C-suite series: Why you need buy-in from the top for your compliance strategy to succeed

When most people think of the biggest threat to their business data, their minds are usually drawn to cyber hackers – an external group of online villains who are becoming more dangerous and skilled by the day. 

While it’s true that in 2021 cyber-attacks are more sophisticated, tailored, and frequent than ever, more often than not, inadequate internal processes, systems, and protocols are the main culprit for compliance issues and breaches.

To protect company data to their best ability and safeguard the business from attacks, compliance teams need the support and investment of one key group – the C-suite.

With the backing of executives, those in charge of compliance can achieve much better results for their organization and overcome common roadblocks they may face when creating a robust and strategic compliance plan.

In the first of our two-part C-suite series, we examine why buy-in from the top is crucial and explore the benefits of getting the board to realise the value of company-wide compliance.

1. C-suite is the key to securing sufficient resources and budget

It’s an inescapable fact that achieving company-wide compliance costs money. If the C-suite doesn’t recognize the importance of compliance, you run the risk of receiving a budget that is unable to provide you with the right tools and talent needed to safeguard company data.

When a compliance budget doesn’t reflect the needs and demands of an organization, this not only opens your business up to security risks, but can also lead to further difficulties, such as:

  • Hours of lost productivity: Rather than spending time on high-value work such as updating policies or risk analysis, compliance teams have to spend much more time on repetitive, administrative tasks just to meet basic compliance protocols.
  • Poor client relations: Today’s customers care about how you use their information. If your team doesn’t have the time or tools to carry out effective data mapping, they may be unable to tell a customer exactly how their information has been used, which is one of the requirements of GDPR. Or, they may take weeks to respond to a single subject rights request (SRR), an issue faced by two-thirds of those interviewed in Gartner’s 2019 Security and Risk Survey, putting hard-earned client relations in jeopardy.
  • Knowledge loss due to employee turnover: If a compliance budget only stretches to a limited number of individuals and information isn’t made centrally available, vital knowledge about data storage, processes, archiving, and usage can be lost once an employee leaves the company.

Another major issue that we often witness occurs when a compliance team doesn’t have the right investment and backing from the C-suite, so they resort to taking budget sourcing into their own hands instead.

This means the person responsible for compliance often has to go from department to department to secure additional budget for compliance needs. While it’s undoubtedly beneficial to highlight the benefits that compliance software and expertise can bring to each division (plus, you’ll recruit some compliance allies as you go), this process is extremely time-consuming. It’s also risky, resulting in a sort of patchwork protection of a company’s information, with some departments left much more exposed than others. 

To achieve company-wide compliance, increase employee productivity and protect company knowledge, executives need to buy in to safeguarding their entire organization and allocate budget for data projects accordingly. 

Alongside budget allocation, the C-suite must block out enough time for themselves and their colleagues to fully understand and implement new systems and protocols, carving out time for company-wide training sessions and regular meetings for updates and reporting.

Compliance is an ongoing process, so commitment from the C-suite is vital for keeping data protection and privacy at the forefront of the minds of all employees and achieving long-term success. 

2. C-suite buy-in helps avoid higher regulatory fines

Another direct result of securing increased funding and interest from the C-suite is that your company is in a better position to mitigate high penalty fines. 

Whenever a breach or violation takes place, regulatory bodies in the US, the EU, and the UK will investigate which procedures and protocols a company had in place at the time to protect the data in question.

For example, the US Federal Sentencing Guidelines for organizations state that the following two factors reduce an organization’s culpability score, and therefore its fine: “the existence of an effective compliance and ethics program” and “self-reporting, cooperation, or acceptance of responsibility.”

Similarly, Article 83 of the GDPR lists the factors a supervisory authority must weigh when deciding whether to impose a fine and how large it should be, including “the intentional or negligent character of the infringement” (Article 83(2)(b)) and “any action taken by the controller or processor to mitigate the damage suffered by data subjects” (Article 83(2)(c)).

Although other factors, such as the categories of data involved and the sector you operate in, also influence how a fine is calculated, a business that can show it matched good intent with documented processes, resources, and planning is likely to face a much more lenient penalty than one that cannot.

3. Brand value is protected through C-suite investment in compliance

Most C-suite members are aware of the fines associated with poor data and privacy management. However, many aren’t prepared for the financial impact caused by the reputational damage of a breach.

Highlighted by research such as IBM’s 20th Global C-suite study, today’s leading businesses are not only data-led; they’re privacy-led. They take this approach as they know that “customer trust once endowed in brands is now contingent on data.”

No matter which sector you operate in, customer trust related to data management will impact your brand’s value and revenue. IBM’s report further backs this notion by stating: “how organizations transparently share data about their offerings, are accountable for the personal data they collect, and use that data to their customers’ benefit determines their market position.”

As a warning to those who aren’t taking their compliance and privacy program seriously, the report also suggests: “Organizations that lack customer trust—cut off from prized personal data—could find themselves slipping further behind.”

Another study that looks into the cost of customer fall out after a breach is The Ponemon Institute’s Impact of a Data Breach report. The investigation found that following a data breach, 65% of data breach victims lose trust in an organization, translating directly into loss of business. 

Organizations that lost less than 2% of customers after a breach suffered an average revenue loss of $2.67 million, and companies that lost more than 5% of customers experienced an average loss of $3.94 million. To add a further blow, stock prices reportedly dropped an average of 5% after a breach.

Then come the cleanup costs that follow a data breach. Crisis management outgoings include PR and marketing costs needed to earn back customer trust, new systems to prevent a repeat attack, and consultant fees to help fast-track your business to recovery.

Rather than following a well-thought-through strategy with an appropriate budget allocation and considered tools, you have to make expensive decisions under incredible pressure to demonstrate to regulatory boards, shareholders, and customers that another breach won’t happen. 

4. Establishing an organisation-wide compliant culture often needs C-suite commitment

For a company to be fully compliant and optimally protected against data threats, you need every single employee to follow the correct data procedures, policies, and practices. It only takes one employee’s misconduct to expose a company to a breach or penalty. 

However, how can you expect colleagues to follow appropriate data handling measures if senior members of staff don’t see compliance as a priority? Change needs to be driven from the top down; otherwise the gap between what your policies say and what your organization actually does becomes a risk in itself.

Busy employees don’t appreciate new procedures, technologies, or rules being added to their workflow and are unlikely to engage with new protocols unless they know it’s a non-negotiable for their job. 

If your C-suite tells employees that they must take certain steps in their day-to-day activities, that instruction will carry a lot more weight than if it’s delivered by a compliance team. Personal accountability is then instilled across the company, improving organization-wide security.

Executives also have the power to make data protection processes mandatory and achieve compliance with incentives or disciplinary action. In some companies where compliance is so valued, C-suite members even link bonuses to compliance objectives, helping to drive a truly compliant culture.  

5. Preventing data silos requires C-suite support

A core part of compliance is effective data mapping – a process that gives a clear overview of exactly where a customer’s data is being stored, how it is being used, and who has come into contact with that data. 

If the C-suite doesn’t understand the importance of arming a compliance team with the time, tools, and knowledge needed for data mapping processes, a company will experience the undesirable effect of a rising number of data silos.

Data silos are extremely damaging for two main reasons. Firstly, they put your business at an increased risk of data leaks or security breaches. If different offices, departments, or individuals follow their own data steps and practices, there’s a much greater risk of business data being mishandled or compromised. Without a centralized overview and control of data flow, valuable information could be stored on unsecured devices, sent to unapproved parties, or be kept in circulation well past its deletion date. 

Secondly, data silos are a massive blocker for any company that wants to realize the full potential of its data. Rather than enabling the free flow of valuable assets, data silos limit company knowledge and potential. It’s only when data is shared between colleagues and departments that its actual value can be unlocked.

As discussed by Complyon CEO and Co-founder Julie Suhr in our recent interview, treating data in this way also has a detrimental effect on company culture. Divisions become isolated rather than collaborative, which again limits the potential and productivity of an organization.

By educating your C-suite that data value and company productivity are enhanced by compliance, you should have a more successful conversation about securing the buy-in and budget you need to run a smart compliance plan.

If you’ve enjoyed this article, keep an eye on Complyon’s LinkedIn for our next C-suite blog article, which will cover top strategies and tips for securing executive buy-in for your compliance plan.

Software or Consultant: which GDPR product is right for you?

As it stands, the GDPR services market is valued at USD 1,183.2 million and is expected to reach USD 4,364 million by 2026.

This rapid growth, at a CAGR of 24.3% between 2021 and 2026, means businesses looking to improve their company compliance have never had more access to different market options for GDPR tools, experts and knowledge.

Such a vast choice can be daunting, and many organisations are finding themselves torn between choosing compliance software, onboarding a GDPR consultant or adopting a robust combination of the two.

If you’re struggling to make a call on which GDPR product is right for your business, below we look at three major factors to consider before purchasing your next compliance investment.

1. The scope of your GDPR project

A good starting point for figuring out which GDPR product or service is right for your business is to work out how compliant you want to be – both tomorrow and in the next couple of years.

Will you start implementing GDPR in a single department of your company, such as legal or HR, which you know handles a lot of personal data, or do you want your entire organization to be fully GDPR compliant from the outset?

If you’re tackling a smaller amount of data to begin with, and have already started basic data mapping (with some documentation and policies in place), then the chances are you’d be best suited to starting your GDPR tasks internally with the support of compliance software and a project lead.

Compliance software will enable your team to embark on more effective data mapping, getting all your data into one place and building a strong foundation of best practices and processes.

Once you’ve consolidated all your information, you’ll have a much clearer oversight of your situation. You’ll be able to identify any risks or find out if you’re missing critical GDPR protocols such as retention rules, policies or risk assessments. From this point, you can also make a more informed call on whether or not you need to bring in an external consultant. 

However, if you know your compliance goals are more ambitious, or if you haven’t started any data mapping at all and your project seems overwhelming, then we recommend getting a GDPR consultant on board.

A GDPR consultancy service will not only provide you with a robust roadmap to compliance, but will also save you from time poorly spent, manual errors or costly mistakes. Consultants will also be able to recommend the best time to introduce a compliance solution, ensuring maximum ROI on your software investment.  

If you’re still unsure about choosing between a software vs consultancy approach, here’s an example of the two options in action:

Imagine you’re having a hard time citing how data is being deleted within your processes. If your challenge lies within creating the right retention rules in your policies, then getting a legal consultant on board is the best option. They can help you understand your options and decide which retention rules are the best to implement based on your specific policies. 

If you’re in the situation where the retention rules are defined properly but the organization is not following them, then your best option is a GDPR project lead consultant who can help close the gap between the written policies and day-to-day practice across the organization.

If however, you know that your organization is deleting data according to your policies but you’re having challenges proving this, then you should invest in a system that allows you to document the deletion process easily.

It’s important to note that while the right tool will help you ask your organization the key questions, the tool itself is only as good as the informed people behind it. So if you’re working in an environment with a poor compliance culture, it’s vital to consider external assistance that will help you fill the knowledge gap and onboard the right resources.

2. The extent of your internal knowledge

After your GDPR processes and roadmap are in place, you need to look inwards and consider your available expertise: do you have the right knowledge internally to carry out your compliance process yourself? Or, would you benefit from an external specialist?

An easy way to identify a knowledge gap is to ask the person responsible for GDPR in your company to look at your roadmap and reflect on how confident they feel about implementing each task and phase.

If the required knowledge and expertise are available and you have the internal know-how to build on your compliance goals, then you may opt for software over a consultant, to begin with. 

Alongside a long list of other benefits, the right compliance platform will allow the person responsible for GDPR to spend less time on manual tasks, such as report generation or data retrieval, and more time on high-value activity such as strategy, risk assessment and keeping up to date with the latest industry developments.

On the other hand if, after viewing your GDPR roadmap, there is some hesitation or insecurity around implementation, an external consultant will be extremely valuable to your compliance efforts.

For example, your internal team may be managing your current compliance process effectively but feel less confident about new projects you have in store, such as retention projects or third-country data transfers.

Rather than exposing your company to any risks by hoping you’re applying the right rules and processes, it’s a much smarter move to safeguard your company’s data and reputation by following the guidance of a GDPR consultant. 

Compliance knowledge in action in your company

As well as helping improve internal knowledge, a consultant can be instrumental in securing greater internal buy-in of GDPR processes and investment. If you’re struggling to get employees to follow compliance regulations or various departments or managers aren’t aligned in the necessary direction, an external expert is often extremely helpful in giving your project the extra weight and validity it needs to unite your company.

Our clients often tell us that it’s more efficient and transparent to have our team hold the GDPR workshops because we bring an unbiased view and angle to the project. Having a neutral presence allows a company to focus on the steps they need to take without the interference of workplace tensions or office politics. 

3. The sensitivity of your data

While it’s true that all data needs protection, the more sensitive your data, the greater your need will be to invest in GDPR products and services. 

For example, if you’re operating in a highly regulated industry such as healthcare or finance, a potential data breach of personal information will generally be more costly and risky than if you work in the retail sector and capture minimal personal data. So, the higher the risk, the greater your investment should be in protecting your data. 

Combining software that enables more effective data mapping and optimized risk analysis with the expertise of a GDPR consultant will ensure you’re taking every possible step to keep your data safe and secure.

This said, while some information may not technically be deemed highly sensitive by governing bodies, mishandling this data could be equally damaging in terms of your company’s reputation. Just because you won’t incur a high GDPR fine doesn’t mean you won’t lose business from data-savvy clients. 

To figure out the level of protection your data needs, you should look at what the consequences would be if you had a data breach – both in terms of a visit from your data protection authority (DPA) and from a business perspective. Remember, a fine or an injunction also means spending resources on a subsequent clean-up to ensure the same mistake is not repeated.

If your data poses a low risk, then internal operations supported by software would be a good fit. However, if your data operations are riskier, it’s better practice to take no chances and arm your team with the tech and expertise they need to keep your company as compliant as possible.

Final thoughts:

There are many factors to consider when choosing which GDPR product is right for your business, and every company is unique: a solution that suits one company could fall short in safeguarding your data.

So, always make sure you approach your product or service investment after a thorough examination of your internal practices, protocols and goals.

Our final piece of advice for any company looking to improve its compliance processes is to acquire some knowledge before setting your GDPR goals and roadmap – whether that’s hiring an employee with experience and expertise or an external consultant. This knowledge will allow you to set realistic goals and onboard the support or tools you need to get it right from the start and leverage it in the years to come.