Compliance 3.0: Taking Care of Business

Well, here we are at the final part of my introduction to Compliance 3.0, just takin' care of business. The previous 2 parts can be found here:

Let’s just jump straight in shall we?

Implementation

However worthwhile it is, getting the idea of Compliance 3.0 to work in the real world isn't a simple or quick process. I may have mentioned that already. Textbook models and academic ideas tend to break in application, and there aren’t any shortcuts when dealing with cultural change. We humans are notoriously resistant to it. That’s OK, no plan survives first contact. The trick is to learn, adapt, overcome, and not give in to frustrations.

That being said, plans are still good, just be ready to flex yours as needed. You’ll find that approach far more successful, and in the spirit of having a plan I wanted to share some thoughts to get you started.

Tone At the Top

When I mentioned the degree of personal fortitude (and headache pills) needed to champion this sort of change in the previous article, I was mostly being serious. As a DPO myself I know that keeping my own spirits up in the face of frustration and (what feels like) rejection is incredibly draining, but if I let it beat me just because it's uncomfortable, then how can I ask anyone else to make any changes?

Remember cognitive dissonance from article 2? Resistance to change is as natural as breathing: if something has worked before, our brains tell us we have no reason to do anything differently. Overriding that part of the brain with logic can cause real discomfort. Let it take its time, and keep radiating that positivity us DPOs are totally known for.

You're going to have to bring everyone on a journey with you, and sometimes they might need a little cajoling, some encouragement, or just to see that you understand why they're annoyed. Compliance 3.0 is a shift not only in the way things are done, but equally in the way things are thought about, how people feel about them, and what the company values.

This type of change must be led from the top down; bottom-up can’t drive it. The commitment needs to be demonstrated where the decisions are being made.

Getting It Done

Enough philosophising and health warnings, we’re here to take care of business, so let’s do that. As ever, this is personal advice from me to you, nothing more. You can take it, leave it, laugh at it, whatever you like - I'm putting it out there for anyone who finds a grain of usefulness in it.

General Strategy

  • Controlling my ego can sometimes be a struggle, I'll admit. I've learned that when you're trying to persuade someone, your ego is almost always your enemy: stay humble, stay real. Compliance doesn’t pack the punch that Operations does, and acting like we do only triggers status competitions. It’s hard to de-escalate that once it's started.
  • Speak softly, and repeat as necessary. I can’t stress this enough, do NOT attempt to “speak softly and carry a big stick”. Sticks are about fear. No major fines for 6 months = no fear = no stick = you’re dead in the water. Your credibility just took a hit too, by the way.
  • Invest time in getting a clear understanding of the organization’s vision, mission, values, and goals. Use Compliance 3.0 approaches to add value to as many as you can. The company already knows it ‘has’ to keep Compliance around; we need them to ‘want’ to keep us around.
  • Talk to people, and genuinely listen to their issues and irritations; DPOs aren't the only people with frustrations. Keep the mood light, don’t interrupt them, resist the urge to defend yourself, accept the feedback, and say ‘thank you’. You’re gathering intelligence, NOW isn’t the moment to change anyone’s mind.

The Plan: 3.0 All In

  • Review the organization’s current compliance status and identify opportunities for improvement through Compliance 3.0.
  • Show how you could quantify and report on the Return on Investment (ROI) of moving to Compliance 3.0. I can guarantee you’ll be asked about it. I can't give you foolproof ways to do it either; it's whatever works in your culture and with your Execs. If I had a magic wand for this I'd have a lot less grey hair.
  • Have a risk-based transition plan that cross-references risk, business priorities, and ROI. Your Execs have limited resources, not everything can be done at once, and not everything is equally beneficial.
  • Provide information, evidence, and where applicable your opinion and recommendation. Let those who will pay any operational price make the decisions. Focus on facilitating them.

Now you've come this far, take a moment, review everything you’ve learned, write your pitch without ever actually using the phrase “Compliance 3.0”, check your ego at the door, and then go for it, because now IS the time to win hearts and change minds.

This won't be a basic sales pitch either; this is a full-blown political campaign, and your opponent is the status quo. You need to get out there championing the vision, knocking on virtual doors, and you need to make sure the Execs are doing it too.

The Perpetual Campaign Trail

During the campaign (which lasts forever) people might say one thing to you and do another. It doesn’t matter, it happens. Don’t assume any stumbling blocks are caused by malice or bad intention; we all have shifting priorities, and it’s unlikely to be personal.

  • Go back, re-engage, keep talking, keep up the energy. Offer practical solutions to problems, be prepared to commit your own resources.
  • Align your solutions with those values and goals you found out earlier. If they shift, then you shift.
  • Don’t lose sight of the overall shape of Compliance 3.0 by getting bogged down in details. Draw the lines before focussing on colouring in the detail.
  • Assign roles and responsibilities to the appropriate people. A task that needs doing every day shouldn’t be with an Exec, have staggered levels of responsibility and accountability. All management layers have a purpose, use them.
  • Communicate and engage with stakeholders about the compliance strategy, your program, its objectives, and positive outcomes. Always encourage them to give you feedback and input, listen to it, and then find a way to show you listened to it. You don't have to fix it; showing you listened might be as simple as a follow-up email, or a couple of words by the coffee machine.
  • Implement and execute according to the approved plan, then monitor, track, and report on progress and performance to the Exec sponsors.
  • Expectation management is crucial at all levels, especially when in a period where things are happening slowly. Sometimes it really is 'one step forward, two steps back'; people know that and will understand if you're communicating openly.
  • Celebrate successes and recognize contributions as you go. It’s not only you facing frustrations and getting disheartened. Cultural change is hard. Take the wins. Share the wins. Maybe even invent a couple now and then, just so you can give them away to people that need one.

Conclusion

So there you have it, my thoughts on Compliance 3.0 and how to make it happen. This evolution sees a shift from a reactive and rule-based approach to a proactive and risk-based approach, a recognition that many laws and regulations are already moving in that direction and compliance needs to keep up. Compliance 3.0 focuses on the effectiveness of compliance programs and the principles behind them, not just their existence or adequacy.

Compliance 3.0 offers many benefits for organizations that adopt it, such as enhancing reputation, increasing loyalty, improving engagement, reducing costs, driving innovation, expanding opportunities, fulfilling expectations, and gaining advantages. However, Compliance 3.0 also poses some challenges for organizations, the most challenging of which might well be the sustained effort required for cultural change.

Compliance 3.0 requires a careful assessment of the costs and benefits of adopting it for each organisation. The costs and benefits will vary depending on factors such as the size, nature, industry, location, maturity, starting point, level of external regulation, and culture of the organization.

To make it happen you'll need a strategic vision, a clear roadmap, strong leadership, a dedicated team, a collaborative culture, and a continuous improvement mindset. It also needs to be handled pragmatically, keeping it real: programs that get caught up in too much theory or academia are destined to fail, as are ones keeping too tight a grip on the textbook. It can be a challenge to stay grounded and make compromises, but if you want to keep moving forwards then that's one thing that isn’t negotiable.

I hope this article, including the previous 2 parts, has given you some insights into what Compliance 3.0 is and how to achieve it. If you have any questions or comments, please feel free to share them below. If you've not read the other parts yet the links are up at the top.

If we're not already connected, and you'd like to, send over that invitation and say "Hi!". I'm an easy going chap, no need to overthink it.

Thank you for reading, stay in touch, and I'll catch you next time. I'm thinking of exploring how to quantify privacy ROI next; that's something a lot of people ask me for help with.

Dan