Gaining Senior Management Buy-In to GDPR Compliance

Published on 21 July 2022
SUMMARY

“It is non-negotiable… the potential fines are enormous… individuals can be held personally liable”. So, with all of these compelling reasons, why can it still be challenging to gain traction on your GDPR compliance project? Some years have passed since the GDPR came into force on 25 May 2018, with many heavy fines imposed on UK companies for breaches of the Regulation. In this blog, URM looks at the steps you can take to gain senior management buy-in.

Know your audience

Identify the key stakeholders and establish their goals, objectives and measurements.  It is suggested that you consider approaching owners, investors, employees, customers, suppliers and other interested parties.  Once you have discovered their requirements, you can then map these against your GDPR project and tailor your ‘pitch’ to address their needs directly.  Be prepared to evolve your pitch as you go through this ‘requirements gathering’ process until you have a refined and fully-fledged proposal to present to senior management.

Packaging

GDPR may be a compliance-led project, but it will help if you can get people excited about it.  Try and communicate how it will support the organisation’s strategic goals and what benefits the business will derive, ideally across multiple departments.  You need to be fostering a belief that your organisation needs, rather than simply wants or is obliged, to achieve compliance.  Note that business framing is more effective than moral framing, which can lead your audience to think that you are questioning their moral character. Instead, emphasise the positives that the GDPR will bring as you reach the sunlit uplands of compliance.

Keep your cool

Attempting to persuade people to support your initiative can be a slow, thankless and frustrating process and it is important to keep your emotions in check.  Wherever possible, seek to inspire positive understanding and focus on benefits to the individual or organisation.

Timing is everything

You should be alert to identifying suitable opportunities to sell your GDPR initiative and have the awareness to know when it is not a good time to launch into your pitch.  You’re looking to catch the right wave!

You’re not an island

Do not attempt to do this on your own. Seek to build a coalition by identifying those people, both internally and externally, that the organisation trusts. With the ‘blockers’, if you can’t gain their support, try at the very least to ensure they do not actively obstruct your efforts, and work on persuading the fence sitters to pick your side.

Learning styles

Every organisation has its own learning style.  Identify what type of information senior management use to make decisions, how they prefer to receive that information, formal vs. informal, etc.  Have they launched compliance-led programmes before?  Are there any lessons you can learn from that process? At the more senior levels, a formal approach is more likely to achieve results.  You may, therefore, wish to start informally as you engage stakeholders, build your coalition and refine your pitch, but then switch to a more formal style as you get closer to the senior decision makers.

Don’t bring me problems…

Throughout the process of gaining senior management buy-in, you should be offering solutions to meeting the GDPR challenges you are highlighting or, at the very least, proposing a sensible process for determining what the approach should be.

This is a process

In spite of what Hollywood films would have us believe, gaining senior management buy-in is the result of a considered process rather than a dramatic one-off, yes/no boardroom pitch.  With this in mind, you should:

  • Pick your battles – “He will win who knows when to fight and when not to fight”, Sun Tzu, The Art of War.  Spend your reputational capital wisely.
  • Combine approaches – Treat the tactics above as ingredients.  Determine the appropriate recipe for your organisation and use a blend, ideally a little of each, to deliver the change you are looking for.
  • Sell it yourself – No one will sell your idea better than you.  If you are required to use intermediaries, e.g., a line manager or executive sponsor, then try to accompany them or do everything you can to prepare and support them.

Does your organisation fully comply with the General Data Protection Regulation (GDPR)?

If uncertain, URM is able to conduct a high-level GDPR gap analysis which will help you understand your current levels of compliance and identify gaps and vulnerabilities.