While this may be counter-intuitive, the short answer is yes.
While I can’t point to any specific studies, it does appear that organizations generally view regulations as a burden that requires resources, without much ROI (Return on Investment). Sure, there is an ROI in not getting fined, but since when do we define ROI on the negative side?
Let’s use PCI compliance as an example. Companies will spend a lot of money and resources on being PCI compliant to ensure they are not hit with fines and the like. To date, I have never heard a CEO boast that their PCI compliance project will help company growth.
At first glance, GDPR, CCPA, and other compliance regulations seem like an extra, unnecessary burden for the enterprise. We view them as just another cost line in the ‘GDPR Regulation Resource Requirements’ budget. This is mostly, and probably quite correctly, because most organizations view privacy as a fundamentally legal issue.
However, what if we are looking at it the wrong way? Perhaps we shouldn’t be looking at regulations such as GDPR and CCPA as purely legal issues but mainly as security issues. Let’s focus on the practical requirement: Understand where your personal data is and make sure it is secure.
Enterprises want to maximize the amount of personal data they are holding while minimizing their exposure to risk. This is not solely because of regulatory contraventions, but primarily because of the negative publicity that would arise in the event of a breach. Enterprises are looking for company growth, with regulatory compliance being a secondary goal.
Enterprises want to understand the data they are storing, especially their personal data. Only by doing this can they meet the specific needs of each consumer with competitive and differentiated products. What they generally strive for is maximum efficiency in the way they manage and control that data.
As a consumer, there are many products I want and need for business and personal use. I understand to some extent the benefits of sharing my personal data in order to get the latest offers and incentives that are relevant to me (Hilton Honors, Amex, etc.). But my expectation of enterprises is that they hold and share the minimum amount of data about me needed to give me what I need or want.
To sum up my point, both consumers and enterprises have common interests in data security. On closer inspection, we are even interested in it for the same reason. We are both interested in the transfer of personal information from consumer to enterprise, and both interested in the strong security of that information. GDPR and CCPA are just here to help us prioritize enforcing it.
It’s about maximizing the personal data you hold while reducing the exposure to risk. Privacy regulations mandate it. Enterprises need it. I demand it.