Challenges and Strategies of Business Organisations in Complying with Personal Data Protection and Privacy Laws: A Systematic Synthesis of Empirical Evidence
Petro Gideon Nzowa, Noe Nnko, Franklin Mungulluh, Emmanuel Mkilia, Hamza Malombe, Godbless Gibson Minja, Cesilia Mambile, Augustino Mwogosi

This study synthesises empirical evidence on the challenges faced by business organisations in complying with personal data protection and privacy laws and the strategies adopted to overcome them. It addresses a key gap by consolidating understanding of compliance barriers and organisational responses across sectors. Although the review aimed for global coverage, most studies originated from Europe and North America, with limited evidence from Africa, Latin America, and Asia. The findings, therefore, represent available empirical evidence rather than a fully global review. A systematic review was conducted following the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA 2020) framework and the SPIDER tool. Peer-reviewed empirical studies published in English between 2015 and June 2025 were retrieved from Scopus, IEEE Xplore, ACM Digital Library, and Google Scholar. Two reviewers independently screened all records, and study quality was appraised using the Joanna Briggs Institute (JBI) Critical Appraisal Skills Programme (CASP) and Mixed Methods Appraisal Tool (MMAT). Data were synthesised through thematic analysis and descriptive mapping. A total of 17 studies met the inclusion criteria. The results show that compliance challenges in business organisations are multidimensional and interrelated, clustering into three main domains: organisational capacity and culture constraints, techno-regulatory and implementation complexity, and governance, accountability, and data-handling challenges. Key barriers include limited awareness and training, resource constraints, difficulties in integrating compliance into software development, regulatory ambiguity, technological opacity, consent management complexities, weak data governance, and third-party and cross-border data issues.
In response, organisations adopt complementary strategies that cluster into preventive design and technical safeguards, risk governance and organisational strengthening, and standardisation and documentation practices. Common mechanisms include privacy-by-design, encryption and access control, risk and incident management, staff training and awareness initiatives, the establishment of data protection officers, and the use of standardised policies and compliance templates. This review offers one of the first empirical syntheses of organisational-level data protection compliance. It moves beyond normative analyses to highlight practical barriers and adaptive strategies while revealing the need for more evidence from underrepresented regions.