C-suite series: How to secure your compliance budget and buy-in from the executive team

Last month we launched the first part of our C-suite series with the article: ‘Why you need buy-in from the top for your compliance strategy to succeed.’ 

Outlining a long list of reasons why winning over your executive team is directly linked to the success of your compliance plan, we touched on major benefits such as the ability to protect your company from large fines, safeguard brand value, increase company productivity and improve client relations.

Having firmly established that buy-in from the top is an essential strategy for any compliance team, we now turn our attention from the ‘why’ to the ‘how.’

Your C-suite members are incredibly busy people who are fielding demands from the entire organization, so below, you’ll find tried-and-tested techniques to cut through the noise and secure the executive buy-in and budget your compliance plan needs.

Position compliance as a business concern, not a legal one

Perhaps one of the most effective ways of getting (and holding) the attention of your C-suite is to start talking about compliance as a business driver rather than a legal problem. 

Most people in your company will be aware of the legal need for data protection policies and processes. However, by discussing compliance within legal parameters, you may fail to get the interest of those operating outside of compliance and legal departments. 

Colleagues may recognize the importance of your work but feel it’s irrelevant to their direct responsibilities and objectives, meaning your plans and budget get pushed way down the list of pressing C-suite concerns.

Rather than focusing on regulations, fines, or updates on specific Articles, make compliance a more accessible topic by discussing the wider business benefits and advantages of a robust data protection and privacy plan. 

As we discussed in the first article of our C-suite series, compliance generates numerous business drivers, from increasing productivity to boosting brand value, and these should pique the interest of anyone responsible for ensuring your company’s growth and success.

Make it your goal to reposition compliance alongside these larger business objectives so that your plan becomes undeniably valuable and is impossible to ignore. 

Get specific: align your strategy with business initiatives

A sure-fire way of shifting compliance from a legal issue to a key business driver worthy of C-suite time and investment is to tailor your compliance proposal to existing or upcoming internal initiatives.

Take a look at major programs, strategies, or projects that are in progress or in the pipeline, and think about how you can make compliance and privacy relevant to the success of those initiatives.  

For example, say your company is set to embark on a big project with a third-party vendor based in the US. Instead of approaching your C-suite with the latest guidelines from the DOJ’s updated “Evaluation of Corporate Compliance Programs,” connect compliance with planned business activity around the new partnership.

The fact that the DOJ June 2020 paper does indeed mention third parties a staggering 33 times may be fascinating to you. However, your C-suite is more likely to listen to how poor third-party risk management could impact an expensive marketing campaign, derail a carefully strategized PR push, and compromise business relations that have taken months to cultivate. 

The trick is to identify the biggest pain points of your business and look for the areas that mean the most to your C-suite. For some companies, that focus may be on the brand’s reputation; for others, it could be the transition to a data-driven organization. Find these business concerns and make sure your compliance activity taps into them. 

Speak the same language

How you communicate the value of compliance to the C-suite is also incredibly important. In our experience, as soon as you start speaking in GDPR lingo, attention spans begin to dwindle. 

Again, turn to the business world to help ensure your proposal lands. Use universally understood language, company terminology, and business metrics to get on the same page as your board. 

Don’t underestimate the power of visual language. Use your company’s branding and visual signifiers on any presentation or document to help drive home the notion that compliance has a place in your organization’s brand world.

When discussing predicted outcomes or benefits of your compliance strategy, it’s also helpful to reference findings from leading research bodies that you know speak to your C-suite and get their attention and respect. 

For instance, you could highlight that recent studies, such as a PwC US report, have found a direct link between risk management activities and better growth, improved customer relations, and increased profit margins. 

Or, you could cite how IBM’s 20th C-suite study found that the world’s leading organizations are those that incorporate data protection into their data strategy. A great sample quote to pull out would be that by putting data protection and customer trust center stage, companies were proven to ‘create extraordinary value from data, leverage trust to their advantage, and consistently outperform others in many areas.’

Provide a visual overview of your company’s current risk

Once you’ve demonstrated the broader value of compliance to your C-suite, you’ll need to justify the importance and need for specific investments such as additional staff or compliance software.

To convey the value and impact that your strategies will have, use striking graphics, simplified graphs, and bold colors to create a visual overview of your current situation. If your company has done minimal or no compliance work in your chosen area, you should be showing your team a lot of red colors that spark urgent concerns and must-act-now attitudes.

After presenting the current risk, show a visual comparison of where your company will be after your proposed investment and strategies. Switching your reds for ambers and greens is a quick and effective way of explaining to time-poor C-suite members that your actions will lead to direct results and are therefore worth backing.

At Complyon, one feature of our risk and compliance software is a dashboard that shows real-time visualization of your data scenarios, so you’re able to create and send decision-making visuals to your colleagues in just a few clicks. No designers or briefs needed.

Using the traffic light color code, the Compliance Dashboard is a powerful way of demonstrating where you need to focus your efforts and helps communicate how your project is performing.

Back up your strategy by showing risks from real companies

When pitching a new compliance plan and budget to your C-suite, you may want to start by setting the scene with general compliance statistics. You could tell your colleagues how 2021 reports have found that in just a year, GDPR fines have risen by 40%, data breach notifications have surged by 19%, and subsequent penalties totaled €158.5 million.

However, while a general overview of the evolving compliance landscape won’t harm your presentation, relatable case studies from your industry (particularly those that draw parallels to your proposal) will prove far more convincing material for those working outside the data protection and privacy sector. 

With any case studies you present, make sure you explore exactly what went wrong, cover wider consequences beyond the fine, and explain how your proposed compliance solutions would prevent your company from making the same mistakes. 

For example, if you’re employed by a clothing or retail company and are struggling to get C-suite attention, H&M’s 2020 breach would be a good way to educate executives about the importance of investing in compliant practices and processes.

Firstly, bringing up a household brand or industry-renowned name such as H&M should instantly make your pitch more relevant and compelling. Your audience should be interested to know what happened to a fellow industry player and, importantly, see their own company in the scenario.

Building on the initial interest in your story, you could then outline how irresponsible handling of employee data resulted in a €35.3 million fine, negative headlines in major press outlets, and a backlash from both staff and consumers. 

You could then emphasize that all of this could have been avoided if H&M had invested in processes and policies such as those outlined in your proposal (e.g. strict access controls on internal data and policies for processing and storing personal information).

Rooting your planned actions in relatable, real-life scenarios helps bring to life the value of compliance strategies, increasing your chance of getting that all-important executive buy-in.

Divide, conquer, then unite the C-suite

When you’re presenting to the C-suite, it’s important to remember that this diverse group of individuals have their own focuses and priorities. Your CMO will have a different set of objectives than your CIO, who is busy dealing with things that aren’t on your CFO’s radar. So, rather than approaching these team members with a blanket pitch for investment, tap into their unique interests and goals. 

Set up individual meetings with each board member to find out what they’re focusing on, what drives their priorities, and what blockers are standing in the way of their goals. Then, figure out how compliance can fit into their roadmaps and make their day-to-day operations more productive and efficient.

If possible, replay these findings to your execs ahead of your big C-suite pitch, as this will help you recruit your compliance allies and give you the chance to fine-tune any messaging, so you know your presentation will land.

Going the extra mile and speaking to your C-suite colleagues personally will ensure your strategy is relevant, considers aspects that are of genuine concern to the board, and sets you up for the successful outcome you’re after. 

Don’t overload, but schedule regular check-ins

As anyone in the industry knows, compliance isn’t a ‘set in and see’ process. Data protection and risk management is a constantly evolving and ongoing process. It has to react and adapt to new business priorities and technologies, and requires consistent monitoring, new strategies, and varying resources.

Although you want to show that your plan has long-term as well as short-term needs, try not to overwhelm the C-suite with too much information. Instead, break your project into phases and schedule future check-ins to update everyone on your project’s performance and suggested next steps. 

Dividing your workload and goals into clear stages also gives you the opportunity to retain C-suite interest with regular communication, which helps keep your work at the forefront of their busy minds.

Retaining support is just as crucial to the success of a compliance plan as winning initial investment, so make sure to keep your work relevant, engaging, and responsive to the ever-changing needs of your company.

From our real-time risk dashboard to advanced data mapping abilities, Complyon offers a range of solutions that not only keep your company compliant but also automate many of the processes required to show internal and external parties the value and status of your projects. To find out more, get in touch with our team today.

C-suite series: Why you need buy-in from the top for your compliance strategy to succeed

When most people think of the biggest threat to their business data, their minds are usually drawn to cyber hackers – an external group of online villains who are becoming more dangerous and skilled by the day. 

While it’s true that in 2021 cyber-attacks are more sophisticated, tailored, and frequent than ever, more often than not, inadequate internal processes, systems, and protocols are the main culprit for compliance issues and breaches.

To protect company data to their best ability and safeguard the business from attacks, compliance teams need the support and investment of one key group – the C-suite.

With the backing of executives, those in charge of compliance can achieve much better results for their organization and overcome common roadblocks they may face when creating a robust and strategic compliance plan.

In the first of our two-part C-suite series, we examine why buy-in from the top is crucial and explore the benefits of getting the board to realise the value of company-wide compliance.

1. C-suite is the key to securing sufficient resources and budget

It’s an inescapable fact that achieving company-wide compliance costs money. If the C-suite doesn’t recognize the importance of compliance, you run the risk of receiving a budget that is unable to provide you with the right tools and talent needed to safeguard company data.

When a compliance budget doesn’t reflect the needs and demands of an organization, this not only opens your business up to security risks, but can also lead to further difficulties, such as:

  • Hours of lost productivity: Rather than spending time on high-value work such as updating policies or risk analysis, compliance teams have to spend much more time on repetitive, administrative tasks just to meet basic compliance protocols.
  • Poor client relations: Today’s customers care about how you use their information. If your team doesn’t have the time or tools to carry out effective data mapping, they may be unable to tell a customer exactly how their information has been used, which is one of the requirements of GDPR. Or, they may take weeks to respond to a single SRR (an issue faced by two-thirds of those interviewed in Gartner’s 2019 Security and Risk Survey), putting hard-earned client relations in jeopardy. 
  • Knowledge loss due to employee turnover: If a compliance budget only stretches to a limited number of individuals and information isn’t made centrally available, vital knowledge about data storage, processes, archiving, and usage can be lost once an employee leaves the company.

Another major issue that we often witness occurs when a compliance team doesn’t have the right investment and backing from the C-suite, so they resort to taking budget sourcing into their own hands instead.

This means the person responsible for compliance often has to go from department to department to secure additional budget for compliance needs. While it’s undoubtedly beneficial to highlight the benefits that compliance software and expertise can bring to each division (plus, you’ll recruit some compliance allies as you go), this process is extremely time-consuming. It’s also risky, resulting in a sort of patchwork protection of a company’s information, with some departments left much more exposed than others. 

To achieve company-wide compliance, increase employee productivity and protect company knowledge, executives need to buy in to safeguarding their entire organization and allocate budget for data projects accordingly. 

Alongside budget allocation, the C-suite must block out enough time for themselves and their colleagues to fully understand and implement new systems and protocols, carving out time for company-wide training sessions and regular meetings for updates and reporting.

Compliance is an ongoing process, so commitment from the C-suite is vital for keeping data protection and privacy at the forefront of the minds of all employees and achieving long-term success. 

2. C-suite buy-in helps avoid higher regulatory fines

Another direct result of securing increased funding and interest from the C-suite is that your company is in a better position to mitigate high penalty fines. 

Whenever a breach or violation takes place, regulatory bodies in the States, the EU, and the UK will investigate which procedures and protocols a company had in place at the time to protect the data in question.

For example, the US federal sentencing guidelines state that the following two measures could reduce (or even prevent) a fine: “the existence of an effective compliance and ethics program” and “self-reporting, cooperation, or acceptance of responsibility.”

Similarly, Article 83 of the GDPR outlines various factors that determine the value of an imposed fine, including “the intentional or negligent character of the infringement” (paragraph 2b) and “any action taken by the controller or processor to mitigate the damage suffered by data subjects” (paragraph 2c). 

Although other factors, such as types of data and sectors, will also influence fine calculations, if a business can show they matched effort and good intent with processes, resources, and planning, you’re likely to be looking at a much more lenient punishment.

3. Brand value is protected through C-suite investment in compliance

Most C-suite members are aware of the fines associated with poor data and privacy management. However, many aren’t prepared for the financial impact caused by the reputational damage of a breach.

As highlighted by research such as IBM’s 20th Global C-suite study, today’s leading businesses are not only data-led; they’re privacy-led. They take this approach as they know that “customer trust once endowed in brands is now contingent on data.”

No matter which sector you operate in, customer trust related to data management will impact your brand’s value and revenue. IBM’s report further backs this notion by stating: “how organizations transparently share data about their offerings, are accountable for the personal data they collect, and use that data to their customers’ benefit determines their market position.”

As a warning to those who aren’t taking their compliance and privacy program seriously, the report also suggests: “Organizations that lack customer trust—cut off from prized personal data—could find themselves slipping further behind.”

Another study that looks into the cost of customer fallout after a breach is The Ponemon Institute’s Impact of a Data Breach report. The investigation found that following a data breach, 65% of data breach victims lose trust in an organization, translating directly into loss of business.

Organizations that lost less than 2% of customers after a breach suffered an average revenue loss of $2.67 million, and companies that lost more than 5% of customers experienced an average loss of $3.94 million. To add a further blow, stock prices reportedly dropped an average of 5% after a breach.

Then come the cleanup costs that follow a data breach. Crisis management outgoings include PR and marketing costs needed to earn back customer trust, new systems to prevent another imminent attack, and consultant fees to help fast-track your business to recovery.

Rather than following a well-thought-through strategy with an appropriate budget allocation and considered tools, you have to make expensive decisions under incredible pressure to demonstrate to regulatory boards, shareholders, and customers that another breach won’t happen. 

4. Establishing an organisation-wide compliant culture often needs C-suite commitment

For a company to be fully compliant and optimally protected against data threats, you need every single employee to follow the correct data procedures, policies, and practices. It only takes one employee’s misconduct to expose a company to a breach or penalty. 

However, how can you expect colleagues to be following appropriate data handling measures if senior members of staff don’t see compliance as a priority? Change needs to be driven from the top down; otherwise, your organization will also face an element of risk. 

Busy employees don’t appreciate new procedures, technologies, or rules being added to their workflow and are unlikely to engage with new protocols unless they know it’s a non-negotiable for their job. 

If your C-suite tells employees that they must take certain steps in their day-to-day activities, that instruction will carry a lot more weight than if it’s delivered by a compliance team. Personal accountability is then instilled across the company, improving organization-wide security.

Executives also have the power to make data protection processes mandatory and achieve compliance with incentives or disciplinary action. In some companies where compliance is so valued, C-suite members even link bonuses to compliance objectives, helping to drive a truly compliant culture.  

5. Preventing data silos requires C-suite support

A core part of compliance is effective data mapping – a process that gives a clear overview of exactly where a customer’s data is being stored, how it is being used, and who has come into contact with that data. 

If the C-suite doesn’t understand the importance of arming a compliance team with the time, tools, and knowledge needed for data mapping processes, a company will experience the undesirable effect of a rising number of data silos.

Data silos are extremely damaging for two main reasons. Firstly, they put your business at an increased risk of data leaks or security breaches. If different offices, departments, or individuals follow their own data steps and practices, there’s a much greater risk of business data being mishandled or compromised. Without a centralized overview and control of data flow, valuable information could be stored on unsecured devices, sent to unapproved parties, or be kept in circulation well past its deletion date. 

Secondly, data silos are a massive blocker for any company that wants to realize the full potential of its data. Rather than enabling the free flow of valuable assets, data silos limit company knowledge and potential. It’s only when data is shared between colleagues and departments that its actual value can be unlocked.

As discussed by Complyon CEO and Co-founder Julie Suhr in our recent interview, treating data in this way also has a detrimental effect on company culture. Divisions become isolated rather than collaborative, which again limits the potential and productivity of an organization.

By educating your C-suite that data value and company productivity are enhanced by compliance, you should have a more successful conversation about securing the buy-in and budget you need to run a smart compliance plan.

If you’ve enjoyed this article, keep an eye on Complyon’s LinkedIn for our next C-suite blog article, which will cover top strategies and tips for securing executive buy-in for your compliance plan.

Software or Consultant: which GDPR product is right for you?

As it stands, the GDPR services market is valued at USD 1183.2 million and is expected to reach USD 4364 million by 2026.

This rapid growth, at a CAGR of 24.3% between 2021 and 2026, means businesses looking to improve their company compliance have never had more access to different market options for GDPR tools, experts and knowledge.

Such a vast choice can be daunting, and many organisations are finding themselves torn between choosing compliance software, onboarding a GDPR consultant or adopting a robust combination of the two.

If you’re struggling to make a call on which GDPR product is right for your business, below we look at three major factors to consider before purchasing your next compliance investment.

1. The scope of your GDPR project

A good starting point for figuring out which GDPR product or service is right for your business is to work out how compliant you want to be – both tomorrow as well as in the next couple of years. 

Will you start implementing GDPR to a select department of your company such as legal or HR, which you know deals with lots of personal data, or do you want your entire organization to be fully GDPR compliant collectively?

If you’re tackling a smaller amount of data to begin with, and have already started basic data mapping (with some documentation and policies in place), then the chances are you’d be best suited to starting your GDPR tasks internally with the support of compliance software and a project lead.

Compliance software will enable your team to embark on more effective data mapping, getting all your data into one place and building a strong foundation of best practices and processes.

Once you’ve consolidated all your information, you’ll have a much clearer oversight of your situation. You’ll be able to identify any risks or find out if you’re missing critical GDPR protocols such as retention rules, policies or risk assessments. From this point, you can also make a more informed call on whether or not you need to bring in an external consultant. 

However, if you know your compliance goals are more ambitious, or if you haven’t started any data mapping at all and your project seems overwhelming, then we recommend getting a GDPR consultant on board.

A GDPR consultancy service will not only provide you with a robust roadmap to compliance, but will also save you from time poorly spent, manual errors or costly mistakes. Consultants will also be able to recommend the best time to introduce a compliance solution, ensuring maximum ROI on your software investment.  

If you’re still unsure about choosing between a software vs consultancy approach, here’s an example of the two options in action:

Imagine you’re having a hard time citing how data is being deleted within your processes. If your challenge lies within creating the right retention rules in your policies, then getting a legal consultant on board is the best option. They can help you understand your options and decide which retention rules are the best to implement based on your specific policies. 

If you’re in the situation where the retention rules are defined properly and the challenge is that the organization is not following them, then your best option is a GDPR project lead consultant who can help facilitate better communication between policies and the organization. 

If, however, you know that your organization is deleting data according to your policies but you’re having challenges proving this, then you should invest in a system that allows you to document the deletion process easily.

It’s important to note that while the right tool will help you ask your organization the key questions, the tool itself is only as good as the informed people behind it. So if you’re working in an environment with a poor compliance culture, it’s vital to consider external assistance that will help you fill the knowledge gap and onboard the right resources.

2. The extent of your internal knowledge

After your GDPR processes and roadmap are in place, you need to look inwards and consider your available expertise: do you have the right knowledge internally to carry out your compliance process yourself? Or, would you benefit from an external specialist?

An easy way to determine a knowledge gap is to ask the person responsible for GDPR in your company to look at your roadmap and reflect on how confident they feel about implementing each task and phase.

If the required knowledge and expertise are available and you have the internal know-how to build on your compliance goals, then you may opt for software over a consultant, to begin with. 

Alongside a long list of benefits, the right compliance platform will allow the person responsible for GDPR internally to spend less time on manual tasks, such as report generation or data retrieval, and more time on high-value activity such as strategy, risk assessment and keeping up to date with the latest industry developments.

On the other hand, if, after viewing your GDPR roadmap, there is some hesitation or insecurity around implementation, an external consultant will be extremely valuable to your compliance efforts.

For example, your internal team may be managing your current compliance process effectively but feel less confident about new projects you have in store, such as retention projects or third-country data transfers.

Rather than exposing your company to any risks by hoping you’re applying the right rules and processes, it’s a much smarter move to safeguard your company’s data and reputation by following the guidance of a GDPR consultant. 

Compliance knowledge in action in your company

As well as helping improve internal knowledge, a consultant can be instrumental in securing greater internal buy-in of GDPR processes and investment. If you’re struggling to get employees to follow compliance regulations or various departments or managers aren’t aligned in the necessary direction, an external expert is often extremely helpful in giving your project the extra weight and validity it needs to unite your company.

Our clients often tell us that it’s more efficient and transparent to have our team hold the GDPR workshops because we bring an unbiased view and angle to the project. Having a neutral presence allows a company to focus on the steps they need to take without the interference of workplace tensions or office politics. 

3. The sensitivity of your data

While it’s true that all data needs protection, the more sensitive your data, the greater your need will be to invest in GDPR products and services. 

For example, if you’re operating in a highly regulated industry such as healthcare or finance, a potential data breach of personal information will generally be more costly and risky than if you work in the retail sector and capture minimal personal data. So, the higher the risk, the greater your investment should be in protecting your data. 

Combining software that enables more effective data mapping and optimized risk analysis with the expertise of a GDPR consultant will ensure you’re taking every possible step to keep your data safe and secure.

This said, while some information may not technically be deemed highly sensitive by governing bodies, mishandling this data could be equally damaging in terms of your company’s reputation. Just because you won’t incur a high GDPR fine doesn’t mean you won’t lose business from data-savvy clients. 

To figure out the level of protection your data needs, you should look at what the consequences would be if you had a data breach – both in terms of a visit from the DPA and from a business perspective. Remember, a fine or an injunction also means spending resources on a subsequent clean-up to ensure the same mistake is not repeated.

If your data poses a low risk, then internal operations supported by software would be a good fit. However, if your data operations are riskier, it’s better practice to take no chances and arm your team with the tech and expertise they need to keep your company as compliant as possible.

Final thoughts:

There are many factors to consider when choosing which GDPR product is right for your business. However, every company is unique. An appropriate solution for one company could fall short in safeguarding your data. 

So, always make sure you approach your product or service investment after a thorough examination of your internal practices, protocols and goals.

Our final piece of advice for any company looking to improve its compliance processes is to acquire some knowledge before setting your GDPR goals and roadmap – whether that’s hiring an employee with experience and expertise or an external consultant. This knowledge will allow you to set realistic goals and onboard the support or tools you need to get it right from the start and leverage it in the years to come.

Behind Complyon: CEO and Co-founder Julie Suhr shares her compliance journey

Can you talk a little about your background in compliance?

“I have a background in consulting and IT management. In my time at Deloitte, my role involved implementing the personal data act (which was the previous privacy law). As part of this, I also worked with implementing some IT security frameworks, such as ISO-standards, cyber security frameworks, and IT risk analysis. At the time, there were just a few people interested in this area, but then all of a sudden the GDPR came, and everyone was suddenly much more interested.

Deloitte offered me a really thorough education in the field of data privacy and security, but it was only by the time I started working in IT that it was becoming a hot topic. To me, that created an opportunity where I could say ‘okay, I can take this area here and the difficulties in it, and make it into something that can be standardised and resolved again and again’. And we did this – with great success.”

What did you learn from these previous experiences?

“I developed a deep knowledge about how to secure IT systems in a proportional way. But I also learned that this security was never really linked to what the company did in their core business, and it was frustrating that no one ever really cared about knowing and understanding where risk lay within the business. 

The common understanding was that IT and IT security fulfil a purpose tied to the business, but solo work and policies were kept in the IT department based on the intention of providing proof to auditors they had been done. I didn’t feel like this created true value for the CEO, or the company as a whole.”

Can you explain a bit more about these frustrations in how companies manage their data security?

“The difficulty was that what IT did and knew lacked integration to other parts of the company.

In large companies, it’s very common that concepts most of the company find difficult to understand become unimportant to know, so are IT knowledge only. I felt like I’d spent so much time gaining understanding around these processes which are important for the entire company, and I was frustrated there was never an intention to make it matter, and help the rest of the company understand the importance of compliance. 

This then became part of the basis and the passion which Complyon was developed from.”

Why did you choose to develop Complyon?

“When working as consultants, the long, long implementation process for compliance solutions helped us realise this compliance isn’t something with just one end result. For instance, if a client needs to be able to pull seven reports, then over one year they need tens of thousands of consulting hours, and every week they need a new overview of the project, and they need to be able to pull several hundred different views on the work. This requires a data model where everything is interrelated, otherwise companies end up in a blind spot.

From the very beginning, when we started our own solution, the end goal was interrelated data. A lot of other compliance solutions base themselves on existing risk analysis solutions in companies, for example Excel spreadsheets that can become dynamic, but this just further deepens siloes – or creates new ones. Even when a new GDPR solution is added, it often just creates a new silo, because you can pull the reports you need for GDPR at the time, but there’s no capacity in the solution for other reports you might need down the line. 

But because we’ve spent so many hours in all angles of the compliance process, we truly understand the long-term importance of ensuring all data is connected and can be understood, and that’s the aim that’s behind Complyon and the basis for what Complyon offers. I think our ambition has been a bit more long term from the beginning, and that’s both an advantage and a challenge.”

Can you explain a bit more about why silos are problematic for compliance?

“Silo and assessment-based mapping are often the solution when no compliance system has been implemented before. This is for a few reasons, but mostly because it does the immediate job at hand, and because most compliance happens from within legal resources, where people are not used to buying software. Initially, they think it’s important to build on existing spreadsheets and make them more dynamic. However, the cons of this are that eventually, if you’re a large company, it results in so many different assessments and a lot are unnecessary. 

People find that they’re happy for a year or two, then they discover the blind spots in their solution. We avoid these difficulties and silos through interrelated mapping in our system.”

Is interrelated mapping how Complyon differentiates from other compliance solutions?

“Yes, this and the fact that we’re born from a very enterprise-mature need.

We don’t come from smaller companies who just want a tool to fix compliance in a way which is simple to understand. This is one of the reasons we had so much success in consultancy: the stakeholders we were working with were the best in the field, so they were really good at challenging us and requiring new improvements. We were constantly pushed, and constantly learning and growing and becoming more ambitious along with that. 

We have a lot of knowledge and a really mature data model that looks much further into the future than other solutions – we understand the need for continual data management and the security of knowing you can comply with every data need. It gives us an advantage but also a challenge, as we need to educate smaller companies about the challenge they are facing, and the benefits that working with an interrelated data model gives them.

I feel like the markets are still only just starting their journey of beginning to realise the importance of data security, and it’s a long way to maturity. It’s pretty normal, when a new area such as compliance comes into play, that it just takes time and can take years before everyone realises the importance. It creates an interesting and challenging arena for us now – we’re challenged to be better and better, and also help people realise the importance more and more.”

What one piece of knowledge would you give to smaller companies about compliance?

“To think more long term, and consider the long term success of their compliance. It’s not a case of just being able to run a report now, but it’s knowing you will always be able to run that report and can trust that you know and understand your data and compliance needs. 

Also, it’s a must that legal, IT, and the business work with the same pieces of information, so connecting them all is so important. They may not be departments that traditionally talk to each other, but they’re all using the same data and it makes the process so much easier when they are connected and working together.”

What does the future look like for Complyon?

“We definitely have an international focus – we don’t see any sense in making a tool that can help people all over the world and keeping it within Denmark, when it could be making such a difference. We also still need to have a focus on making our solution just as simple as other solutions, and continuing to educate the market to help them understand this.

And we are realising that we would like to add some machine learning. Everyone wants to automate the process more, because it saves so many hours. There’s great potential to implement machine learning to give suggestions, e.g. in recruitment processes and data flows, and the full overview of data creates the exciting possibility for offering suggestions and increasing automation.”