Trend: Confessions of a tick-the-box compliance sinner

Tick-the-box compliance is dead. Instead, organisations must balance legal obligations, security, and stakeholder expectations to create a sustainable compliance culture.

Published: March 11, 2025. Author: Jacob Høedt Larsen, PR & PA.


Back in 2018, my GDPR playbook looked like this:

💵 Calculate 4 % of the global revenue.

👮🏻‍♀️Threaten management with 4 % of global revenue fines.

📚 Read through the GDPR to estimate minimum requirements.

💻 Create a massive spreadsheet for the ROPA and risk assessments.

✅ Quickly tick the boxes of the minimum requirements.

😇 Feel good for a moment.

🧑🏼‍💻 Get back to “real work”.

Regulatory compliance was my religion…

… I was a tick-the-box disciple.

Fast forward to 2025 and a similar approach wouldn’t cut it…

… even though the temptation is there to go:

⛔️ ”Hey, CEO. If you don’t comply, you could be held personally accountable and banned from management,

🏎️ No more Ferrari,

🏖️🛥️ No more holidays in the Caribbean for you.”


The only problem is that it did not work with GDPR, and it will not work with NIS2 (or any other data protection and information security framework, for that matter).

💵 Calculating 4 % of global revenue for fines does not make sense anymore.

For most companies the risk of discovery is low, and fines have never reached that level; that will probably be the same with NIS2. I’m pretty sure that for most CEOs the fear of being stripped of their title will also feel pretty distant.

👮🏻‍♀️ Management buy-in should not be based on fear of fines (or of being temporarily banned from holding a management position).

When I worked in public relations, my boss would sometimes say to our clients: “Now that’s a great message - until the journalist asks a follow-up question!” It’s the same in this case.

If fear is your main argument, be prepared for the inevitable pushback: 'How likely is this really?' Compliance needs a stronger foundation than hypothetical threats.

I think you should communicate how the privacy programme positively benefits the organisation.

📚 Legal requirements are important.

I’ve sometimes been accused of thinking that it’s OK to NOT comply with the law. However, I do think that legal requirements are important.

So, too, are the demands and wishes of our customers, colleagues, local community and other stakeholders.

We should substitute regulatory compliance with sustainable compliance and take those demands and wishes into account.

✅ Tick-the-box compliance is dying.

Instead, let’s replace it with balanced decisions on data compliance that take the law, the security of the business, and the demands and wishes of our stakeholders into account.

💻 Spreadsheets are great …

Spreadsheets serve many purposes, but as a long-term compliance tool, they fall short. Many GDPR records haven’t been updated since 2018—we need more dynamic solutions.

😇 Feeling good about your job is important.

However, only feeling good when you ARE compliant will make you feel miserable most of the time.

Let’s feel great about the process of compliance.

🧑🏼‍💻 And finally: compliance is real work and provides benefits to the organisation.

5 trends to turn fragile data protection and infosec into sustainable GRC programmes.

Sustainable GRC means moving beyond mere legal checklists to a framework that aligns with business goals, customer expectations, and long-term risk management.

The trends are:

Trend #1 From centralised authority to company-wide collaboration

Trend #2 From tick-the-box compliance to balanced decision-making

Trend #3 From problem-oriented to solution-oriented

Trend #4 From legal thinking to strategic involvement

Trend #5 From managing data subjects to caring about people
