The answer is really simple, right? Governments pass laws that mandate certain rules be followed and attach a punitive measure for those people or organizations not in compliance with the regulation in question. In a carrot-and-stick world, the repercussions exacted by the oversight agency responsible for compliance are all stick and no carrot. Resistance is futile, or something like that.
Data privacy laws perfectly exemplify all this. The European data privacy and protection regulation, GDPR, specifies very clearly how individuals and organizations who collect, process, and store EU citizens’ private data must carry out those processes. It spells out precisely which people or organizations must comply, how they must comply, how to prevent non-compliance through the use of technology and other tools, and of course what the fees and fines can be for violations of this law. Again, the negative incentives force compliance, because businesses really can’t sustain the onslaught of relentless regulators who exist solely to oversee compliance. You might as well fight the tide.
You might be familiar with another incentive for compliance with data privacy laws: ethics and human rights. The legislative bodies passing these types of data privacy laws across the globe often reference privacy as a guaranteed human right. The indiscriminate use of people’s personal data and information, especially without explicit permission from the data subject, tramples on that fundamental human right. Businesses can look at data privacy and protection regulations less as something with which they must comply or else, and more as a standard and guideline for good, ethical corporate behavior. For people and organizations whose corporate culture places a high value on proper business ethics, compliance is a no-brainer. It’s just the right thing to do, because at the end of the day these data subjects are human beings, and many of them are or will become your customers. You want to treat them (and their data) right—that’s just good business.
That notion hints at a more self-centered rationale for complying with data privacy and protection regulations: it could be you and your data that somebody mishandles. Each one of us possesses an enormous amount of personal data that identifies, defines, and describes us. In the wrong hands, this PII can wreak havoc in your life, causing financial loss, endless and energy-draining frustration, and even public embarrassment. If you’re in a business that handles other people’s private data and you’re struggling with the idea of cutting corners with regard to data processing for any reason whatsoever, just put yourself in those data subjects’ shoes. You’d be lying if you said you wouldn’t mind if that were your data.
In many past cultures, giving up your true name was done very carefully and sparingly, because the thought was that possessing your name gives the recipient some sort of power over you. Superstition? Maybe. How about in a high-tech world? Still superstition? Well, digital information about you in the form of PII gives people an incredible amount of leverage over your life. They can do great things with it, such as extend you credit or provide you with a favorable mortgage, or they can do incredibly damaging things with it, such as steal your identity and ruin your credit. As data subjects, we must all be careful about giving it away, and we must have the right to refuse, or at least to be aware of data harvesting when it is happening to our personal data. This is really at the core of data privacy and protection laws.
So why do we comply? “Because we have to” isn’t good enough in a world where digital data about us is so revealing. We should all comply—individuals and businesses alike—because it could be any one of us on the powerless other end of data mishandling. That’s why.