While this may be counter-intuitive, the short answer is yes.
While I can’t point to any specific studies, it does appear that organizations generally view regulations as a burden that requires resources, without much ROI (Return on Investment). Sure, there is an ROI in not getting fined, but since when do we define ROI on the negative side?
Let’s use PCI compliance as an example. Companies will spend a lot of money and resources on being PCI compliant to ensure they are not hit with fines, etc. To date, I have never heard a CEO boast that their PCI compliance project will help company growth.
At first glance, GDPR, CCPA, and other compliance regulations seem like an extra, unnecessary burden for the enterprise. We view it as just another cost line in the ‘GDPR Regulation Resource Requirements’ budget. This is mostly because, and probably quite correctly, most organizations view privacy as a fundamentally legal issue.
However, what if we are looking at it the wrong way? Perhaps we shouldn’t be looking at regulations such as GDPR and CCPA as purely legal issues but mainly as security issues. Let’s focus on the practical requirement: understand where your personal data is and make sure it is secure.
Enterprises want to maximize the amount of personal data they are holding while minimizing their exposure to risk. This is not solely because of regulatory contraventions, but primarily because of the negative publicity that would arise in the circumstances of a breach. Enterprises are looking for company growth, with regulatory compliance being a secondary goal.
Enterprises want to understand the data they are storing, especially their personal data. Only by doing this can they ensure they are meeting the specific needs of each consumer with competitive and differentiated products built for their needs. What they generally strive for is to get maximum efficiency in the way they manage and control the data.
As a consumer, there are many products I want and need for business and personal use. I understand to some extent the benefits in sharing my personal data in order to get the latest offers and incentives that are relevant to me (Hilton Honors, Amex, etc.). But my expectation from enterprises is that they hold and share the minimum amount of data about me to give me what I need or want.
To sum up my point, both consumers and enterprises have common interests in data security. At closer glance, we are even interested in it for the same reason. We are both interested in the transfer of personal information from consumer to enterprise, and both interested in the strong security of that information. GDPR and CCPA are just here to help us prioritize enforcing it.
It’s about maximizing the personal data you hold while reducing the exposure to risk. Privacy regulations mandate it. Enterprises need it. I demand it.