Gaining Senior Management Buy-In to GDPR Compliance

21 Jul

“It is non-negotiable…….. the potential fines are enormous…….individuals can be held personally liable”.  So, with all of these compelling reasons, why can it still be challenging to gain traction on your GDPR compliance project?  Some years have passed since the GDPR came into force on 25 May 2018, with many heavy fines imposed on UK companies for breaches of the Regulation.  In this blog, URM looks at the steps you can take to gain senior management buy-in .

Know your audience

Identify the key stakeholders and establish their goals, objectives and measurements.  It is suggested that you consider approaching owners, investors, employees, customers, suppliers and other interested parties.  Once you have discovered their requirements, you can then map these against your GDPR project and tailor your ‘pitch’ to address their needs directly.  Be prepared to evolve your pitch as you go through this ‘requirements gathering’ process until you have a refined and fully-fledged proposal to present to senior management.


GDPR may be a compliance-led project, but it will help if you can get people excited about it.  Try and communicate how it will support the organisation’s strategic goals and what benefits the business will derive, ideally across multiple departments.  You need to be fostering a belief that your organisation needs, rather than simply wants or is obliged, to achieve compliance.  Note that business framing is more effective than moral framing, which can lead your audience to think that you are questioning their moral character. Instead, emphasise the positives that the GDPR will bring as you reach the sunlit uplands of compliance.

Keep your cool

Attempting to persuade people to support your initiative can be a slow, thankless and frustrating process and it is important to keep your emotions in check.  Wherever possible, seek to inspire positive understanding and focus on benefits to the individual or organisation.

Timing is everything

You should be alert to identifying suitable opportunities to sell your GDPR initiative and have the awareness to know when it is not a good time to launch into your pitch.  You’re looking to catch the right wave!

You’re not an island

Do not attempt to do this on your own.  Seek to build a coalition by identifying those people, both internally and externally, that the organisation trusts.  With the ‘blockers’, if you can’t gain their support try, at the very least, to ensure they do not actively obstruct your efforts and work on persuading the fence sitters to pick your side.

Learning styles

Every organisation has its own learning style.  Identify what type of information senior management use to make decisions, how they prefer to receive that information, formal vs. informal, etc.  Have they launched compliance-led programmes before?  Are there any lessons you can learn from that process? At the more senior levels, a formal approach is more likely to achieve results.  You may, therefore, wish to start informally as you engage stakeholders, build your coalition and refine your pitch, but then switch to a more formal style as you get closer to the senior decision makers.

Don’t bring me problems…

Throughout the process of gaining senior management buy-in, you should be offering solutions to meeting the GDPR challenges you are highlighting or, at the very least, proposing a sensible process for determining what the approach should be.

This is a process

In spite of what Hollywood films would have us believe, gaining senior management buy-in is the result of a considered process rather than a dramatic one-off, yes/no boardroom pitch.  With this in mind, you should:

  • Pick your battles – “He will win who knows when to fight and when not to fight”, Sun Tzu, The Art of War.  Spend your reputational capital wisely.
  • Combine approaches – Treat the tactics above as ingredients.  Determine the appropriate recipe for your organisation and use a blend, ideally a little of each, to deliver the change you are looking for.
  • Sell it yourself – No one will sell your idea better than you.  If you are required to use intermediaries, e.g., a line manager, executive sponsor etc. then try and accompany them or do everything you can to prepare and support them.

Thumbnail of the Blog Illustration
Data Protection
Published on
Data Subject Access Requests (DSARs) – The Need for Education and Centralised Processes

We discuss the importance of ensuring that your whole organisation can identify a DSAR and the benefits of controlling the entry points of DSARs.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
Analysis of Fines Imposed by the Information Commissioner’s Office in 2022

When looking to comply with the General Data Protection Regulation (GDPR), it is always a worthwhile exercise....

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
Who Needs a ROPA and Why?

Under the UK GDPR, the majority of organisations processing personal data are required to create and maintain a ROPAs

Read more
Helpful synopsis of current issues and gaps (which I agree with!). Thank you
Webinar 'GDPR - Back to Basics'
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.