An expert’s tips on how to collect data for Article 30

From safeguarding your company against GDPR fines to optimising consumer and client trust, Article 30 compliance comes with a long list of benefits.

We explored some of these benefits in our previous article, “Beyond compliance: 3 reasons why Article 30 isn’t just a GDPR concern”, demonstrating that understanding why and how your company processes data can have significant and far-reaching impacts on your entire organisation. 

For our next Article 30 focus, we turn our attention to the more practical side of implementation, honing in on a process that’s not just instrumental to this specific GDPR article but all aspects of compliance: collecting company data. 

Introducing your compliance expert: Christina Schak Møller

With six years of consultancy experience within compliance and two decades of working with organisations to optimise processes and implement structures and procedures, Christina Schak Møller is the person to go to when it comes to learning about effective data collection strategies. 

Currently working as a Management Consultant at VENZO, we’ve seen Christina work her magic across numerous complex accounts, assisting clients in mapping out their data processes and instilling new ways of working to ensure continuous compliance for a variety of businesses, ranging from global finance enterprises to fast-moving AI disruptors. 

Here, Christina shares some advice for those embarking on their data collection process, including navigating difficult conversations, where to start if the process feels overwhelming and what to expect if you decide to work with an external consultancy.

In compliance, why is thorough and best practice data collection so important for organisations?

I think one way of looking at it is as the backbone of compliance. It ensures that you have all the information you need so you can actually comply and follow the necessary processes, activities and regulations. For example, having data mapping in place allows you to swiftly reply to customer and DPO access requests or quickly produce an Article 30 report.

You can’t do any of this if you do not have up-to-date data mapping in place. So for me, it’s an essential step before you can start anything else. You may have all the procedures, processes and governance in place, but if you don’t have an overview of your activities, you can’t really achieve anything with these structures. 

It’s also an ever-changing world – activities change, purposes change; you have new projects, new customers or new devices in your organisation. If you don’t have your data structured and hold a clear overview of the data you process, it’s really difficult to have an up-to-date understanding of what you need to do to stay compliant. 

What are the main challenges businesses face when it comes to collecting data across the organisation? 

Whether we’re talking to large companies or smaller organisations, a common issue we see is that they do not have a clear overview of their processing activities, making it quite difficult to know where to start or what to do first. 

So it can be overwhelming to get that initial mapping in place, and sometimes it’s good to bring in someone external who can facilitate the process and show a business which questions need to be asked to get that information out in the open.

What does the start of a data collection process typically look like for your team?

We often start out with asking a data privacy manager (or the people in the company who engaged our services) to provide an overview of how the company is structured and which key stakeholders to talk to. 

Then we typically invite them for an introduction session where we explain what is going to happen so they can start to think about what they’re doing and what we need to do. 

Before the workshop, we’ll sometimes provide session attendees with a spreadsheet and say, “Okay, map everything you do – all of your activities”. Doing this before we meet means we can structure a bit of their work in advance. It allows us to identify repetitive processes and find the right level of detail required for data mapping.

Some companies prefer not to have this introductory step, so we just go straight to the workshop and spend the first hour or two drawing everything out on a whiteboard.

With either approach, we work together with the client to define the headlines for the processes and list out activities underneath. Once we have that in place, we can go to our tools and start data mapping. 

Is there anything a business should do before a data collection workshop?

If you don’t have backup from the management team or if this exercise has not been approved by those at the highest level, you will often not succeed. Data collection and mapping processes can be time-consuming projects and communication from management gives your work emphasis, so I recommend you spend time getting this buy-in to make your task easier.

I’d also suggest having a story ready to support the value rather than relying on “We’re doing this to be compliant”. Everyone knows that they need to comply with certain regulations and laws, but it’s more effective if you can communicate the business advantages that the workshop or exercises will achieve.

Do you ever come across any resistance or negative attitudes in these workshops?

We do hear that GDPR and data privacy are boring topics – but people are always polite, especially if the management team has conveyed a message of why we’re doing what we’re doing.

Over the last few years, there has also been a lot of focus on cyber attacks and data privacy, so it’s my impression that people are now more open towards compliance than they were. We don’t see people sitting with their arms crossed, not wanting to participate anymore.

In fact, most of the team managers and process owners we work with give feedback that they’re pleasantly surprised by the data mapping experience. Particularly when working with large companies, a common response is, “Wow, I understand my company a lot better now”. They can see the side benefits of data mapping, such as optimising internal non-compliance activities or increasing productivity after identifying overlapping workflows.

You mentioned that GDPR could be seen as boring for some employees. Are there any particular approaches you use to increase engagement with disinterested groups?

I just try to meet people where they are. If you can feel that someone is busy or doesn’t really want to be there, then it’s important to have open communication and say, “It’s okay that you think GDPR is boring. We will do this as quickly as we can and not take much time away from your work”. 

Sometimes that means we split our sessions up into a couple of workshops where we outline what we’ll cover and what we need them to do. Then we go away and do some work on the backend while they input information into a compliance tool. Afterwards, we can regroup and do a sort of validation session which is less time-consuming.

We prefer to do the full workshops together, but we know that sometimes it’s not possible, and we just try to make life easy for everyone involved. 

In general, I also try to be positive and outgoing and crack a little joke here and there, so it doesn’t become too dry!

How do you navigate conversations if someone doesn’t want to take accountability and ownership?

Honestly, we don’t experience these conversations very often. Perhaps that’s because we work with different departments, so people may not know exactly what they need to do, but they know that they are responsible for the data they process. 

However, if there are occasions where we identify some processes and nobody wants to own them, all we can do is flag this to management. As an external party, we can’t make a decision because the company needs to own that responsibility and someone needs to take charge. 

We can advise and we can facilitate, but the responsibility lies with the client.

What are your go-to strategies for making the information you discuss at your workshops stick? 

Organisational change management is key to succeeding with compliance goals – yet sometimes it’s something that companies forget to do or don’t focus on. They just want to collect the data and map it, so they live up to regulations. 

But if you don’t ensure a continuous compliance approach and the people who are responsible for the processes and activities don’t understand what they need to do, the work you’ve done leading up to this is more or less lost. We’ve seen this happen with huge data mapping projects where companies skip the change management part. They end up calling us two years later for help, and we have to pretty much start over again as the data is now out of date and hasn’t been anchored anywhere.

It’s sad to see because organisational change management can be done at many price points. If there’s the budget, we’ll do cartoons and presentations – but that’s not always necessary. Sometimes you just need to have the key stakeholders involved and bought into what is expected of them. 

When data is so fast-moving and ever-changing, how can a company ensure long-term Article 30 compliance?

It’s one thing having the policies in place and another if nobody reads or follows them, so you need to make sure it’s anchored in the organisation. Ways we’ve done this include creating tools such as e-learning training, presentations for all-hands meetings, data privacy sites and intranet content. 

With all this activity, it’s important to have one place where you can collect information so employees can find what they need to do in terms of their individual responsibilities and also what to do in scenarios such as a data breach. You need to make it very simple for people to find out what is expected of them.

Policies need to be read and understood, so make sure your documents aren’t 50 pages long. Instead, you need to produce documents that are easy to digest, such as a three slide PowerPoint with FAQs that quickly convey your information.

We also advise setting up an annual activity wheel in your compliance software so you are prompted to do tasks on a regular basis. A system may also be able to trigger prompts that remind you to review your data privacy policies and privacy notices if you start a new project or buy a new system. 

Even if you don’t have an automated trigger set up, your compliance tool will prompt you regularly to take certain actions and review your activity to ensure continuous compliance.

Would you say compliance technologies and systems are an important part of this continuous compliance approach?

Yes. It’s also important in the data mapping phase, as it’s extremely hard to map everything in a spreadsheet, from the types of data you process to who you share this information with and what systems you use. We see clients determined to use spreadsheets come back to us after half a year because there’s just too much data to manage and they need a tool. 

You also can’t build in prompts or annual activity wheel functionality in Excel. Nor can you combine it with assessments, like transfer impact assessments. So getting a tool in place is key, especially if you have a fair amount of data to process.  

You can follow Christina on LinkedIn here and sign up for our new Compliance newsletter to be the first to receive our latest interviews, articles and news.

Beyond compliance: 3 reasons why Article 30 isn’t just a GDPR concern

Data holds more value for today’s businesses than ever before. From advancing personalised UX journeys to optimising products, the ways a company can transform consumer data to accelerate growth and market share are becoming more varied and sophisticated by the day.

However, while 70% of companies are increasing data collection activity and tapping into its growing list of business drivers, consumers are becoming more guarded and worried about how organisations use their personal data.

A recent report from KPMG suggests 86% of people feel a growing concern about data privacy, 78% are fearful about the amount of data being collected, and 40% don’t trust companies to use their data ethically.

As a direct response to concerns around data collection processes, Article 30 is a major GDPR strategy designed to keep data-handlers transparent and fair. Here, we take a closer look at the Article, exploring its compliance benefits, as well as the enterprise-wide impact Article 30 can have outside the world of GDPR. 


In this article, we spotlight Article 30, looking at its importance both within and outside compliance departments.

  • What is Article 30?
  • Why is Article 30 important?
  • Beyond compliance: 3 major business benefits for Article 30
    1. Optimising workflows
    2. Enhancing digital transformation projects
    3. Updating tech-stacks 
  • An introduction to Complyon’s free Article 30 data-mapping tool

To begin with: what is Article 30?

Article 30 is concerned with why and how a company processes data. Requiring businesses to produce “records of processing activities”, the Article forces organisations to look beyond data storage and examine their reasons and processes for data collection. 

This instruction means that a company must demonstrate how data moves throughout its organisation. They need to provide information such as what data categories are being processed,  why it was processed, if a third party or international organisation has been involved with any processing and a description of relevant security measures laid out by Article 32(1).

The process of being Article 30 compliant will vary from company to company.  Some rely on employee questionnaires; others schedule a series of consultant-led workshops. Whatever the method for collecting data, the aim is always the same – to understand and describe a company’s data flows. This information often needs to cover the processes, categories, systems and other parties involved with each data stream.  

Once the required data is collected, GDPR responsibles are then able to structure and fill in all required fields in their Article 30 documentation. 

Why is Article 30 important?

Before we talk about some of the major non-compliance benefits of Article 30, here’s a quick breakdown of what the Article can achieve within the field of compliance:

  • Identifying risk and non-compliance: through data-mapping a company’s information, GDPR responsibles have the overview they need to determine if data is moving through an organisation correctly and can quickly pinpoint non-compliant processes and activities that need addressing.
  • Laying GDPR foundations: the overview of Article 30 gives GDPR responsibles the information they need to start examining additional compliance areas such as retention rules, Third Country Transfer Impact Assessments and potential security breaches.
  • Demonstrating trust and transparency: As we’ve discussed, consumer sentiments and attitudes around data collection tend to lean towards the sceptical and the negative. Effective data mapping gives you everything you need to answer data requests, such as how someone’s data is being stored and used, which helps to maintain good customer relations.
  • Avoiding GDRP fines: Under GDPR legislation, data protection authorities can impose fines of up to €20 million or 4% of a company’s global turnover – whichever amount is higher. Alternatively, these governing bodies can allocate non-fine related penalties such as issuing a temporary or permanent ban on data processing, imposing a restriction on or erasure of data and suspending data transfers.

    It’s worth noting that if a business is found to be in breach of a specific Article but can show they took the right steps and safeguarding actions (for example, showing data mapping efforts made to comply with Article 30), DPAs are likely to consider this and hand out less severe fines and penalties. 

From optimising workflows to improving tech stacks: the power of Article 30

Alongside its GDPR benefits, the overview of the data processes, tools and roles generated by Article 30 is extremely useful for wider business areas and can be applied enterprise-wide to improve efficiency, productivity and security. 

Here, we explore a few of the major business benefits an Article 30 compliant business can expect.

1. Optimising workflows 

For many of us, our daily workflows tend to be a mix of processes inherited from predecessors, top-down instructions and individual work preferences. Whether we’re too busy or we feel it isn’t our place to challenge these ways of working, we often accept our various work streams and settle into how our roles play out at a specific company.

Article 30 gives managers the opportunity to go through their employee’s workflows and really examine how useful and effective they are. It gives them a space to ask questions that no one has had the time, agency or authority to consider, such as: “Are there too many people involved in this workflow?”, “Why is this task taking an employee so long?”, “Can we cut this step out of our approval phase?” or “Could we combine two data sets to reduce time and costs?” 

Emerging from their Article 30 projects, managers know how to make their departments run more effectively and can use these insights to put forward practical and strategic steps to improve their team’s productivity and efficiency. This optimisation can be experienced by the entire organisation if management and GDPR responsibles are supported in sharing their findings and applying them outside of departmental silos.

2. Enhancing digital transformation projects 

From global online workforce migration to mass restructuring of physical to digital infrastructures, there is no denying that the past couple of years have seen digital transformation efforts fast-tracked by many businesses. 

Experts suggest that COVID-19 has caused companies to accelerate their digital transformation plans by up to four years and this surge of activity shows no sign of slowing down – with worldwide spending on digital transformation technologies and services expected to rise from 1.8 trillion in 2022 to a staggering 2.8 trillion in 2025.

Article 30 can support digital transformation projects in two main ways. Firstly, the overview created through Article 30 compliance allows companies to identify their pain points more clearly. Particularly as data flows throughout the whole organisation, management can pick up on company-wide issues caused by manual or outdated processes.

Creating a more detailed picture of where digital transformation is needed and identifying shared frustrations allows a business to then prioritise its digital transformation activity. For example, if one system can transform workflows across numerous departments, this solution could then be bumped up higher on the digital transformation agenda. Or, if an existing workflow costs a company significant time and resources, this may become a bigger focus than an upcoming digital project.

3. Upgrading tech stacks 

With digital transformation booming, it’s no surprise that investment in tech platforms and solutions has also been on a sharp increase. For example, in 2020, organisations worldwide were using an average of 80 SaaS applications. Last year that number rose to 110. 

Most systems and software exist to help manage or extract value from the growing volume of data that a business accumulates. At the very least, these solutions require data to operate. So, in tracking and evaluating data flows, Article 30 activity generates a detailed breakdown of all the systems in a company’s tech stack. 

Similar to the way an Article 30 overview supports digital transformation efforts, the knowledge of a company’s tech infrastructure is extremely valuable for identifying opportunities and risk – particularly in large organisations or those operating with departmental silos. 

With this overview, management can then ask questions such as:

  • If a system is working really well in one department, could it benefit other parts of the organisation? 
  • Are multiple departments using the same platform? If so, can a new subscription fee be negotiated? 
  • Are two systems doing the same tasks? Which is more effective?
  • Are there any old systems in the tech stack that are inefficient or risky and urgently need to be replaced? 
  • What version of the software are we running on each platform? Can any be upgraded to improve productivity or security?

Answers to these questions will signpost any systems that need to be replaced, expose security threats, cut costs and streamline your enterprise tech stack so it can operate as one, rather than as a group of disjointed parts.

How can Complyon’s free Article 30 data-mapping tool support your business?

If you’d like to start unlocking the benefits of Article 30, Complyon is currently offering a free 30-day trial of its Article 30 data-mapping module. 

This GDPR solution makes it easy to comply with Article 30 by providing a data-mapping tool that’s easy and intuitive to use. Linking data to all the systems, activities and contracts it comes into contact with, the data-mapping tool simplifies the compliance process by making connections between data straightforward to understand.

Using the Complyon tool, data can be easily updated to keep up with organisational changes, and you have centralised access to a log where you can view past edits, modifications and data additions.  

Reports can also be generated with one click, as the tool automatically pulls together all your latest data, giving you an accurate reflection of the data you’re processing. 

You can find out more here and get in touch with our team if you need any further information. 

10 ways to ensure a successful policies and procedures strategy

If you’re reading this blog, chances are you’re already aware of the importance of policies and procedures in the workplace.

Besides being a powerful legal tool for GDPR, policies and procedures play a vital role in safeguarding your company’s compliance plan. The general guidelines of a policy, supported by the corresponding step-by-step instructions of its procedures, provide employees with a clear roadmap to follow, giving them the information and structure they need to execute compliance strategies as planned. 

However, in order to deliver consistency and compliance across your organisation, it’s not enough for these policy structures to simply exist. They need to be implemented and maintained effectively if you want to achieve real results and impact.

A smart approach to your policy and procedure strategy is the subject of the sixth episode in our webinar series ‘Compliance best practices’ featuring DPO Catherin Raasdal from Basisbank. With a background working for the Danish Data Protection Agency, as well as Ernst & Young, Catherin shared some of her in-depth knowledge around planning, implementing and maintaining policies and procedures.

Read on for our main takeaways from the conversation, including advice on policy creation, which factors to consider for the long-term success of your policy structure, and how to ensure your colleagues engage with new policies and procedures. 

First up, what is a policy? And how does it differ from a procedure?

Before we get to our key learnings from the webinar, here’s a quick breakdown of some key definitions within this GDPR space.

  • Policies are internal documents that outline where a company stands on different GDPR issues. They don’t need to be too detailed as their main aims are to show a company’s commitment to GDPR and provide an overall strategy for a business’ data protection activity.

    Some areas you may cover in a policy include: the purpose of the policy, who the policy applies to (internally), relevant principles or legislation (e.g. Article 30) and information about data subject rights. 
  • Procedures support policies by detailing practical information relating to policy implementation. They should bring a policy’s intent to life through step-by-step tasks.

    For example, if a policy dictates an employee must delete customer data that has been stored for over a year, a procedure would then outline the numerous steps involved in deleting that data within a specific system. 
  • Policy structure is another way of saying ‘document hierarchy’, which covers any documents or internal files relating to a policy.

    Typically a policy structure would look something like this:
    1. Policy
    2. Procedure
    3. Supporting documents such as manuals, guidelines and handbooks

    For every step that’s further down the document hierarchy, files get more practical and hands-on.

10 ways to ensure a successful policies and procedures strategy 

If you want to set your policy and procedure strategies up for success, Catherin asks you to consider several factors in your policies and procedure setup, as well as your approach to implementation and maintenance. 

You’ll find ten of her top tips below and you can watch the full webinar here.

1. Invest time in your initial overview

At the start of your journey, you need to have a good overview of all your processing activities, especially regarding GDPR regulations. 

You should use your Article 30 record or gap analysis to clearly identify any weaknesses or missing documentation. For example, do you have up-to-date retention policies in place and how thorough are your procedures for handling data subject requests? If you jump straight into policy creation or do a half-hearted job on your overview, you risk missing out on the protection of vital policies and procedures. 

Data mapping software will be helpful during this stage to provide a central location for all your information and assist you in easily visualising your data flows, as well as establishing any links or dependencies between documents. 

2. Get buy-in from your C-suite

As discussed regularly on the Complyon blog in articles such as ‘Why you need buy-in from the top for your compliance strategy to succeed’ and ‘How to set your privacy program up for success’, C-suite buy-in is essential for any compliance activity, including policies and procedures. 

Top-level management needs to allocate enough resources for you to effectively carry out your role, whether that’s giving you the time to create a clear overview of current data activities or providing you with the support you need for frequent training programs. 

The C-suite also set the tone for the entire organisation’s attitude to GDPR and compliance. If maintaining the integrity of data processes and cultivating a GDPR compliant culture aren’t priorities for those running the business, you can bet it won’t be a top concern for the rest of the company.

Aligning with your C-suite before you begin your policies and procedures journey will give you the backing, resources, and support you need to successfully implement and manage your policies and procedures. 

3. Think about who is reading your documents

It’s also important to remember that policies and procedures start with people – specifically the people who will be reading your compliance documents. 

To begin with, you need to consider whether or not employees are used to following policies and procedures. If not, do you need to create more detailed supporting documentation to help guide people through your compliance steps? Or will too much detail frustrate colleagues who are used to interpreting high-level policies and procedures? 

Next, think about how you’re communicating your information. Are you using language that they can connect with and understand? Do your procedures include relatable work flows and scenarios that employees will recognise and engage with?

Understanding the different mindsets and levels of compliance knowledge in your organisation will go a long way in ensuring people understand and follow the documents you’ve tasked them with reading. 

4. Drill down into the different needs of your departments 

Just as one policy structure will work for one organisation, but not another, you may realise that some policies and procedures work well for one department, but aren’t picked up by others.

Different departments have different needs, so to succeed with implementing various GDPR policies and procedures, you need to take into account the range of abilities, knowledge and interest that exists across your enterprise. 

Some divisions such as finance and legal may be very familiar with these types of documents, so require little management, whereas others may need much more support. Try to tailor your awareness campaigns to specific departments in order to anchor your policies across the whole organisation. 

For departments that need more support, consider tools such as templates and flowcharts that make implementation easier. Scheduling regular training workshops will help you monitor progress and spot any issues before they become a problem or start to form part of an employee’s daily habits. 

5. Try to instil a positive compliance mindset

In Catherin’s experience, keeping policies and procedures simple, fun and engaging is the best approach to achieve maximum employee engagement and buy-in.

Adding humorous, interactive or fun elements to your compliance activity makes learning about policies and procedures more enjoyable and should leave employees feeling more motivated and upbeat about your plans. Kahoot quizzes have proven a particularly successful tool for Catherin and her team.

Similarly, by keeping your approach simple, leaving out any unnecessary industry terminology or complex language and opting for easy-to-follow,  operational documents, you’re more likely to connect with your reader and get your message across.

6. Find your GDPR ambassadors

A smart way of understanding the needs of departments and their workers is to set up a GDPR ambassador program.

Working alongside your GDPR responsibles, your ambassador team should be made up of representatives from each of your key departments. These individuals will be much closer to their department’s workstreams, so will be able to pass on valuable insights about what is working and what needs more attention. This inside information will help you create policies and procedures that more accurately reflect what employees actually do, making your strategies more relevant and relatable.  

Involving employees directly in your compliance efforts will help foster a sense of connection and accountability with your plans, particularly if you’re able to assign responsibilities and documents to your ambassadors. 

This type of team setup also gives you the opportunity to demonstrate why your work is so valuable to the different departments in your company, helping to motivate key members of your organisation to get more involved and help you reach goals that benefit the entire enterprise. 

7. Make sure your plan isn’t person-dependent

While it’s important to consider the human aspect of your compliance activity, you don’t want to become too dependent on individual employees for the delivery of your policies and procedures. 

Employee turnover is a reality for all businesses. If all the knowledge and expertise needed to execute your plans sits with an individual who then leaves the company, your efforts become compromised. 

One of the most effective ways of counteracting organisational knowledge loss is to introduce a system into your compliance mix. Compliance solutions enable you to store all your information in one centralised location so that it’s available to anyone who needs access to it. Someone can leave your company, but the system will ensure vital compliance knowledge isn’t lost in the process.

Centralising your compliance documents is also extremely helpful for those carrying out internal audits on your policies and procedures and makes it easier to train new recruits, as everything you need is stored in one place. 

8. Regularly update your policies and procedures

A fundamental element of maintaining the success of policies and procedures is to ensure they reflect the current reality of your company. 

Over time your company will change, whether that’s through exposure to new business deals, third party services, market legislations or staff turnover. To keep up with this change, your policies and procedures need to be updated on a regular basis so they offer the right level of protection and guidance for your organisation. Catherin recommends reviewing your policies and procedures at least once a year to see if you need to make any changes or not. 

If you’re working with a system, these updates will be made much easier. Policies and procedures can be amended directly within your centralised system and relevant employees can be automatically notified if something in their workflow changes. This means everyone is always up-to-date with the latest state of play and are prompted if they need to change any information in the documents they manage. The end result is you’re able to achieve much more transparency with much less effort. 

9. Establish document links and dependencies

The documents that make up your policy structure don’t exist in isolation. One document is often connected to another document, whether it’s another version that sits in a different department or a corresponding policy or procedure. 

This means that when you make a change to one document, it’s likely that updates need to be made to other documentation. As a result, it’s really important to be aware of any links and dependencies between policies, procedures and supporting documents.

If you’re managing these document dependencies manually, particularly if you work for a large or complex organisation, your tasks soon become problematic. Manually keeping tabs on every change your colleagues make to their policies and procedures, and then ensuring all other documents have been edited with the correct changes, can be time-consuming and risky.

Working with a compliance system simplifies and safeguards this process. When a change is made to a document, owners of linked documents are automatically notified about the update. They are then prompted to review this change and make the necessary updates to their document. As all these updates are centralised, you’re able to easily keep track of any outstanding deadlines, sending reminders in just one click.

10. Automate as many compliance elements as possible

Automation is a key area that Catherin highlights for successful implementation and maintenance of policies and procedures. 

Complyon software facilitates many aspects of compliance automation, from data mapping to policy and procedure management. You can find an example of how Complyon enables you to easily update and automate your policies and procedures here.

If you’d like to learn more about how Complyon can help you streamline and automate your compliance plan, we’d love to talk. You can get in touch with our team here.

7 expert tips on how to effectively implement security frameworks

In the last of our 2021 webinar series ‘Compliance Best Practices’, we tackled a crucial component of any successful compliance or privacy plan: implementing security frameworks. 

Joining us for this episode was Christoffer Fries, a Senior Consultant at Complyon’s implementation partner VENZO. With experience running large-scale implementation projects within both GDPR and information security, Christoffer brings a wealth of experience in risk and compliance, particularly around issues of implementation, maturity and standardisation. 

In the 30-minute talk, Christoffer and Complyon CEO and Co-founder Julie Suhr focussed on the benefits of investing in your security framework, as well as discussing their top pitfalls to avoid and strategies for success. You can watch the full webinar here or keep reading for our main takeaways on how to effectively implement your security framework.

What is a security framework?

Before we delve into the main learnings and tips from our conversation with Christoffer, here is a quick recap on what a security framework is and why companies embark on implementing such frameworks.

In general, frameworks are a set of rules or questions that work to standardise a chosen area, whether information security or compliance. Within GDPR, a compliance framework can be described as: 

“a structured set of guidelines that details an organization’s processes for maintaining accordance with established regulations, specifications or legislation.” 

This framework should cover all business processes and procedures related to the regulatory compliance standards an organisation needs to abide by. For example, a framework could detail risk mitigations, communication protocols, roles and responsibilities, governance and post-breach responses. 

Frameworks will vary from business to business, with companies required to build their own set of controls that reflect the frameworks being implemented as well as their individual maturity status. 

Why do companies introduce security frameworks?

There are many different reasons why businesses embark on their implementation journey. 

For some, they’re required by customers or suppliers to be certified, for example with certifications such as ISO/IEC 27001. For others, they could be part of a merger or acquisition deal where different technologies, cultures and ways of working need to be aligned to ensure efficiency and unite the organisation. 

Whatever the specific motivations for implementation may be, at the core of any security framework is the aim to standardise ways of working, ensuring one way of working is used across the entire organisation. 

Standardisation then leads to many business benefits from increased security, greater productivity, streamlined output and of course, enhanced compliance.

7 tips for implementing security frameworks 

From handy steps to take pre-implementation to smart strategies for safeguarding the impact of your security framework, here are some of Christoffer and Julie’s top tips for successful implementation.

1. Clearly define your implementation goals

While drivers for implementing security frameworks will vary, it’s fundamental that whatever you’re looking to achieve goes beyond a certification or status. 

Getting certified or achieving a goal such as ensuring your company is GDPR compliant is often the comparatively easy part. It’s more difficult to actually follow and maintain the procedures and processes that have been set in place. This maintenance requires consistent governance and evaluation. As time goes on you’ll have issues such as deviations, the need to report incidents, keep track of audit logs, and so on. 

If you don’t have enough drive to maintain the systems and processes that underpin and uphold your implementation phase, it’s unlikely that you’ll be able to hold on to the certifications or compliance you once achieved.  

Focusing on the long-term goal of developing the maturity of your company and the cumulative benefits that will bring allows your business to reap many more benefits than those brought by a piece of paper or certification. 

2. Take high-level activity and turn it into concrete actions 

Your framework is going to consist of a lot of high-level statements or objectives which while important, need to be broken down into easy to understand steps for employees to follow. 

For example, the statement ‘appropriate controls must be implemented to support this process’ needs to be backed up with documentation that specifically outlines exactly what actions and controls you expect an employee to take.

If your team don’t know exactly what steps to follow or who to contact in risk-based scenarios such as when a breach happens, a customer requests their data or a new supplier is onboarded, your security efforts will soon run into trouble.

Christoffer suggests adopting a method he calls “we do what we say and we say what we do”, where every statement exists alongside clearly defined activities, roles and responsibilities. Investing time into breaking down and interpreting the high-level action points of your framework minimises confusion in the long run and sets your framework up for success.

3. Communicate change in everyday language

Any documentation that needs to be read and acted on by employees needs to be written using language and scenarios that are familiar to the reader. 

Unless they work in the legal or compliance department, employees will struggle to understand and connect to legal documents that are full of complex industry terminology and overarching company objectives. So if you want to engage your colleagues and motivate them to fulfil the tasks required of them, documents have to be easily understood by any member of your team, whether they work in IT or customer services. 

These documents also need to reflect the reader’s every day. For instance, talk them through their workflows and risk scenarios such as the types of emails they’re sending or the protocol of taking calls in public spaces.

Creating relatable, easy-to-follow guidance will go a long way in helping you get the support of your colleagues and maintain the implementation of your security frameworks.

4. Shift your attention beyond the IT department

Due to the involvement of systems and technologies, many companies see the implementation process as an IT concern and responsibility. Following that line of thinking, a top-down approach to implementation is often adopted with many activities sitting between the DPO and IT department. 

However, when it only takes one employee to put your company at risk or cause a data breach, you need buy-in from everyone in your organisation and your compliance processes and efforts need to incorporate daily work and workers. Real benefits and real change happen when you ditch the department-specific approach and start involving your entire organization in your risk and compliance efforts. 

Awareness campaigns are therefore another hugely important component of successful security frameworks. Engaging, frequent and interactive, these training efforts need to be factored in when planning your implementation timelines and resources.

5. Don’t underestimate the importance of roles and responsibilities

A common problem organisations face is being unable to maintain their framework once their hired consultants have come in, fixed their problems, obtained their certifications and left. 

This issue mainly arises when internal roles and responsibilities haven’t been identified and implemented from the start of the project and consultants have been unable (whether due to resources or direction) to bring employees on the compliance journey with them. 

Effective implementation requires assigning these roles and responsibilities to internal teams to ensure they know how to sustain and evolve your framework. There is also the issue of accountability. If no one is responsible for upholding your new ways of working, change simply won’t happen. 

These internal responsibilities should become apparent through your initial gap analysis and CMMI assessments, which need to be rigorous and ask employees the hard and potentially annoying questions. 

Through this deep knowledge of a company’s maturity and ways of operating, you’re able to help management understand all the different parts of the organisation and get them thinking about what they’re doing, how they can do it better, who can help with this change and whether or not they need new hires such as a DPO or CISO. 

6. Remember to work towards “continuous compliance”

One of the major points Julie and Christoffer emphasised in the webinar was the need for businesses to understand the concept of ‘continuous compliance’. 

Risk and compliance are not areas where you can apply a ‘set it and see’ mentality. Frameworks that try to mitigate risk and standardise company practices must be dynamic, constantly changing to adapt to new business scenarios and environments.  

Where many frameworks fall short is they fail to scope for and view compliance as an ongoing process. May 18th 2018 is a good example of this, where many companies dedicated a lot of time and resources into mapping their data and becoming compliant, only to lose momentum on their compliance efforts after GDPR legislation had taken effect. 

Fast forward a couple of years, and many of these businesses are working with outdated and risky processes, systems and practices because no one has been updating them. 

Treating your risk and compliance journey as a never-ending, long-term process ensures you’re able to move to a proactive rather than reactive approach to safeguarding company data and processes and allows you to maintain an optimum level of protection against internal and external risk.

7. Track your activities 

To be able to continuously monitor the efficacy of your framework, you need to give your employees tools that provide them with a clear overview of the data and controls relevant to their tasks, as well as functionalities to help manage roles, responsibilities and the project status.  

Asking individuals to manually keep up with evolving controls, security measures and data, alongside managing various colleagues’ deadlines, soon becomes overwhelming and prone to human error.  Particularly if you’re working with multiple frameworks at the same time such as ISO 27001, ISO 27701 and CCPA, processes and scenarios quickly reveal themselves to be more too complicated and complex for manual practices and Excel spreadsheets.

Integrated risk and compliance systems like Complyon automate many of the manual tasks involved with implementing and safeguarding your security framework and provide a much clearer overview of the data flows, regulations and controls relevant to your projects. Its project management module allows you to quickly assign and track roles and responsibilities, send task reminders and keep on top of task and project statuses. 

If you’re interested in learning how Complyon helps organisations successfully implement security frameworks, take a look at our short demo here. The 7-minute demo focuses on how to create controls of security measures and implement multiple framework controls at the same time. 

To learn more about how software can help you effectively implement security frameworks or to speak to our team about your compliance efforts, get in touch here

5 GDPR trends defining business success in 2022

GDPR turns four next year, and though it took a few years to find its feet, 2021 has shown that compliance is primed and ready to climb next year’s C-suite priorities.

Thanks to a combination of growing public demand for data privacy and an increase in exposed data breaches, GDPR is finally being acknowledged as a business-wide concern rather than a legal issue confined within the risk and compliance department.

A company’s reputation, security infrastructure, and revenue are all potential victims of an ineffective compliance plan, meaning organisations are increasingly thinking beyond GDPR fines and acknowledging the internal and external impact of safeguarding data in their protection.

This more proactive, holistic approach to GDPR has to be dynamic, with flexible strategies that evolve and can cover emergent developments within the compliance sector.

Whether you’re in the process of creating your new compliance plan or want to be sure your current offering will stand up against the next 12 months, read on to find five of the top GDPR trends that all businesses should prepare for in 2022.

1. Remote and flexible working leads to greater exposure risk

While the pandemic continues to shape and define the way modern businesses operate, one of the emergent legacies of lockdown has been the global demand for remote working.

According to Thomson Reuters’ 2021 Report on the State of the Legal Market, pre-pandemic, around 37% of lawyers expressed an interest in working remotely. Fast forward to the close of this year, and that number has risen drastically, with three out of four lawyers stating they prefer to work from home.

In an attempt to safeguard workflows and income, companies across all sectors worldwide have been forced to migrate at least partially to online work environments, adopting more tools and new collaborative practices in the process. According to McKinsey, supporting this virtual workforce has fast-tracked many organisational digital transformation plans by up to four years.

Whether teams are working fully remote or within a hybrid model, this digital migration means that companies are now more exposed than they’ve ever been with employees handling more data, working across numerous platforms and sharing greater volumes of information outside of internal networks.

Traditionally, the response to increased exposure has primarily led to a focus on external forces – the hackers and scammers actively looking to take down businesses. However, when it only takes one employee to cause a data breach, it’s no surprise that the majority of GDPR fines that have been received so far haven’t been triggered by a cyber attack but due to a lack of internal compliance with Article 5 (concerning data processing activity), Article 6 (lawfulness of processing) and Article 32 (security of processing).

To tackle this rise in exposure, business owners will have to get serious about their awareness efforts and prioritise investing in strategic and effective training campaigns. In 2022, standard one-day training workshops will no longer cut it if a business wants to secure everyday employee compliance in the long term. Creative and consistent awareness strategies supported by tight internal regulations on device use and user access rights will become basic internal protocols to protect a company’s security, revenue and reputation.

2.  Get ready for an increase in fines

While it’s important not to reduce GDPR activity to headline-grabbing fines, it is important to note that year on year, penalties grow, and regulator activities have been on the rise. 2022 will be no exception, as public demand for privacy is set to increase alongside the confidence of local protection authorities in managing cases and calculating and issuing fines.

According to recent data acquired by Finbold, the cumulative number of GDPR violations surged 113.5% between July 2020 and July 2021. Over the same period, the number of fines imposed rose by 124.92%, with DLA Piper calculating that out of the €272m levied over GDPR’s three and a half year life span, €159m were imposed within the past 12 months.

With the latest EDPB discussions focusing on the streamlining of legislations and the need for local data protection agencies to work better together, regulation activity will undoubtedly continue to ramp up at an alarming rate. Whereas a company may have been able to get away with certain behaviour in the past, 2022 is not the year to take your chances when it comes to compliance.

3. Expect more regulations on digital activity

One of the greatest challenges faced by GDPR, both in terms of scope and impact, has been its inability to keep up with the data activities of big tech firms.

As we’ve seen in the past with numerous scandals, including the far-reaching Cambridge Analytica fallout, major players in tech industries have largely been operating with a big tech versus privacy rather than big tech with privacy mindset.

Towards the end of this year, we’ve seen regulatory bodies make greater strides towards tackling this issue. In mid-November, the EDGP published their Statement on the Digital Services Package and Data Strategy, specifically targeting digital activities such as AI, targeted advertising and big data.

The proposal, one of several digital services statements published since 2020, aims to push governing EU bodies into placing stricter regulations on previously unregulated online markets, platforms and gatekeepers.

Take AI. According to The World Economic Forum, AI and automation will lead to the creation of 97 million new jobs by 2025. With more companies and individuals using AI to process personal data, the EDGP report raises the need for stricter regulation on the use of AI, especially in public spaces and when used for emotion recognition.

With public appetite for greater privacy increasing, we predict that 2022 will be the year these EGDP concerns are turned into regulations, followed in turn by legislations, clearer guidelines and potential penalties for previously untouchable industries.

If your company is planning on integrating dominant tech trends into its digital transformation plan, we suggest keeping a close eye on emerging data regulations in this space.

4. Future facing legal tech needs to combine GDPR and Information Security

With legal departments predicted to triple their investment in legal technology by 2025 and budgets for legal tech expected to skyrocket, next year will be a crucial time for investment decisions.

When it comes to compliance and GDPR tech, there will be two main issues to consider. Firstly, companies will have to decide between two types of solutions on the market. Simple, standalone solutions that are cheap and improve digitalised GDPR efforts but work in silos, or more complex platforms with advanced capabilities such as data mapping and automated assessments, that are primed to move into the risk management market and support information security activity.

This ability to merge the world of compliance and information security is the second major factor businesses need to consider in their 2022 plans. With these two areas becoming increasingly dependent on each other for success, we predict that 2022’s leading companies will be those who have invested in software that encompasses the two.

While the information security arm of compliance may be new or daunting for some, it will become vital that teams are able to use their software to navigate areas such as audits, certifications and risk assessments in order to keep growing volumes of internal data secure.

5. Compliance will drive third party and business relations

By 2025, tech experts predict that 60% of organisations will use cybersecurity risk as a primary consideration when conducting third-party transactions and business engagements.

With compliance so closely tied to information security, you can expect to see the same rise in interest around data protection processes and policies. Businesses will receive more requests for information regarding their compliance and risk setup, as well as enquiries into the privacy plans, history and culture they have in place to safeguard personal data.

In particular, certifications and certification audits covering both GDPR and information security will become non-negotiable starting points for many organisations. Companies will want to know how secure their partners’ networks are before deciding whether or not they want to proceed with a contract and certifications offer a quick and easy indicator of an organisation’s security levels. It’s much easier to ask, “Are you ISAE 3000 audited and/or do you have an ISO 27001 certification” instead of sending, chasing and reviewing a 50 question assessment form.

If you don’t yet have a certification or your competitor has a better certification than you do, you can guarantee that 2022 is the year your clients and business associates take note.

Final thoughts

If 2021 taught us anything, it’s that a lot can change over the course of 12 months. While it’s near impossible to predict exactly what may happen next year, particularly as we’re still in the midst of COVID-19, the key is to ensure your compliance plan is dynamic with room for GDPR teams to apply necessary changes to documents, processes and training programs as the industry inevitably evolves alongside new and emerging trends.

For weekly risk, compliance and GDPR tips and trends, you can follow Complyon on LinkedIn. If you’d like to discuss how Complyon can help your company get ahead of this year’s GDPR trends, you can contact their team here.

7 insights from “Planning and managing risk scenarios” with White Label Consulting

Whether you work for a global enterprise that operates in a highly regulated industry or you’ve just launched your own start-up in the retail sector, risk management is a topic that will apply to you and is an area you simply cannot afford to ignore.

As it holds such universal importance and relevance, we decided to make risk management the next focus of our webinar series Compliance Best Practices and invited Magdalena Goralczyk to discuss the most effective ways to work with the process.

Magdalena is a partner at White Label Consultancy, a boutique consulting firm operating within privacy, data protection and, starting in January, security. Coming from a corporate and privacy background, Magdalena has a wealth of experience managing risk scenarios for large, highly regulated organisations. She’s also gained deep insights into the risks scene for smaller businesses after starting her own company, which has given her new learnings on the more holistic approaches required for some teams.

Having worked with companies of all sizes and sectors at various stages of what she playfully calls their “risk adventure”, Magdalena has a great overview of different types of risk management and processes. Kindly, she agreed to share her advice in our latest webinar, focusing in particular on her knowledge on reporting risk in a more valuable way and ensuring your risk results make a difference.

You can watch the full conversation hosted by Complyon’s Head of Customer Success, Alexandra N. B. Sigursteinsdóttir, via the link here or find our top seven insights below.

First up, what is risk management?

One of the first questions we posed to Magdalena was a common query among clients – how do you define risk management? 

While Magdalena was quick to point out that the answer will always vary slightly depending on your company size and what you do, she says risk management is about:

“Going back to the basics and actively approaching what can endanger your company and what can truly bring it to its knees.”

Although a quick Google search will probably tell you that risk management is about providing controls and mitigations to counteract potential threats, Magdalena suggests it’s more about asking yourself: “What’s the worst thing that can happen to us? “Can we do something about these risks? How do we prepare our company for these scenarios?” 

For large enterprises that handle massive risk scenarios, identifying these possible areas can be a lengthy and extensive undertaking. Whereas for some scale-ups with less to lose in terms of financial status and brand value, it may be a less intensive exercise. 

However, no matter your company size, it’s an essential process for any organisation that wants to protect itself from internal or external threats and unlock the many benefits and business opportunities that risk management can bring.


Whether you’re at the very beginning of your risk management journey or you’re revisiting existing measures to increase efficacy, you’ll know that the number of potential threats can seem overwhelming. 

Magdalena advises always starting with the question: “What does my company do at its core?”. For example, do you mainly work with IT solutions? Do you depend on a third-party service? Is data processing integral to the delivery of your product?

By establishing your core purpose and functions, you can then start identifying your core risks and move on to figure out what steps you need to take to counteract them. 

For instance, if you work at a large insurance company, your core risk is going to be losing your license. If you lose that, you can no longer operate as a business. So, you’d need to work out what situations could lead to this and what could prevent them from happening? What mitigations need to be in place to counteract these risks?


It’s highly unlikely that any business will be able to pinpoint the exact nature of every risk that comes its way. 

COVID is a prime example. It’s unlikely that most companies had a global pandemic listed as one of their number one risk scenarios for 2020. The likelihood of the events that unfolded over the past year and a half would have been hard to imagine, let alone predict. 

However, Magdalena suggests that by starting at your core business purpose and risk, you can always use your risk management efforts to prepare for major disruption. “In principle, the whole risk management process should prepare you for the unexpected,” says Magdalena. 

For example, if you know your company is dependent on IT, then you’d put in place mitigations around what could happen if any software in your tech stack was disturbed. If you rely on a delivery chain, what can you do at each stage if there’s an issue in the flow? Or, if data protection is central to your operations, what would you do in the case of a data breach?

“Sit down with a piece of paper”, suggests Magdalena “, and start looking into what could happen to your company that would look really, really, really bad.”


On the subject of defining risks, Magdalena advises that if this task becomes tricky, you should always spend more time discovering mitigations and less time defining risk. 

For instance, if we revisit the insurance company example, the most extreme risk they’d face is the loss of their license. While this is a generic, broad definition of their core risk, as we’re not saying it was lost because of specific actions, it allows the company to start working out how to mitigate this incident. Could there be issues of illicit activity within the company? Would there be a problem if there was a change in the regulatory environment?

Through discovering mitigations, you’re able to deepen your understanding of the risk in question. It’s also a more productive exercise, as mitigations should naturally improve your company, helping bring greater value to the business.  

Imagine your core risk is a ransomware attack. You can use this broad definition to look at your systems and locate any vulnerable IP stature. At the same time, you can use the same exercise as a chance to review how secure and relevant the different components of your tech stack are, providing immediate value to the company.


Once you’ve identified your core risks, the next three areas to look at are employees in your company, available resources for the project and your business’ unique risk profile.

When it comes to employees, you need to figure out who is responsible for your business as usual activities and who delivers your main services to clients. You then have to work out what could happen to them. 

HR will be particularly handy in this part of the process, providing insights into who carries out what tasks and what risks could interfere with their roles and responsibilities. In some companies, these risks could be physical. For others, it could be unsatisfactory remote working conditions that lead to high employee turnover due to incidents such as COVID.   

Magdalena raised the point that available resources, as always, will depend on your company. Not all companies will need a full-time risk manager or a dedicated team. Some businesses may have someone who spends 20% of their time driving and maintaining risk-based projects, with check-ins scheduled for bi-annual board meetings. Others, who are perhaps working with a more established risk management culture and history, along with sufficient budgets, will be able to put together an entire risk team who are in regular communication with stakeholders. 

When it comes to risk profiles, again, every company will be unique. However, some of the key questions Magdalena mentions that help her clients get a sense of where they are in the market include: “Are you a start-up and therefore potentially have less to lose financially and through your brand value?”, “Are you a regulated industry?”, and “What industry are you working in?”

She also suggests you should revisit the question: “What’s core to your business?”. This question, in particular, will ensure you don’t ignore major areas of business exposure. For example, if you rely on an external company to deliver your goods, you need to assess what might happen if they could no longer distribute your products. 

Rather than being overwhelmed by the number of potential risks, Magdalena advises starting small, stating: “I’d rather have a well-working process that is very minimal than a massive one with bells and whistles. Start with a simple scenario and just try to stack things up.”


When identifying your risks, you’ll often end up with lots and lots of possible risks. At some point, however, you need to start some sort of evaluation of which risks are most likely to happen and what sorts of consequences they’ll have. That’s where the likelihood and consequences step comes in.

Analysing your risks in this way allows you to prioritise your strategies and ensures you’ll tackle any threats in the right order. 

On this topic, Magdalena offers up a top tip of focusing inwards, rather than spending too much time investigating your industry:

“You can, of course, look on the internet and find different scales. Instead, look into your company. Really examine the likelihoods and consequences for your company that fit with the systems, processes and financials you have in place. The consequences will be very different for a company that has a bigger or smaller budget than yours.” 


Although you could argue that everything eventually translates into economic impact, it’s best practice to look at different types of risk, not just obvious financial issues. Some of your risks may be regulatory; others could be related to your brand; some are dependent on compliance. 

Make sure you look into all the varied sources of business disturbance. Then, revisit your likelihood and consequence process, working out which risks are more relevant to you. 

Don’t get too hung up on assigning the precise financial implications to each risk, as this can be time-consuming and problematic, but use this exercise as a guide to measuring risks against each other so you can get prioritising. 


When balancing up whether to tackle the most likely but low impact risks or the less likely but high impact risks, Magdalena recommends creating a trusty risk map.

For anyone new to risk maps, you start by establishing the likelihood of a risk occurring. We always recommend a four-tier labelling system of very low, low, high and very high to establish the level of impact that risk would have. With this information, you then map your risks onto a square heat map, helping you visualise where you need to direct your attention.

As a general rule, you should always try to mitigate the highest and most impactful risks. However, there could be some “low hanging fruit” in terms of easy solutions for highly likely, but low impact risks that you may want to take immediately.

Magdalena gives some handy questions to help you decide where your priorities are going to go. If you’re choosing between risks, ask yourself questions such as: “What would be the mitigations with this risk? Are they doable? Are we willing to invest time, innovation and money into handling this risk? Can we afford to ignore it?”

At this stage of decision-making, Magdalena raises the importance of having C-suite buy-in. By taking the time to focus on mitigations, you’re essentially taking away time from other business areas. You’ll need senior management involvement to ensure you’re given the time to carry out your mitigations and if you aren’t given the appropriate resources, accepting the risk lies with those making top company decisions.

We ended our webinar with a short demo on how risk management can be done easily in a compliance system. You can watch Alexandra’s demo here, and if you have any questions or would like to discuss how the Complyon team can help with your risk management process, get in touch

8 takeaways from “Ensuring effective impact assessments” with NNIT

In the latest instalment of our new webinar series Compliance Best Practices, we follow up on the topics of privacy program roles and responsibilities and how to maintain data mapping, with a closer look at impact assessments.

Joining us for our third episode are Bettina Kok and Mia Louise Bukholt from Danish IT and consulting firm NNIT. With their experience running a wide range of assessments, expert GDPR knowledge and backgrounds across a range of company sizes in both public and private sectors, Bettina and Mia were the ideal guests to give us insights and advice on improving efficacy in this area. 

When asked by host and Complyon’s Head of Customer Success, Alexandra N. B. Sigursteinsdóttir, why they’d agreed to contribute to our impact assessment webinar, Bettina replied, “Our immediate reaction was ‘Finally! Because we feel there must be more of a spotlight [on the subject]’”.

Bettina’s response reflects our observation that while impact assessments are essential components of any successful data protection plan, they can often be overlooked and under-resourced.

If you’re looking to persuade a client to take their impact assessments more seriously, or you want new tips for streamlining your process, you can watch the full webinar here.

Below, you’ll also find eight major takeaways from our discussion that explore the potential of impact assessments to transform businesses from reactive to proactive entities, helping keep their organisation’s data as safe as possible.


Timing is everything when it comes to impact assessments. Yet, as prioritisation of these assessments is typically low, businesses often fail to capitalise on the value of the process or only pick up on major issues when it’s too late. 

As emphasised by Bettina and Mia, you should always carry out your assessment prior to any form of implementation, especially regarding the DPIA. This initial screening process ensures that your timeline can continue as planned if you add a new system or subcontractor to your project. You won’t experience a stall waiting for your team to assess and approve the change, saving you time and money before entering into any contracts.

Carrying out your assessment at the right time in the project cycle also allows you to make more strategic, data-driven decisions, helping you realise the efficacy of a new solution or suitability of a third party at the start of a project rather than in the middle of it.

For instance, imagine you want to introduce a new project such as installing analytics software to track your new website metrics. Rather than picking a solution and conducting your assessment later down the line, you should carry out your DPIA beforehand.

Questions to consider would include ‘Is the purpose of the processing formally defined?’, ‘Will there be disclosed data to third countries?’ and ‘Are there high risks associated with processing personal data?’

If any of your replies are negative, it would be much less problematic to revise your plan if you haven’t already committed to or purchased your tracking software.  


Before you begin your assessment, you need to have visibility over the company’s data flow. Always break these flows down, whether using a spreadsheet or taking advantage of the advanced overviews and functionalities of purposely designed software.

Once you understand the data flow, you can then turn your attention to assigning ownership to areas of risk. You don’t need to allocate a risk per person; there can be one person in charge of several risks; just make sure you add accountability into your assessment to avoid any steps being missed. 

Software can also help you streamline the ownership process. Solutions such as Complyon give you access to features that allow you to easily assign responsibilities, keep track of a project’s progress and send colleagues deadline reminders directly within the system.

A lot of the manual effort is removed, it’s easier to keep everyone on track, and all your information is in one centralised and secure location. 


Speaking of her experience facilitating awareness, risk assessment and DPIA workshops, Mia highlighted the common issue of employees being sceptical of the need for assessments. “Why are we here? We don’t need this risk assessment” are words Mia has heard many times. 

However, in Mia’s experience, by asking the right questions, you often discover that risk scenarios have been either missed or understated. It’s not unusual for high-risk situations to emerge from processes that she was initially told contained no personal data.

Mia also brought up a common issue that many people are unaware of. Even if you don’t process data, if you have access to it or can see it, that still falls within the confines of GDPR.

For example, a company that produces clothes may feel that the only departments processing data are HR and IT (who deal with employee data) and Sales and marketing (who manage customer data). They’ll often consider those producing the clothes totally separate from anything that involves GDPR and compliance.

However, this isn’t correct. If those making the clothes send out emails, have a list of employee birthdays, upload photos to an internal HR portal or have access to a computer with consumer data on it, they are processing data or have the potential to process data. These all count as risky scenarios to consider for assessments.

Although you may be met with initial hesitation or scepticism around risk assessments, it’s important to remember that employees usually leave the process understanding more about their role and feeling a new sense of ownership over their workflow. So, while it may take some effort to change initial attitudes, keep in mind that in the end, everyone in the company benefits from the assessment. 


According to our panel, whenever you touch customer data, you should do some form of assessment. Even if it’s considered low-risk, when it comes to personal data, any risk is a threat to your company and needs to be taken seriously.

However, you don’t need to do a full-blown risk assessment for all low-risk activities. Simply document what you know and don’t know and be open and honest about how the process could potentially harm those behind the data.

Documenting low-risk scenarios helps you monitor their status, identifying if they increase in risk over time. These limited assessments can also help protect your business from fines if the situation escalates and is brought to the attention of a regulatory body.

When any organisational change occurs, it’s best practice to apply your basic GDPR questions such as: ‘What types of data are you processing?’ and ‘Is it generic, confidential or sensitive?’ 

Be sure to explain these words to the people you’re speaking to so that moving forward, they understand the risk attached to their actions and can take subsequent steps to remain compliant. 

If necessary, you can then move on to more complex areas such as customer segments or types of data subjects (e.g. individuals, employees, clients) and start digging deeper with more advanced questions. 

At this point, pre-defined templates or software are extremely useful in streamlining your process and assisting clients to become compliant at the best achievable level. 


If the result of a risk assessment is that you discover medium or high-risk scenarios and part of what’s causing the risks are the systems being used,  Bettina and Mia recommend reviewing the technical setup alongside employees with technical knowledge such as an IT Solutions Architect or Delivery Manager.

Combining technical expertise with compliance knowledge allows you to really understand a system, find where you can reduce risk, and quickly execute those changes. 

Employees with more technical knowledge will also have a different mindset that is invaluable to the assessment. While those with a legal, compliance, information security or risk background will know what changes to make, they may not necessarily have the technical knowledge of how to implement the changes they want to make. For instance, encryption and setting up compliant storage solutions often require deep and specific technical expertise.  

An added bonus to working closely with the technical team is that you’re prompting them to take a closer look at their processes, giving them the chance to optimise workflows. For instance, through your assessment, you can help determine if a system is the right one to be using and if it’s set up correctly. 


Anyone who has done an impact assessment will know that not everyone shares our interest in and enthusiasm for the process. Employees are often very busy, so they can be easily agitated if someone is adding work to their immediate to-do list.

Wherever possible, bring some patience and empathy into your encounters to make the assessment as pain-free as possible and try your best to cultivate more positive feelings about the project. 

Honesty is another key approach to consider, as often people fear that assessments might disrupt or halt their workflow. Therefore, it can be tempting not to answer your questions correctly if it means they can continue working as they please. 

Encourage people to answer with total transparency, especially if something feels like it may be risky. Assure them that you’ll work to lower the risk, which means avoiding navigating negative outcomes further down the line. 

Facilitating honesty and weathering impatience can sometimes be trickier when assessments are carried out internally. If you know the road ahead could be slightly confrontational, consider hiring an external consultant who can be completely objective and ask the tough questions. 


Perhaps one of the most pressing messages from our talk with Bettina and Mia is that impact assessments should be regarded as ‘organic documents’ that are dynamic, ever-changing and always in need of regular updates.  

While at the time you conduct them, you’re doing so using the best current knowledge; you need to remember that things change – legislations change, employees change, clients change, products change. 

This inevitable change means that you must go back and revisit your assessments whenever it’s time to do something new, such as introducing new software, working with a third-party service, or optimising a workflow. Even if you are just updating documentation, these evaluations will ensure you’re always acting with maximum compliance and minimum risk.


With impact assessments being ‘organic’ rather than static, Bettina and Mia often work with businesses to create yearly compliance wheels, helping them keep track of their progress and better monitor risk.

Involving structured processes and, in most modern scenarios, dedicated software, this approach allows companies to go back and look at their documentation at the right time to confirm if a system or process is still valid following any changes. 

Without this structured approach, a business would have to start from scratch whenever they needed to conduct an assessment, leading to more work, an increase in resources and delayed timelines. 

Compliance wheels also allow people to be more productive, focusing on areas that are likely to change instead of spending time on irrelevant questions or reviewing parts of the process that have stayed the same.

Here’s where systems come in handy again. Many have the ability to notify when it’s time to do another risk assessment and which type it should be. It may be the case that very little has changed, but in revisiting your compliance wheel and ticking a box to determine risk levels haven’t changed, you can rest assured you’re keeping company data safe and can quickly move on to your next task. 

If you’ve found our webinar on impact assessments insightful and would like to learn more about how our team and software can help streamline your processes, get in touch with our team today.

Our next line-up of Compliance Best Practices webinars is now live on our website. You can check them out and sign up here.

How to set your privacy program up for success

Whether you’re about to embark on a new privacy program, or you’ve started and are struggling to see results, you’ll know that the work you do pre-implementation has the potential to make or break your plan. 

From securing buy-in from your C-suite to defining policies, creating lasting awareness in your workforce to risk-based planning, there are many steps ahead that need to be considered if you want to give your program the solid foundation it needs to succeed.

Working with a range of clients across numerous sectors and company sizes, our Head of Customer Success – Alexandra N. B. Sigursteinsdóttir, has a lot of experience observing common mistakes and smart actions that businesses take during the implementation phase. 

Here, she shares some of her insights along with seven key areas to turn your attention to before you begin implementation to ensure your organisation is setting itself up for long-term success. 

Learn how to communicate with your colleagues

One of the biggest questions I get asked by new clients is: “What’s the best way for us to do data mapping?” I often find that behind this question is, in fact, a different question and what they are usually trying to say is: “What’s the best way to approach the people I need to talk to?”

Anyone who hasn’t started the data mapping process yet or is trying to make sense of the work someone did a while ago knows that their job starts with collecting a load of information from various departments.

This task involves speaking to pretty high-level people, who are typically time poor and may not immediately see the value in prioritising your project over their many other deadlines. 

Every company is different, so while it’s hard to give generic advice around this topic, I’d say you need to find the fine line between demanding their attention but also being respectful of their time. This balance involves really thinking about how you’re going to structure your meeting, making sure what you say is relevant and interesting to these key figures.

Do your research on who you are talking to. Are they afraid of new systems and set in their ways, or are they more tech-savvy and up for innovation? Do they have digitalisation projects on the agenda that you know you can get them excited about? Are they driven by sales results, and therefore, you need to spend more time demonstrating the link between compliance and improved customer relations and subsequent revenue?

Rather than using a blanket approach to communicating with colleagues, shift your focus depending on who you’re speaking to. This more tailored approach will help you secure buy-in from as many people as possible. 

Make an effort to convert the sceptics

Before you host a workshop or walk into a meeting where you’ll be educating people on your plans, I also recommend taking a moment to think about how you’re going to be received. Will your prospective audience greet you openly, or are they going to be sceptical from the get-go?

If you expect to be met with a room of sceptics, there are two main things to think about. Firstly, how can you make learning about GDPR as interesting as possible? Compliance consultant Thorleif Gotved recently shared some amazing ideas for thinking outside the box when it comes to raising awareness in his guest blog post “Creative, fun and engaging: expert tips for GDPR training”.

Next, you need to find their pain points. In other words, why they should care about your privacy program, and why do you need their involvement to make it work? For some people, they’ll buy in to the concept that data protection is a human right, and they are playing a major role in upholding a value that feeds into a greater good.

For others, they may need to see the wider benefits that data mapping and complying with GDPR brings. For example, you could help them figure out if the systems they are using are still valid and giving them the best results. Or, you could uncover that your company is using several systems for the same purpose, and by merging them into one solution, you’re making financial cuts and freeing up larger budgets.

I find it’s also very effective to remind people that if they ever want to create something new such as introducing a new tool or revising their processes, that data mapping will always give them an advantage and help them start from a more favourable position. 

These changes involve data – particularly when adopting new software. Data mapping gives people one central place where they can access all of the most up-to-date information they need.

Whatever their goals, you can help them get there while being compliant and give them the overview they need to troubleshoot any issues, streamline their project, and avoid costly mistakes.  

Go beyond securing C-suite backing

Getting the support of your C-suite and senior data responsibles is a non-negotiable when it comes to the success of a privacy program. We’ve discussed this subject extensively on our blog and with other industry experts such as Clara Kromann, Attorney-at-law at PANDORA.

Without buy-in from the top, you’ll lack resources and have little chance of ensuring compliance is achieved throughout your enterprise. 

However, securing C-suite backing is one thing; how you communicate or use that support is another step that can be a hit or miss for the success of your project. 

If your organisation is hierarchical in its nature and orders from the top are definitely followed, that’s great news. Some companies, however, may have more resistance or push-back to top-level decisions. 

In these instances, you need to identify where possible risks are (e.g. the people who are likely to ignore or go against the steps you need them to take) and look to try a new approach. 

Can you make these individuals feel valued or tap into their motivation drivers? For instance, could you help them understand that by taking these steps, they’ll be more productive and shave off hours spent looking for information or having to respond to time-consuming data requests?

I’d always say frame GDPR in a positive light – so motivate rather than threaten. You want to work with as many compliance allies as possible rather than spend energy collaborating with colleagues who resent your program and could potentially jeopardise your hard work.

Consider how to make awareness land with your internal culture 

What many people fail to realise when implementing a privacy program is that GDPR is a culture change for most companies. 

Privacy programs that are executed well and have long-term success factor in how far along a business is with this cultural change and how people are currently thinking about GDPR in relation to their everyday work. 

Many companies will be in a place where most people have a basic awareness of GDPR, but awareness doesn’t equate to caring about GDPR or remembering to take daily steps to be compliant.

It’s rarely the case that a one-off workshop will bring about the huge shift needed to move a company from a non-compliant culture to a workforce of GDPR champions. People may show up to the workshop and listen to what has to be said, but more often than not, they’ll quickly resume their busy workday and forget about what they should and shouldn’t be doing.

Get creative with how you keep GDPR at the forefront of people’s minds. In one of our new webinar episodes with Bo Pyskow, CEO of Sixtus Compliance, Bo talks about helping a client create an animated GDPR cartoon displayed on the office coffee machine to serve up a fun, daily awareness reminder. 

As well as getting creative, if you know you’re embarking on a major culture shift, take small steps quickly and often if you want to keep compliance at the forefront of people’s minds. You don’t want to overload people with information or leave big time gaps between awareness sessions, so they forget what they need to do. 

Get your hierarchy of documentation in check

Ensuring your policies and procedures are watertight before you implement any stages of your privacy program is key.

Sit down and look at all relevant policies and really examine whether or not they contain your short and long term goals. Then make sure all procedures and corresponding documents that relate to these policies are up to date and written out for relevant parties to view.

It’s fundamental that this hierarchy of documents is checked and reflects your plan before asking people to start their new ways of working. It’s highly likely that whilst going through each stage of a new implementation process, you’ll find either missing or outdated documents that can cause confusion later down the line. 

For instance, I often hear from clients that once they start data mapping, they quickly run into issues around third parties. With departments using a host of different third-party services and software, getting hold of or creating new data protection agreements for all these external companies can become a nightmare. 

Having an internal procedure in place which precedes any third-party agreement with the signing of documents that guarantee everyone is acting in compliance with your privacy policies not only safeguards your business but saves a lot of future problem-solving.   

Make your internal documents easy to access and understand

Even if a company has their privacy procedures and policies written out for its staff to follow, another common problem is that people don’t have easy access to these files and find them difficult to understand or too boring to read. 

It’s not unusual for important data protection steps to be buried within a new starter pack that’s glanced at once on the first day of a job and then shoved away in a desk drawer. Or, it may be accessible via SharePoint, but no one has made it a compulsory step for people to read through the documents before taking on a particular task.

Internally, you need to ensure people are always directed to these documents whenever they need to take a step that could impact your programme (e.g. onboarding a third party). 

You need to ensure that these documents are written using engaging copy and speaking in your company’s brand voice, so you hold the reader’s attention and get your points across effectively. 

These employee-facing documents also need to be easy to digest. Although your IT and Legal professionals will fill your guides and files with all the right information, you need to guarantee that every single person in your company understands the language being used and that the content hasn’t become too technical or littered with industry terminology. 

Set deadlines

Deadlines are always important because if you give people a task without them, I can assure you that your project timeline will soon be compromised.

Keep in mind what a good deadline is. A good deadline is rarely two months from now. Unless you’re talking about a seriously big activity, having 60 days to complete one task is too long, and you should look at how that task can be broken down into smaller tasks and multiple deadlines.

At the same time, when setting deadlines for both yourself and others, you need to make sure they are realistic given current and upcoming workloads. While you don’t want to give people too much slack, you also don’t want to stress people out and set a deadline that is doomed from the start. 

Follow the deadlines you set closely, and a week before they’re due, send your colleagues a reminder of the upcoming date and expected work. People tend to be a lot more receptive to a gentle nudge in the lead up to a deadline than being chased afterwards.  

To find out more about how Alexandra and our GDPR specialists can assist you in your data mapping activities and privacy program implementation, get in touch with our team today.

10 insights from ‘Defining roles and responsibilities’ best practices webinar with PANDORA

The world of governance, risk, and compliance can be complex. To help you navigate the challenges and realities of your compliance solution and add value to your work, our new webinar series Compliance Best Practices asks a range of leading experts to share their best practices and tips for success.

We launched our series this week with the mastermind behind PANDORA’s global privacy program – Clara Kromann.

Interviewed by Complyon CEO and Co-founder Julie Suhr, Clara was invited to explore the topic of how to plan and implement a successful compliance management program, with a particular focus on how to identify relevant roles and responsibilities from the start.

You can watch the full webinar here or find our top ten insights below. 


But first, let us introduce our webinar guest… 

Clara, Attorney-at-law for PANDORA, joined the global jewellery brand in 2018 with the initial task of implementing GDPR and privacy policies into the organisation. 

Working largely on her own, in a non-process driven and unregulated enterprise, Clara adopted a number of strategic and creative ways to improve the understanding and commitment to compliance within the business. 

The result of her approach was the launch and development of PANDORA’s global privacy program. which is currently implemented internationally by a newly formed compliance team, with Clara now guiding and advising the business on all things privacy, digital and technology-related. 

With her experience of building a successful compliance program from the ground up in a non-regulated sector, Clara was our go-to guest to discuss the challenges of communicating responsibilities relating to compliance and the benefits that occur when this is done consistently throughout an enterprise.

Read on for ten major insights we gained from Clara in our first-ever Compliance Best Practices webinar. 

1. Establishing roles and responsibilities is the foundation of a successful compliance program

One of the reasons Clara was a keen participant in our series was her enthusiasm for the webinar’s topic. “I think [roles and responsibilities] is one of the most central topics for anyone who is building or in the middle of implementing any type of program,” said Clara, “it’s one of the ground pillars of compliance activity.” 

Drilling down into why the subject is so important, Clara explained that defining roles and responsibilities provides organisations with the foundations needed to ensure that you create a “sustainable compliance program” that lives on and keeps developing. 

This step introduces the necessary accountability to your program, ensuring it doesn’t end up in a place where you create and define a great set of activities but then have no one to drive them, grow them and keep them compliant. 

2. Building a sustainable compliance plan needs to consider three main components

When asked about what advice she would give to those establishing a new, sustainable program with the hope of long-term impact, Clara replied: “I think it’s extremely important to know your organisation and for me, that meant focusing on three areas: culture, ways of working and strategic direction.”  

She built on her these focus points with the below questions:

  • Culture: Who does your company employ? What is the culture among staff? Is there a compliance-driven culture?

    If, like PANDORA, your business operates in a non-regulated industry, can you identify what else drives workplace culture?
  • Ways of working: What are your ways of working? How do different people or departments work in your organisation? Are you a very process-driven organisation? Or are you not? 
  • Strategic direction: What is your strategic direction? Where are you going? What is the driver behind the business? For some companies, compliance will be a huge driver, whereas others, for example, will be driven by sales.

With these three areas covered, you have a much better baseline for defining what makes sense for your business’ governance framework and can help you establish what actions you need to take next.

3. Switch your legal mindset for a strategic one 

Clara continued to stress the value of strategic direction, which she deemed “the most important factor” when looking into roles and responsibilities, but warned strategic thinking doesn’t necessarily come naturally to everyone working in compliance.

Typically, many of us in the sector come from legal or compliance backgrounds, which provides many benefits, but, according to Clara, has one major drawback:

“Coming from a legal background, I haven’t been trained to think very strategically from the outset. I think that it’s important to maybe throw a bit of that legal/compliance mindset away, put on your best management and strategic consultancy hat and really look into what drives your business.”

Activating your strategic mindset means you can align with what drives your management team, allowing you to then find ways to tap into those goals and get the necessary attention and buy-in that you need. 

For instance, at the time Clara began planning her program, PANDORA was in the middle of a huge turnaround program to become an extremely data-driven brand that champions best-in-class practices. 

Clara looked at specific KPIs, such as the push for greater personalisation, and incorporated those projects into her program to give her plan weight and relevance.  

“Look for what you can find that connects with your business agenda”, advises Clara. “Find documentation, or whatever is put to the stakeholders and… dive into that.” 

4. Get to know your C-suite one-on-one

In addition to aligning compliance activities with specific business drivers, Clara also took the time to really get to know and understand her C-suite before assigning her programme’s roles and responsibilities.

“I sat down with identified stakeholders in top management and had one on one interviews with them to understand – what drives them personally? What are their KPIs? What is on their particular agenda that I can utilise and tap into?”

Taking the time to speak to management individually also gave Clara the opportunity to explain how her program could help her colleagues reach their goals in a safe, compliant manner, gaining key support for her initiatives.

Getting to know your senior team says Clara, also reveals the best recruits for your program:

“Make sure you understand [your management]. Then you know who will be great stakeholders in terms of roles and responsibilities going forward. Because, if you can understand what their agenda is, you already know who in your business is the most compliance-driven”.

5. Buy-in from C-suite is integral to the success of any compliance plan

If anyone was in doubt as to the importance of securing C-suite support, Clara echoed a key belief we hold at Complyon, saying: “[Setting the] tone from the top is absolutely essential.”

“When it comes to getting commitment from the individuals in your organisation, you need your management to be the ones that stand up and set the tone. If they are not ready to work and formulate the direction, you’re unlikely to ever get buy-in from the rest of the organisation, especially [further] down in your organisation.”

Clara explained a lack of management support creates two kinds of people. There are those who understand what you’re doing and “from the good of their heart” might take on some responsibility and implement your activities, despite themselves being at 100% capacity. Then, there are those who, without management involvement or any incentives, will question your work and its relevance to them, which does not bode well for the success of your program. 

6. Offer a variety of ‘carrots’ 

When asked by webinar host Julie Suhr about her thoughts on practical measures businesses could take to increase buy-in from the entire organisation, including those who don’t feel compliance is “the most interesting topic”, Clara responded:

“I think you can talk about the carrot and the stick [approach]. You will have some people who are very much purpose-driven, who understand the purpose behind what we’re doing and the importance of it. And that’s really great – they already see the carrot.

But there will also be a need for other carrots for what [some] people will look at as the stick, which I think is embedding compliance-related KPIs or goals into performance evaluations and personal development reviews.”

Speaking of her experience at PANDORA, as well as knowledge of other companies that are mature in their compliance journey, Clara suggested that if you want to increase commitment, you should set specific goals that tap into your program agenda and make sure these are applied throughout the organisation, from the bottom to top management. 

“I can assure you”, confirmed Clara, “if that is done, you will 100% achieve what you set out to.” 

7. Choosing between a centralised vs a decentralised compliance team is company-dependent 

The webinar also touched on the much-debated topic of whether compliance teams should operate as centralised or decentralised teams. 

Reminding us that there is “no golden nugget” when it comes to opting for a decentralised or centralised model, Clara spoke of the need to examine your company’s structure. 

“In general, at least from my experience, if you have an extremely process-driven organisation with a compliant culture and employees who are very used to working with frameworks, it works really well [to have] a centralised organisation. 

In relation to Pandora, we didn’t have a very compliance-driven culture or process orientated organisation. So what we did and what we actually still have today is a very decentralised organisation where we have privacy people in the various functions.”

Clara believes the benefit of this decentralised structure allows companies to have compliance people truly embedded within the organisation. People are close to the action and, therefore, more able to pick up on what is happening in real-time and report back. 

Adding her insights to the topic, Julie agreed, saying: “What I’ve seen from our customers is that it makes sense to start up being very centralised and then maybe pushing that out and being more decentralised as you [develop].”

8. Securing compliance buy-in takes time

Regarding timelines, a message Clara was eager to raise was that compliance does not happen overnight. “It was a journey. “It’s not something that happens from one day to the next”.

In particular, getting to know management and having the opportunity to find times that worked for busy diaries, then learn more about what drives individual C-suite members, was a process that needed some time.

9. Never forget that a compliance programme should be dynamic 

Talking more on the topic of managing expectations, Clara was eager to stress the importance of the maintenance of a compliance program, saying: “I think [maintenance] is something that keeps challenging organisations.” 

Clara highlighted that many who share her legal background don’t necessarily like things to be in a constant state of flux and are more used to counting on their work staying within the same framework. 

However, no matter what your background when approaching compliance, Clara reminded us of the importance of change: 

“It’s extremely important to recognise that what you do is not static. It’s dynamic, and you need to have a mindset and an approach that follows the organisation. You will never be finished with compliance.”

10. Software counteracts issues of accountability, productivity and knowledge gaps 

Rounding off the webinar, Clara and Jules discussed the value of incorporating software such as Complyon into a compliance plan to help ensure successful implementation and maintenance. 

Following a short demo of the ways in which Complyon facilitates assigning and monitoring roles and responsibilities, Clara commented:

“I think that where we are at this point in time, especially if you’re working with GDPR and global privacy compliance, it is extremely hard to continue doing manual exercises, especially if you have a very dynamic organisation.”

Touching on the ways that a solution enables companies to ensure staff turnover doesn’t lead to knowledge loss, she added: 

“You need to have this [tech-led] overview that ultimately leads back to accountability. At any point in time, you should be able to know, show and present what your accountability looks like. And if you don’t, you already have a compliance gap there.”

Julie and Clara also discussed how software means reducing time spent discussing who owns what or debating issues of responsibility, with Julie concluding the talk by saying:

“There’s a lot of legal counsels and risk managers who are highly educated, that spend way too much time on project management – tedious, little things, instead of the actual valuations and assessments, and so on. So that’s definitely Complyon’s goal, to minimise that.

You can watch the full webinar with Clara here and if you’ve enjoyed our first episode, make sure to join us for our second with Bo Pyskow, CEO and Co-founder of Sixtus Compliance. You can signup and find more information about the webinar, which will discuss how to begin and sustain the data mapping process via our website.

You can also watch the Complyon demo that Julie and Clara discussed here. In just a few minutes, we demonstrate how to establish and manage roles and responsibilities using Complyon, illustrating three use cases in our system. 

Creative, fun and engaging: expert tips on GDPR training with Thorleif Gotved

If you work in compliance, you won’t need us to tell you that GDPR training can be challenging.  

While those of us in the industry get excited about the positive impact of specific Articles and the long list of benefits of being a compliant business, it’s safe to say that our non-industry colleagues don’t always share the same level of enthusiasm. 

Often, this unmatched interest means that getting people to listen to what we have to say about data protection is no easy feat. For all our good intentions, it’s not uncommon for awareness sessions to produce disengaged or uninterested participants. 

If you’ve been struggling to get the response that your training program deserves, we’re delighted to introduce you to a man shaking up the GDPR awareness scene: Thorleif Gotved

As a renegade in the industry, Thorleif’s fun and engaging approach offers businesses a fresh and effective way of spreading awareness – and making it stick. 

Here, he discusses why GDPR training needs to be more creative, the pitfalls of traditional awareness campaigns and his reasons for introducing Barbie and Ken to the world of compliance.  

For anyone unfamiliar with your work, could you tell us how you first became interested in GDPR?

“Sure. I think we should start in February 2007 when I made a huge mistake. 

At that time, I was working in communications at a trade union and had to email 8,000 members. I sent the email via Outlook but I could only send 2,000 at a time, so four identical emails were sent. Then, I went to lunch, and when I got back, I realised I’d done something really stupid. I forgot the BCC, which meant that not only did it take ages to scroll down to read the email, but people could also see the other 1999 recipients. 

Although data laws didn’t exist as they do now (fines were ridiculously small), this was not good – particularly working at a trade union where people aren’t meant to know who else is a member. 

What this mistake made me realise is that when you are working with personal data, you have an obligation and a responsibility to take care of it. Just like when you’re handling money or anything valuable, you should take care of it – especially if it’s somebody else’s, and especially personal data. If somebody steals that data, it’s not like money, you can’t replace it if it has been stolen. It can be stolen once, and then it’s too late. 

I suddenly became interested in the laws around data protection and started to read a lot about it. I started to see it as a human right to respect someone’s data, which to this day remains very important to me.”

How did this initial interest in personal data develop into a career?

“Some years later, I started working for an IT company, and I hired a lawyer to put together courses for our customers on personal data. 

I learnt a lot from these talks, so I began writing articles for the company newsletter about the topic. Whenever I wrote about personal data, I could see it actually interested the people who receive the emails, including members of political parties, unions and NGOs. 

I then moved on to a new job doing something completely different. But I was only there for 14 days before I was sacked. This was in December 2017, half a year before GDPR would become a reality, so I thought, “Why not become an independent consultant?”. I had the knowledge, was really interested in it and guessed there would be a demand. 

I went on to LinkedIn and wrote a post saying, “This was not the plan. But hey, it’s not that bad because now I have the opportunity to become a freelance GDPR consultant”.

After publishing that post, 15-20 people contacted me asking me for help and around half became my first customers. Today, I use LinkedIn a lot and sometimes receive thousands of likes, but I never received as much business interest as I did from that first announcement.”

In your LinkedIn bio, you mention that “you convey the topic of GDPR in a way people (probably) have not experienced before”. Can you discuss your approach and why you think a new way of teaching GDPR is necessary?

“So most people working in GDPR have studied law or GDPR. They’re great, great people. I love them and have learned a lot from them. 

However, when you go to law school, in Denmark at least, you’re very good at the knowledge of all the laws and stuff like that, but not necessarily good at explaining them to people because it is not part of what they learn at law school. 

Very often, I’ve seen papers from lawyers where everything they say is correct, but it’s really difficult for normal people to read and understand.

With me, I’m from another planet, so to speak. I went to university to become a high school teacher, so the ability to communicate and try to make people understand stuff is something that I’ve been trained in from early on. 

Unlike lawyers who have their reputation or company’s reputation to think about, I can be a little bit bold in how I teach people about GDPR. For example, I sometimes use props like Barbies, Ken dolls, teddy bears etc., to explain some of the basics of processing personal data. Something that could be incredibly boring is suddenly made funny and memorable because you’ve introduced a teddy bear and some dolls. I actually did this once for an article. I made a video using a teddy bear, and my daughter joined in. I got a lot of reactions to that video, and even now when I go into meetings with potential customers, they tell me they loved the video. 

When people think something is funny or get more curious, they start to open their eyes and ears and listen to you, especially when it comes to something like GDPR, which so many people are obliged to know about.”

What are the most common challenges facing organisations educating staff about GDPR and compliance?

“For most people, it’s boring and difficult to understand. 

It’s also my impression, more often than not, at the management and C-suite level, there needs to be more concern about GDPR. I wish that they would not just see it as a cost but actually something they can gain a lot from. 

For instance, if they actually start to clean up all the mess, they can make sure that the right people have the right access to information. Or, if an employee leaves a company or joins a competitor, they may leave with that knowledge or still have access to critical information, which can be very harmful.”

Where do you think the lack of concern around GDPR comes from?

“In general, GDPR is still connected with big fines. I think that’s horrible. Because if that’s the reason why you are doing something about GDPR because you’re afraid of fines, you’re coming at it from the wrong place.

I perfectly understand why people are talking about big fines. Still, it means much action is driven by fear rather than the opportunity to take care of something that belongs to other people – their personal data. That alone should be the reason why you take GDPR seriously.

Let’s say that you’re living in an apartment, and you have a loft with a lot of stuff up there. Suddenly, your landlord calls and says if you don’t clean it up within one week, I’ll give you a huge fine. Okay, then you have to do it.

But imagine, if instead you’re told that by cleaning up your loft, you would find a lot of stuff you could throw out, so you have space for more things. Or, you would find things that you thought you had lost that were very valuable to you. Or, you’d just be able to find things very quickly. There are so many reasons why you should do this job instead of just to avoid the fine, right?”

When a company hires an external consultant to help with their awareness efforts, what should they expect? 

“The most important thing to know is that they should be doing most of the work themselves. Consultants shouldn’t be doing all the paperwork. This has to be done internally, so businesses understand what they’re doing. 

Our job is to explain why they’re doing it and what it’s all about so they’re able to change it later on. I’ve seen so many organisations that did a lot of work regarding GDPR a few years ago, but today, they haven’t done anything. They don’t know what was done or how it was done because someone else took care of it all. 

And then there are deadlines. Deadlines are extremely important. Often, people know they need to do something, and they spend time gaining knowledge from webinars and white papers but then don’t do what they should do. That’s because they don’t have deadlines in place. 

With deadlines in place, it creates a process to make sure a business goes from A to B, and perhaps a little further.”

What are your go-to formats or techniques for making GDPR education as engaging and exciting as possible? 

“It depends on the company size and sector, but when I give a speech or teach a course, I like to use Kahoot! Sometimes, I’ll include a prize to add a bit of gamification. 

It’s all about being creative. Once I had a customer who wanted to make sure their entire staff was more aware of GDPR. So I hijacked the CEO’s email account and emailed the whole company who thought there’d been a data breach. Of course, I did so with acceptance from the CEO

That got everyone’s attention much more effectively than simply sending them a manual because they were surprised, and the more you can surprise people, the more they will be affected.”

And lastly, what is your opinion on the GDPR scenario in Denmark at the moment? Do you think the market is mature? Or do you think DPA has some work to do to force businesses to take data compliance more seriously?  

“I think some of the decisions made by the Danish DPA lately have been disappointing. Denmark is a very small country, but the trust in Denmark is bigger than in other countries, surveys have shown. We believe in others, which is a beautiful thing, but we live in an international world now. Things are going so fast, especially with the internet and social media, so we should be better at taking care of stuff. 

In Germany, they have been way more strict when it comes to GDPR as they have a different history and culture. But the thing is, whatever organisations are doing in Germany or Sweden or Denmark should be all regulated the same. There should be a universal European body that says, “Hey Denmark, you haven’t done this good enough. You have to do better.” We do have the EDPB but I would appreciate it if they were more offensive towards the efforts made by some of the national data authorities

We also have to remember that we have Europe, and then there’s the United States and China. In China, they have very different rules and attitudes to personal data. In the United States, they haven’t really paid that much attention so far, although they’ve started rolling out more laws in some states, such as California.

I think respecting privacy could be something really unique for Europe and European companies. Because we are more aware of respecting privacy, we could share the value of always acting to the highest standard, which would be a great opportunity.”

For more GDPR insights and tips, you can follow Thorleif on LinkedIn, and you’ll find his latest articles here. You can also follow Complyon for more industry interviews, tips and updates here