The three scenarios that motivate compliance with the GDPR

In my experience, when a data controller complies with data protection regulations, it generally does so with the aim of placing itself at one of the following three levels of compliance, which, of course, are cumulative and not exclusive.

Cosmetic compliance

Those of us responsible for legal advice, when we think about the need to protect personal data, normally do so from a perspective of formal compliance with certain requirements. Not infrequently, these requirements generate forced situations in the relationship between the data controller and the data subjects. Depending on how it is implemented, this can affect the user experience of the service to a greater or lesser degree, both positively and negatively. The purpose of this compliance is to avoid breaching a law or contract.

This cosmetic compliance is very evident in, among others, the principle of transparency. A classic example is the cookie banner that almost any website must display. It is a very important regulatory requirement, but today its motivation lies in formal compliance aimed at preventing sanctions, in safeguarding corporate reputation and in avoiding organic positioning penalties.

Compliance in the interest of others

On other occasions, the need to protect personal data plays a fundamental role in guaranteeing the privacy or other fundamental rights of the data subjects. This is the real reason behind data protection regulations, and one we should not trivialize. As history has taught us, the indiscriminate processing of personal data can have terrible consequences for people's lives.

In the contemporary European political and social context, perhaps more than one reader is thinking that I'm exaggerating, but during the 1930s and 1940s, census and parish records, synagogue membership lists, tax returns and police records from Nazi Germany made it tremendously easy to carry out what we now know as the Holocaust. It is unlikely that we will experience such a dramatic situation in Europe again.

However, the processing of certain categories of personal data, or the joint processing of certain data (even if they are not sensitive separately), must be subject to special care because, through them, any of us can today be exposed to situations as serious as being scammed, deprived of employment, manipulated politically and commercially, stripped of our privacy, having our identity stolen to commit crimes, or even receiving an erroneous medical diagnosis or treatment (imagine a medical history cross-check).

Compliance in self-interest

The last level of compliance, although it has points in common with the previous two, constitutes (in my opinion) a different modality. In this case, the company seeks compliance because, otherwise, its competitive capacity may be seriously affected.

The paradigmatic and most topical case affects multinational companies whose country of origin does not guarantee an adequate level of security equivalent to that required by European regulations. It is a two-sided problem, affecting both the foreign company, normally a service provider, and the European company, generally a client.

The foreign company, in order to operate in European territory, is under pressure to comply with both European laws and its national laws. In this scenario, many foreign companies (especially cloud service providers) are creating subsidiaries in European territory, separating the services offered in Europe from their obligations to the parent company. This strategy, added to a desire for real, transparent and loyal compliance, will play an essential role in the competitive positioning of these suppliers, which in the coming years may bring about a redistribution of the leaders of certain technological sectors.

On the other hand, the European company must be extremely careful when contracting with these foreign companies because, depending on the data affected by the contracted service (imagine certain business secrets or personal data of national public interest), the lack of guaranteed protection of that data, or access to it by certain foreign authorities, could seriously affect its competitiveness and its business purpose.

Lawyer specialized in IT/IP at Grupo SIA
