A recent study named “Tech startups and general data protection regulation: an empirical exploration of compliance challenges”, written by our researcher Yelena Smirnova, alongside with Victoriano Travieso-Morales (Geneva Business School – Barcelona Campus) takes a close look at how tech startups in Catalonia are dealing with the challenges of GDPR (General Data Protection Regulation) compliance. By combining survey data with in-depth interviews, the research identifies key obstacles faced by startups and offers practical recommendations for improving regulatory support in early-stage business environments.
Using the Technology-Organization-Environment (TOE) framework, the study analyzes how factors like startup size, age, and sector affect GDPR compliance challenges. It focuses on Catalonia, one of Southern Europe’s leading startup hubs, known for its strong entrepreneurial ecosystem and home to more than 2,100 active startups across diverse sectors.
The findings highlight three major challenges: regulatory complexity, technical complexity, and compliance costs. Interestingly, while many startups did not initially view staff training as a top concern, the research shows that it plays a crucial mediating role. Startups that invest in workforce training are better able to manage GDPR requirements, though this often means higher costs.
In particular, smaller, younger, and non-tech startups reported greater difficulties in achieving compliance. These companies often struggle to interpret legal language, hire specialized staff, or access relevant support. This underscores the need for more inclusive, flexible policy tools that take startup diversity into account.
The study makes several important contributions:
- It shows how investing in internal capabilities, especially staff training, can reduce the burden of regulatory and technical complexities.
- It provides empirical evidence that GDPR compliance challenges vary widely depending on startup characteristics, pinpointing to a need for a more targeted support.
- It suggests practical recommendations for improving institutional support, such as simplifying legal language and making compliance training more accessible, especially for smaller, younger, and non-tech startups.
Although the study is limited to a specific region and a smaller sample size, it makes a strong argument for rethinking how regulatory support is designed to better meet the needs of startups. It also calls for further research on how data protection laws affect entrepreneurship, drive innovation, and shape new business model development.
Ultimately, the Catalonian case illustrates that GDPR compliance can become more than a legal obligation: it can encourage innovation, build trust, and promote responsible use of data in the digital economy. For policymakers, incubators, and regulators, this study provides useful findings that can support the development of a startup ecosystem that is both competitive and privacy-conscious.
Discover more about the UB Business School’s research! Explore the full list of our researchers and their latest research here.
Futher reading (or related article): Smirnova, Y. and Travieso-Morales, V. (2024), “Understanding challenges of GDPR implementation in business enterprises: a systematic literature review”, International Journal of Law and Management, Vol. 66 No. 3, pp. 326-344. https://doi-org.sire.ub.edu/10.1108/IJLMA-08-2023-0170