Whether you attribute the emergence of sweeping data privacy laws to citizen backlash or simply a coming of age, organizations everywhere are becoming aware of the fact that persons’ privacy rights matter, and that ignoring these rights can land an organization in hot water. For the most part, organizations are being forced to change their practices, their information systems, and sometimes even their business models to align with the new reality: organizations must be transparent about how they obtain, collect, process, and pass on personal information.
Governance is management’s sharpest tool for getting things done. With regard to privacy laws such as GDPR and CCPA, organizations have put governance structures in place to oversee the transformation in their business processes and information systems from practices of opaqueness to practices of transparency. In many cases, this transformation meant an about-face on internal practices. Indeed, this has prompted numerous (dare I say the majority of) organizations to “discover” how they are using personal information internally, as though the proverbial foxes have been in charge of the henhouse.
Simply put, privacy governance is all about keeping organizations out of trouble with regulators, outraged citizens, and the courts. Many organizations have had no desire to change their business models, and many complain that it will hurt them financially. Just as the U.S. Do-Not-Call lists have curbed the use of unsolicited “robo-calls” to citizens, privacy laws will forever alter business models that include mining and monetizing personal data behind the dark curtains of organizations’ marketing machines.
— excerpt from an upcoming book on information privacy