving staff understanding of legal obligations and responsible data-handling practices (Brodin, 2019; Chua et al., 2017; Oyetunji, 2024; Poritskiy et al., 2019; Smirnova & Travieso-Morales, 2025). Such initiatives include targeted training for developers, employee awareness programmes, and public education efforts to enhance transparency and trust. Furthermore, the establishment of Data Protection Officers (DPOs) and formal governance structures has been identified as a critical organisational response, as these roles provide oversight, consistent interpretation of regulatory requirements, and coordination of compliance activities across departments (Julakanti et al., 2025; Poritskiy et al., 2019; Schäfer et al., 2023; Smirnova & Travieso-Morales, 2025). Collectively, these measures strengthen internal governance and enhance organisational readiness to manage complex data protection obligations.
The synthesis also indicates that organisations increasingly rely on standardisation and structured documentation to improve clarity and consistency in compliance implementation. The development and use of standardised policies, privacy notices, and regulatory templates, such as Data Protection Impact Assessments (DPIAs), help streamline compliance processes and ensure alignment with legal and industry standards (Brodin, 2019; Cate, 2025; Chua et al., 2017; Julakanti et al., 2025). These structured policy frameworks provide organisations with clear reference points for interpreting regulatory requirements and reducing ambiguity in operational decision-making. By institutionalising standardised documentation and policy development processes, organisations enhance transparency, facilitate monitoring and auditing, and promote more consistent application of personal data protection principles across organisational units and regulatory contexts.
Quantitative Summary
Among the 17 studies included in the review, four employed primarily quantitative approaches, and five employed mixed-methods approaches with a quantitative component, enabling numerical assessment of compliance practices, challenges, and organisational behaviours.
For example, Poritskiy et al. (2019) conducted a survey of 286 ICT organisations in Portugal, revealing that audits, technical complexity, and managing subcontractors were among the most significant barriers to GDPR implementation. Similarly, Mladinić et al. (2023) reported that only 37.68% of SMEs in Croatia felt adequately informed about GDPR, with limited use of key compliance tools such as DPIA and breach reporting mechanisms.
Oyetunji (2024) carried out a cross-sectoral survey that identified a strong positive correlation between awareness and compliance performance, highlighting the impact of training and budgeting. In another study, Chua et al. (2017) assessed 168 privacy policies across sectors in Malaysia and found that compliance levels were generally low, especially in government-owned organisations, due to poor standardisation and a lack of enforcement mechanisms.
Across these quantitative findings, consistent trends emerged: resource limitations, low awareness, and organisational readiness were key predictors of non-compliance. Moreover, sectoral differences (for example, public vs. private, tech vs. healthcare) were evident in how organisations approached and prioritised privacy compliance. To facilitate comparison among the quantitative and mixed-methods studies, a brief cross-study summary is presented in Table 8.
Comparative Summary of Quantitative or Mixed-methods Results.
Source. Authors’ work.
Because the quantitative studies included in the review differed widely in design, outcome measures, and analytical focus, statistical aggregation through meta-analysis was neither appropriate nor methodologically valid. The narrative synthesis approach was therefore adopted to ensure interpretive consistency across diverse study types.
Heterogeneity and Subgroup Analyses
Subgroup analysis across the included studies revealed clear patterns of heterogeneity in the types of challenges experienced by organisations, influenced primarily by size, regional context, and sectoral affiliation.
Studies focusing on SMEs, particularly in resource-constrained settings, consistently reported limited financial and human capacity, inadequate training, and low levels of data protection laws awareness as dominant barriers to compliance (Freitas & da Silva, 2018; Li et al., 2022; Mladinić et al., 2023). These constraints were particularly acute in non-ICT SMEs and those operating in developing or transitional economies, where the absence of formal procedures and guidance hindered compliance efforts.
In contrast, studies involving larger enterprises or organisations in developed economies highlighted regulatory complexity, conflicts between legal and technical frameworks, and cross-jurisdictional compliance demands as key concerns (Cate, 2025; Klymenko et al., 2023; Lieftink et al., 2024). These organisations were more likely to encounter challenges related to the interpretation of overlapping international standards, aligning innovation with compliance, and the burden of implementing advanced, privacy-preserving technologies across distributed systems.
Sensitivity Analyses
To assess the robustness of the thematic findings, sensitivity analyses were conducted by systematically excluding studies rated low quality during the risk-of-bias assessment. This process aimed to determine whether excluding lower-quality evidence would significantly impact the thematic categories and their interpretation. The results of the sensitivity analysis demonstrated that the core themes, such as organisational capacity gaps, regulatory complexity, and organisational constraints, remained consistent in both their presence and explanatory depth. This stability suggests that studies of lower methodological rigour do not unduly influence the synthesised findings, thereby reinforcing the credibility and reliability of the overall analysis. Including two preprints in the dataset did not significantly alter the thematic structure or direction of the quantitative indicators.
Reporting Biases
Potential reporting bias was evaluated using the ROBIS framework, which allowed for a structured assessment across key domains, including study identification, selection, data collection, and synthesis. The overall risk of bias due to selective reporting or omission of critical findings was judged to be low to moderate across the included studies. While some variability in the depth of reporting was noted, particularly in older or regionally focused studies, no consistent patterns of systematic underreporting or outcome suppression were detected. These findings suggest that the body of evidence used in this review provides a generally reliable and transparent account of organisational challenges and compliance practices.
Certainty of Evidence
The certainty of evidence underpinning each major thematic finding was assessed using the GRADE-CERQual approach. This evaluation considered four core domains: methodological limitations, coherence of findings, adequacy of data, and relevance to the review question. Most thematic categories, such as organisational capacity gaps, regulatory complexity, and data management challenges, were judged to have moderate to high confidence, supported by consistent findings across multiple studies, rich and detailed data, and methodologically sound designs.
However, the level of confidence in themes emerging from underrepresented sectors, particularly those involving emerging technologies or region-specific regulatory contexts, was downgraded to low to moderate. This adjustment was primarily due to the limited adequacy of the data and its contextual relevance, reflecting gaps in sector-specific evidence rather than inconsistencies in the findings themselves.
Discussion
This section interprets the main findings of the review in light of the research objectives and theoretical perspectives, highlighting their analytical significance, interconnections, and implications for organisational practice and policy.
Interpretation of Findings
This review synthesises empirical evidence on the challenges faced by business organisations in complying with personal data protection and privacy laws, as well as the strategies adopted to overcome them. Viewed through the lenses of socio-technical systems (STS) theory, the Technology–Organisation–Environment (TOE) framework, and institutional theory, the findings reveal that data protection compliance is a dynamic, multi-layered process shaped by interactions between technological infrastructures, organisational capacities, and regulatory environments.
While earlier reviews have identified comparable operational and regulatory barriers, the present synthesis advances the field by moving beyond descriptive accounts. It systematically connects these challenges to socio-technical misalignments and institutional pressures, offering an explanatory perspective on why compliance difficulties persist across organisational contexts rather than merely describing them.
A central pattern emerging from the evidence is the persistent organisational capacity gap in knowledge, skills, and institutional readiness. From an STS perspective, these deficits illustrate a misalignment between the social and technical subsystems that underpin compliance performance. In many organisations, especially small and medium-sized enterprises (SMEs), the technical systems for data handling are advanced, yet the human and procedural elements remain weak. The lack of a privacy-aware culture, limited training, and absence of compliance leadership hinder the effective integration of regulatory requirements into everyday operations (Leite et al., 2022; Li et al., 2022; Oyetunji, 2024). This imbalance demonstrates that technology alone cannot guarantee compliance without concurrent social and organisational adaptation.
The integration of privacy-by-design principles into system development proved particularly difficult, aligning with the organisational component of the TOE framework. Embedding privacy into software lifecycles requires structural and managerial adjustments, such as cross-functional collaboration, developer training, and consistent managerial support, which many firms lack. For SMEs operating under resource constraints, compliance becomes reactive rather than strategic, as studies show a reliance on minimal policy documentation rather than on systematic process integration (Li et al., 2022).
Technical and regulatory complexity further exemplifies the “environment” dimension of the TOE framework. Organisations operate within overlapping legal regimes and rapidly evolving technological contexts, creating uncertainty and implementation fatigue (Cate, 2025; Smirnova & Travieso-Morales, 2025). Particularly in sectors where innovation and compliance intersect, such as health technology and financial services, firms struggle to balance rapid product development with the need for demonstrable accountability. These findings affirm institutional theory’s assertion that external coercive pressures shape organisational behaviour, in this case from regulators and market expectations, as well as by mimetic tendencies to emulate perceived best practices.
Equally, the absence of clear regulatory guidelines and standards constrains institutional conformity. Where legal frameworks are ambiguous or unevenly enforced, organisations interpret compliance obligations inconsistently, resulting in fragmented and sometimes symbolic compliance (Granata et al., 2024; Klymenko et al., 2023). Institutional theory helps explain this variation: in weakly institutionalised environments, organisations often adopt minimal or imitative compliance postures, treating data protection as an administrative requirement rather than a strategic objective.
Challenges of trust, transparency, and accountability in AI and federated learning (FL) systems highlight the deep interplay between technical opacity and regulatory expectations. From a socio-technical standpoint, these “black-box” technologies blur the boundary between human oversight and machine autonomy, complicating accountability structures and compliance verification (Lieftink et al., 2024). These findings illustrate the need for adaptive governance models where human judgment, algorithmic auditability, and regulatory compliance co-evolve.
Financial and resource constraints, particularly among SMEs, remain the most tangible organisational barrier. TOE’s organisational dimension explains this through differences in resource endowment and managerial capability. Firms with limited budgets often struggle to appoint data protection officers (DPOs), invest in encryption technologies, or conduct regular audits (Freitas & da Silva, 2018; Mladinić et al., 2023). The disparity in resource distribution suggests that compliance maturity is unevenly scalable across organisational sizes and regions.
Despite these challenges, several promising strategies were identified. Organisations that institutionalised training programmes, appointed DPOs, and implemented privacy-by-design principles demonstrated stronger alignment between social and technical subsystems – an indicator of higher STS maturity. The use of standardised templates and policy frameworks, meanwhile, reflects the institutional diffusion of best practices and the emergence of isomorphic pressures driving convergence toward recognised norms (Brodin, 2019; Poritskiy et al., 2019).
However, the scalability and transferability of these successful practices remain contingent upon contextual factors. In developed economies, compliance interventions benefit from well-resourced institutions, established legal ecosystems, and robust enforcement mechanisms. Conversely, in developing or transitional contexts, weak regulatory capacity, limited funding, and low technical expertise hinder replication of such models. From a TOE perspective, the environmental conditions, regulatory maturity, infrastructural readiness, and market incentives determine whether these strategies can be feasibly adapted. This implies that policy learning should focus not on direct transplantation of EU-style frameworks, but on modular adaptation that reflects local institutional realities.
The synthesis reinforces that compliance with personal data protection laws is neither purely legal nor purely technical. It is an evolving socio-technical and institutional process in which effectiveness depends on the interplay among organisational capacity, leadership commitment, regulatory coherence, and the external environment. Integrating these theoretical perspectives clarifies why compliance success varies across contexts and provides a conceptual foundation for designing scalable, context-responsive interventions.
Although the review adopted a global search strategy, the geographical distribution of available studies reflects a concentration in developed regions, particularly Europe and North America. The findings should therefore be interpreted as a synthesis of existing empirical evidence rather than a comprehensive global analysis. This limitation highlights the continuing scarcity of empirical research from Sub-Saharan Africa, Latin America, and large parts of Asia, and reinforces the need for future studies that capture the organisational experiences of under-represented regions.
Study Implications
The findings of this systematic review have important theoretical, practical, and policy implications for understanding and improving organisational compliance with personal data protection and privacy laws. Together, they demonstrate that compliance is not a static legal obligation but an adaptive socio-technical process that evolves within organisational and institutional constraints.
Theoretical Implications
The review advances theoretical understanding by applying and integrating three complementary perspectives, STS theory, the TOE framework, and institutional theory, to the domain of data protection compliance. STS theory illuminates how misalignments between the technical and social subsystems (for instance, advanced IT infrastructure without adequate staff capacity or governance support) contribute to implementation failures. TOE provides an analytical structure for understanding how organisational readiness and environmental pressures jointly influence compliance outcomes. Institutional theory adds explanatory value by revealing how normative and coercive pressures shape organisational conformity and symbolic adoption of data protection norms.
By linking these perspectives, the study demonstrates that compliance maturity arises when technical capability, organisational competence, and institutional legitimacy reinforce one another. This theoretical synthesis encourages future research to move beyond descriptive accounts of regulatory adherence toward explanatory models that capture the dynamic interactions among technology, governance, and institutional context. It also opens avenues for comparative studies examining how different regulatory environments condition the evolution of socio-technical compliance systems.
Practical Implications
From a practical standpoint, the findings underscore that compliance should be viewed as an ongoing organisational transformation process rather than a one-time regulatory task. Businesses, particularly SMEs, need to embed privacy considerations into their operational and design practices by integrating privacy-by-design principles and establishing sustained staff training programmes. The evidence shows that appointing dedicated data protection officers (DPOs), formalising governance structures, and using standardised compliance templates lead to measurable improvements in internal accountability and documentation practices.
Equally, cross-functional collaboration between IT, legal, and executive units is essential to align technical implementation with policy intent. For organisations adopting emerging technologies such as AI or federated learning, compliance should include algorithmic transparency measures and explainability protocols that align with the accountability principles of data protection law. These operational strategies translate the theoretical insight of the STS and TOE frameworks into actionable steps that bridge technological systems, organisational structures, and human competencies.
Policy Implications
The evidence from this review underscores that effective personal data protection compliance requires a shift from prescriptive legal enforcement to adaptive, context-aware governance. The findings reveal that both policymakers and organisational managers have critical, but distinct, roles in translating regulatory intent into sustainable compliance practice.
Policy Implications
The findings have significant implications for policymakers and regulatory authorities. The evidence highlights the need for clearer and more context-specific guidance to support compliance, particularly for SMEs and organizations operating in complex or multi-jurisdictional environments. Regulators should develop simplified documentation, sector-based compliance toolkits, and digital training programs tailored to industry needs. The review also highlights the importance of collaborative governance structures, such as regulatory sandboxes and multi-stakeholder consultation forums, which foster innovation while ensuring compliance. Developing sector-specific guidelines, advisory platforms, and simplified compliance tools can help bridge the gap between legislation and practice. Meanwhile, regional cooperation can support the harmonisation of standards across borders.
In developing countries, where data protection legislation is relatively new, regulatory bodies should prioritise awareness campaigns, institutional partnerships, and capacity development to build early-stage compliance readiness. Governments must also ensure that data protection authorities are adequately resourced and empowered to enforce the law effectively. Additionally, supporting local research and innovation in privacy-friendly technologies can help design sustainable and context-appropriate data protection frameworks suited to local realities.
Managerial Implications
At the organisational level, the findings highlight the need for managers to treat compliance as a component of strategic governance rather than a legal afterthought. First, leadership engagement must be institutionalised through clear accountability structures. Senior executives should integrate data protection performance indicators into organisational risk management and corporate governance systems.
Second, managers should invest in internal capability development by embedding privacy-by-design principles within product development lifecycles, establishing formal training pathways, and designating data protection officers (DPOs) with cross-departmental authority. Empirical evidence from the review demonstrates that organisations with empowered DPOs and continuous staff training exhibit higher compliance consistency and resilience against regulatory changes.
Third, organisations need to develop adaptive compliance systems that can scale with technological and regulatory evolution. This involves using automation for consent tracking, breach reporting, and data mapping, supported by clear documentation and audit trails. From a TOE perspective, these measures strengthen the organisational and technological pillars simultaneously, enabling firms to manage compliance dynamically rather than reactively.
Finally, cross-sector collaboration, through industry associations, public–private forums, or regional compliance networks, should be prioritised to share best practices and lower individual compliance costs. For firms operating across borders, establishing multi-jurisdictional compliance teams and aligning with recognised standards, such as ISO/IEC 27701, can enhance consistency and trustworthiness in global operations.
Study Limitations and Future Direction
The following subsections outline key methodological and contextual constraints of the review, as well as opportunities for advancing future research in this evolving field.
Study Limitations
Although this review adhered to rigorous methodological procedures guided by the PRISMA 2020 statement and the SPIDER framework, several limitations should be acknowledged to ensure transparency and contextual accuracy.
First, the evidence base was relatively small, comprising only seventeen studies. This limited pool restricts the breadth of conclusions that can be drawn and makes it difficult to generalise the findings across global regions. The included studies were heavily concentrated in Europe and North America, with little representation from Sub-Saharan Africa, Latin America, or large parts of Asia. Consequently, the claim of a truly global review should be interpreted cautiously; the findings represent the available empirical evidence rather than a comprehensive cross-regional account.
Second, the scope of literature sources introduces a potential selection bias. The review relied on four major databases, such as Scopus, IEEE Xplore, ACM Digital Library, and Google Scholar. While these provided substantial multidisciplinary coverage, they excluded key business and management databases such as Web of Science, ProQuest, and ABI/INFORM. Despite mitigation measures such as reference list screening and use of broad search terms, this omission likely contributed to the regional imbalance observed in the final sample.
Third, the review was limited to English-language publications. This language restriction may have excluded relevant studies published in languages other than English, particularly in regions with developing data protection frameworks. As a result, the review exhibits a linguistic bias that further narrows its geographical representativeness.
Fourth, while quantitative data were included in several studies, heterogeneity in design, outcome measures, and reporting styles prevented the use of statistical synthesis or meta-analysis. Instead, quantitative findings were summarised narratively to complement the thematic synthesis. This choice enhances interpretive richness but limits the ability to compare or measure effect sizes systematically.
Fifth, the review was not prospectively registered in a systematic review registry such as PROSPERO. The main reason was the exploratory nature of the topic and the absence of a suitable registry category for organisational and regulatory compliance reviews at the time of commencement. Nevertheless, the methodological protocol was developed in advance, documented internally, and followed consistently throughout the review to safeguard transparency and rigour.
Finally, the limited evidence and regional imbalance imply that the results are more characteristic of a structured scoping synthesis than a comprehensive global systematic review. The findings, therefore, offer conceptual and practical insights rather than definitive global generalisations.
Future Research Directions
Future studies should aim to overcome these limitations by broadening both methodological and contextual coverage. Expanding the search to include additional databases, such as Web of Science, ProQuest, and ABI/INFORM, and incorporating grey literature, government reports, and industry white papers would capture a more diverse and practice-oriented evidence base. Including non-English publications and studies from underrepresented regions, especially Sub-Saharan Africa, Latin America, and parts of Asia, would enhance the representativeness and cultural validity of future syntheses.
There is also a clear need for more empirical research exploring how organisational characteristics and contextual factors influence compliance performance. Mixed-methods approaches that combine quantitative indicators (for example, compliance maturity scores, audit outcomes, or resource allocation data) with qualitative insights (such as managerial perceptions and governance processes) would strengthen explanatory power. Comparative multi-region studies could also test the transferability of successful interventions, such as data protection officer roles or privacy-by-design models, across differing institutional and economic environments.
From a theoretical standpoint, future research should continue to integrate and test frameworks such as socio-technical systems theory, the TOE model, and institutional theory. Doing so can illuminate how internal capabilities, external pressures, and technological innovations interact to shape compliance behaviour across contexts.
Lastly, future systematic reviews should consider prospective registration and publication of protocols to enhance reproducibility and scholarly transparency. As the global landscape of data protection evolves, iterative and region-specific reviews will be essential to track emerging compliance trends, measure the impact of regulatory reforms, and support policy harmonisation across jurisdictions.
Contributions of the Study
This study makes several significant contributions to scholarship and practice in the field of data protection and organisational compliance.
First, it provides one of the few empirical syntheses of organisational-level evidence on personal data protection and privacy compliance. By systematically analysing findings from seventeen peer-reviewed studies, the review consolidates dispersed insights from legal, technical, and managerial perspectives, offering an integrated understanding of how businesses experience and respond to compliance demands.
Second, the study contributes theoretically by advancing a multi-framework perspective that integrates socio-technical systems theory, the Technology–Organisation–Environment (TOE) model, and institutional theory. This synthesis moves beyond descriptive listings of barriers to explain why and how compliance challenges emerge at the intersection of technology, organisational capacity, and regulatory context. The framework provides a conceptual foundation for future empirical testing and model refinement.
Third, the review contributes methodologically by demonstrating the applicability of the PRISMA and SPIDER frameworks to organisational and regulatory compliance research, a domain that is often dominated by conceptual or legal analyses rather than systematic evidence synthesis.
Fourth, the findings have practical and policy relevance. They identify concrete organisational strategies such as appointing data protection officers (DPOs), embedding privacy-by-design principles, and adopting standardised compliance templates. They also generate actionable policy recommendations, including context-specific regulatory toolkits, sector-based capacity-building programmes, and the use of regulatory sandboxes to encourage innovation while maintaining accountability.
Finally, by highlighting regional and linguistic imbalances in the existing evidence, the study establishes an agenda for future research that prioritises inclusivity, cross-regional collaboration, and the adaptation of compliance models to resource-constrained environments. In doing so, it provides a foundation for both scholarly inquiry and evidence-informed policymaking in emerging data protection regimes.
Conclusion
This review synthesises empirical evidence on the organisational challenges of complying with personal data protection and privacy laws, as well as the strategies employed to address them. Although based on a limited set of seventeen studies, mostly from Europe and North America, it provides a coherent analytical account of how regulatory complexity, organisational capacity, and technological change interact to shape compliance outcomes.
By integrating socio-technical systems theory, the TOE framework, and institutional theory, the study moves beyond description to explain why compliance remains uneven across contexts. It demonstrates that effective compliance arises when technical capability, organisational readiness, and regulatory coherence are aligned within supportive institutional environments.
The review highlights that persistent gaps, particularly in developing regions, reflect structural inequalities in resources, enforcement, and expertise. It calls for evidence-informed policy design, targeted capacity building, and adaptive governance models that recognise these disparities.
Ultimately, the study contributes both a conceptual and empirical foundation for advancing global understanding of data protection compliance. Future research should expand geographical coverage, include multilingual evidence, and develop context-responsive frameworks that link compliance effectiveness with organisational resilience and digital trust.
Declaration Statements
Protocol Registration
This review was not prospectively registered in a systematic review registry such as PROSPERO. The authors acknowledge the value of registration in enhancing transparency and reducing duplication and recommend it for future related syntheses. A formal review protocol was not publicly posted or published prior to conducting the review. However, the methods were carefully pre-defined in line with the SPIDER framework and were rigorously followed throughout the review process to maintain consistency and methodological integrity. No protocol amendments occurred during the review. The eligibility criteria, data extraction procedures, synthesis strategy, and risk of bias assessments were adhered to as initially planned.
Footnotes
Appendices
Acknowledgements
The authors express sincere gratitude to the Personal Data Protection Commission (PDPC) of Tanzania for institutional support, technical insights, and access to relevant documentation that made this review possible.
ORCID iDs
Ethical Considerations
This study was based exclusively on publicly available and previously published literature and did not involve human participants, primary data collection or identifiable personal information. Therefore, ethical approval and informed consent were not required. Nevertheless, established principles of research and publication integrity were observed, including accurate citation of sources, faithful representation of the findings of the included studies and avoidance of plagiarism.
Consent to Participate
Informed consent was not required for this study as no new data were collected directly from human participants.
Author Contributions
Conceptualisation: Noe Elisa, Petro Nzowa.
Methodology: Cesilia Mambile, Augustino Mwogosi.
Data Extraction and Analysis: Franklin Mungulluh, Godbless Minja, Hamza Malombe.
Writing – Original Draft: Cesilia Mambile, Augustino Mwogosi.
Writing – Review and Editing: Noe Elisa, Petro Nzowa, Emmanuel Mkilia.
Supervision: Petro Nzowa, Emmanuel Mkilia.
All authors read and approved the final manuscript.
Funding
The authors disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: Institutional support was provided by the Personal Data Protection Commission of Tanzania.
Declaration of Conflicting Interests
The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Data Availability Statement
All data extracted and analysed during this review are available from the corresponding author upon reasonable request. The data extraction form, thematic coding structure, and synthesis tables are stored locally and can be shared to support transparency and potential replication. No custom analytical code was used, as the synthesis relied on qualitative thematic techniques and descriptive statistics.
