“It is non-negotiable…….. the potential fines are enormous…….individuals can be held personally liable”. So, with all of these compelling reasons, why can it still be challenging to gain traction on your GDPR compliance project? Some years have passed since the GDPR came into force on 25 May 2018, with many heavy fines imposed on UK companies for breaches of the Regulation. In this blog, URM looks at the steps you can take to gain senior management buy-in .
Know your audience
Identify the key stakeholders and establish their goals, objectives and measurements. It is suggested that you consider approaching owners, investors, employees, customers, suppliers and other interested parties. Once you have discovered their requirements, you can then map these against your GDPR project and tailor your ‘pitch’ to address their needs directly. Be prepared to evolve your pitch as you go through this ‘requirements gathering’ process until you have a refined and fully-fledged proposal to present to senior management.
GDPR may be a compliance-led project, but it will help if you can get people excited about it. Try and communicate how it will support the organisation’s strategic goals and what benefits the business will derive, ideally across multiple departments. You need to be fostering a belief that your organisation needs, rather than simply wants or is obliged, to achieve compliance. Note that business framing is more effective than moral framing, which can lead your audience to think that you are questioning their moral character. Instead, emphasise the positives that the GDPR will bring as you reach the sunlit uplands of compliance.
Keep your cool
Attempting to persuade people to support your initiative can be a slow, thankless and frustrating process and it is important to keep your emotions in check. Wherever possible, seek to inspire positive understanding and focus on benefits to the individual or organisation.
Timing is everything
You should be alert to identifying suitable opportunities to sell your GDPR initiative and have the awareness to know when it is not a good time to launch into your pitch. You’re looking to catch the right wave!
You’re not an island
Do not attempt to do this on your own. Seek to build a coalition by identifying those people, both internally and externally, that the organisation trusts. With the ‘blockers’, if you can’t gain their support try, at the very least, to ensure they do not actively obstruct your efforts and work on persuading the fence sitters to pick your side.
Every organisation has its own learning style. Identify what type of information senior management use to make decisions, how they prefer to receive that information, formal vs. informal, etc. Have they launched compliance-led programmes before? Are there any lessons you can learn from that process? At the more senior levels, a formal approach is more likely to achieve results. You may, therefore, wish to start informally as you engage stakeholders, build your coalition and refine your pitch, but then switch to a more formal style as you get closer to the senior decision makers.
Don’t bring me problems…
Throughout the process of gaining senior management buy-in, you should be offering solutions to meeting the GDPR challenges you are highlighting or, at the very least, proposing a sensible process for determining what the approach should be.
This is a process
In spite of what Hollywood films would have us believe, gaining senior management buy-in is the result of a considered process rather than a dramatic one-off, yes/no boardroom pitch. With this in mind, you should:
- Pick your battles – “He will win who knows when to fight and when not to fight”, Sun Tzu, The Art of War. Spend your reputational capital wisely.
- Combine approaches – Treat the tactics above as ingredients. Determine the appropriate recipe for your organisation and use a blend, ideally a little of each, to deliver the change you are looking for.
- Sell it yourself – No one will sell your idea better than you. If you are required to use intermediaries, e.g., a line manager, executive sponsor etc. then try and accompany them or do everything you can to prepare and support them.
By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.
If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you understand your current levels of compliance and identify gaps and vulnerabilities.
URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs ROPAs, privacy notices, data retention schedules and training programmes etc.
We discuss the importance of ensuring that your whole organisation can identify a DSAR and the benefits of controlling the entry points of DSARs.
When looking to comply with the General Data Protection Regulation (GDPR), it is always a worthwhile exercise....
Under the UK GDPR, the majority of organisations processing personal data are required to create and maintain a ROPAs