Traditionally, compliance in software and data has been top-down and event-driven – someone from outside of Technology, in response to some regulation, policy, or request, gets involved in how software operates, which open source components are used, or what data is stored or processed where. Not only does this approach fail to scale as the world is awash in more and more software and data, but it also frequently results in reactive damage control and re-development.
When everyone who works to build software or data understands what is or isn’t permissible – and knows when to ask for help proactively – the resulting product is much less likely to contain problematic code or information. It’s not safe to assume that this is the case, however (though training can certainly help). More likely, many of the people writing code or handling data are unaware of the full spectrum of contractual or regulatory obligations that relate to their work.