C-suite series: How to secure your compliance budget and buy-in from the executive team

Last month we launched the first part of our C-suite series with the article: ‘Why you need buy-in from the top for your compliance strategy to succeed.’ 

Outlining a long list of reasons why winning over your executive team is directly linked to the success of your compliance plan, we touched on major benefits such as the ability to protect your company from large fines, safeguard brand value, increase company productivity and improve client relations.

Having firmly established that buy-in from the top is an essential strategy for any compliance team, we now turn our attention from the ‘why’ to the ‘how.’

Your C-suite members are incredibly busy people who are fielding demands from the entire organization, so below, you’ll find tried-and-tested techniques to cut through the noise and secure the executive buy-in and budget your compliance plan needs.

Position compliance as a business concern, not a legal one

Perhaps one of the most effective ways of getting (and holding) the attention of your C-suite is to start talking about compliance as a business driver rather than a legal problem. 

Most people in your company will be aware of the legal need for data protection policies and processes. However, by discussing compliance within legal parameters, you may fail to get the interest of those operating outside of compliance and legal departments. 

Colleagues may recognize the importance of your work but feel it’s irrelevant to their direct responsibilities and objectives, meaning your plans and budget get pushed way down the list of pressing C-suite concerns.

Rather than focusing on regulations, fines, or updates on specific Articles, make compliance a more accessible topic by discussing the wider business benefits and advantages of a robust data protection and privacy plan. 

As we discussed in the first article of our C-suite series, compliance generates numerous business drivers, from increased productivity to boosting brand value, and these should pique the interest of anyone responsible for ensuring your company’s growth and success.

Make it your goal to reposition compliance alongside these larger business objectives so that your plan becomes undeniably valuable and is impossible to ignore. 

Get specific: align your strategy with business initiatives

A sure-fire way of shifting compliance from a legal issue to a key business driver worthy of C-suite time and investment is to tailor your compliance proposal to existing or upcoming internal initiatives.

Take a look at major programs, strategies, or projects that are in progress or in the pipeline, and think about how you can make compliance and privacy relevant to the success of those initiatives.  

For example, say your company is set to embark on a big project with a third-party vendor based in the US. Instead of approaching your C-suite with the latest guidelines from the DOJ’s updated “Evaluation of Corporate Compliance Programs,” connect compliance with planned business activity around the new partnership.

The fact that the DOJ June 2020 paper does indeed mention third parties a staggering 33 times may be fascinating to you. However, your C-suite is more likely to listen to how poor third-party risk management could impact an expensive marketing campaign, derail a carefully strategized PR push, and compromise business relations that have taken months to cultivate. 

The trick is to identify the biggest pain points of your business and look for the areas that mean the most to your C-suite. For some companies, that focus may be on the brand’s reputation; for others, it could be the transition to a data-driven organization. Find these business concerns and make sure your compliance activity taps into them. 

Speak the same language

How you communicate the value of compliance to the C-suite is also incredibly important. In our experience, as soon as you start speaking in GDPR lingo, attention spans begin to dwindle. 

Again, turn to the business world to help ensure your proposal lands. Use universally understood language, company terminology, and business metrics to get on the same page as your board. 

Don’t underestimate the power of visual language. Use your company’s branding and visual signifiers on any presentation or document to help drive home the notion that compliance has a place in your organization’s brand world.

When discussing predicted outcomes or benefits of your compliance strategy, it’s also helpful to reference findings from leading research bodies that you know speak to your C-suite and get their attention and respect. 

For instance, you could highlight that recent studies, such as a PwC US report, have found a direct link between risk management activities and better growth, improved customer relations, and increased profit margins. 

Or, you could cite how IBM’s 20th C-suite study found that the world’s leading organizations are those that incorporate data protection into their data strategy. A great sample quote to pull out would be that by putting data protection and customer trust center stage, companies were proven to ‘create extraordinary value from data, leverage trust to their advantage, and consistently outperform others in many areas.’

Provide a visual overview of your company’s current risk

Once you’ve demonstrated the broader value of compliance to your C-suite, you’ll need to justify the importance and need for specific investments such as additional staff or compliance software.

To convey the value and impact that your strategies will have, use striking graphics, simplified graphs, and bold colors to create a visual overview of your current situation. If your company has done minimal or no compliance work in your chosen area, you should be showing your team a lot of red colors that spark urgent concerns and must-act-now attitudes.

After presenting the current risk, show a visual comparison of where your company will be after your proposed investment and strategies. Switching your reds for ambers and greens is a quick and effective way of explaining to time-poor C-suite members that your actions will lead to direct results and are therefore worth backing.

At Complyon, one feature of our risk and compliance software is a dashboard that shows real-time visualization of your data scenarios, so you’re able to create and send decision-making visuals to your colleagues in just a few clicks. No designers or briefs needed.

Using the traffic light color code, the Compliance Dashboard is a powerful way of demonstrating where you need to focus your efforts and helps communicate how your project is performing.

Back up your strategy by showing risks from real companies

When pitching a new compliance plan and budget to your C-suite, you may want to start by setting the scene with general compliance statistics. You could tell your colleagues how 2021 reports have found that in just a year, GDPR fines have risen by 40%, data breach notifications have surged by 19%, and subsequent penalties totaled €158.5 million.

However, while a general overview of the evolving compliance landscape won’t harm your presentation, relatable case studies from your industry (particularly those that draw parallels to your proposal) will prove far more convincing material for those working outside the data protection and privacy sector. 

With any case studies you present, make sure you explore exactly what went wrong, cover wider consequences beyond the fine, and explain how your proposed compliance solutions would prevent your company from making the same mistakes. 

For example, if you’re employed by a clothing or retail company and are struggling to get C-suite attention, H&M’s 2020 breach would be a good way to educate executives about the importance of investing in compliant practices and processes.

Firstly, bringing up a household brand or industry-renowned name such as H&M should instantly make your pitch more relevant and compelling. Your audience should be interested to know what happened to a fellow industry player and, importantly, see their own company in the scenario.

Building on the initial interest in your story, you could then outline how irresponsible handling of employee data resulted in a €35.3 million fine, negative headlines in major press outlets, and a backlash from both staff and consumers. 

You could then emphasize that all of this could have been avoided if H&M had invested in processes and policies such as those outlined in your proposal (e.g. strict access controls on internal data and policies for processing and storing personal information).

Rooting your planned actions in relatable, real-life scenarios helps bring to life the value of compliance strategies, increasing your chance of getting that all-important executive buy-in.

Divide, conquer, then unite the C-suite

When you’re presenting to the C-suite, it’s important to remember that this diverse group of individuals have their own focuses and priorities. Your CMO will have a different set of objectives than your CIO, who is busy dealing with things that aren’t on your CFO’s radar. So, rather than approaching these team members with a blanket pitch for investment, tap into their unique interests and goals. 

Set up individual meetings with each board member to find out what they’re focusing on, what drives their priorities, and what blockers are standing in the way of their goals. Then, figure out how compliance can fit into their roadmaps and make their day-to-day operations more productive and efficient.

If possible, replay these findings to your execs ahead of your big C-suite pitch, as this will help you recruit your compliance allies and give you the chance to fine-tune any messaging, so you know your presentation will land.

Going the extra mile and speaking to your C-suite colleagues personally will ensure your strategy is relevant, considers aspects that are of genuine concern to the board, and sets you up for the successful outcome you’re after. 

Don’t overload, but schedule regular check-ins

As anyone in the industry knows, compliance isn’t a ‘set in and see’ process. Data protection and risk management is a constantly evolving and ongoing process. It has to react and adapt to new business priorities and technologies, and requires consistent monitoring, new strategies, and varying resources.

Although you want to show that your plan has long-term as well as short-term needs, try not to overwhelm the C-suite with too much information. Instead, break your project into phases and schedule future check-ins to update everyone on your project’s performance and suggested next steps. 

Dividing your workload and goals into clear stages also gives you the opportunity to retain C-suite interest with regular communication, which helps keep your work at the forefront of their busy minds.

Retaining support is just as crucial to the success of a compliance plan as winning initial investment, so make sure to keep your work relevant, engaging, and responsive to the ever-changing needs of your company.

From our real-time risk dashboard to advanced data mapping abilities, Complyon offers a range of solutions that not only keep your company compliant but also automate many of the processes required to show internal and external parties the value and status of your projects. To find out more, get in touch with our team today.

C-suite series: Why you need buy-in from the top for your compliance strategy to succeed

When most people think of the biggest threat to their business data, their minds are usually drawn to cyber hackers – an external group of online villains who are becoming more dangerous and skilled by the day. 

While it’s true that in 2021 cyber-attacks are more sophisticated, tailored, and frequent than ever, more often than not, inadequate internal processes, systems, and protocols are the main culprit for compliance issues and breaches.

To protect company data to their best ability and safeguard the business from attacks, compliance teams need the support and investment of one key group – the C-suite.

With the backing of executives, those in charge of compliance can achieve much better results for their organization and overcome common roadblocks they may face when creating a robust and strategic compliance plan.

In the first of our two-part C-suite series, we examine why buy-in from the top is crucial and explore the benefits of getting the board to realise the value of company-wide compliance.

1. C-suite is the key to securing sufficient resources and budget

It’s an inescapable fact that achieving company-wide compliance costs money. If the C-suite doesn’t recognize the importance of compliance, you run the risk of receiving a budget that is unable to provide you with the right tools and talent needed to safeguard company data.

When a compliance budget doesn’t reflect the needs and demands of an organization, this not only opens your business up to security risks, but can also lead to further difficulties, such as:

  • Hours of lost productivity: Rather than spending time on high-value work such as updating policies or risk analysis, compliance teams have to spend much more time on repetitive, administrative tasks just to meet basic compliance protocols.
  • Poor client relations: Today’s customers care about how you use their information. If your team doesn’t have the time or tools to carry out effective data mapping, they may be unable to tell a customer exactly how their information has been used, which is one of the requirements of GDPR. Or, they may take weeks to respond to a single subject right request, or SRR (an issue faced by two-thirds of those interviewed in Gartner’s 2019 Security and Risk Survey), putting hard-earned client relations in jeopardy.
  • Knowledge loss due to employee turnover: If a compliance budget only stretches to a limited number of individuals and information isn’t made centrally available, vital knowledge about data storage, processes, archiving, and usage can be lost once an employee leaves the company.

Another major issue that we often witness occurs when a compliance team doesn’t have the right investment and backing from the C-suite, so they resort to taking budget sourcing into their own hands instead.

This means the person responsible for compliance often has to go from department to department to secure additional budget for compliance needs. While it’s undoubtedly beneficial to highlight the benefits that compliance software and expertise can bring to each division (plus, you’ll recruit some compliance allies as you go), this process is extremely time-consuming. It’s also risky, resulting in a sort of patchwork protection of a company’s information, with some departments left much more exposed than others. 

To achieve company-wide compliance, increase employee productivity and protect company knowledge, executives need to buy in to safeguarding their entire organization and allocate budget for data projects accordingly. 

Alongside budget allocation, the C-suite must block out enough time for themselves and their colleagues to fully understand and implement new systems and protocols, carving out time for company-wide training sessions and regular meetings for updates and reporting.

Compliance is an ongoing process, so commitment from the C-suite is vital for keeping data protection and privacy at the forefront of the minds of all employees and achieving long-term success. 

2. C-suite buy-in helps avoid higher regulatory fines

Another direct result of securing increased funding and interest from the C-suite is that your company is in a better position to mitigate high penalty fines. 

Whenever a breach or violation takes place, regulatory bodies in the States, the EU, and the UK will investigate which procedures and protocols a company had in place at the time to protect the data in question.

For example, the US federal sentencing guidelines state that the following two measures could reduce (or even prevent) a fine: “the existence of an effective compliance and ethics program” and “self-reporting, cooperation, or acceptance of responsibility.”

Similarly, Article 83 of the GDPR outlines various factors that determine the value of an imposed fine, including “the intentional or negligent character of the infringement” (paragraph 2b) and “any action taken by the controller or processor to mitigate the damage suffered by data subjects” (paragraph 2c). 

Although other factors, such as types of data and sectors, will also influence fine calculations, if a business can show they matched effort and good intent with processes, resources, and planning, you’re likely to be looking at a much more lenient punishment.

3. Brand value is protected through C-suite investment in compliance

Most C-suite members are aware of the fines associated with poor data and privacy management. However, many aren’t prepared for the financial impact caused by the reputational damage of a breach.

Highlighted by research such as IBM’s 20th Global C-suite study, today’s leading businesses are not only data-led; they’re privacy-led. They take this approach as they know that “customer trust once endowed in brands is now contingent on data.”

No matter which sector you operate in, customer trust related to data management will impact your brand’s value and revenue. IBM’s report further backs this notion by stating: “how organizations transparently share data about their offerings, are accountable for the personal data they collect, and use that data to their customers’ benefit determines their market position.”

As a warning to those who aren’t taking their compliance and privacy program seriously, the report also suggests: “Organizations that lack customer trust—cut off from prized personal data—could find themselves slipping further behind.”

Another study that looks into the cost of customer fallout after a breach is The Ponemon Institute’s Impact of a Data Breach report. The investigation found that following a data breach, 65% of data breach victims lose trust in an organization, translating directly into loss of business.

Organizations that lost less than 2% of customers after a breach suffered an average revenue loss of $2.67 million, and companies that lost more than 5% of customers experienced an average loss of $3.94 million. To add a further blow, stock prices reportedly dropped an average of 5% after a breach.

Then come the cleanup costs that follow a data breach. Crisis management outgoings include PR and marketing costs needed to earn back customer trust, new systems to prevent another imminent attack, and consultant fees to help fast-track your business to recovery.

Rather than following a well-thought-through strategy with an appropriate budget allocation and considered tools, you have to make expensive decisions under incredible pressure to demonstrate to regulatory boards, shareholders, and customers that another breach won’t happen. 

4. Establishing an organisation-wide compliant culture often needs C-suite commitment

For a company to be fully compliant and optimally protected against data threats, you need every single employee to follow the correct data procedures, policies, and practices. It only takes one employee’s misconduct to expose a company to a breach or penalty. 

However, how can you expect colleagues to be following appropriate data handling measures if senior members of staff don’t see compliance as a priority? Change needs to be driven from the top down; otherwise, your organization will also face an element of risk. 

Busy employees don’t appreciate new procedures, technologies, or rules being added to their workflow and are unlikely to engage with new protocols unless they know it’s a non-negotiable for their job. 

If your C-suite tells employees that they must take certain steps in their day-to-day activities, that instruction will carry a lot more weight than if it’s delivered by a compliance team. Personal accountability is then instilled across the company, improving organization-wide security.

Executives also have the power to make data protection processes mandatory and achieve compliance with incentives or disciplinary action. In some companies where compliance is so valued, C-suite members even link bonuses to compliance objectives, helping to drive a truly compliant culture.  

5. Preventing data silos requires C-suite support

A core part of compliance is effective data mapping – a process that gives a clear overview of exactly where a customer’s data is being stored, how it is being used, and who has come into contact with that data. 

If the C-suite doesn’t understand the importance of arming a compliance team with the time, tools, and knowledge needed for data mapping processes, a company will experience the undesirable effect of a rising number of data silos.

Data silos are extremely damaging for two main reasons. Firstly, they put your business at an increased risk of data leaks or security breaches. If different offices, departments, or individuals follow their own data steps and practices, there’s a much greater risk of business data being mishandled or compromised. Without a centralized overview and control of data flow, valuable information could be stored on unsecured devices, sent to unapproved parties, or be kept in circulation well past its deletion date. 

Secondly, data silos are a massive blocker for any company that wants to realize the full potential of its data. Rather than enabling the free flow of valuable assets, data silos limit company knowledge and potential. It’s only when data is shared between colleagues and departments that its actual value can be unlocked.

As discussed by Complyon CEO and Co-founder Julie Suhr in our recent interview, treating data in this way also has a detrimental effect on company culture. Divisions become isolated rather than collaborative, which again limits the potential and productivity of an organization.

By educating your C-suite that data value and company productivity are enhanced by compliance, you should have a more successful conversation about securing the buy-in and budget you need to run a smart compliance plan.

If you’ve enjoyed this article, keep an eye on Complyon’s LinkedIn for our next C-suite blog article, which will cover top strategies and tips for securing executive buy-in for your compliance plan.

Software or Consultant: which GDPR product is right for you?

As it stands, the GDPR services market is valued at USD 1183.2 million and is expected to reach USD 4364 million by 2026.

This rapid growth, at a CAGR of 24.3% between 2021 and 2026, means businesses looking to improve their company compliance have never had more access to different market options for GDPR tools, experts and knowledge.

Such a vast choice can be daunting, and many organisations are finding themselves torn between choosing compliance software, onboarding a GDPR consultant or adopting a robust combination of the two.

If you’re struggling to make a call on which GDPR product is right for your business, below we look at three major factors to consider before purchasing your next compliance investment.

1. The scope of your GDPR project

A good starting point for figuring out which GDPR product or service is right for your business is to work out how compliant you want to be – both tomorrow as well as in the next couple of years. 

Will you start implementing GDPR in a select department of your company such as legal or HR, which you know deals with lots of personal data, or do you want your entire organization to be fully GDPR compliant collectively?

If you’re tackling a smaller amount of data to begin with, and have already started basic data mapping (with some documentation and policies in place), then the chances are you’d be best suited to starting your GDPR tasks internally with the support of compliance software and a project lead.

Compliance software will enable your team to embark on more effective data mapping, getting all your data into one place and building a strong foundation of best practices and processes.

Once you’ve consolidated all your information, you’ll have a much clearer oversight of your situation. You’ll be able to identify any risks or find out if you’re missing critical GDPR protocols such as retention rules, policies or risk assessments. From this point, you can also make a more informed call on whether or not you need to bring in an external consultant. 

However, if you know your compliance goals are more ambitious, or if you haven’t started any data mapping at all and your project seems overwhelming, then we recommend getting a GDPR consultant on board.

A GDPR consultancy service will not only provide you with a robust roadmap to compliance, but will also save you from time poorly spent, manual errors or costly mistakes. Consultants will also be able to recommend the best time to introduce a compliance solution, ensuring maximum ROI on your software investment.  

If you’re still unsure about choosing between a software vs consultancy approach, here’s an example of the two options in action:

Imagine you’re having a hard time citing how data is being deleted within your processes. If your challenge lies within creating the right retention rules in your policies, then getting a legal consultant on board is the best option. They can help you understand your options and decide which retention rules are the best to implement based on your specific policies. 

If you’re in the situation where the retention rules are defined properly and the challenge is that the organization is not following them, then your best option is a GDPR project lead consultant who can help facilitate better communication between policies and the organization. 

If, however, you know that your organization is deleting data according to your policies but you’re having challenges proving this, then you should invest in a system that allows you to document the deletion process easily.

It’s important to note that while the right tool will help you ask your organization the key questions, the tool itself is only as good as the informed people behind it. So if you’re working in an environment with a poor compliance culture, it’s vital to consider external assistance that will help you fill the knowledge gap and onboard the right resources.

2. The extent of your internal knowledge

After your GDPR processes and roadmap are in place, you need to look inwards and consider your available expertise: do you have the right knowledge internally to carry out your compliance process yourself? Or, would you benefit from an external specialist?

An easy way to determine a knowledge gap is to ask the GDPR responsible in your company to look at your roadmap and reflect on how confident they feel with implementing each task and phase. 

If the required knowledge and expertise are available and you have the internal know-how to build on your compliance goals, then you may opt for software over a consultant, to begin with. 

Alongside a long list of benefits, the right compliance platform will allow your internal GDPR responsible to spend less time on manual tasks, such as report generation or data retrieval, and more time on high-value activity such as strategy, risk assessment and keeping up to date with the latest industry developments. 

On the other hand, if, after viewing your GDPR roadmap, there is some hesitation or insecurity around implementation, an external consultant will be extremely valuable to your compliance efforts.

For example, your internal team may be managing your current compliance process effectively but feel less confident about new projects you have in store, such as retention projects or third country data transfers.

Rather than exposing your company to any risks by hoping you’re applying the right rules and processes, it’s a much smarter move to safeguard your company’s data and reputation by following the guidance of a GDPR consultant. 

Compliance knowledge in action in your company

As well as helping improve internal knowledge, a consultant can be instrumental in securing greater internal buy-in of GDPR processes and investment. If you’re struggling to get employees to follow compliance regulations or various departments or managers aren’t aligned in the necessary direction, an external expert is often extremely helpful in giving your project the extra weight and validity it needs to unite your company.

Our clients often tell us that it’s more efficient and transparent to have our team hold the GDPR workshops because we bring an unbiased view and angle to the project. Having a neutral presence allows a company to focus on the steps they need to take without the interference of workplace tensions or office politics. 

3. The sensitivity of your data

While it’s true that all data needs protection, the more sensitive your data, the greater your need will be to invest in GDPR products and services. 

For example, if you’re operating in a highly regulated industry such as healthcare or finance, a potential data breach of personal information will generally be more costly and risky than if you work in the retail sector and capture minimal personal data. So, the higher the risk, the greater your investment should be in protecting your data. 

Combining software that enables more effective data mapping and optimized risk analysis with the expertise of a GDPR consultant will ensure you’re taking every possible step to keep your data safe and secure.

This said, while some information may not technically be deemed highly sensitive by governing bodies, mishandling this data could be equally damaging in terms of your company’s reputation. Just because you won’t incur a high GDPR fine doesn’t mean you won’t lose business from data-savvy clients. 

To figure out the level of protection your data needs, you should look at what the consequences would be if you had a data breach – both in terms of a visit from the DPA and from a business perspective. Remember, a fine or an injunction also means spending resources on a subsequent clean-up to ensure the same mistake is not repeated.

If your data poses a low risk, then internal operations supported by software would be a good fit. However, if your data operations are riskier, it’s better practice to take no chances and arm your team with the tech and expertise they need to keep your company as compliant as possible.

Final thoughts:

There are many factors to consider when choosing which GDPR product is right for your business. However, every company is unique. An appropriate solution for one company could fall short in safeguarding your data. 

So, always make sure you approach your product or service investment after a thorough examination of your internal practices, protocols and goals.

Our final piece of advice for any company looking to improve its compliance processes is to acquire some knowledge before setting your GDPR goals and roadmap – whether that’s hiring an employee with experience and expertise or an external consultant. This knowledge will allow you to set realistic goals and onboard the support or tools you need to get it right from the start and leverage it in the years to come.

Buyer’s Guide: How to choose GDPR compliance software

A time-consuming process

GDPR compliance is undeniably complex. If you’re the one charged with keeping your company compliant, you’ll know managing the process can be time-consuming, complicated, and demands constant attention – particularly if you’re handling large amounts of data.

Luckily, there is no shortage of solutions such as GDPR compliance software that make managing customer data and data security both easy and effective. In fact, to match 2022’s estimated $8 billion global spending on compliance tooling, the booming compliance software market is set to exceed a staggering $4.36 billion by 2025, growing at a CAGR of 24.3% over the next five years. 

While the ability to streamline GDPR processes well beyond “Excel sheets of the past” is excellent news for compliance managers, this ever-growing choice of GDPR compliance tools can be overwhelming. How do you know which solution is the best GDPR software for your company? Which modules should you invest in now? Which platform will give you an edge over competitors?

To help you navigate an investment that will completely transform your GDPR practices, we’ve put together a handy buyer’s guide for GDPR compliance software. From budgets to essential features, below, we’ll walk you through the key factors to consider before making your purchase.

Assess your internal needs

Before you start researching different GDPR software solutions, you must have a clear understanding of what your company actually needs. Being aware of the challenges you face throughout the GDPR process allows you to gauge how effective, relevant, and necessary your chosen GDPR compliance software will be for your enterprise.

Start by identifying all areas that currently pose an obvious risk to your compliance process. Any solution or platform you consider should resolve the tasks directly affecting your compliance – whether that’s helping to prevent a potential data breach or providing clearer documentation of your data processes.

For example, a major issue for many organizations is handling subject right requests (SRRs). Under GDPR legislation, companies must respond to individual requests for personal data within a given timeframe. 

However, according to Gartner’s 2019 Security and Risk report, two-thirds of enterprises say it takes them two or more weeks to retrieve a single SRR. Because companies usually rely on manual solutions, this essential GDPR activity costs them an average of $1,400 in workflow costs.

So, not only is your customer waiting too long for their data, but you’re at risk of breaching a key piece of GDPR legislation, and employees are wasting valuable time on a task easily solved by GDPR compliance software features such as data mapping.

Once you’ve created a list of urgent focus areas, move on to other tasks that slow down your workflow and need optimization. Are you taking too long to produce your Article 30 reports? Do you spend days instead of minutes trying to determine the links between different data sets? Is your working day spent chasing colleagues for their input and data? Could you benefit from expert-led consultancy services alongside GDPR or Privacy Management software?

By closely scrutinizing every task at each phase of your GDPR process, you can work out where you need the most support from tech-led GDPR solutions. It will help you determine if there are any features you do or don’t need and ensure you match up your GDPR compliance software with your company’s needs. 

Add speaking to your colleagues to your GDPR compliance checklist 


Even if you’re part of a small team, your purchasing decision must consider any other department that deals with or is affected by company data. Failing to get input from your colleagues before signing a contract with a GDPR compliance software vendor may mean you overlook a feature that could enhance enterprise workflow or fill a gap in your GDPR process.

Take the sales team. According to Cisco’s 2020 Cybersecurity Benchmark Study, inefficiencies in GDPR processes lead to a large number of sales delays. Cisco roots these delays in issues caused when customers want to know vital information concerning their data, such as what data is being captured, how it is stored and transferred, and who has access to it. 

With this issue experienced by 62% of surveyed companies, the average delay was a long 4.2 weeks. While it’s great to know that so many companies prioritize data protection and security, we’re sure this statistic will be horrifying to most salespeople.

Despite these troublesome findings, the report remains optimistic on the subject of sales delays, stating:

Over time, we would expect both the percentages and average delays to drop as companies develop more mature processes to handle customers’ questions and integrate privacy processes into their sales cycles.

As highlighted by Cisco, if you want your whole enterprise to benefit from your GDPR compliance software investment, a department-wide approach is the way to go.

Determine who will use your system

There’s also a more practical side to involving others in your purchasing decision. If you need multiple parties to contribute to GDPR processes, does your future platform facilitate effective collaboration? Is it user-friendly and suitable for a range of tech-literate employees? Will your provider offer free training or resources, so the job of training up colleagues doesn’t fall on you? How much will you be charged for adding more users to the system? Are you able to add external parties such as stakeholders or clients? 

Taking the time to work out who needs access to GDPR compliance software and how a platform will support these additional users will ensure you end up with a platform that works not just for your DPO but for your entire enterprise. It will also help you avoid any unexpected costs or burdens on your own workload.

Clarify your budget

Your budget will have a massive influence on the types of solutions you’re able to shortlist, so make sure you have a figure in mind before speaking to vendors.

If you’re not happy with the budget you’ve been given or feel that your company will experience far more benefits from a more advanced system, it’s worth putting together a case for investing more in your solution. Chances are, C-suite members may not be aware of the added benefits that GDPR compliance software can bring to the entire business. So far we’ve touched on how integrated GDPR solutions would generate higher revenue for sales teams, but with almost every department and employee creating and using data, the case for ROI can be argued across divisions such as legal, HR, marketing, and finance. 

Alongside gathering internal intel, check out the latest reports from established bodies such as Gartner, Forrester, and Cisco. Referring back to Cisco’s Annual Cybersecurity Benchmark Study, you’ll find a treasure trove of persuasive statistics and findings to support your push for more investment in GDPR compliance software.

For example, out of the 2,500 organizations surveyed, the report outlined the percentage of companies getting significant benefits in each of the below areas following their investment in privacy practices: 

  • 71% mitigating losses from data breaches
  • 71% enabling agility and innovation
  • 72% achieving operational efficiency from data controls
  • 73% making the company more attractive to investors 
  • 74% building loyalty and trust with customers 

The study also found that companies that invested more in their privacy processes experienced greater benefits in the above categories than those that spent less. A case, if ever there was one, for increasing your budget for GDPR compliance software.

You should also be prepared to field questions as to why your chosen software justifies an increased spend. Your vendor should be able to provide you with as many relevant stats, case studies, and feature benefits as you need to sway your budget holder towards higher investment and move them away from low-cost GDPR compliance software or free GDPR tools.

How Complyon’s GDPR compliance software simplifies your compliance process 

Complyon is designed to make the complex task of GDPR compliance easy. With a focus on interconnected data flows and strategic overviews, we provide you with the tools and expertise you need to turn compliance activity into an asset and advantage. 

With users able to choose from a range of modules, including our Core module, GDPR module, Risk and Control module, and Campaign module, our multi-dimensional solution caters to a range of company requirements and needs. Our platform offers bespoke and flexible options, whether you’re looking for GDPR compliance software for small businesses or more advanced GDPR tools required for global and large-scale companies.

When it comes to GDPR compliance software, the main features our clients benefit from include:

  • Simple yet sophisticated data-mapping: take the stress and hassle out of tracking your data, processes, and activities
  • Centralized data: crush data silos and pool all your company’s data, policies, and practices into one location 
  • Optimized data connectivity: trace all connections and relationships between your data for greater data control, management, and risk assessment
  • Instant report generation: create legally compliant reports such as Article 30 in just one click
  • Run essential CIAs: activate your Complyon GDPR compliance toolkit to protect your company from loss of confidentiality, loss of integrity, and loss of availability
  • Multi-user friendly interface: facilitate employee collaboration and user adoption with our intuitive, easy-to-use platform
  • Third-party monitoring: get greater oversight over partner activity
  • Future-proof scalability: safeguard your GDPR investment with a solution that expands as your company grows and space to add new processes and systems
  • Workflow optimization: streamline internal GDPR and data processes enterprise-wide
  • Minimize risk: ensure control in all situations with our Risk and Control module
  • Tailor-made features: get bespoke GDPR compliance software functionalities to fit with your systems and data requirements

To find out more about how Complyon’s GDPR compliance software can simplify your data, privacy, and risk processes, contact us here.

How does legal meet IT?

The magic of the DPO

According to the GDPR section four, a Data Protection Officer (DPO) can, and in some cases shall, be appointed to carry out certain tasks. They are, amongst other things, to assist with Data Protection Impact Assessments (DPIAs), inform and advise regarding the regulation and they also carry the main responsibility to be the link between the Data Protection Authority (DPA) and the organization. To have someone responsible for these tasks means that companies save time (and thus money ;-). Some of the main advantages of appointing a DPO who’s responsible for GDPR are listed below:

  • They skip the step of having to appoint a task force amongst different employees if the DPA decides to ask the organization questions. 
  • They ensure better communication about the regulation because employees will know who to ask questions about GDPR. 
  • They have the right person to advise on how to make a proper DPIA. 

These are only a few of the benefits of their awesome work. Whether the company chooses to appoint an actual DPO or someone in a similar position, experience has shown us that appointing someone responsible for certain tasks always turns out to be beneficial. It’s not enough to have a legal entity of multiple people just sitting on the knowledge with no one responsible. Appoint a DPO (or someone in a similar position) and watch the magic happen.

The others, who are also doing magic

Far away in the basement at the other end of the big organization sits another business unit whose primary work also consists of doing magic. Or at least many people think so, because their work is so complex that very few people actually get it. You guessed it right. It’s IT.

Whether they hide in the basement or sit suited up on the top floor, there’s often a lot of uncertainty as to what they actually do, and so it’s easier for a lot of people to just think magic.

But what does IT actually do? This is a question you might find harder to answer than you expected. We know who to call when we can’t log in to our machine, or when some programs are acting up. We call the helpdesk, create a ticket and wait for them to show up. 

This is the way most of us know IT, but it emphasizes only a small part of what they do, namely their responsibility for the ‘functionality’ of IT. Classically there are two more: infrastructure and governance!

So, basically they do everything. This all sounds pretty good and maybe now you’re shaking your head in disbelief because you know that your IT department will not just whip their wand and work their magic. If you want something from IT take a number, get your ticket and get in line. IT are busy people and they’re expensive to employ, so unless you’re the CEO your best approach is to wait patiently for their guidance. 

Why DPOs should get on IT’s agenda

If you’re a DPO one of the likely instances you’ve encountered IT is when conducting an article 30 report and describing the technical and organizational security measures in article 32. It’s a great example of a situation where legal and IT are forced to communicate. Common obstacles here can be communication, time and priorities. It’s rarely as easy as a quick email to IT asking for a description of security measures. They might take some time to answer and then get back to you with a description of encryption. If this happens you must be ready to do some more waiting if you also want to get an understandable description of confidentiality, integrity, ability to restore, testing, evaluation and everything else that security measures entail when it comes to GDPR. 

This can also be a big frustration for IT. Between them making sure that everything runs smoothly while helping out other employees with software problems and also implementing new systems, it might not be obvious to them for what reason someone working with personal data would be interested in knowing whether the accounting system is exposed to open networks and in which country the server of their payment system is placed. 

Legal and IT might in fact be the most dissimilar kids in the classroom. So why is it that we force them to work together? And how do we make it happen? 

Where’s the value? 

The why is the question that’s easiest to answer. Because we have to, if we want to be compliant.

But this should not be the only reason. If we dive a little deeper, a lot of great synergies between the two are revealed. IT has a lot of the answers that the DPO needs. In a digitalized world IT knows all of the risks from a system point of view for every system, because that’s part of what they’re trained to do. They also know how the risks can be mitigated by using certain controls and most importantly, they know the cost of these things. 

This information is thus half of the knowledge that the DPO needs to determine the final risk which he needs to be aware of when conducting an article 32 report or advising on the DPIA. The other half is the input that the business provides as they will know the impact (impact x probability) on the given business unit if something is not working the way it’s supposed to, is leaked or in other ways compromised. 

There are a lot of missed opportunities in the interactions that happen between the two. Often the information IT holds can answer multiple questions that legal has. If you’re working with GDPR there are a lot of similarities in the framework to the ISO standards 27001/2 and in the same way if you’re in pharma working with the GxP quality guidelines, IT’s knowledge about logging (traceability) or documentation (accountability) will be relevant in all of the mentioned fields as well. So, it’s definitely important for the DPO or legal to get on IT’s agenda, but the cherry on top is that IT also gets a piece of the cake which is the valuable information that the DPO is sitting on. In order to be compliant and for instance when conducting an article 30 report, the DPO needs to know what’s going on in the organization. 

Whether you’re working in Excel spreadsheets (and if you are, we would love to show you an alternative) or if you’re using a system, you as a DPO know the importance of mapping the organisation. Finding out exactly what business units are using what data, where they send it to, where it comes from, where it’s saved, how it’s processed, deleted, secured and so on, is all essential information. But this is also something IT can use. The DPO has the chance to become the link between the organisation and IT. Because in between all of the work that happens in IT, it’s hard to keep up with the business units. Someone might have bought a new solution without involving IT. Some systems aren’t being used anymore and some are being used in a different way than first intended. All of this is information the DPO can, and should, give to IT.  In this way IT can solve their tasks in a better way too, as functionality, infrastructure and governance might become easier to manage with the intel from the business units. They’ll know what’s going on in the fields. 

If this new flow of information can be set up in a system where the parties can easily communicate in the same language there’s even more value to point out for the DPO. Because of the fact that IT also benefits from it, there’s a possibility that both entities can share the costs that follow in creating these possibilities and thus the DPO and IT will have a good case to bring to management. In the end, enforcing better communication between the DPO, IT and the business units will also help the organization as a whole in terms of awareness about GDPR and thus become more compliant. 

If it’s possible to ensure that all of this information between the two can flow easily and understandably, a great synergy is created. We saw this and thus we built our campaign module and our risk- and control module to serve exactly this purpose. Others are aware as well and might have other solutions on how to best create this opportunity for the two. To some it might even be obvious that these synergies exist and they utilize them as well, and if so, all there’s left to ask is if it’s done in the most efficient way.

Do you have what it takes to make the risk assessment?

5 lessons from GDPR for your next Risk Assessment Report

With guidance from the Danish DPA 

In November alone, four out of eleven inspections from the Danish Data Protection Agency revolved around “risk assessments in security processing”. Since the implementation of GDPR, companies have been holding their breath over where scrutiny will be applied by local DPAs. Here are 5 things we have learned so far.

Article 32 GDPR – why bother with a RAR?

If you don’t have a RAR (Risk Assessment Report) yet, you should. The requirement of conducting a risk assessment report is found in several articles in GDPR including article 32. Article 32 addresses the security of processing and requires: 

“(…) the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk”

Furthermore, the considerations about the risks should include those that occur when processing data, in particular: 

  • accidental or unlawful destruction of data
  • loss of data
  • alteration of data
  • unauthorized disclosure of data, or 
  • access to personal data transmitted, stored or otherwise processed. 

All of this with the data subject in mind – that is the customers/business partners/workers or anyone else dealing with the company, where personal data is relevant. 

The RAR as a business enabler

In order to be GDPR compliant with regards to data risks, the Risk Assessment Report is introduced as a tool to show the DPA what considerations and thoughts have been made and to ensure that a risk-based approach is taken. The mantra within the GDPR community goes: If it’s not in black and white in the RAR, it’s not done.  

While the purpose of the regulation is to ensure the rights of the subjects, the RAR actually creates an opportunity for companies to benefit as well. That is, if the framework of the report is right.

The common problems of drafting a RAR 

For all of those working with GDPR, the RAR can be a bit of a challenge. Not only because it seems like an impossible task to foresee all possible events of a data breach, but also because of the uncertainty about what the DPA is going to demand, and how, when they come to audit.

Even if the DPO, the CISO or the responsible entity within the organization will keep an eye on the latest statements from the DPA, it will still be a challenge to constantly change the framework of how the RAR is composed. Even after two years of the GDPR being in effect, companies are still not sure about the above-mentioned topics. Can we find a common thread in two years of scrutiny? 

The light at the end of the tunnel 

Danish authorities quickly realized that companies were taken by surprise when being investigated. So, they have issued some guidelines that can be helpful to have considered in advance of an investigation. The guidelines are “Vejledende tekst om risikovurdering” and “Behandlingssikkerhed – Databeskyttelse gennem design og standardsindstillinger”.

The first mentioned focuses on identifying the risks and how to compose the right RAR framework. Main takeaways include how to conduct: 

  • An assessment of the consequences of a breach of data
  • An assessment of threats
  • An assessment of vulnerability, and finally 
  • The risk profile, which is composed of
    •  (risks x probability) – existing measures = the risk

These guidelines will serve as a great help as to how the report itself should be composed. The other guidelines are helpful as to how to identify the right measures to impose and how to implement them in practice. Furthermore, it offers a guide as to how data protection by design and default will help ease the work in the future by implementing a proactive approach throughout the organization. 

Learning from others’ mistakes

The guides should serve as a great directory but there really isn’t a greater teacher than past mistakes. 

In one of the latest cases of the Danish DPA, an office community of law firms had drafted a risk assessment report but hadn’t included any thoughts regarding “encryption on the transport layer via TLS” when sending out emails that contained personal data to their clients. Since there was no RAR that included these considerations, it resulted in criticism from the DPA. 

This case is not only important because it gives a heads up to companies as to what to remember to consider in their RAR. It’s also important because it shows to what extent IT and law need to walk hand in hand in order to be compliant.

If you’re from a legal background reading this and “the transport layer via TLS” does not ring a bell, you better call up your IT department and get them on board with GDPR because this is part of being compliant.

Instant reports and “Dynamic presentation”

All aspects need to be interconnected in order to create adequate reports that will meet the requirements of the DPA, and be value-creating for the business. Start with connecting:

  • Systems
  • Activities
  • Processes, and
  • Third parties 

and continue to further interconnect data, policies and procedures, legal background, retention rules, information obligation, data subjects, and last but not least technical measures in IT security. This will not only ensure a compliant RAR but also benefit the organization in its daily GDPR work and make data protection by design and default a whole lot easier to implement.

It is not humanly possible to have manual control over this, so we look at the tech industry for answers. Excel has long been our trusted friend in all things data. Recent cases have however proven that this will not cut it. A static presentation is not versatile enough to meet the high standard the DPA sets for GDPR compliance. 

The High Tech solution 

When looking for a system that will make the mark, make sure it makes the connections between the above-mentioned aspects. To be truly prepared, companies need to be able to create reports from different angles about the same subset of data. As soon as this becomes a reality, the right framework will always be available as it becomes dynamic and can be molded to match any requirements from the DPA. This is where the RAR can go from a zero to truly become a hero!

Keep an eye out for our blog to learn more about the development of our framework. We help set the standard for compliance. We help – you comply.