Does personal data protection matter for ISO 9001 certification and firm performance?

PurposeThis study explores the link between ISO 9001 certification, personal data protection and firm performance using financial balance sheet and survey data. The security aspect of data protection is analyzed based on the major requirements of the General Data Protection Regulation and mapped to the relevant controls of the ISO/IEC 27001/27002 standards.Design/methodology/approachThe research analysis is based on 96 ISO 9001-certified and non-certified publicly traded manufacturing and service firms that responded to a structured questionnaire. The authors develop and empirically test their theoretical model using the structural equation modeling technique and follow a difference-in-differences econometric modeling approach to estimate financial performance differences between certified and non-certified firms accounting for the level of data protection.FindingsThe estimates indicate three core dimensions in the areas of "policies, procedures and responsibilities," "access control management" and "risk-reduction techniques" as desirable components in establishing the concept of data security. The estimates also suggest that the data protection level has significantly impacted the performance of certified firms relative to the non-certified. Controlling for the effect of industry-level factors reveals a positive relationship between data security and high-technological intensity.Practical implicationsThe results imply that improving the level of compliance to data protection enhances the link between certification and firm performance.Originality/valueThis study fills a gap in the literature by empirically testing the influence of data protection on the relationship between quality certification and firm performance.