As privacy professionals, we all know the struggle: how do you really get colleagues to comply with privacy rules? Some swear by strict checklists, others prefer to talk to the manager or process owner. I myself sometimes catch myself reasoning mainly from my own logic. That is precisely why a dissertation I read recently stuck with me. The thesis did not look at the rules themselves, but at the question of why people choose to follow them or not. That got me thinking about my own approach.
Why do some people strictly adhere to privacy rules, while others carelessly ignore or even knowingly violate them? As a privacy professional, you know how important compliance is - but behavior is not always rational. That's why it helps to understand how people perceive rules and why they do or don't follow them.
The thesis "Dealing with rules" by lawyer and researcher Ritsart Plantenga provides insight into how citizens experience rules. Although he examined the adoption of rules in a general sense, the findings are also useful for the privacy professional.
Plantenga's research looks at people's preference systems on two levels: through a broad language analysis and through research among respondents. The first part of the study revealed that people think about rules in different ways: sometimes rationally and policy-oriented, sometimes more instinctively and experientially. If a rule radiates interference or suspicion, resistance is more likely to follow, even if the content of the rule is correct.
In the second part of his research, he found that experiential people are more likely to use words that refer to trust, relationships or emotional involvement. Rational people use more analytical words and words that express certainty, such as certain, necessary and always.
Preference in language use is closely related to how people experience and judge rules. Rationally minded people look primarily at whether a rule is clear, logically constructed and easy to implement. They talk about rules in terms of what works, what it delivers and how efficient it is. People who rely more on feelings find a rule acceptable only if it feels fair to them. They use terms such as trust, fairness and distrust.
He links these two preferences to two types of justice: one is about utility and results (instrumental), the other about trust and recognition (social-emotional). Which of the two carries the most weight varies from person to person. And that is precisely what determines how a person experiences rules and the extent to which he complies with them.
With his research, Plantenga shows that not everyone experiences rules - and thus privacy rules - in the same way. This sounds obvious, but in practice, as privacy professionals, we sometimes forget this. We write policy, provide training or advise administrators with the best of intentions, but we often do so from our own perspective on rules: rational, legally based and focused on compliance.
But the thesis makes clear that there is simply no approach that works for everyone. What works for one person rubs another the wrong way. Where one person mainly wants to know the usefulness of a DPIA or how a register of processing operations prevents future fines, another only feels addressed when you emphasize that careful handling of personal data is a matter of trust and recognition.
For us, this means that privacy is not only about laws and regulations, but also about values, beliefs and motivations. In conversations with employees, you notice the difference: the manager who wants to be reassured that processes are efficient and compliant, versus the professional who wants above all to know how to assure clients of safe and respectful handling of their data.
That diversity requires nuance. It means that training never works the same for everyone and that a policy document only really lands when it touches different perspectives. Sometimes an example of a costly data breach helps to underscore the point. Sometimes a story of lost trust is much more powerful.
Perhaps that is the core of our profession: not just explaining rules, but building bridges between the formal frameworks and the values that drive people. Only then will privacy rules not be seen as a paper obligation, but as something meaningful in practice.