Getting executive buy-in for your data protection program - how far would you go?

Deep down, you know that as a data protection leader, your program/function could be adding greater value to your organization rather than being perceived as a legally-driven, tick-box exercise.

You have drafted some ideas for improvement, perhaps based upon an assessment you've conducted of your program's maturity using an established framework, e.g., AICPA/CICA or the excellent one from the New Zealand government.

You may have a prioritized remediation plan.

You've presented your recommendations to your boss who then shows them to her boss and then it stops. 

No interest. "Didn't we already address this?" "GDPR is so last year."


You know that once you get the buy-in and support, there will be a higher chance of appropriate "tone from the top" towards your privacy program, and you'll have the foundation to establish the privacy-focused workforce you've dreamed of, where colleagues instinctively think privacy - "Privacy by Instinct."

Getting buy-in and support on an ongoing basis is still an issue for many data protection leaders. 

From my experience, the scenario described above is quite common across many organizations.

Where do you start? 

Here are a few tips - in no particular order - based on personal lessons learned mainly from global corporations that I've worked with, or for, over the years.

Framing

Some data protection leaders failed to initially get traction for their GDPR work over the past few years because their colleagues got immediately turned off by terms such as "GDPR," "Data Subject," "Article xx," "Controller," "DPIA," "Data Protection by Design and by Default," etc.

The language of the data protection office, not the language of the business.

Yes, certain terms need to be understood by specific people but not by everybody in an organization. If your work is being perceived as a barrier to daily operations, or as a tick-box exercise, you may have an issue with your framing.

You need an overall frame and specific frames for key stakeholders or departments.

Recognizing the business value personal data brings to an organization and the part it plays in the achievement of personal objectives for your colleagues will only help in the dialogue you need to have with them - in their business terminology, their world.

Having a positive frame, aligned with the achievement of business and/or organizational objectives, will help you get traction. The communications department is often a huge help with getting the right frame and developing key messages.

Political manoeuvring

Sometimes termed "stakeholder management," it includes understanding the political dynamics of your organization. Who has the ear of specific executives, who do you need to build your "coalition of change" with, who is most likely to support your proposal and potentially put financial resources behind it? Who are the resistors, what strategies and tactics do you need to get them on board, if that's at all possible?

It also involves recognizing exactly how personal data supports your business and in some sectors, how it is fueling your business.


Identify those who have got the most to gain from the processing of personal data. They often need help seeing the holistic view of data - not just the benefits to be achieved but also the legal obligations. Make it personal - understand their problems with data processing and how it affects them.

People approve ideas and initiatives. You can influence people.


Get out and about in your organization. Wander around. Meet people. Build relationships. Get yourself known face-to-face and not just as a name in an email signature.

Business case

Often overlooked by data protection leaders because of past JFDI approaches to data protection, a robust business case is an essential document to justify your intentions.


Most organizations won't allow any new initiatives involving new investments and resource allocation without an approved business case typically driven through a portfolio management process. With budgets already agreed and the portfolio set, it's challenging to get your new initiative considered unless you have a compelling business case, which even then may get deferred to next year.

Some companies have established internal start-ups that allow ideas to be considered, tested, and experimented with, all outside of the traditional corporate portfolio. If you have a compelling case to test, say, a data ethics approach to the processing of personal data in a specific LoB, this could be an excellent route to take (if your organization has one).

Business cases do not need to be huge, thick documents. Less is more; ensure you include:

  • Problem statement
  • Options considered
  • Alignment with existing business objectives
  • Risks
  • Cost/benefit analysis
  • Timeline

Once you have a draft business case, produce two high-level, visual documents for use in stakeholder meetings where you may only get 10 minutes or less to pitch your case:

1. Problem statement summary (RiskTelling)

Sometimes, business cases fail to offer compelling reasons or justification for why investment is required because they often focus on the symptoms of a problem rather than the underlying causes of the problem.

Addressing a problem is often a tangle of complexity involving combinations of factors such as technology, policies/procedures, organizational structures, people, and information.

See my earlier article covering an approach to unravelling complexity (in the context of audit reports).

By conducting root cause analysis, you'll pinpoint relationships and dependencies between these factors that, when understood and documented, will map out what needs to be done to address the problem(s). 

Factors (vulnerabilities) that are left unaddressed can present risks, and by understanding the relationships, a narrative or story can be developed to explain to key stakeholders why "deep surgery" is required instead of applying "plasters."

It's a powerful way to story-tell the "Why" - I call it "RiskTelling."

Conceptually it looks like this:

[Figure: conceptual RiskTelling diagram, not reproduced here]

2. Visual game plan

This is a one-page overview of HOW you'll be tackling the work involved. Using builds and animations in PowerPoint, you can tell the story of what will happen and set expectations with your key stakeholders. Mail me if you would like an editable PowerPoint template of this game plan. Read my earlier article about visual game plans if you want to discover how beneficial they can be.

Open door policy

Although some leaders claim to operate with a "my door's always open" policy, it often depends on who you are. If you work in this type of organization and want to make use of this opportunity, you need to prepare by having the story (the "why"), a visual game plan (the "how") and the business case that you can circulate afterwards - all as described in the previous section of this article.

I worked with one organization a few years ago that did operate an open-door policy, and it was beneficial for project and program managers who needed to engage with senior stakeholders between Board meetings. You were able to move forward instead of wasting time "lining up the ducks," "jumping through the hoops," or whatever term you use in your company.


Most of the organizations I've worked with unfortunately have not had an open door policy. You need to sell your idea to your boss, and then it continues several layers upwards until the carefully prepared business case is diluted to a couple of bullet points within a sometimes unrelated set of slides that eventually gets presented by somebody far away from your program or function. Even your boss is not present at the meeting, let alone you!

External input

It's sometimes beneficial to bring in somebody from the outside to deliver your idea to your executive team on your behalf (while being discreet about the fact that the idea originated with you).

This works especially well if the external body or individual has a good reputation or track record, but it can be frustrating to you and your colleagues who have painstakingly tried to articulate the same idea for the preceding months at a fraction of the cost of the external body.

How far would you go?

Would you go as far as David Stirling? 

Stirling was an officer in the British Army during WW2 and had an idea that he knew would be quashed if he presented it through his chain of command (his boss, then his boss's boss, etc.) 

He decided he needed to present his idea directly to the "top brass." On crutches, following an accident, he managed to gain access to army HQ and eventually burst into the office of a senior officer and explained his idea to him; that officer then persuaded his Commander-in-Chief to accept the plan.

His idea was to establish a unit that later became known as the SAS, the special forces unit of the British Army.

Without his audacity, his idea may not have got off the ground, and other "special forces" around the world may never have subsequently been established. A good or a bad thing, depending on your viewpoint.

There's a time and a place for such an approach. I'm not even suggesting this as an option unless you have a groundbreaking idea, though perhaps your leadership encourages spontaneous suggestions?

The leadership of some organizations, such as the UK high street retailer Richer Sounds, actively seek and reward new ideas and suggestions for improvements from their employees across the UK, which, according to Richer Sounds' CEO, is a critical factor in their ongoing success. There is a lot we can all learn from that.

Get in touch

I help global privacy leaders develop their privacy strategy & roadmap aligned with business purpose and business goals. Interested? Let's get on a call this week. I'll outline the approach in more detail.

Book a time now.


ADV. SHAIILESH L DALVI

Global Corporate Counsel | #AI #Contracting #Tech Laws # Privacy | Law & Compliance Strategy

5 years

Fantastic articulation

Matthias Bohler

International Channel Development at IAPP - International Association of Privacy Professionals

5 years

Timely topic. Great piece Tim!

Alma Tryggvadóttir

Director and Cyber Lead at Deloitte ehf.

5 years

Great article, thank you!

Great ... real life! :-(

Ravi Raj

Chief Compliance Officer, India

5 years

Well thought Tim!