Who are the key stakeholders in a GDPR compliance project?
Compliance with the EU General Data Protection Regulation (GDPR) can involve many stakeholders. This is especially true for mid- and large-sized organisations. This can be overwhelming for some people. In this article, we talk about key stakeholders that should ideally be part of your GDPR project.
Who are the key stakeholders?
To identify the key stakeholders, you should think about which of your colleagues should play a key role in working with you to define and implement privacy and data protection. In a large or mid-sized company, this list usually includes:
- Representative of the legal department, as there will be a need for input about local laws and legal requirements.
- Representative of the compliance and risk department, as there will be a need to evaluate (and assess) risks and compliance.
- Representative from marketing, as privacy decisions can have an impact on marketing activities and this needs to be discussed upfront.
- Representative from human resources, as there will be a need to remain aligned with HR policies when privacy choices are being made in the context of employees.
- Representative from procurement, as there will be a need to remain aligned with supplier policies when privacy choices are being made in the context of supplier personnel.
However, in a small company, one should consider limiting key stakeholders to executive managers like the director and CEO.
When engaging the key stakeholders, you should keep in mind that you are looking for an alliance or partnership with them in their areas of business. Do remember that you bring the privacy expertise, and the key stakeholders bring the specialised knowledge of their different departments.
Currently, we are talking about only identifying the key stakeholders. Don’t expect that they will be dying to start working on the GDPR as soon as you identify them. If you think so, you are in for a reality check. Once you have identified them, the next action or challenge is to get them to listen to you. Before we start, let us understand what they might think about privacy.
You may have prepared a nicely worded PowerPoint pitch, but don’t expect your key stakeholders to grasp all the benefits after a 20- or 30-minute meeting. No matter how nice your PowerPoint presentation looks, unfortunately, it will take time for key stakeholders to understand. So, you need to be patient and be prepared for a long process.
Here are a few techniques you may use for presenting your case in a more effective way:
- Prepare a pitch for key stakeholders. Chances are, you’ll achieve much more in informal occasions than in formal meetings ‑ e.g., when you accidentally stumble into your CEO or COO in a cafeteria, in an elevator, or similar. If you are not prepared for such an occasion, you’ll probably get confused. Therefore, you have to prepare a so-called elevator speech: a 30- to 60-second speech where you vividly present your case. When you rehearse it well, you will sound confident and convincing. For example, my elevator speech is: “The investment in GDPR will pay off if we can answer data subjects to avoid lawsuits and respond to the supervisory authority to avoid incurring fines”.
- Make allies. You need to find people who are close to your CEO and executive board and who would naturally be interested in what you are doing ‑ for example, your head of marketing might see privacy and protection as a way to decrease the number of marketing campaigns the company can run, so he or she may need to be convinced that the right approach can help the company run the right campaigns, in line with the law, and engage more customers. In any case, do your homework and research who would be interested in privacy and protection risks and benefits. These people will not only give you additional insight into how privacy and protection will help the company; they will also make it easier to get to the agenda more quickly.
- Be careful with words. Remember, your target group is top managers who don’t understand or don’t like your geeky expressions. For example:
- Replace the word “cost” with “investment” (By investing in …, we will save xyz euros…)
- Replace the word “probability” with “risk” (We will decrease the risk of…)
- Replace the word “incident” with “damage” (We will decrease the damage by implementing…)
Now that you know all of this, it is important to summarise that buy-in and alliance with key stakeholders is critical to the success of your GDPR implementation. And, for that, you will need to be patient and persistent.
Do not hesitate
In summary, compliance with the GDPR will require engagement with key stakeholders across your organization; and, to achieve this, you must identify the right stakeholders. Once identified, you should prepare an approach to engage them, and this would require a persistent and patient method. So, go and identify the right stakeholders as you plan for your GDPR implementation project.