10 insights from ‘Defining roles and responsibilities’ best practices webinar with PANDORA

The world of governance, risk, and compliance can be complex. To help you navigate the challenges and realities of your compliance solution and add value to your work, our new webinar series Compliance Best Practices asks a range of leading experts to share their best practices and tips for success.

We launched our series this week with the mastermind behind PANDORA’s global privacy program – Clara Kromann.

Interviewed by Complyon CEO and Co-founder Julie Suhr, Clara was invited to explore the topic of how to plan and implement a successful compliance management program, with a particular focus on how to identify relevant roles and responsibilities from the start.

You can watch the full webinar here or find our top ten insights below. 


But first, let us introduce our webinar guest… 

Clara, Attorney-at-law for PANDORA, joined the global jewellery brand in 2018 with the initial task of implementing GDPR and privacy policies into the organisation. 

Working largely on her own, in a non-process driven and unregulated enterprise, Clara adopted a number of strategic and creative ways to improve the understanding and commitment to compliance within the business. 

The result of her approach was the launch and development of PANDORA’s global privacy program. which is currently implemented internationally by a newly formed compliance team, with Clara now guiding and advising the business on all things privacy, digital and technology-related. 

With her experience of building a successful compliance program from the ground up in a non-regulated sector, Clara was our go-to guest to discuss the challenges of communicating responsibilities relating to compliance and the benefits that occur when this is done consistently throughout an enterprise.

Read on for ten major insights we gained from Clara in our first-ever Compliance Best Practices webinar. 

1. Establishing roles and responsibilities is the foundation of a successful compliance program

One of the reasons Clara was a keen participant in our series was her enthusiasm for the webinar’s topic. “I think [roles and responsibilities] is one of the most central topics for anyone who is building or in the middle of implementing any type of program,” said Clara, “it’s one of the ground pillars of compliance activity.” 

Drilling down into why the subject is so important, Clara explained that defining roles and responsibilities provides organisations with the foundations needed to ensure that you create a “sustainable compliance program” that lives on and keeps developing. 

This step introduces the necessary accountability to your program, ensuring it doesn’t end up in a place where you create and define a great set of activities but then have no one to drive them, grow them and keep them compliant. 

2. Building a sustainable compliance plan needs to consider three main components

When asked about what advice she would give to those establishing a new, sustainable program with the hope of long-term impact, Clara replied: “I think it’s extremely important to know your organisation and for me, that meant focusing on three areas: culture, ways of working and strategic direction.”  

She built on her these focus points with the below questions:

  • Culture: Who does your company employ? What is the culture among staff? Is there a compliance-driven culture?

    If, like PANDORA, your business operates in a non-regulated industry, can you identify what else drives workplace culture?
  • Ways of working: What are your ways of working? How do different people or departments work in your organisation? Are you a very process-driven organisation? Or are you not? 
  • Strategic direction: What is your strategic direction? Where are you going? What is the driver behind the business? For some companies, compliance will be a huge driver, whereas others, for example, will be driven by sales.

With these three areas covered, you have a much better baseline for defining what makes sense for your business’ governance framework and can help you establish what actions you need to take next.

3. Switch your legal mindset for a strategic one 

Clara continued to stress the value of strategic direction, which she deemed “the most important factor” when looking into roles and responsibilities, but warned strategic thinking doesn’t necessarily come naturally to everyone working in compliance.

Typically, many of us in the sector come from legal or compliance backgrounds, which provides many benefits, but, according to Clara, has one major drawback:

“Coming from a legal background, I haven’t been trained to think very strategically from the outset. I think that it’s important to maybe throw a bit of that legal/compliance mindset away, put on your best management and strategic consultancy hat and really look into what drives your business.”

Activating your strategic mindset means you can align with what drives your management team, allowing you to then find ways to tap into those goals and get the necessary attention and buy-in that you need. 

For instance, at the time Clara began planning her program, PANDORA was in the middle of a huge turnaround program to become an extremely data-driven brand that champions best-in-class practices. 

Clara looked at specific KPIs, such as the push for greater personalisation, and incorporated those projects into her program to give her plan weight and relevance.  

“Look for what you can find that connects with your business agenda”, advises Clara. “Find documentation, or whatever is put to the stakeholders and… dive into that.” 

4. Get to know your C-suite one-on-one

In addition to aligning compliance activities with specific business drivers, Clara also took the time to really get to know and understand her C-suite before assigning her programme’s roles and responsibilities.

“I sat down with identified stakeholders in top management and had one on one interviews with them to understand – what drives them personally? What are their KPIs? What is on their particular agenda that I can utilise and tap into?”

Taking the time to speak to management individually also gave Clara the opportunity to explain how her program could help her colleagues reach their goals in a safe, compliant manner, gaining key support for her initiatives.

Getting to know your senior team says Clara, also reveals the best recruits for your program:

“Make sure you understand [your management]. Then you know who will be great stakeholders in terms of roles and responsibilities going forward. Because, if you can understand what their agenda is, you already know who in your business is the most compliance-driven”.

5. Buy-in from C-suite is integral to the success of any compliance plan

If anyone was in doubt as to the importance of securing C-suite support, Clara echoed a key belief we hold at Complyon, saying: “[Setting the] tone from the top is absolutely essential.”

“When it comes to getting commitment from the individuals in your organisation, you need your management to be the ones that stand up and set the tone. If they are not ready to work and formulate the direction, you’re unlikely to ever get buy-in from the rest of the organisation, especially [further] down in your organisation.”

Clara explained a lack of management support creates two kinds of people. There are those who understand what you’re doing and “from the good of their heart” might take on some responsibility and implement your activities, despite themselves being at 100% capacity. Then, there are those who, without management involvement or any incentives, will question your work and its relevance to them, which does not bode well for the success of your program. 

6. Offer a variety of ‘carrots’ 

When asked by webinar host Julie Suhr about her thoughts on practical measures businesses could take to increase buy-in from the entire organisation, including those who don’t feel compliance is “the most interesting topic”, Clara responded:

“I think you can talk about the carrot and the stick [approach]. You will have some people who are very much purpose-driven, who understand the purpose behind what we’re doing and the importance of it. And that’s really great – they already see the carrot.

But there will also be a need for other carrots for what [some] people will look at as the stick, which I think is embedding compliance-related KPIs or goals into performance evaluations and personal development reviews.”

Speaking of her experience at PANDORA, as well as knowledge of other companies that are mature in their compliance journey, Clara suggested that if you want to increase commitment, you should set specific goals that tap into your program agenda and make sure these are applied throughout the organisation, from the bottom to top management. 

“I can assure you”, confirmed Clara, “if that is done, you will 100% achieve what you set out to.” 

7. Choosing between a centralised vs a decentralised compliance team is company-dependent 

The webinar also touched on the much-debated topic of whether compliance teams should operate as centralised or decentralised teams. 

Reminding us that there is “no golden nugget” when it comes to opting for a decentralised or centralised model, Clara spoke of the need to examine your company’s structure. 

“In general, at least from my experience, if you have an extremely process-driven organisation with a compliant culture and employees who are very used to working with frameworks, it works really well [to have] a centralised organisation. 

In relation to Pandora, we didn’t have a very compliance-driven culture or process orientated organisation. So what we did and what we actually still have today is a very decentralised organisation where we have privacy people in the various functions.”

Clara believes the benefit of this decentralised structure allows companies to have compliance people truly embedded within the organisation. People are close to the action and, therefore, more able to pick up on what is happening in real-time and report back. 

Adding her insights to the topic, Julie agreed, saying: “What I’ve seen from our customers is that it makes sense to start up being very centralised and then maybe pushing that out and being more decentralised as you [develop].”

8. Securing compliance buy-in takes time

Regarding timelines, a message Clara was eager to raise was that compliance does not happen overnight. “It was a journey. “It’s not something that happens from one day to the next”.

In particular, getting to know management and having the opportunity to find times that worked for busy diaries, then learn more about what drives individual C-suite members, was a process that needed some time.

9. Never forget that a compliance programme should be dynamic 

Talking more on the topic of managing expectations, Clara was eager to stress the importance of the maintenance of a compliance program, saying: “I think [maintenance] is something that keeps challenging organisations.” 

Clara highlighted that many who share her legal background don’t necessarily like things to be in a constant state of flux and are more used to counting on their work staying within the same framework. 

However, no matter what your background when approaching compliance, Clara reminded us of the importance of change: 

“It’s extremely important to recognise that what you do is not static. It’s dynamic, and you need to have a mindset and an approach that follows the organisation. You will never be finished with compliance.”

10. Software counteracts issues of accountability, productivity and knowledge gaps 

Rounding off the webinar, Clara and Jules discussed the value of incorporating software such as Complyon into a compliance plan to help ensure successful implementation and maintenance. 

Following a short demo of the ways in which Complyon facilitates assigning and monitoring roles and responsibilities, Clara commented:

“I think that where we are at this point in time, especially if you’re working with GDPR and global privacy compliance, it is extremely hard to continue doing manual exercises, especially if you have a very dynamic organisation.”

Touching on the ways that a solution enables companies to ensure staff turnover doesn’t lead to knowledge loss, she added: 

“You need to have this [tech-led] overview that ultimately leads back to accountability. At any point in time, you should be able to know, show and present what your accountability looks like. And if you don’t, you already have a compliance gap there.”

Julie and Clara also discussed how software means reducing time spent discussing who owns what or debating issues of responsibility, with Julie concluding the talk by saying:

“There’s a lot of legal counsels and risk managers who are highly educated, that spend way too much time on project management – tedious, little things, instead of the actual valuations and assessments, and so on. So that’s definitely Complyon’s goal, to minimise that.

You can watch the full webinar with Clara here and if you’ve enjoyed our first episode, make sure to join us for our second with Bo Pyskow, CEO and Co-founder of Sixtus Compliance. You can signup and find more information about the webinar, which will discuss how to begin and sustain the data mapping process via our website.

You can also watch the Complyon demo that Julie and Clara discussed here. In just a few minutes, we demonstrate how to establish and manage roles and responsibilities using Complyon, illustrating three use cases in our system. 

Creative, fun and engaging: expert tips on GDPR training with Thorleif Gotved

If you work in compliance, you won’t need us to tell you that GDPR training can be challenging.  

While those of us in the industry get excited about the positive impact of specific Articles and the long list of benefits of being a compliant business, it’s safe to say that our non-industry colleagues don’t always share the same level of enthusiasm. 

Often, this unmatched interest means that getting people to listen to what we have to say about data protection is no easy feat. For all our good intentions, it’s not uncommon for awareness sessions to produce disengaged or uninterested participants. 

If you’ve been struggling to get the response that your training program deserves, we’re delighted to introduce you to a man shaking up the GDPR awareness scene: Thorleif Gotved

As a renegade in the industry, Thorleif’s fun and engaging approach offers businesses a fresh and effective way of spreading awareness – and making it stick. 

Here, he discusses why GDPR training needs to be more creative, the pitfalls of traditional awareness campaigns and his reasons for introducing Barbie and Ken to the world of compliance.  

For anyone unfamiliar with your work, could you tell us how you first became interested in GDPR?

“Sure. I think we should start in February 2007 when I made a huge mistake. 

At that time, I was working in communications at a trade union and had to email 8,000 members. I sent the email via Outlook but I could only send 2,000 at a time, so four identical emails were sent. Then, I went to lunch, and when I got back, I realised I’d done something really stupid. I forgot the BCC, which meant that not only did it take ages to scroll down to read the email, but people could also see the other 1999 recipients. 

Although data laws didn’t exist as they do now (fines were ridiculously small), this was not good – particularly working at a trade union where people aren’t meant to know who else is a member. 

What this mistake made me realise is that when you are working with personal data, you have an obligation and a responsibility to take care of it. Just like when you’re handling money or anything valuable, you should take care of it – especially if it’s somebody else’s, and especially personal data. If somebody steals that data, it’s not like money, you can’t replace it if it has been stolen. It can be stolen once, and then it’s too late. 

I suddenly became interested in the laws around data protection and started to read a lot about it. I started to see it as a human right to respect someone’s data, which to this day remains very important to me.”

How did this initial interest in personal data develop into a career?

“Some years later, I started working for an IT company, and I hired a lawyer to put together courses for our customers on personal data. 

I learnt a lot from these talks, so I began writing articles for the company newsletter about the topic. Whenever I wrote about personal data, I could see it actually interested the people who receive the emails, including members of political parties, unions and NGOs. 

I then moved on to a new job doing something completely different. But I was only there for 14 days before I was sacked. This was in December 2017, half a year before GDPR would become a reality, so I thought, “Why not become an independent consultant?”. I had the knowledge, was really interested in it and guessed there would be a demand. 

I went on to LinkedIn and wrote a post saying, “This was not the plan. But hey, it’s not that bad because now I have the opportunity to become a freelance GDPR consultant”.

After publishing that post, 15-20 people contacted me asking me for help and around half became my first customers. Today, I use LinkedIn a lot and sometimes receive thousands of likes, but I never received as much business interest as I did from that first announcement.”

In your LinkedIn bio, you mention that “you convey the topic of GDPR in a way people (probably) have not experienced before”. Can you discuss your approach and why you think a new way of teaching GDPR is necessary?

“So most people working in GDPR have studied law or GDPR. They’re great, great people. I love them and have learned a lot from them. 

However, when you go to law school, in Denmark at least, you’re very good at the knowledge of all the laws and stuff like that, but not necessarily good at explaining them to people because it is not part of what they learn at law school. 

Very often, I’ve seen papers from lawyers where everything they say is correct, but it’s really difficult for normal people to read and understand.

With me, I’m from another planet, so to speak. I went to university to become a high school teacher, so the ability to communicate and try to make people understand stuff is something that I’ve been trained in from early on. 

Unlike lawyers who have their reputation or company’s reputation to think about, I can be a little bit bold in how I teach people about GDPR. For example, I sometimes use props like Barbies, Ken dolls, teddy bears etc., to explain some of the basics of processing personal data. Something that could be incredibly boring is suddenly made funny and memorable because you’ve introduced a teddy bear and some dolls. I actually did this once for an article. I made a video using a teddy bear, and my daughter joined in. I got a lot of reactions to that video, and even now when I go into meetings with potential customers, they tell me they loved the video. 

When people think something is funny or get more curious, they start to open their eyes and ears and listen to you, especially when it comes to something like GDPR, which so many people are obliged to know about.”

What are the most common challenges facing organisations educating staff about GDPR and compliance?

“For most people, it’s boring and difficult to understand. 

It’s also my impression, more often than not, at the management and C-suite level, there needs to be more concern about GDPR. I wish that they would not just see it as a cost but actually something they can gain a lot from. 

For instance, if they actually start to clean up all the mess, they can make sure that the right people have the right access to information. Or, if an employee leaves a company or joins a competitor, they may leave with that knowledge or still have access to critical information, which can be very harmful.”

Where do you think the lack of concern around GDPR comes from?

“In general, GDPR is still connected with big fines. I think that’s horrible. Because if that’s the reason why you are doing something about GDPR because you’re afraid of fines, you’re coming at it from the wrong place.

I perfectly understand why people are talking about big fines. Still, it means much action is driven by fear rather than the opportunity to take care of something that belongs to other people – their personal data. That alone should be the reason why you take GDPR seriously.

Let’s say that you’re living in an apartment, and you have a loft with a lot of stuff up there. Suddenly, your landlord calls and says if you don’t clean it up within one week, I’ll give you a huge fine. Okay, then you have to do it.

But imagine, if instead you’re told that by cleaning up your loft, you would find a lot of stuff you could throw out, so you have space for more things. Or, you would find things that you thought you had lost that were very valuable to you. Or, you’d just be able to find things very quickly. There are so many reasons why you should do this job instead of just to avoid the fine, right?”

When a company hires an external consultant to help with their awareness efforts, what should they expect? 

“The most important thing to know is that they should be doing most of the work themselves. Consultants shouldn’t be doing all the paperwork. This has to be done internally, so businesses understand what they’re doing. 

Our job is to explain why they’re doing it and what it’s all about so they’re able to change it later on. I’ve seen so many organisations that did a lot of work regarding GDPR a few years ago, but today, they haven’t done anything. They don’t know what was done or how it was done because someone else took care of it all. 

And then there are deadlines. Deadlines are extremely important. Often, people know they need to do something, and they spend time gaining knowledge from webinars and white papers but then don’t do what they should do. That’s because they don’t have deadlines in place. 

With deadlines in place, it creates a process to make sure a business goes from A to B, and perhaps a little further.”

What are your go-to formats or techniques for making GDPR education as engaging and exciting as possible? 

“It depends on the company size and sector, but when I give a speech or teach a course, I like to use Kahoot! Sometimes, I’ll include a prize to add a bit of gamification. 

It’s all about being creative. Once I had a customer who wanted to make sure their entire staff was more aware of GDPR. So I hijacked the CEO’s email account and emailed the whole company who thought there’d been a data breach. Of course, I did so with acceptance from the CEO

That got everyone’s attention much more effectively than simply sending them a manual because they were surprised, and the more you can surprise people, the more they will be affected.”

And lastly, what is your opinion on the GDPR scenario in Denmark at the moment? Do you think the market is mature? Or do you think DPA has some work to do to force businesses to take data compliance more seriously?  

“I think some of the decisions made by the Danish DPA lately have been disappointing. Denmark is a very small country, but the trust in Denmark is bigger than in other countries, surveys have shown. We believe in others, which is a beautiful thing, but we live in an international world now. Things are going so fast, especially with the internet and social media, so we should be better at taking care of stuff. 

In Germany, they have been way more strict when it comes to GDPR as they have a different history and culture. But the thing is, whatever organisations are doing in Germany or Sweden or Denmark should be all regulated the same. There should be a universal European body that says, “Hey Denmark, you haven’t done this good enough. You have to do better.” We do have the EDPB but I would appreciate it if they were more offensive towards the efforts made by some of the national data authorities

We also have to remember that we have Europe, and then there’s the United States and China. In China, they have very different rules and attitudes to personal data. In the United States, they haven’t really paid that much attention so far, although they’ve started rolling out more laws in some states, such as California.

I think respecting privacy could be something really unique for Europe and European companies. Because we are more aware of respecting privacy, we could share the value of always acting to the highest standard, which would be a great opportunity.”

For more GDPR insights and tips, you can follow Thorleif on LinkedIn, and you’ll find his latest articles here. You can also follow Complyon for more industry interviews, tips and updates here