Program Director for Analytics Hybrid Cloud Thought Leadership and Data Privacy Officer at IBM. Executive Director of the CGOC think tank.
As implementation of the EU’s General Data Protection Regulation (GDPR) approaches, organizations may be tempted to regard privacy as a regulatory burden and focus solely on mechanisms of compliance. Protecting private information has vital and obvious implications for everyday life, and the only way companies can successfully do this is to create a culture of privacy.
Hacked enterprise data leads to identity theft and fraud. 2017 saw an endless string of breaches, topped by Equifax, which may have exposed some 145 million American consumers to identity theft. Other companies and institutions, including the Securities and Exchange Commission and Deloitte, suffered breaches as well. Despite the constant headlines and increasingly sophisticated security technology, the 2017 Identity Fraud Study from Javelin Strategy & Research reports that 15.4 million U.S. consumers had $16 billion stolen from them, up from the previous year.
Ultimately, the problem is people, and not just cybercriminals. According to the 2017 Verizon Data Breach Investigations Report, 81% of hacking-related breaches succeeded through stolen or weak passwords, and 43% of breaches involved phishing, which is itself one of the most common ways passwords get stolen. Another leading cause of breaches, unpatched software, is a human failure too: information technology (IT) administrators not applying fixes that are already available, a lapse in basic operational best practice.
The only solution — the only way to change people’s behavior — is to embed privacy in the very fabric of the organization. That’s why Privacy by Design, a decades-old application design and development strategy, is now being discussed as a foundational strategy for entire organizations.
Oh, How The World Has Changed
The original goal of Privacy by Design was developing best practices that ensured application developers were building privacy into their products from the ground up. Even if concern for customer or employee privacy wasn’t the highest priority, there was always profit — it is very expensive to re-engineer privacy into a product following a failure.
Today, these best practices are more important than ever. Ever-growing volumes of data have created an ever-expanding attack surface, and complex new regulations demand a foundational approach to privacy. In fact, Article 25 of the GDPR is titled “Data Protection by Design and by Default.” Organizations also face a growing number of privacy-related attack vectors, including the internet of things (IoT), over-collection of data by governments and businesses, and mobile app permissions that users accept without reading, such as allowing a scanner app to keep and sell the data it scans.
Finally, the use of new technologies is evolving so fast it creates significant legal complexity. Who is at fault when an accident involves a self-driving car? Who can access the data collected by a fitness tracker or medical device implant?