Gaining Senior Management Buy-In to GDPR Compliance

21 Jul

Table of Contents

“It is non-negotiable…….. the potential fines are enormous…….individuals can be held personally liable”.  So, with all of these compelling reasons, why can it still be challenging to gain traction on your GDPR compliance project?  Some years have passed since the GDPR came into force on 25 May 2018, with many heavy fines imposed on UK companies for breaches of the Regulation.  In this blog, URM looks at the steps you can take to gain senior management buy-in .

Know your audience

Identify the key stakeholders and establish their goals, objectives and measurements.  It is suggested that you consider approaching owners, investors, employees, customers, suppliers and other interested parties.  Once you have discovered their requirements, you can then map these against your GDPR project and tailor your ‘pitch’ to address their needs directly.  Be prepared to evolve your pitch as you go through this ‘requirements gathering’ process until you have a refined and fully-fledged proposal to present to senior management.


GDPR may be a compliance-led project, but it will help if you can get people excited about it.  Try and communicate how it will support the organisation’s strategic goals and what benefits the business will derive, ideally across multiple departments.  You need to be fostering a belief that your organisation needs, rather than simply wants or is obliged, to achieve compliance.  Note that business framing is more effective than moral framing, which can lead your audience to think that you are questioning their moral character. Instead, emphasise the positives that the GDPR will bring as you reach the sunlit uplands of compliance.

Keep your cool

Attempting to persuade people to support your initiative can be a slow, thankless and frustrating process and it is important to keep your emotions in check.  Wherever possible, seek to inspire positive understanding and focus on benefits to the individual or organisation.

Timing is everything

You should be alert to identifying suitable opportunities to sell your GDPR initiative and have the awareness to know when it is not a good time to launch into your pitch.  You’re looking to catch the right wave!

You’re not an island

Do not attempt to do this on your own.  Seek to build a coalition by identifying those people, both internally and externally, that the organisation trusts.  With the ‘blockers’, if you can’t gain their support try, at the very least, to ensure they do not actively obstruct your efforts and work on persuading the fence sitters to pick your side.

Learning styles

Every organisation has its own learning style.  Identify what type of information senior management use to make decisions, how they prefer to receive that information, formal vs. informal, etc.  Have they launched compliance-led programmes before?  Are there any lessons you can learn from that process? At the more senior levels, a formal approach is more likely to achieve results.  You may, therefore, wish to start informally as you engage stakeholders, build your coalition and refine your pitch, but then switch to a more formal style as you get closer to the senior decision makers.

Don’t bring me problems…

Throughout the process of gaining senior management buy-in, you should be offering solutions to meeting the GDPR challenges you are highlighting or, at the very least, proposing a sensible process for determining what the approach should be.

This is a process

In spite of what Hollywood films would have us believe, gaining senior management buy-in is the result of a considered process rather than a dramatic one-off, yes/no boardroom pitch.  With this in mind, you should:

  • Pick your battles – “He will win who knows when to fight and when not to fight”, Sun Tzu, The Art of War.  Spend your reputational capital wisely.
  • Combine approaches – Treat the tactics above as ingredients.  Determine the appropriate recipe for your organisation and use a blend, ideally a little of each, to deliver the change you are looking for.
  • Sell it yourself – No one will sell your idea better than you.  If you are required to use intermediaries, e.g., a line manager, executive sponsor etc. then try and accompany them or do everything you can to prepare and support them.

Does your organisation fully comply with the General Data Protection Regulation (GDPR)?

If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you understand your current levels of compliance and identify gaps and vulnerabilities.
Thumbnail of the Blog Illustration
Published on
Is AI the Answer to Managing DSARs?

Some organisations are using artificial intelligence (AI) to help respond to DSARs. But can AI provide a full and robust solution?

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
UK International Data Transfer Agreement

DTA and the UK Addendum to the current European Commission’s SCCs re the next steps in providing a transfer tool for complying with the UK GDPR.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
BS 10012:2017 – What are the Benefits and How Do I Achieve Certification

BS 10012 is a standard which has been developed to enable organisations to implement a personal information management system (PIMS).

Read more
Very Enjoyable and Informative. Thank you!
Webinar 'GDPR - Back to Basics'
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.