Ensuring GDPR compliance in any business can feel like more than a full-time job. Coming into a new organization and being tasked, as my very first assignments, with overseeing the organization's entire GDPR program and reassessing the maturity levels of the group of companies was one of the biggest growth experiences of my career in the past four years.
While AI tools are a real help, they didn't capture the pitfalls I encountered as a GDPR Lead. Instead, I'd like to share my own experiences, including what worked, what didn't, and the lessons I learned along the way.
In the span of one year, I went from entering the chaos of being a new joiner in a shipping company to creating a solid three-year GDPR implementation program that is well on its way to being implemented. Some steps were executed well, others required fast adjustments, but the following experiences are what took my team from chaos to clarity.
----------------------------------------------------------------------
It all starts with understanding the organization. As you will see later, the sooner you get to know the organization's culture, vision, goals, and its overall approach to compliance, the better you can turn these insights into the foundation of your privacy strategy, saving yourself a lot of time and energy.
So keep this in mind, and let's start by getting back to basics:
Identify Data Types and Sources: Curiosity is your best asset. Dive into how the business operates. Identify what kinds of data are being collected, who handles it, and where it flows. Not just in relation to personal data; really get a feel for the business itself. Conversations with people across the organization are invaluable, so be open to meeting new people at meetings, lunches and networking events.
Map Data Flows: If your organization already has a Record of Processing Activities (RoPA), the register required by Article 30 GDPR, start there. It provides a snapshot of the current state and helps you catch up quickly.
And if there isn’t a RoPA, congratulations—you’ve just identified your first gap and primary priority.
This was a lesson I learned a year into the job, and I wish I'd understood it sooner. Knowing the organization will help you understand its risk appetite, i.e. how risk-averse or risk-tolerant it is, which can save you months of effort in the long run.
Risk appetite varies greatly. Some businesses aim for full compliance and are highly risk-averse, while others prioritize practical and flexible measures. I would encourage you to engage stakeholders, particularly management, to clarify this early on.
If you're the sole privacy professional, your decisions will carry more weight, and you can set the direction to some extent. In larger organizations, however, there may be multiple layers of decision-making, which can influence how risk appetite is defined.
Identifying the organization's risk appetite will influence how much effort you put into the RoPA and your risk assessments beyond the bare minimum.
Knowing the business and aligning your program to its culture and needs is crucial. This makes the difference between a successful and a failed GDPR initiative.
When I joined my current job, I was tasked with reviewing the existing GDPR program. It was based on a maturity assessment from a law firm, but despite the quality of the work, I quickly realized it was doomed to fail. Why? It was overly ambitious and didn’t align with the company’s actual risk appetite or resource availability.
I scrapped major parts of the original plan and started building on what did work, putting the pieces together in a new way. By using a maturity questionnaire from the Danish Data Protection Agency (DDPA), I built a GDPR maturity assessment tailored to our organization. From there, my team and I crafted a program focused on raising the maturity level sustainably, balancing compliance requirements with the available resources and ambitions of the organization.
The shift from a 100% compliance focus to a more practical one was transformative, and we gained a lot of buy-in from management across countries.
Engaging stakeholders and gaining their support is critical. GDPR compliance is a team effort, and clear, tailored communication can make all the difference.
Effective communication begins with understanding your audience. I was fortunate to work closely with our internal change management team, who taught me a lot about stakeholder management and effective communication.
They advised me to tailor my message to different levels of the organization: C-level executives need strategic insights, while operational teams benefit from practical guidelines. I also learned from them to figure out the preferred communication channels of my main stakeholders and adapt to their preferences.
However, one thing they didn't need to teach me, which I learned from being a privacy professional, is to be transparent in my communication. It not only builds customer trust, it also fosters trust and encourages collaboration within the organization.
----------------------------------------------------------------------
These lessons helped me transform chaos and resistance into a realistic, supported program. Once the foundation was set, I could focus on the more engaging aspects of GDPR, like developing policies, conducting training, implementing data protection measures, and building processes for data breaches and data subject rights.
GDPR compliance isn’t a sprint—it’s a marathon. By understanding your organization, aligning your program with its risk appetite, and prioritizing realistic goals, you can build a foundation that drives long-term success. Embrace the journey, learn from the challenges, and enjoy the rewarding process of fostering a culture of data protection.