Toward a Taxonomy of Corporate Data Protection Malpractices and Their Causal Mechanisms: A Regulatory View

Haiping Zhao, Na Jiang*, Zhao Cai, Eric T.K. Lim, Chee-Wee Tan

*Corresponding author for this work

Research output: Contribution to journalJournal articleResearchpeer-review


Corporate data protection malpractices are not uncommon, especially in contemporary technological environments. Embracing a regulatory view, this study attempts to advance a taxonomy of prevailing corporate data protection practices and their causal mechanisms by analyzing cases where organizations were fined for violating data protection legislation. Selecting the General Data Protection Regulation (GDPR) enacted by the European Union (EU) as our benchmark, this study employs an iterative taxonomy development technique as guidance and conducts a thematic analysis on 875 cases of GDPR enforcement. In so doing, we derive a conceptual model comprising 6 focal categories and 28 subcategories of prevailing corporate data protection malpractices existing within organizations as well as 4 main categories and 22 subcategories of causal mechanisms underlying these identified malpractices. Empirical findings from this study not only reinforce corporate data protection malpractices established in prior research, but they also yield novel malpractices which have been neglected in previous work. From a pragmatic standpoint, this study yields invaluable insights into the prevention and resolution of corporate data protection malpractices for practitioners.
Original languageEnglish
JournalJournal of Information Technology
Issue number3
Pages (from-to)319-333
Number of pages15
Publication statusPublished - Sept 2023

Bibliographical note

Published online: January 26, 2023.


  • Corporate data protection malpratice
  • Casual mechanismsm
  • Regolatory view
  • GDPR
  • Data protection regulation
  • Taxonomy development

Cite this