Gaining Senior Management Buy-In to GDPR Compliance

|
|
PUBLISHED on
21 Jul
2022

Table of Contents

“It is non-negotiable…….. the potential fines are enormous…….individuals can be held personally liable”.  So, with all of these compelling reasons, why can it still be challenging to gain traction on your GDPR compliance project?  Some years have passed since the GDPR came into force on 25 May 2018, with many heavy fines imposed on UK companies for breaches of the Regulation.  In this blog, URM looks at the steps you can take to gain senior management buy-in .

Know your audience

Identify the key stakeholders and establish their goals, objectives and measurements.  It is suggested that you consider approaching owners, investors, employees, customers, suppliers and other interested parties.  Once you have discovered their requirements, you can then map these against your GDPR project and tailor your ‘pitch’ to address their needs directly.  Be prepared to evolve your pitch as you go through this ‘requirements gathering’ process until you have a refined and fully-fledged proposal to present to senior management.

Packaging

GDPR may be a compliance-led project, but it will help if you can get people excited about it.  Try and communicate how it will support the organisation’s strategic goals and what benefits the business will derive, ideally across multiple departments.  You need to be fostering a belief that your organisation needs, rather than simply wants or is obliged, to achieve compliance.  Note that business framing is more effective than moral framing, which can lead your audience to think that you are questioning their moral character. Instead, emphasise the positives that the GDPR will bring as you reach the sunlit uplands of compliance.

Keep your cool

Attempting to persuade people to support your initiative can be a slow, thankless and frustrating process and it is important to keep your emotions in check.  Wherever possible, seek to inspire positive understanding and focus on benefits to the individual or organisation.

Timing is everything

You should be alert to identifying suitable opportunities to sell your GDPR initiative and have the awareness to know when it is not a good time to launch into your pitch.  You’re looking to catch the right wave!

You’re not an island

Do not attempt to do this on your own.  Seek to build a coalition by identifying those people, both internally and externally, that the organisation trusts.  With the ‘blockers’, if you can’t gain their support try, at the very least, to ensure they do not actively obstruct your efforts and work on persuading the fence sitters to pick your side.

Learning styles

Every organisation has its own learning style.  Identify what type of information senior management use to make decisions, how they prefer to receive that information, formal vs. informal, etc.  Have they launched compliance-led programmes before?  Are there any lessons you can learn from that process? At the more senior levels, a formal approach is more likely to achieve results.  You may, therefore, wish to start informally as you engage stakeholders, build your coalition and refine your pitch, but then switch to a more formal style as you get closer to the senior decision makers.

Don’t bring me problems…

Throughout the process of gaining senior management buy-in, you should be offering solutions to meeting the GDPR challenges you are highlighting or, at the very least, proposing a sensible process for determining what the approach should be.

This is a process

In spite of what Hollywood films would have us believe, gaining senior management buy-in is the result of a considered process rather than a dramatic one-off, yes/no boardroom pitch.  With this in mind, you should:

  • Pick your battles – “He will win who knows when to fight and when not to fight”, Sun Tzu, The Art of War.  Spend your reputational capital wisely.
  • Combine approaches – Treat the tactics above as ingredients.  Determine the appropriate recipe for your organisation and use a blend, ideally a little of each, to deliver the change you are looking for.
  • Sell it yourself – No one will sell your idea better than you.  If you are required to use intermediaries, e.g., a line manager, executive sponsor etc. then try and accompany them or do everything you can to prepare and support them.

Does your organisation fully comply with the General Data Protection Regulation (GDPR)?

If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you understand your current levels of compliance and identify gaps and vulnerabilities.
Thumbnail of the Blog Illustration
Data Protection
Published on
25/7/2022
What is the UK International Data Transfer Agreement and What Are the Implications?

On 2 February 2022, the Information Commissioner’s Office (ICO) laid before Parliament changes around restricted international personal data transfers.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
6/4/2023
Chatbots and Personal Data: Benefits and Risks

This blog considers at high-level various possible legal ramifications of using Chatbots, especially ChatGPT, concerned with data protection risks.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
22/7/2022
Supply Chain Compliance with the GDPR

This blog focuses on an aspect of the GDPR which can be particularly challenging for a number of organisations.

Read more
We cannot thank URM enough for their help in ensuring our business is GDPR compliant. Both the gap analysis conducted and the in-depth assistance with the ROPA were made much easier and understandable with URM’s help. I would like to give particular thanks to URM's Consultant for providing us with the best guidance and making a famously complex topic comprehensive, and to our Account Manager for helping make sure all our needs were covered.
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.