The Ethical Side of Data Privacy Compliance

None of us likes to be told what to do. Especially when what we’re being told (or ordered) to do is tedious, expensive, unexciting, or counter to productivity or forward momentum, we just aren’t inclined to comply so willingly. We immediately push back and find reasons both legitimate and not-so-legitimate to support our disinclination. When finally forced, many of us then put in a faint-hearted effort at token compliance and hope for the best. Let’s face it, that’s human nature.

But really, who enjoys being a stickler and restricting groceries to only 15 items when using the express checkout lane at the grocery store, or devoutly observing the speed limit on the interstate when it’s clearly too slow to keep traffic moving efficiently? We can always find excuses for not complying. “Come on, it’s only 22 items—what’s the difference?” Ever been there? Or maybe, “we’re running late, but not if I open it up on the highway between here and there!” Yeah, we’ve all been there…

The point is, for any given rule, regulation, or mandate, we can always discover seemingly legitimate reasons for not complying and can subsequently devise a compelling justification for every single one of them. Again, it’s just human nature, though learning how to come up with convincingly logical justifications in any circumstance is certainly an acquired (and sometimes handy) skill.

Sponsorships Available

Sponsorships Available

Sponsorships Available

And that’s what I want to focus on, the issue of logic versus ethics in situations demanding conformance with a rule. Trust me, I’ve been known to come up with some pretty compelling and seemingly logical reasons for doing (or not doing) something. Only 15 items in this lane? Oh sorry, my eyeglass prescription is getting pretty bad, and well, now I’ve got all my items up on the counter so it will be less disruptive if I just stay here and make sure not to do it again. Thanks, sorry, bye (cue the innocent, slightly befuddled smile across the face here).

As someone who has friends in law enforcement, I can only say that I won’t go into detail about the zany reasons people give for speeding or fudging on stop signs, but people do it all the time. Sure, they sound reasonable and sometimes even logical. I mean, everybody has to go to the bathroom badly at some point, right? Yes, yes, totally understandable and logical, but that’s really beside the point, isn’t it? Speeding is speeding, and it’s definitely against the law, no matter how arbitrary that speed limit number seems to be, or how badly one needs to use the facilities.

What really matters, I believe, is looking at compliance from an ethical standpoint. By taking up a spot in the express checkout lane that you really shouldn’t, you may be making that elderly person behind you who has trouble standing for long periods wait just a little longer. Not cool. More alarmingly, by deciding to exceed speed limits or overlooking safety on the road, you could imperil not only yourself but others, doing real physical harm in the instance of an accident you might cause. It may be logical to assert that you were feeling ill and were trying to find a rest area as quickly as possible, hence the speeding, but it’s more ethical to obey the rules to keep everyone as safe and sound as can be. Try that previous excuse on an officer—my prediction is you’re probably still getting a ticket, or at least a strongly worded warning.

Which brings me back to my main topic of the ethics (not the logic) of complying with data privacy rules, regulations, and mandates. Much of the messaging around data privacy and compliance seems to be fear-based, both from agencies enforcing rules as well as vendors trying to help you comply with them. Look, I’m just saying the obvious: a lot of vendors—and we’re not excusing ourselves here—sometimes put forward some sobering and somewhat fearful messages about the steep costs of a data breach in the instance that your organization experiences one (or more). That’s all indubitably true and easily provable.

Just look at the tech news on any given day. Chances are you will hear about the fallout and repercussions of high-profile incidents: the millions spent in triaging the situation, the millions more spent in putting into place better preventative measures, the millions more spent in legal fees and regulatory fines, and the many millions more lost in brand reputation. Not to fear-monger overly much, but those are all likely scenarios following a highly publicized breach of your organization if lots of sensitive private data becomes public. If your business looks at things from the practical and financial vantage point, then you need to do whatever it takes to be reasonably sure that you can 1) prevent a breach, or 2) mitigate the fallout of a breach so that sensitive data won’t be disclosed. This is a logical case for compliance.

You know where I am going here, but as we’re not in the proverbial express checkout lane, we have time to go there at leisure nonetheless. What about the ethical responsibilities that your organization has to fulfill the promise of data safety to all those data subjects (employees, partners, customers, prospects) whose private and sensitive data you collect, process, and/or store? That should compel you far more than the fearful financial repercussions, logical as they are.

All you really need to do, if you’re a decision-maker who can allocate more time and resources (and budget) to auditing and improving your data security controls, is ask yourself how you would feel if your hospital, or therapist, or insurance agency, or favorite clothing retailer unwittingly (or wittingly, as sometimes occurs) enabled a data breach to occur with your private data among the compromised data set? Well, that’s how your employee or partner firm feels. That’s how your customers feel. That’s how they all feel when it happens to them. The damage is personal, it’s significant, and it plain and simple hurts them and negatively affects lives in many different ways. This is the ethical argument for doing every single thing you can to comply with data privacy rules—not because it’s logical (though it most certainly is) but more importantly because it’s ethical. It’s simply the right thing as a responsible organization to do, regardless of any other valid argument.