
Beyond legal #2: Why every data protection and AI governance leader needs SIRA competences in their toolkit

Your data protection or AI governance work is not stuck because the law is too complicated or your systems are outdated. It’s stuck because you’ve not gathered the right competencies to anticipate, assess, plan, implement and eventually run.


In an earlier post, Simplify the GDPR? Upgrade your competences instead, I argued that successful implementation of data protection or AI laws and regulations isn’t about simplifying rules. It’s more about leadership and possessing competences that drive change. In Beyond legal #1: The data protection leader’s journey begins, I suggested these include business analysis, stakeholder engagement, programme management, and strategic governance. In this second post, I propose that what companies need, especially around data protection and AI governance, is not more checklists, but strong Strategic Impact & Readiness competences.

Strategic Impact and Readiness Analysis (SIRA)

You will always be on the back foot if you wait to react to the deluge of change that is coming: new laws and regulations, changes to existing ones, new technologies, societal change, geopolitics. It’s not going away, and the longer you leave it before addressing what’s relevant, the harder it will be to wrestle back control.

As mentioned in earlier posts, leaders need to look at themselves in the mirror and ask themselves, firstly, are we assessing strategic impact and readiness? Secondly, are we doing it well? If the truthful answer to both questions is no, the next question is whether you have the necessary competencies to perform the work.

The key is to recognise whether you do, or do not have the competences, and then acknowledge the gap by taking action. Do not think you’ll get by and muddle through - this is often the root cause of failure, and then it’s easier to blame “that complex law.”

So what is strategic impact and readiness? It’s the set of capabilities that turns a legal requirement, or emerging tech, into a strategic transition: scanning the horizon for weak signals of change, identifying impact across various perspectives, identifying root causes of related issues, prioritisation, scheduling the delivery of both work products and outcomes in an organised, visual roadmap, and then formulating a business case that you present to senior leadership for their buy-in and approval.

I’ve now mentioned capabilities, and you may be wondering how they relate to competences. They are related, but they represent different aspects of our human abilities. From my perspective, capabilities are the broad abilities that enable us to perform a specific work task or our job. Competencies are the specific, measurable skills and knowledge that actually contribute to those capabilities.

So within the capabilities I’ve just mentioned, there are a number of competences that are needed (either yourself, or professionals you bring in), and I’ll again reference SFIAplus from BCS:

Strategic impact and readiness analysis will help you move from reactive compliance to proactive readiness, and it fosters collaboration across multidisciplinary teams, e.g. legal, risk, data, HR, digital marketing, product, etc., so that everyone sees and experiences their part in the change that needs to happen.

I’ll illustrate how this works in practice with a brief case example.

AI Regulation Readiness

Imagine a mid‑sized financial services company preparing for EU AI Act obligations. Here’s how conducting SIRA works, in brief:

**Horizon scanning:** Legal monitors recitals; risk reviews models; data ops maps systems.

**Impact mapping:** They discover opaque model code, weak consent flows, ungoverned data sets, lack of explainability.

**Root causes:** Legacy data platforms, siloed model developers, no central governance.

**Prioritisation:** Explainability and transparency are top‑priority; consent compliance next; platform reforms third.

**Roadmap:**

  • Over Q1, review AI inventory and update documentation.

  • Over Q2, deploy explainability tools and train data scientists.

  • Over Q3, integrate data governance workflows and audit output.

In reality, conducting this type of analysis often involves bringing colleagues together in one or more workshops. It could be a half-day workshop, or several workshops spread over days or weeks - in-person, virtual and/or hybrid.

Key questions for you

Do you, or does your team, have strategic impact & readiness competences in house?

Where are the gaps, and how might building SIRA competences avoid reactive chaos the next time a new regulation or a geopolitical event impacts your company?

**Purpose and Means** is a niche data protection and GRC consultancy based in Copenhagen but operating globally. We work with global corporations, providing services with flexibility and a slightly different approach to the larger consultancies. We have the agility to adjust and change as your plans change. Take a look at some of our client cases to get a sense of what we do.

Author
Tim Clements
Tim Clements is Business Owner of Purpose and Means, a data protection and GRC consultancy based in Copenhagen, operating globally. He helps data protection and GRC leaders simplify complexity into actionable strategies, providing tools, training, and support to engage and influence across the organisation. Tim is a Chartered Fellow of the BCS (British Computer Society).
