Introduction
The General Data Protection Regulation (GDPR) has made data handling more critical for companies everywhere, not just in the EU. Many U.S. organizations treat GDPR compliance as a mere checklist of tasks without genuinely changing their data privacy culture and values. This is because the U.S. has historically viewed privacy differently, with a patchwork of regulations for specific data types rather than an overall expectation of privacy.
Organizations can achieve true GDPR compliance by adopting privacy as a core value, addressing the cultural differences and implementing consistent privacy practices over time.
Approaches to privacy in the United States
Data privacy protections in the U.S. are more limited than those under recent laws like GDPR. The U.S. lacks a comprehensive federal law and instead relies on a patchwork of sector-specific and state laws.
The California Consumer Privacy Act (CCPA) is a notable state law with broad privacy rights. U.S. citizens have lower expectations for digital privacy due to concerns about surveillance and data protection failures by various institutions. This contrasts with attitudes in the EU, where privacy is viewed more seriously.
The founding fathers did not explicitly contemplate a right to privacy. In fact, the word “privacy” does not appear anywhere in the Constitution.
Global culture and expectations around privacy
European attitudes towards data privacy differ significantly from those in the U.S. European residents strongly value and expect protection of their personal information, considering privacy as a universal human right. European regulations, like GDPR, prioritize consumer trust and strict data protection laws. This emphasis on privacy may be influenced by historical experiences, such as the Holocaust, and differences in legal systems.
The heightened expectations for data privacy are expanding globally, urging organizations to adopt proactive measures and prioritize data privacy as a core value.
In contrast to the exasperation regarding data privacy in the U.S., European residents are unrelenting in their expectation for protection of personal information.
Designing an organizational culture that values privacy
Data privacy benefits both individuals and organizations. Organizations can gain by collecting less data and disposing of unneeded personal data. Emphasizing data privacy can lead to "defensible disposition," reducing unnecessary costs and risks associated with data breaches.
To create a culture of privacy, organizations should:
- Clearly define their legal, regulatory, privacy, and operating requirements
- Involve all departments and employees in the process
- Secure executive buy-in and active engagement
Applying change management principles helps in cultural transformation, including:
- Preparing for change
- Enacting it through effective communication and training
- Maintaining the focus on privacy over time
A strong culture of privacy leads to compliance with regulations and a commitment to data privacy requirements throughout the organization.