Thoughts on NIST’s New Privacy Framework (expel.io)

Bruce Potter, writing on the Expel blog:

Many companies are only starting to come to grips with privacy thanks to new privacy regimes like the EU’s GDPR and California’s CCPA. And when you come to grips with a regulation, it typically looks a lot like compliance. “What boxes do I need to check in order to be compliant?” you might ask yourself. And once you’re compliant, you’re Good Enough™ and you move on to the next problem.

While taking a compliance-driven approach might feel like the equivalent of hitting an “easy” button, there’s one big problem: It leaves gaps in your org’s privacy posture that you’re probably not even aware of. The “compliance = security” mindset has been a problem for years, and industry analysts and journalists love reminding us after every breach that simply being compliant isn’t enough.

Turns out that privacy is no different.

NIST has made the current draft available (PDF) for feedback. It isn’t the easiest document to read, but it shifts the thinking around privacy from compliance to risk management. That’s a fundamental and critical shift, and one that ought to give small- and medium-sized companies a greater appreciation of privacy as something to manage rather than a box to check.