Can you talk a little about your background in compliance?
“I have a background in consulting and IT management. In my time at Deloitte, my role involved implementing the personal data act (which was the previous privacy law). As part of this, I also worked with implementing some IT security frameworks, such as ISO standards, cyber security frameworks, and IT risk analysis. At the time, there were just a few people interested in this area, but then all of a sudden the GDPR came, and everyone was suddenly much more interested.
Deloitte offered me a really thorough education in the field of data privacy and security, but it was only by the time I started working in IT that it was becoming a hot topic. To me, that created an opportunity where I could say ‘okay, I can take this area here and the difficulties in it, and make it into something that can be standardised and resolved again and again’. And we did this – with great success.”
What did you learn from these previous experiences?
“I developed a deep knowledge about how to secure IT systems in a proportional way. But I also learned that this security was never really linked to what the company did in their core business, and it was frustrating that no one ever really cared about knowing and understanding where risk lay within the business.
The common understanding was that IT and IT security fulfil a purpose tied to the business, but solo work and policies were kept in the IT department based on the intention of providing proof to auditors they had been done. I didn’t feel like this created true value for the CEO, or the company as a whole.”
Can you explain a bit more about these frustrations in how companies manage their data security?
“The difficulty was that what IT did and knew lacked integration to other parts of the company.
In large companies, it’s very common that concepts most of the company find difficult to understand become unimportant to know, so are IT knowledge only. I felt like I’d spent so much time gaining understanding around these processes which are important for the entire company, and I was frustrated there was never an intention to make it matter, and help the rest of the company understand the importance of compliance.
This then became part of the basis and the passion which Complyon was developed from.”
Why did you choose to develop Complyon?
“When working as consultants, the long, long implementation process for compliance solutions helped us realise this compliance isn’t something with just one end result. For instance, if a client needs to be able to pull seven reports, then over one year they need tens of thousands of consulting hours, and every week they need a new overview of the project, and they need to be able to pull several hundred different views on the work. This requires a data model where everything is interrelated, otherwise companies end up in a blind spot.
From the very beginning, when we started our own solution, the end goal was interrelated data. A lot of other compliance solutions base themselves on existing risk analysis solutions in companies, for example Excel spreadsheets that can become dynamic, but this just further deepens silos – or creates new ones. Even when a new GDPR solution is added, it often just creates a new silo, because you can pull the reports you need for GDPR at the time, but there’s no capacity in the solution for other reports you might need down the line.
But because we’ve spent so many hours in all angles of the compliance process, we truly understand the long-term importance of ensuring all data is connected and can be understood, and that’s the aim that’s behind Complyon and the basis for what Complyon offers. I think our ambition has been a bit more long term from the beginning, and that’s both an advantage and a challenge.”
Can you explain a bit more about why silos are problematic for compliance?
“Silo and assessment-based mapping are often the solution when no compliance system has been implemented before. This is for a few reasons, but mostly because it does the immediate job at hand, and because most compliance happens from within legal resources, where people are not used to buying software. Initially, they think it’s important to build on existing spreadsheets and make them more dynamic. However, the cons of this are that eventually, if you’re a large company, it results in so many different assessments and a lot are unnecessary.
People find that they’re happy for a year or two, then they discover the blind spots in their solution. We avoid these difficulties and silos through interrelated mapping in our system.”
Is interrelated mapping how Complyon differentiates from other compliance solutions?
“Yes, this and the fact that we’re born from a very enterprise-mature need.
We don’t come from smaller companies who just want a tool to fix compliance in a way which is simple to understand. This is one of the reasons we had so much success in consultancy: the stakeholders we were working with were the best in the field, so they were really good at challenging us and requiring new improvements. We were constantly pushed, and constantly learning and growing and becoming more ambitious along with that.
We have a lot of knowledge and a really mature data model that looks much further into the future than other solutions – we understand the need for continual data management and the security of knowing you can comply with every data need. It gives us an advantage but also a challenge, as we need to educate smaller companies about the challenge they are facing, and the benefits that working with an interrelated data model gives them.
I feel like the markets are still only just starting their journey of beginning to realise the importance of data security, and it’s a long way to maturity. It’s pretty normal, when a new area such as compliance comes into play, that it just takes time and can take years before everyone realises the importance. It creates an interesting and challenging arena for us now – we’re challenged to be better and better, and also help people realise the importance more and more.”
What one piece of knowledge would you give to smaller companies about compliance?
“To think more long term, and consider the long-term success of their compliance. It’s not a case of just being able to run a report now, but it’s knowing you will always be able to run that report and can trust that you know and understand your data and compliance needs.
Also, it’s a must that legal, IT, and the business work with the same pieces of information, so connecting them all is so important. They may not be departments that traditionally talk to each other, but they’re all using the same data and it makes the process so much easier when they are connected and working together.”
What does the future look like for Complyon?
“We definitely have an international focus – we don’t see any sense in making a tool that can help people all over the world and keeping it within Denmark, when it could be making such a difference. We also still need to have a focus on making our solution just as simple as other solutions, and continuing to educate the market to help them understand this.
And we are realising that we would like to add some machine learning. Everyone wants to automate the process more, because it saves so many hours. There’s great potential to implement machine learning to give suggestions, e.g. in recruitment processes and data flows, and the full overview of data creates the exciting possibility for offering suggestions and increasing automation.”