Beyond legal #2: Why every data protection and AI governance leader needs SIRA competences in their toolkit
Your data protection or AI governance work is not stuck because the law is too complicated or your systems are outdated. It’s stuck because you’ve not gathered the right competencies to anticipate, assess, plan, implement and eventually run.
Tim Clements
8/20/2025


In an earlier post, Simplify the GDPR? Upgrade your competences instead, I argued that successful implementation of data protection or AI laws and regulations isn’t about simplifying rules. It’s more about leadership and possessing competences that drive change. In Beyond legal #1: The data protection leader’s journey begins, I suggested these include business analysis, stakeholder engagement, programme management, and strategic governance. In this second post, I propose that what companies need, especially around data protection and AI governance, is not more checklists, but strong Strategic Impact & Readiness competences.
Strategic Impact and Readiness Analysis (SIRA)
You will always be on the back foot if you wait to react to the deluge of change that is coming: new laws and regulations, changes to existing ones, new technologies, societal change, geopolitics. It's not going away, and the longer you leave it to address what's relevant, the harder it will be to wrestle back control.
As mentioned in earlier posts, leaders need to look at themselves in the mirror and ask: firstly, are we assessing strategic impact and readiness? Are we doing it well? And if the truthful answer to both questions is no, the next question is: do we have the necessary competencies to perform the work?
The key is to recognise whether you do, or do not have the competences, and then acknowledge the gap by taking action. Do not think you'll get by and muddle through - this is often the root cause of failure, and then it's easier to blame "that complex law."
So what is strategic impact and readiness? It’s the set of capabilities that turns a legal requirement, or emerging tech, into a strategic transition: scanning the horizon for weak signals of change, identifying impact across various perspectives, identifying root causes of related issues, prioritisation, scheduling the delivery of both work products and outcomes in an organised, visual roadmap, and then formulating a business case that you present to senior leadership for their buy-in and approval.
I've now mentioned capabilities, and you may be wondering about the relationship with competences. They are related but they represent different aspects of our human abilities. From my perspective, capabilities are the broad abilities that enable us to perform a specific work task or our job. Competencies are specific, measurable skills and knowledge that actually contribute to the capabilities.
So within the capabilities I've just mentioned, there are a number of competences that are needed (either yourself, or professionals you bring in), and I'll again reference SFIAplus from BCS:
Strategic impact and readiness analysis will help you move from reactive compliance to proactive readiness, and it enables collaboration across multidisciplinary teams (e.g. legal, risk, data, HR, digital marketing, product, etc.) so that everyone sees and experiences their part in the change that needs to happen.
I'll illustrate how this works in practice with a brief case example: AI Regulation Readiness
Imagine a mid‑sized financial services company preparing for EU AI Act obligations. Here’s how conducting SIRA works in brief:
Horizon scanning: Legal monitors recitals; risk reviews models; data ops maps systems.
Impact mapping: They discover opaque model code, weak consent flows, ungoverned data sets, lack of explainability.
Root causes: Legacy data platforms, siloed model developers, no central governance.
Prioritisation: Explainability and transparency are top‑priority; consent compliance next; platform reforms third.
Roadmap:
Over Q1, review AI inventory and update documentation.
Over Q2, deploy explainability tools and train data scientists.
Over Q3, integrate data governance workflows and audit output.
In reality, conducting this type of analysis often involves bringing colleagues together in one or more workshops. It could be a half-day workshop, or several workshops spread over days or weeks, held in-person, virtual and/or hybrid.
Key questions for you
Do you, or does your team, have strategic impact & readiness competences in house?
Where are the gaps, and how might building SIRA avoid reactive chaos next time a new regulation or a geopolitical event impacts your company?
Purpose and Means is a niche data protection and GRC consultancy based in Copenhagen but operating globally. We work with global corporations providing services with flexibility and a slightly different approach to the larger consultancies. We have the agility to adjust and change as your plans change. Take a look at some of our client cases to get a sense of what we do.
We are experienced in working with data protection leaders and their teams in addressing troubled projects, programmes and functions. Feel free to book a call if you wish to hear more about how we can help you improve your work.