A different tack

There are several good reasons for protecting personal information, of which compliance with privacy laws and regulations is just one. 

For example, personal information can be extremely valuable in its own right - a business asset in fact. 

Consider the adverse consequences of personal information being lost or corrupted, perhaps the result of a system/hardware failure, a software bug, an inept or malicious system administrator, malware, ransomware or ....  well anything that can damage/destroy or deny legitimate access to information could of course affect personal information. In a sense, it is "just" information. 

At the same time, its commercial value is strongly linked to its confidentiality. This is why we are invited to pay $thousands for various mailing lists, offers which we either ignore or robustly decline since we are strongly ethical and most certainly not spammers! It's why sales professionals jealously guard their personal contacts. They are truly concerned about identity theft, as opposed to identity fraud. 

Treating personal information as a business asset worth protecting and exploiting puts an unusual slant on privacy. In particular, it emphasizes the commercial value of controls securing personal information, beyond the begrudging 'avoidance of fines' angle. It's also, I believe, a way to increase the pressure on senior management to do what needs to be done in order to secure personal information, even if they are not that fussed about privacy laws - a carrot-and-stick approach.

We'll expand on this and other good reasons to take privacy seriously in the next awareness module.