1. Introduction

The rapid development of information technology combined with the effort of firms to gain an edge in the competitive digital business environment has resulted to the accumulation of an enormous amount of personal data (e.g. Chen et al., 2012). Personal data analysis enables enhanced customized and personalized services to customers with significant benefits for firms in terms of increased revenues (Acquisti and Varian, 2005), customer loyalty (Ball et al., 2006) and competitive advantage (Erevelles et al., 2016). Nevertheless, data protection remains a key responsibility for firms to capitalize the value of personal data (e.g. Schwaig et al., 2013; Chang et al., 2018).

As data are included among the most valuable company assets, information security and privacy are becoming crucial factors for firm continuity and sustainability (Juma'h and Alnsour, 2020). The adoption of lax data security measures increases the risk of data breaches, which can negatively impact firm reputation and result in customer loss and reduced revenues (e.g. Lending et al., 2018; Campbell et al., 2003). On the contrary, the firm's effective relationship between big data analytics and its ability to manage data security can leverage service supply chain innovation capability and performance (Fernando et al., 2018).

Firms are required to protect personal data to adhere to the well-established EU data protection legislation, with the General Data Protection Regulation (EE) 2016/679 (GDPR) being the most important change in 20 years. The implementation of the GDPR in alignment with firms' business goals and objectives can be effectively achieved with the use of the ISO standards such as ISO 9001 as a methodology and ISO 27001 as a proof of compliance (Tzolov, 2018). Such GDPR compliance may offer performance benefits in terms of competitive advantage and operational efficiency (e.g. Almeida Teixeira et al., 2019).

The ISO 9001 is a certifiable quality management systems (QMS) standard enjoying a remarkable worldwide acceptance with approximately 1,000,000 valid certifications across 201 countries (e.g. Rodriguez-Arnaldo and Martínez-Lorente, 2021). Implemented QMS standards, such as ISO 9001, can be audited and certified by independent third-party organizations, i.e. the Certification Body (CB), to assess whether a QMS complies with the applicable requirements and the intended results are achieved (Fonseca et al., 2017). The internationally recognized CB accreditation strengthens the confidence that the certification awarded to the firm by the CB serves as a proof of the firm's successful implementation and application of ISO 9001 (Blind et al., 2018). The continuance of the certification is subject to successful annual surveillance audits and periodic recertification audits every three years where firms are called to decide whether to renew or abandon their certification (Clougherty and Grajek, 2023).

Since its introduction in 1987, ISO 9001 has undergone successive revisions in 2000, 2008 and 2015. An important update of ISO 9001, first introduced in the 2008 version and retained in the 2015 version, is the explicit inclusion of personal data in the context of “customer property” (clause 7.5.4 in the 2008 version and 8.5.3 in the 2015 version). This indicates that quality management is extended to data protection.

The European diffusion of ISO 9001 witnessed a rising course from 1993 to its peak in 2010 and was followed by a steady decrease in certification numbers with the highest worldwide decline in 2017, except for the area of East Asia and Pacific (Mastrogiacomo et al., 2021). The trend of firms to decertify from ISO 9001 has increased in the last decade with an average of 60,000 worldwide withdrawals per year (Cândido et al., 2021). Throughout this period, several certification aspects have been extensively explored including organizational and operational benefits, implementation barriers and performance impact. Both the extensive research on the performance impact of the certification and the still limited research on the performance impact of decertification are not consensual as to their direction. The former research reports both positive (e.g. Gallego and Ramírez, 2023; Siougle et al., 2019) and weak or negative (e.g. Nurcahyo et al., 2020; Martinez-Costa and Martinez-Lorente, 2007) impact of certification on performance, and the latter both negative (e.g. Sansalvador and Brotons, 2015; Alič, 2014) and no repercussion (e.g. Cândido et al., 2016) of decertification on performance. This calls for further research on the performance impact of ISO 9001, considering the key role of strategic data handling for quality management in the technological revolution of Industry 4.0 (Fonseca et al., 2021; Sony et al., 2020).

The relationship between data protection and firm performance is examined by prior literature mainly from the perspective of the, mostly, negative effect of data breaches on performance (e.g. for a review see Tripathi and Mukhopadhyay, 2020). Our approach is to address data protection from the perspective of compliance to the data security requirements of GDPR (e.g. Almeida Teixeira et al., 2019; Diamantopoulou et al., 2019) and investigate its influence on the certification–performance relationship.

To the best of our knowledge, no existing research has empirically tested the relationship between ISO 9001, data protection and firm performance. To fill this gap, our study pursues a twofold objective. Its first goal is to explore the impact of ISO 9001 on data protection by examining whether certified firms address more effectively the obligation to adopt data security measures in comparison to the non-certified. Its second goal is to explore whether the impact of ISO 9001 on firm's financial performance is affected by the level of data protection.

The research analysis is based on firm-level financial and survey data from a sample of 96 ISO 9001 certified and non-certified firms traded at the Athens Stock Exchange (ASE) that responded to a structured questionnaire. To perform our research objectives, we developed and empirically tested our theoretical model using the technique of structural equation modeling – hereafter referred to as SEM. In addition, we follow a difference-in-differences – hereafter referred to as diff-in-diff – econometric modeling approach to estimate financial performance differences between certified and non-certified firms accounting for the level of data protection.

The remainder of the study is structured as follows. Section 2 provides the literature review and hypothesis development. Section 3 presents the research design and methods, including data collection and sample description. Section 4 discusses the empirical results. Section 5 provides an overview of the results and discusses limitations and future research suggestions. Section 6 concludes the study.

2. Literature review and hypothesis development

The literature review is organized in two parts. The first one, section 2.1, is devoted to the analysis of the major data security requirements while the second one, section 2.2, presents the interplay between ISO 9001, firm performance, and data protection.

2.1 Major GDPR personal data security requirements

At the beginning of our study in 2015, the GDPR was already released to the public, as early as January 2012, marking the reform of the whole EU data protection legislation. Its publicly available version was provisionally agreed in 2015 and contained the same security provisions as the version finally adopted in 2016 (Tankard, 2016). A two-year transitional period was established to allow firms to implement the necessary changes and achieve compliance in the meantime until its enforcement on 25th May 2018. The Data Protection Directive 95/46/EC, although still in force in 2015 and accepted as a well-known metric for data protection, was no longer considered adequate enough to meet the rapid technological advancements in data processing (e.g. Tikkinen-Piri et al., 2018).

Data security constitutes a continuous and uninterrupted demanding data protection requirement as established in the pre-GDPR legislation and incorporated into the GDPR accountability framework. “A high level of accountability corresponds to a high level of data security”, which is implemented by firms and trusted by users (Prüfer, 2018).

More specifically, the GDPR establishes data security among the fundamental data protection principles (article 5(1f)) and the core obligations of data controllers (article 32). The establishment of appropriate data protection policies (article 24(2)) constitutes an important dimension of data security. The information security policy is fundamental for the implementation of the envisaged security measures. GDPR compliance also requires the development of a data protection policy distinct from the security policy (e.g. Lambrinoudakis, 2018). A well-established privacy policy with adequate and clear security statements enhances users trust and reflects the effectiveness of firms in data protection (Chang et al., 2018).

Another important data security dimension (articles 33–34, recital 87) relates to the establishment of appropriate procedures allowing the timely detection and proper handling of data breaches (e.g. Tikkinen-Piri et al., 2018). Preventing data breaches or reacting in a timely way are important elements of any data security policy (Art.29 WP, 2017).

Furthermore, the GDPR requires from all firms the adoption of procedures to integrate appropriate technical and organizational measures from the early stages of design and development of applications, software, and systems to meet the data protection by design principle (article 25, recital 78). Data protection must be considered from the beginning of the security planning process (e.g. Tankard, 2016) and embedded into the design of information systems (e.g. Tikkinen-Piri et al., 2018).

The GDPR also supports the clear definition of roles related to data security and their respective responsibilities (article 32(4)). The role of the Data Protection Officer (DPO) (articles 37–39, recitals 77, 97) is considered a cornerstone in achieving accountability. While the DPO designation in not mandatory in all cases for the private sector, its voluntary designation is encouraged (Art.29 WP, 2016). The overview of the DPO role on data and technologies allows becoming central for data security throughout the firm (Zerlang, 2017). Another key-role is that of the security officer which needs to collaborate with the DPO for the implementation of appropriate data security measures (ENISA, 2016). This is the role most likely to be replaced following a data breach (Lending et al., 2018).

Moreover, the GDPR emphasizes the obligation of firms to adopt security measures to ensure that access to personal data is authorized, proportionate and justified for the fulfillment of the respective responsibilities according to the instructions of the data controller (article 32(4), recital 39). Firms should take measures to ensure authorized access to data such as unique user identification, application of minimum authentication mechanism, periodical review of assigned access privileges and data access logging (ENISA, 2018).

Another important dimension of data security is the application of core risk mitigating techniques, depending on the level of risk, that can reduce the risks to data subjects and assist firms to meet their data protection obligations (article 32(1a), recital 28). Pseudonymization can reduce the risk of direct identification of the data subjects (Art.29 WP, 2014) while encryption can reduce the intelligibility of data (ENISA, 2016). Pseudonymization can be based on encryption that should be used to protect data in transit and when stored (Tankard, 2016). Anonymization can mitigate the risks by rendering the personal data no longer identifiable in an irreversible way.

Based on the above analysis, we group the above major requirements into three meaningful key-components that cover significant distinct dimensions of data security. These components along with their associated concepts are displayed in Table 1 and form the basis for the construction of the structured questionnaire and the formulation of the models for testing the study's hypotheses.

Appendix 1 presents the mapping of the abstracted GDPR requirements into the relevant controls of the widely accepted ISO/IEC 27001/27002 security standards that can be implemented by firms. Such standards enable firms to embed best practices in their procedures by applying appropriate data security measures (e.g. Tankard, 2016) thus facilitating GDPR compliance (e.g. Diamantopoulou et al., 2019).

2.2 ISO 9001, firm performance and data protection

ISO 9001 was first issued in 1987 and reviewed in 1994 to clarify preventive and mandatory documentation requirements. The following ISO 9001 edition was issued in 2000, adopting the process approach and was subject to a mild revision in 2008 to make the requirements more explicit. The current ISO 9001 edition was published in 2015. It is structurally supported by the Annex SL, which emphasizes the need to monitor the context and evaluate the stakeholders that influence the organization, focusing on a business and process approach with more flexibility and less focus on documentation (Fonseca et al., 2023; Astrini, 2021; Wilson and Campbell, 2020).

Throughout these consecutive revisions, an issue of debate among researchers concerns the performance impact of ISO 9001. This is mainly related to research evidence supporting a positive impact of ISO 9000 on firm performance (e.g. Gallego and Ramírez, 2023; Siougle et al., 2019; Chatzoglou et al., 2015; Gotzamani and Tsiotras, 2001) in contrast to evidence reporting weak or decreasing impact (e.g. Nurcahyo et al., 2020; Lo and Yeung, 2018; Karapetrovic et al., 2010; Martinez-Costa and Martinez-Lorente, 2007).

Recent review studies in the field analyze the inconclusive certification-performance relationship. Astrini (2021), focusing mainly on the research methods of 87 articles published in peer-reviewed scholarly journals, reported that the positive relationship between ISO 9001 and performance is supported by most cross-sectional studies (69%) while most longitudinal ones (77%) did not find such connection. Sfreddo et al. (2021), reviewing 57 studies selected from seven databases, reported that most studies indicate a positive relationship between ISO 9001 and operational (53%) and market (35%) performance. This is not the case for economic-financial performance, as the majority of the reviewed studies (37%) did not find such relationship. However, such relationship can be inferred as tending to be positive considering that economic-financial performance depends on the market and operational performances. Kumar et al. (2018), reviewing 263 studies in 17 reputed journals from 2000 to 2017, reported that 10% of the reviewed studies examining the relationship between implementation of quality management systems and firm performance found no or negative relationship. However, this is not true for ISO 9001 as more than 30% of these studies didn't find a positive impact. Fonseca et al. (2017), after reviewing scientific articles published from 1996 to April 2017, concluded that there is a fairly positive relationship between management systems certification and economic, financial or stakeholder results while acknowledging some results dispersion and inconsistency.

On the positive stream of existing literature, Gotzamani and Tsiotras (2001) found that ISO 9000 offers operational benefits and significant improvements to firm performance while boosting quality culture and commitment. Thus certification constitutes a first good step towards total quality management. In the same vein, Hernandez-Vivanco et al. (2019) reported that ISO 9001 is a significant driver in firm performance improvement being the first standard adopted and the common factor in multiple certification combinations. Similarly, Chatzoglou et al. (2015) concluded that ISO 9000 can be a valuable strategic initiative as it is directly associated with improvements in overall financial performance and quality awareness. Gallego and Ramírez (2023) reported that the benefits of ISO 9001 on higher productivity, enhanced labor efficiency, sales and innovation are independent of firm size, location and industry of operation. Furthermore, Siougle et al. (2019) found that ISO 9001 has a positive impact on the financial and operating performance of firms, either certified before or while being listed. The authors further reported that the certification benefits when maintained in the long run are consistently updated by the inherent upgrades of the successive 2000 and 2008 ISO 9001 versions.

On the other hand, several studies have provided evidence of non-significant, weak or negative ISO 9001 impact on various aspects of firm performance outcomes. Karapetrovic et al. (2010) reported that the benefits of ISO 9000 in improving financial results and customer satisfaction quickly decreased over time. However, the authors also reported that despite the decrease, the certification benefits still remain important. Along the same lines, Martinez-Costa and Martinez-Lorente (2007) found that ISO 9000 has a negative effect on company results as certified firms obtained less earnings and ROA post-certification. Furthermore, Lo and Yeung (2018) reported that the performance of certified firms in terms of sales revenues increased steadily with the increasing institutionalization of ISO 9000. However, the authors also reported that, at the same time, certified firms experienced significant deterioration in operational efficiency and shareholder value. Nurcahyo et al. (2020) found that only 23% of the public healthcare centers certified to ISO 9001 can be categorized as technically efficient. The maturity level of the quality management system, as measured by the number of re-certifications experienced by each center, does not have a significant impact on efficiency either. These results are attributed mainly to differences in the ISO implementation methods, external motivation in implementing ISO 9001, and the adoption of the re-certification compliance audit approach, instead of the performance audit. In the same vein, Lindlbauer et al. (2016) found that ISO 9001 has a significant negative impact on efficiency in the certification year and the year before, as well as in the re-certification year and the year after.

More recent research has focused on the ISO 9001 certification withdrawal phenomenon. As mentioned in Cândido and Ferreira (2022), only three (3) of the almost ten (10) existing decertification studies examine the impact of the certification withdrawal on firm performance, without reaching consensus. Two of them reported that decertification has a negative impact on firm performance that can lead to decreases in business performance (Alič, 2014) as well as the value of the firm (Sansalvador and Brotons, 2015), while the third study (Cândido et al., 2016) found that surviving decertified firms do not show any loss of performance or competitiveness. Low economic performance is not the reason why firms decertify (Cândido et al., 2021). Certification barriers seem a stronger motivation for a decertification in comparison to low benefits (Cândido and Ferreira, 2023). In any case, the withdrawal of ISO 9001 can be explained by the joint consideration of pre-certification, certification, decertification, and post-decertification aspects (Ferreira and Cândido, 2021).

Several factors can influence the impact of ISO 9001 on firm performance such as motivations for certification (e.g. Nair and Prajogo, 2009), how firms initially prepare for the certification (e.g. Esgarrancho and Cândido, 2020), the subsequent degree of standard internalization that firms achieve (e.g. Tarí et al., 2019), and recently the expected performance of firms after decertification (e.g. Cândido and Ferreira, 2022). Despite the extensive research on ISO 9001, the relationship between quality certification and data protection has been scarcely studied. Caballero et al. (2012) found that all changes and decisions on the security and quality of personal data in health care services should be consistent with the firm's quality management system. Lins et al. (2022) found that online vendors are motivated to adopt various security and privacy certifications in order to signal data protection and increase legal compliance.

Overall, ISO 9001 is the first and most popular certification adopted by firms. Even if there is still room for discussion and further research, it is less arguable that ISO 9001 is associated with organizational and performance benefits (e.g. Hernandez-Vivanco et al., 2019; Fonseca et al., 2017). As GDPR compliance will significantly impact firms, due to the substantial changes and adaptations required (e.g. Almeida Teixeira et al., 2019), we assume that ISO 9001 will have a positive effect on this direction. Thus, H1 is developed as follows:H1.

ISO 9001 certification is positively related to the protection of personal data.

Another issue inadequately explored is the relationship between data protection and firm performance, in particular, whether compliance to the GDPR requirements for implementation of appropriate security measures for data protection affects performance. In a changing business environment, evaluating data gathered from various sources across the ecosystem and ensuring that data is treated and used in an ethical way are major elements for novel Business Excellence Models such as the EFQM 2020 towards sustaining competitive advantage and enabling firm performance improvement (Fonseca, 2022). The firm's effective ability to manage data security in big data analytics and eliminate security issues in data governance has a positive and significant impact on supply chain service innovation capability and performance (Fernando et al., 2018). On the contrary, customer vulnerability, due to data access practices and data security breaches, has a negative impact on firm performance, which can be mitigated by more transparent data management policies (MartinBorah and Palmatier, 2017). Data security and privacy concerns are among the most crucial factors preventing firms from leveraging the business value of data analytics in order to enhance performance (Perdana et al., 2021). Firms may attain several benefits by GDPR compliance such as more credible data management, cost reduction and increase in reputation and competitiveness (Almeida Teixeira et al., 2019).

To the best of our knowledge, the effect of data protection on the link between ISO 9001 and firm performance has not yet been empirically explored. Considering that existing literature corroborates proper data management, data security and ISO 9001 as factors with a positive influence on firm performance, we expect that the level of data protection will positively affect the certification-performance relationship. Thus H2 is stated as follows:H2.

The level of personal data protection has positively affected the impact of ISO 9001 certification on firm performance.

3. Research design and methods

3.1 Survey questionnaire and measurement development

A questionnaire survey was conducted to gather data pertaining to security measures adopted by the responding firms for data protection. The questionnaire development approach, detailed in Appendix 2, is discussed in this subsection.

The questionnaire structure is along the lines of the literature review presented in section 2. Furthermore, the items included were examined by two academics, while five firms were asked for their opinion (e.g. Maiga et al., 2015). The questionnaire items were revised based on the feedback of the above participants. Respondents were asked to indicate their level of agreement with each item statement using a three-point Likert scale: “1 = disagree”, “2 = not sure” and “3 = agree” considering existing studies that examine different options in Likert scales (e.g. Matell and Jacoby, 1971; Schutz and Rucker, 1975; Chang, 1994).

The items of the questionnaire were grouped into the relevant underlying constructs of the measurement model (e.g. Kline, 2016). Appendix 2 lists survey questionnaire, constructs, items used for each measure and their sources from the ISO/IEC 27001/27002 standards.

3.2 Sample and data collection

The target sample initially contained all firms listed at ASE in 2015. Financial firms, firms with negative book value of equity (Fama and French, 1992) and firms without available financial performance data were excluded. A number of 186 firms matched the above criteria and were used in the data collection process.

The firms' performance indicators were collected from the DataStream database. Various publicly available sources (such as the websites of listed firms, annual reports, the web sites of certification agencies operating in Greece, certification announcements in the press, direct contacts with firms and library archives for the older firms [1]) were used to manually collect and crosscheck information on the validity of the ISO 9001 certifications contained in the final dataset (e.g. Hernandez-Vivanco et al., 2019).

A web-based questionnaire was emailed to the firm's security manager or, if not available, the IT manager to collect the survey data pertaining to the adoption of security measures. We received 96 completed questionnaires, of which 72 certified firms and the rest from non-certified. The response rate was 54%, which is considered quite satisfactory. Respondents came from the following industries: 68% from the manufacturing sector while 32% from the service sector; 28% from the high-technology sector while 72% from the low-technology sector. Regarding size, 41% of the respondents employed less than 200 employees, 28% between 200 and 500 employees, while 31% had more than 500 employees.

The sample size required for SEM evaluation depends on model complexity and many other factors (e.g. normality of the data, missing patterns, number of constructs). Non-complex SEM models, as in our case, can be meaningfully estimated even if the sample size is quite small (Hoyle, 1999; Marsh and Hau, 1999). Our sample size almost reaches the threshold of 100 as proposed by Hair et al. (2010) for models with 5 or less constructs and considered “fair” for testing SEM model fit as suggested by Ding et al. (1995). Furthermore, our sample size satisfies the “ten-times” rule-of-thumb, a widely used recommendation in the PLS-SEM literature (Hair et al., 2011). According to this approach, the sample size should be greater than ten times the largest number of arrows directed at any dependent variable in the structural model. In our model, the second-order construct has the largest number of 4 inner-directed paths, suggesting a minimum sample size of 10 × 4 = 40 observations. In particular, our sample size exceeds the minimum of 64 that is required for the maximum number of 4 arrows pointing at a latent variable as suggested in the guidelines by Marcoulides and Saunders (2006).

A significant aspect to be considered is that our sample was gathered from highly ranked and knowledgeable respondents, i.e. the security manager or if not available the IT manager, and consists of completed responses without any missing data. Therefore, it is not subject to issues that can weaken the SEM results such as the amount of missing data (Muthén and Muthén, 2002). Furthermore, according to Kline (2016), small sample sizes are acceptable when the population studied is restricted in size. In our case, the target population consists, in total, of 210 firms publicly traded at the ASE. Since our sample size represents 46% of the entire population, it can be considered as adequate.

In addition, we conducted a post hoc power analysis (Muthén and Muthén, 2002) with parameter values from our model. The analysis with the observed R² at 0.27, the probability level at 0.05%, the number of predictors at 4 and the sample size of 96 determined an observed statistical power of 99.8% to detect significant effects. This statistical power provides reasonable confidence that our analysis is adequately powered with our sample size.

3.3 Non-response bias

The non-response bias was assessed in this study by comparing early and late responses (e.g. Maiga et al., 2015). The t-test for mean score differences in the responses between firms that returned the completed questionnaire after the initial email (early responses) and those that did so following the reminding email (late responses), showed no statistically significant differences.

Moreover, a phone call made to firms that didn't respond at all revealed that the main reasons for non-response were lack of time, unwillingness to disclose confidential security information and the firm's policy to abstain from surveys. It is likely that non-respondents would have provided similar answers to the respondents as there are no significant differences in their structure and interest when compared to the ones that completed the survey (e.g. Terziovski et al., 1997). Therefore, the above evidence indicates that non-response bias is not a major concern for this study.

3.4 Structural model specification and estimation

To test H1, the structural model in Figure 1 is developed and evaluated using SEM. We use a dummy variable with the value of 1 for certified firms and 0 otherwise to capture the direct impact of ISO 9001 on data protection. Three control variables are included to reflect firm-level characteristics with an important role in the firm's economic development and potentially related to the adoption of data security measures. The first is firm size measured by the logarithm of total assets (SIZE). The second is common risk factor measured by the book-value to market-value ratio (BV/MV) (Fama and French, 1995). The third is a technological intensity dummy with the value of 1 for firms in high-technology and 0 for those in low-technology industries (see Eurostat, 2009 for the classification of firms into high- and low-technology industries).

Data protection is modeled as a second-order construct measured by three first-order constructs PPR, ACM, and RRT. We follow the “two-step” paradigm outlined by Gerbing and Anderson (1988) for the estimation firstly, of the measurement model and secondly, of the full structural model which simultaneously contains measurement and structural relations (e.g. Maiga et al., 2015).

The assessment of the measurement model takes place at the first- and the second-order construct levels using Confirmatory Factor Analysis (CFA) with the maximum likelihood estimation technique. At the first stage, a CFA-SEM measurement model is specified comprising concurrently the first-order constructs that are all covaried with each other. At the second stage, a CFA-SEM model is also specified to assess the relationship between the first-order constructs and the hypothesized second-order construct (e.g. Byrne, 2001).

After measurement model assessment, the structural model is specified and evaluated to test H1. When acceptable model fit is achieved, the significance of the path coefficient between ISO 9001 and the second-order construct is examined to assess the certification impact on data protection.

The assessment of both the measurement and structural models to ascertain how well they fit or adequately describe the data, is based on some of the most commonly used fit indices. The indices reported at a minimum include (Kline, 2016): the chi-square statistic χ² and its ratio to the model degrees of freedom (χ²/df), the Root Mean Square Error of Approximation–RMSEA, the Comparative Fit Index-CFI and the (Standardized) Root Mean Square Residual–(S)RMR. Other fit indices include the Tucker–Lewis Index-TLI (or non-normed fit index-NNFI) and the Incremental Fit Index-IFI. To support model fit, the following cutoff criteria should be met: χ²/df < 2; RMSEA < 0.06; CFI > 0.90; (S)RMR < 0.10; TLI or NNFI > 0.90; IFI > 0.90 (e.g. Hair Jr. et al., 1998).

The reliability and validity of the model constructs is determined through the assessment of multicollinearity, reliability, convergent and discriminant validity (e.g. Kline, 2016). The non-existence of multicollinearity is indicated when correlations between the questionnaire items are not higher than 0.9 (Hair Jr. et al., 1998). Construct reliability can be evaluated by assessing that the Cronbach's alpha coefficients of the constructs exceed the minimum threshold of 0.7 (Nunnally, 1994). Convergent validity allows evaluating whether a set of items is related to the same construct and can be evaluated using the following criteria: a) the magnitude of the item loadings exceeding the cut-off point of 0.5, b) the Average Variance Extracted (AVE) reaching the minimum point of 0.5 and c) the composite reliability (CR) exceeding 0.6–0.7. Discriminant validity allows assessing whether the constructs are different from each other thus capturing different aspects and is evaluated based on the recommendation of Fornell and Larcker (1981) that the square root of the AVE for each construct is greater than the correlations between that construct and the other constructs.

3.5 Diff-in-diff equation specification and estimation

H2 examines whether the impact of ISO 9001 on firm performance is affected by the data protection level. To test H2, we apply the diff-in-diff approach as more suitable for the type of data collected for the purpose of this study [2]. This approach enables testing for statistically significant differences among various groups within a single econometric equation that may take the following form:(1)${MV}_i={\beta }_0+{\beta }_1{ISO}_i+{\beta }_2{DP\mathrm{L}\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{l}}_i+{\beta }_3{ISOxDP\mathrm{L}\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{l}}_i+{\gamma \mathrm{C}\mathrm{o}\mathrm{n}\mathrm{t}\mathrm{r}\mathrm{o}\mathrm{l}\mathrm{s}}_i+e_i$where the outcome variable MV represents the market value of firm i at year end. We use MV to capture firm's financial performance for a number of reasons. MV is included among the commonly used measures of firm performance in existing studies (Ahamed et al., 2022) and is found to be the most suitable measure of firm performance (Hussain et al., 2019). By representing the firm's financial position, it can provide an indication of the perceptions that investors have regarding the firm's prospects (Ahamed et al., 2022). Market performance measures reflect investors' expectations and are more forward-looking in contrast to accounting measures that use historical data and can be subject to managerial manipulation and differences in accounting procedures (Wang and Shailer, 2015). ISO is a dummy variable with value 1 for ISO 9001 certified firms and 0 otherwise. DPLevel is another dummy with value 1 for firms with “above average” or “strong” data protection level and 0 for firms with “below average” or “weak” level.

More specifically, to create the DPLevel dummy we use the score of each firm on the second-order construct as calculated from the estimation of the structural model depicted in Figure 1. Then we calculate the mean value of the firms' scores and use it to divide the final dataset into two subgroups. The first subgroup contains firms with “above average” or “strong” data protection level, i.e. the firms that scored above the average mean value of the final dataset. The second group contains firms that scored below the sample mean and have “below average” or “weak” data protection level. The term Controls represents a vector of three control variables that may influence firm performance and the adoption of ISO 9001: firm size measured by the logarithm of total assets (SIZE), firm's debt financing measured by the total debt-to-common equity ratio (DEBT/EQ), and a common risk factor measured by the book-value to market-value ratio (BV/MV).

Coefficient β₁ of equation (1) measures the mean difference in the outcome variable between certified and non-certified firms with “weak” data protection level. The sum of coefficients β₁+β₂ shows the estimated mean difference in the outcome variable between certified and non-certified firms with “strong” data protection level. Coefficient β₂ shows the difference in the outcome variable of non-certified firms with “strong” level relative to the non-certified with “weak” level. The sum of coefficients β₂+β₃ represents the difference in the outcome variable of certified firms scoring “strong” level relative to the certified scoring “weak” level. Coefficient β₃ shows whether the data protection level differentiates the ISO 9001 impact on firm performance between the two groups (certified versus non-certified).

4. Empirical results

4.1 Measurement model

The measurement model is tested by performing a CFA-SEM analysis at the first-order level with the statistical results giving acceptable fit indices (χ² = 128.598, df = 114, p = 0.166; χ²/df = 1.128; RMSEA = 0.037; RMR = 0.013; CFI = 0.967; TLI = 0.961, IFI = 0.969).

Content validity of the first-order constructs can be considered to be adequate since the questionnaire items were derived from a thorough review of existing literature sources (see section 2). Multicollinearity does not seem to be a serious concern as the results suggest that all the inter-item correlation coefficients for all the first-order constructs were less than the cut-off point of 0.9 (see Appendix 3). Furthermore, the Cronbach's alpha reliability coefficients presented in Table 2, suggest that the first order-constructs were composed of reliable items, as they exceeded the minimum threshold point of 0.7.

All estimated item loadings on the first-order constructs have a positive sign, are statistically significant (at p-values < 0.001), and greater than the minimum value of 0.5. The AVE for all constructs is greater than the minimum point of 0.50 and their CR ranged between 0.81 and 0.84, as presented in Table 2. Furthermore, discriminant validity is accessed by detecting no cross-loadings between item loadings and constructs, i.e. the items of one construct were not highly loading on any other construct. As shown in Table 2, the square root of the AVE for any two constructs is greater than the correlation between these two constructs. Therefore, convergent and discriminate validity of the first-order constructs can be reasonably asserted for this study.

Next, the measurement model is assessed at the overarching level yielding acceptable fit indices. The loadings of the first-order constructs on the second-order one have a positive sign, are statistically significant (at p-values < 0.001), and greater than the minimum value of 0.5. Furthermore, the AVE of the second-order construct (0.5930) is greater than the minimum point of 0.50 and the CR is 0.8043, also greater than the average point of 0.7.

Additionally, the statistically significant path coefficients from the three first-order constructs to the second-order one (PPR = 0.811***, p = 0.000; ACM = 0.951***, p = 0.000; RRT = 0.484***, p = 0.004) and the R² of the first-order constructs (R² = 0.66 for PPR, R² = 0.91 for ACM, R² = 0.23 for RRT) suggest that each of them contributes significantly to the creation of the overarching construct (see Appendix 4).

4.2 Structural model

To test H1, the structural model presented in Figure 1 is evaluated using SEM, after the assessment of the measurement model. First, the fit of the structural model is assessed to determine whether it can adequately represent the data. The statistical results of the CFA-SEM suggest acceptance of model fit (χ² = 186.503, df = 178, p = 0.316; χ²/df = 1.048; RMSEA = 0.022; CFI = 0.982; TLI = 0.978; RMR = 0.025). Second, the links of the structural model are evaluated (see Appendix 4). Table 3 presents the results from estimating H1.

The positive and significant coefficient of the path ISO 9001 certification → Personal Data Protection (coefficient = 0.091**, p < 0.05) suggests that ISO 9001 has a positive and statistically significant effect on data protection, thus supporting H1. The estimates of the control variables indicate that size exhibits no significant effect in explaining the data protection level. The negative estimate of the BV/MV ratio (coefficient = −0.018**, p < 0.05) indicates that firms with high BV/MV (a low stock price relative to book value) tend to have lower data protection level. The positive estimate of technological intensity dummy (coefficient = 0.088**, p < 0.05) indicates that high-technology firms tend to have higher data protection level.

To account for the fact that our model includes binary among the categorical variables, the Bayesian approach was also applied, as described in Byrne (2009), for estimating CFA-SEM models with this type of data (e.g. Depaoli and Clifton, 2015; Thanoon et al., 2017). This allows comparing the estimated values derived from both, the maximum likelihood and Bayesian approaches, to the analysis of the same model (Byrne, 2009). The results from the Bayesian estimation remained qualitatively similar compared to the results from the maximum likelihood estimation, supporting the findings of our study [3].

4.3 Diff-in-diff Econometric Analysis

The diff-in-diff model specified in section 3.5 by equation (1) allows the hypothesis testing for performance differences between certified and non-certified firms accounting for the data protection level. Estimation was carried out by ordinary least squares at the firm-level. The results from the estimated model are presented in Table 4 below and can be summarized as follows:(2)$\begin{array}{ccc}{MV}_i=-2.1243-0.1164ISO& -0.1783DPLevel& +0.3537ISO\mathrm{x}DPLevel\\ (-1.07)& (-1.40)& (2.03**)\\ +0.2026SIZE& -0.0423DEBT/EQ& -0.0020BV/MV{+\mathrm{e}}_{\mathrm{i}}\\ (2.85***)& (-2.19**)& (-1.86*)\end{array}$

Figures in parentheses denote the t-statistic values and the stars the level of significance (* = 10%, ** = 5%, *** = 1%). The upper part of Table 4 contains the parameter estimates of the dummy variables (ISO, DPLevel) and combined effects among them, along with their significance levels required for the relevant hypotheses testing as explained below. The lower part presents the parameter estimates of all control variables.

The above estimates indicate a positive and statistically significant coefficient of the interaction term $ISO\times \mathrm{D}\mathrm{P}\mathrm{l}\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{l}$ (β₃ = 0.3537**, significant at 5%), suggesting that certified firms with “strong” data protection level outperform the market. The coefficient estimate of the ISO dummy (β₁ = −0.1164) is statistically insignificant indicating no differences in the average MV between certified and non-certified firms with “weak” data protection level. It seems that the market does not recognize additional value on firm's growth prospects on the presence of inadequate data security. In addition, no significant differences in the average MV are found between firms with “weak” and “strong” data protection level in the group of non-certified firms as evidenced by the insignificant coefficient of the DPlevel dummy (β₂ = −0.1783).

By contrast, the positive and significant sum of coefficients ${\beta }_1+{\beta }_3$ (= 0.2373*, significant at 10%, see results in Table 4) suggests that certified firms with “strong” data protection level exhibit larger MV relative to the non-certified at equal data protection level. Furthermore, the positive and statistically significant sum of coefficients ${\beta }_2+{\beta }_3$ (= 0.1753*, significant at 10%) indicates that a “strong” data protection level is related to an increase in the MV of certified firms in comparison to the certified with “weak” level.

Regarding the impact of the control variables, the estimates indicate a positive and statistically significant effect from SIZE (β₄ = 0.2026***, significant at 1%) on firm performance reflected by the MV. As leverage shows the firm's ability to finance debt, the negative DEBT/EQ estimate (β₅ = −0.0423**, significant at 5%) implies that high leverage can possibly be associated with lower MV. The BV/MV ratio reflects the risk that the market gives to the value of the firm's net assets (Fama and French, 1995). Thus, the estimate (β₆ = −0.0020*, significant at 10%) indicates that firms with high BV/MV tend to have lower earnings on assets and MV.

5. Discussion

Our study seeks to contribute to existing literature by exploring the link between quality certification, personal data protection, and firm performance. A major gap in the literature is the absence of a model connecting GDPR compliance with ISO 9001 in order to evaluate their combined effect on firm performance. The major goal of this study is to fill this gap and extend the research further on by providing new empirical evidence on the positive influence of data protection on the performance of ISO 9001 certified firms.

A “strong” level of data protection enhances the positive impact of ISO 9001 on firm performance. Our findings are in line with existing studies highlighting the importance of addressing data protection concerns, including data security, to gain business value (e.g. Schwaig et al., 2013; Chang et al., 2018). Also, our evidence is consistent with existing studies reporting performance benefits due to proper data management policies (e.g. MartinBorah and Palmatier, 2017) and effective data security practices (e.g. Fernando et al., 2018). Ensuring data security in accordance with the data protection legislation is essential element for firms to enhance performance by leveraging data analytics (e.g. Fernando et al., 2018; Perdana et al., 2021). Furthermore, our findings on the positive performance effect of data security compliance are in line with Almeida Teixeira et al. (2019) reporting several business benefits through GDPR compliance. Attaining GDPR compliance objectives by implementing appropriate data security measures in the areas of PPR, ACM and RRT based on the relevant controls of the ISO/IEC 27001/27002 standards (e.g. Diamantopoulou et al., 2019) can assist firms to leverage the business benefits of ISO 9001 on firm performance.

Additionally, our findings corroborate and reinforce the evidence from existing studies on the performance benefits deriving from the ISO 9001 certification (e.g. Gallego and Ramírez, 2023; Chatzoglou et al., 2015). Taking into consideration or improving the firm's data protection level when planning and preparing for ISO 9001 can facilitate a more coherent approach towards successful implementation (e.g. Esgarrancho and Cândido, 2020). Firms benefit from ISO 9001 when its implementation is seen as a strategic decision maintained in the long run (e.g. Hernandez-Vivanco et al., 2019), supporting in turn consistent long-term GDPR compliance in alignment with firms' business goals and objectives (Tzolov, 2018). The inherent upgrades of the successive ISO 9001 versions which incorporate data protection into quality management practices can consistently and significantly impact on firm performance in the long run (e.g. Siougle et al., 2019). The positive impact of effective GDPR compliance on the performance of certified firms can be seen as a strong motivation for ISO 9001 acquisition and continuation, discouraging firms from a decertification decision (e.g. Ferreira and Cândido, 2021).

With the advent of digitalization in the Industry 4.0 era, the ever-increasing importance of data is emphasized in Novel Business Excellence Models such as the EFQM 2020, aiming to simultaneously deliver performance and ensure transformation, creating enduring value for its key stakeholders, and achieving remarkable results (Fonseca, 2022). Therefore, there is a need to ensure that data is appropriately used across the value chain to avoid losing stakeholders' trust and destroying value (Fonseca, 2022). A common objective shared between quality management models and Industry 4.0 is the improvement of firm performance. Our findings indicate that a “strong” data protection level can contribute significantly towards this direction.

The growth of technologies in Industry 4.0 has significantly impacted traditional quality management. Quality 4.0 (or Q4.0) has emerged as the combination of quality management and improvement models, and approaches with technology to foster critical competencies and factors for organizational success. Therefore, data from value chain stakeholders, intelligent sensors, automation, and big data are required to support the improvement methodologies such as Six Sigma or provide data for high-level Total Quality Management (TQM) and business excellence models (Sony et al., 2020; Fonseca et al., 2021). Our findings indicate that high-technology firms tend to have a higher level of GDPR data security compliance which can foster effective use of technology in Q4.0 for enhancing the effect of quality management on firm performance.

Our findings raise several implications from the managerial perspective. It is of great interest for managers to have a better understanding of the factors positively affecting firm performance. Data security compliance is an enabler of performance enhancement for certified firms indicating that investment in both quality certification and data protection is a way to improve performance. To effectively do so, managers need to be aware of influential industry-specific factors such as the higher data security level of firms in high-technology industries relative to those in low-technology. Also, managers when contemplating the decision whether to renew or abandon ISO 9001, should take into consideration the firm's data protection level as it affects the impact of certification on performance.

The findings of our study should be interpreted considering its limitations. The questionnaire data regarding the security measures adopted by the responding firms were collected in the pre-GDPR period, when GDPR was provisionally agreed but not yet put into force. To effectively address the regulatory reform, we considered the already publicly available GDPR provisions along with the well-founded data security requirements in the pre-GDPR legal framework and guidance as supported by the ISO/IEC 27001/27002 standards. Our results provide useful insights into the preparedness of firms regarding GDPR implementation which facilitates their demanding compliance activity (e.g. Diamantopoulou et al., 2019). To be successful and bring several positive effects, the GDPR compliance activity should be seen as a long-term process that fully becomes an integral part of the organization (e.g. Perry, 2019).

In an effort to raise confidence in our findings we extended the analysis in two ways. First, in addition to the maximum likelihood estimation we performed the Bayesian estimation approach to account for the fact that our sample contains categorical and binary variables. The results from the latter method, qualitative similar to those of the former one, strengthen our empirical findings. Second, we examined whether our relatively small sample size of 96 is sufficient for SEM analysis. As elaborated in section 3.2, our sample size satisfies the minimum requirements reported in the literature for evaluating SEM models, especially considering that it is derived from the restricted in size population of firms listed at ASE (e.g. Kline, 2016). In addition, the post hoc power analysis indicated that our model is adequately powered to detect significant effects. With the increasing use of SEM, further research is encouraged on sample size requirements and other methodological considerations. The proportion of certified firms relative to the non-certified in our final sample is high because it follows the relevant distribution in the entire population as our initial target sample contained all listed firms. Future research can replicate and extend the present study in other settings with different industry classifications and sampling, including data from non-listed firms and from more countries as well as additional measures of firm performance to establish robustness of the empirical findings.

From an econometric point of view, a possible longitudinal analysis would increase the validity of the results as it may reduce the potential bias of cross-sectional design. Also, future research may extend this study in the post-GDPR period using our results as a basis for comparison from pre-to post-GDPR. Furthermore, future studies may explore the research objective using data from certification to other standards such as ISO/IEC 27001. Finally, the data security measures developed in this study are representative but not exhaustive of the major provisions of the data protection framework. Future work may extend the examined three-dimensional consideration of data security by including additional security aspects and relevant constructs in the conceptual model.

6. Conclusions

Our study explored the effect of data protection on the relationship between ISO 9001 and firm performance. In the absence of existing research in this area, we developed a measurement model for the concept of data security based on the analysis of the major security requirements of the data protection legislation and their mapping to the relevant controls of the ISO/IEC 27001/27002 standards. We used SEM to assess the impact of ISO 9001 on data protection and a diff-in-diff econometric approach to estimate performance differences between certified and non-certified firms accounting for the data protection level.

The findings indicate three core distinct security dimensions related to PPR, ACM and RRT as essential elements of data security. The findings also reveal a positive and statistically significant impact of ISO 9001 on data security. Certified firms are more likely to uphold data security relative to the non-certified, indicating that the benefits deriving from quality implementation can enable more effective organization and management of data protection. The data further suggest a positive relationship between data security and high-technological intensity. Moreover, the empirical evidence suggests that the data protection level has a significant impact on the financial performance of certified firms. Certified firms with “strong” data protection level exhibit higher performance relative to both, non-certified at equal level and certified at “weak” level.

Overall, our results provide a better understanding and useful insights to both managers and researchers, as argued in the Discussion section, the former for successfully adopting data protection and quality certification towards enhanced firm performance and the latter for motivating further investigation about the business benefits of data protection.

The authors would like to express their gratitude to the reviewers for their insightful, highly constructive comments and suggestions that helped them improve the quality of the manuscript.

Notes

1.Chatzoglou et al. (2015) reported that the manual collection of certification data is necessary as no official database exists in Greece containing information about ISO 9001 certified firms.

2.A detailed description of the diff-in-diff approach is provided by Athey and Imbens (2006).

3.The Bayesian estimation results are the following:

ISO 9000 → Personal Data Protection: 0.089** (p < 0.05)

Firm size→ Personal Data Protection: 0.018 (ns)

Technological intensity→ Personal Data Protection: 0.086** (p < 0.05)

BV/MV→ Personal Data Protection: −0.017** (p < 0.05).

Figure 1

Hypothesized structural model

[Figure omitted. See PDF]

Figure A1

Measurement and structural SEM model estimates

[Figure omitted. See PDF]

Key-components of data security dimensions and associated concepts

Source(s): Author own creation

Reliability, convergent and discriminant validity statistics

Note(s): The (italic) diagonal values are the square root of AVE for each construct. PPR, ACM, and RRT are defined in Table 1

Source(s): Author own creation

Structural estimates for H1 (including regression path coefficient)

Note(s): For description of variables refer to section 3.4

Source(s): Author own creation

Estimation results of the diff-in-diff equation: ${MV}_i={\beta }_0+{\beta }_1{\mathrm{I}\mathrm{S}\mathrm{O}}_{\mathrm{i}}+{\beta }_2{\mathrm{D}\mathrm{P}\mathrm{L}\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{l}}_i+{\beta }_3{\mathrm{I}\mathrm{S}\mathrm{O}\times \mathrm{D}\mathrm{P}\mathrm{L}\mathrm{e}\mathrm{v}\mathrm{e}\mathrm{l}}_1+{\beta }_1{\mathrm{C}\mathrm{o}\mathrm{n}\mathrm{t}\mathrm{r}\mathrm{o}\mathrm{l}\mathrm{s}}_1+{\mathrm{e}}_1$

Survey questionnaire, construct operationalization, and measures

Source(s): Author own creation

Correlation coefficients of the questionnaire items

Note(s): *Correlation is significant at the 0.05 level (2-tailed)

Source(s): Author own creation