GDPR: Creating a Culture of Privacy

We’ve recently explored how organisations are beginning to experience the repercussions of GDPR non-compliance, including fines and damage to reputations. Many are coming to understand the cost of controlling data and the impact it can have on a variety of business units. What seems less clear is how to implement controls to ensure compliance and just how far-reaching data controls extend throughout the organisation. The key to compliance, and to avoiding fines or damage to reputation, perhaps lies in something the regulation does not explicitly mention: culture.

Organisations that consider GDPR compliance to be just another business requirement are missing the enormous shift in culture it represents. Think of it this way: For decades there was little oversight in the collection and sharing of personal data. Consumers grew accustomed to giving away their personal information—and any rights to its monetization by others—in exchange for free email, social media platforms, or special offers they understood as limited in time and scope. Their relationships with these companies created mutual benefit and changed the very nature of society—a seismic shift in how we consume and communicate information.

Now comes an equally disruptive shift—one in which the changes to our thinking are just being realized. Consumers now have the legal right to know how their data is being used. As data collectors and brokers, we must now be prepared to fully account for data, specifically its collection, exchange, storage, and destruction. Many organisations will have to reexamine entire business models.

Such a disruptive shift then requires a cultural shift within your organisation, a transformation from data collection to data protection. To be successful, organisations must create a pervasive culture of privacy, one that crosses multiple business units and processes. Everyone must come to understand the value of data in new and changing ways. It’s as if a key resource for doing business suddenly became scarcer, more valuable, more difficult to transport and a new potential liability.

Sales divisions may need to reconsider partnerships where data is exchanged or sold with third parties. Accounting departments may need to prepare for the cost of responding to consumers who request information or ask to be removed from databases. Developer teams may need to consider new security, storage, and retrieval structures in their designs. The fastest, most efficient way to ensure continuity is to create a culture of privacy throughout the organisation.


Discover how Armor Automated Security and Compliance provides industry-leading cloud security posture management (CSPM) capabilities to continuously discover, assess, and report on security and compliance controls in place across your public cloud environments.

Resource Center

More security resources at your fingertips.

Practical Content for Security, DevOps, & IT Professionals