There’s this discussion going down on the merits of privacy versus security. Whether the one is part of the other, or the other way around, or both. Whereas the smarts are with considering privacy enhanced by good confidentiality settings, cause they see that privacy is an issue of higher (abstraction) order than mere confi; achieved by it but only as infosec are the bricks and mortar when all you wanted is not bricks or so but a wall.
Through which you may reflect on compliance in infosec. Because hardly ever, is that taken to include compliance with the principles and business objectives and conditionsthat include being sparse with hinder to the business. Really, those that truly set only guiding rails not enforcement rails, are the unicorns of the trade. No, not those unicorns, those are just frauds anyway.
You may try to do better; really. It starts with risk … when properly applied, you would notget the remarks about ‘why, it has never happened to us before / what are the odds?’ but might even get better support for some slightly hindering process changes and better (but less end user detectable) ‘infra’ i.e., everything under the users’ level of visibility.
So, I’m not sombering or if, about the eager beaver pervasive prevalence. Because sobering up, wising up, may win the day and may be due…
On the contrary; isn't this 'privacy' business a perfect opportunity to finally demonstrate how we do (... can ...) link up information security to real business issues at the highest GRC levels. Since we shouldn't be passive, and leave the privacy field to be taken over by lawyers jumping into the current Privacy Officer void. Since we *can* translate all the operational and tactical work that we do on privacy, all the way up to strategic levels and still be very concrete. And not have to wait till ill-understandable “guidelines” (shackles) keep us from achieving something.
No more wannabe whining about 'deserving' a seat at the Board table or at least be heard; not asking to be allowed but matter-of-factly showing 'Done.' ... if, not when, you did information security right all the way… Let's go!