Trend: Want a Seat at the Table? Then GRC Needs to Understand the Business

Everyone says GRC needs “business acumen.” But what does that actually mean – in practice?

Published: April 27, 2025
Jacob Høedt Larsen
PR & PA

To me, it’s something very concrete: it means asking different questions. It means shifting from a legal mindset to true strategic involvement. From legal compliance to sustainable GRC.

2018 changed the game

For those of us in InfoSec and data protection, the introduction of GDPR brought us straight into the boardroom – along with increased attention and resources. That was a win. But it also led many of us to adopt a legal-centric way of thinking. Records of processing. Third-country transfers. Lawful bases.

There was far less focus on strategic planning, governance, and risk management.

We've ended up with an overemphasis on legal interpretations.

GRC needs to be strategic

You might believe your job is to ensure your company complies with the law. That’s true – but it’s not enough.

The problem is, this narrow view turns GRC, data protection, and InfoSec into functions that are disconnected from the business. We end up joining critical conversations far too late – and that undermines what we’re trying to protect.

GRC should be about enabling workflows and processes that support innovation and development while reducing risk. It’s about risk management, vendor management, incident response.

And it’s about governance – continuous alignment with, and reporting to, senior management.

In short: we need to be better at strategic involvement than at legal box-ticking.

Let’s take a concrete example: Tracking

Marketing teams love data – and are constantly discussing new ways to collect even more customer insights.

Why? Because it helps them work more effectively.

Traditional compliance asks questions like:

  • Is it lawful to use Google Analytics?

  • What should the cookie banner look like?

  • Is our privacy notice up to date?

Robust GRC asks:

  • Does tracking actually create business value?

  • What risks are we taking on?

  • Can we justify the balance between risk and reward?

This is a mindset shift for many of us.

What’s in it for you?

Still not convinced? Here are four great reasons to adopt a more strategic approach:

✅ You’ll be brought in earlier – because you’re seen as a contributor to solutions
✅ You’ll provide real protection – by influencing decisions before systems and processes are set in stone
✅ You’ll build stronger collaboration – because relationships grant access, and access brings influence
✅ You’ll shift how leadership sees you – from cost centre to strategic partner

(And yes, it takes patience – especially if you’ve been seen as a “compliance stickler” up to now.)

Next time the business pitches a new idea:
🔁 Skip the usual first question: “Is this legally compliant?”
🔍 Instead, ask: “How does this support our business?”
🧠 Explore the business model. Challenge the risks. Look for the value.

It’s still compliance – just with strategic impact.