Beyond legal #3: Why data protection leadership is more complex than just 'difficult' laws, and what it takes to succeed
Distinguishing between difficulty and complexity is crucial. Learn how a multi-disciplinary approach, beyond legal expertise, is essential to establish and run an effective data protection function or office.
Data protection leadership · Governance · Data protection purpose and strategy
Tim Clements
8/22/2025 · 6 min read


In this third post of my "beyond legal" blog series, I'm taking a slight detour by focusing on two important words: complex and difficult, because for many leaders, being responsible for data protection in your company isn't just difficult, it's extremely complex. (Simplification is another word we're reading a lot about these days and yes, it's often associated with complex and difficult, but I'll cover that later in this post.)
You're going to need to recognise the distinction between the complex and the difficult, and acknowledge that you must involve a diverse set of competences and capabilities. That really is the key if you want to build and maintain a robust and future-proofed data protection function or office.
So what's the difference?
"Difficult" describes work that requires significant effort, expertise, or resources to achieve. It might be challenging, arduous, or require specialised skills, and the path to success, while steep, is often discernible. To overcome difficulty, you need to make use of specific competences such as knowledge, skills, and behaviours (e.g. legal analysis, project management, communication).
"Complex" describes a system or challenge where a multitude of interconnected parts interact in non-linear ways that could, if you are not careful, result in unpredictable outcomes. It could involve an intricate system where a change in one area can have unforeseen ripple effects elsewhere. This is common in large corporations where business systems involve layers of capabilities that, on a basic level, you might categorise as ways of working, technology, people and organisational structures, and data and information.
How does this play out in the everyday reality of data protection? I want to illustrate this with three common scenarios and will, when possible, reference the SFIA skills framework (from now on it will be SFIA 9 rather than SFIAplus).
And whilst mentioning SFIA, the framework also includes "...generic attributes, business skills and behavioural factors" and among these is complexity (COMP) so explore this and the other attributes further if you want to look seriously at your own role and start crafting a professional development plan.
1. The laws and regulations: complex principles, difficult application
Too many people transpose the GDPR into checklists; if only it were that simple. Principles like "lawfulness, fairness, and transparency," "accountability," "purpose limitation," "data minimisation," and concepts like "data protection by design and by default" are inherently complex. They demand abstract thinking, ethical consideration, and the ability to apply broad ideas to a broad set of technologies. Applying the GDPR in any organisation, and understanding all the intricate interdependencies within its business model, is a complex intellectual exercise. It initially requires competences such as legal analysis and interpretation, and business situation analysis (BUSA) to assess business impacts as a first cut.
Then comes the difficult part: how to apply the GDPR consistently across your company's business operations, which may be spread across multiple geographies, each with other, conflicting laws. Harmonising consent mechanisms and cookie banners, or standardising data retention policies across your global operations, requires more than just legal knowledge. You'll need to gather a range of competences including requirements definition and management (REQM), feasibility assessment (FEAS), solution architecture (ARCH), systems design (DESN) and privacy engineering (if you have people with this currently rare competence), and don't forget risk management (BURM) to ensure you can begin to categorise the different types of risk you're dealing with and how you should interlock with your company's ERM.
If you are tempted to procure a privacy management tool, then I suggest you also include REQM, FEAS as well as enterprise and business architecture (STPL) and sourcing (SORC). Too many legal departments choose these tools without involving the right competences upfront and then wonder why they quickly run into problems.
2. Strategic vision & foresight (complex) versus tactical compliance (difficult)
Developing a relevant and adaptive data protection strategy that is aligned with business goals, anticipates emerging threats, and prepares for future regulations is a complex challenge. It requires the competence of strategic planning (ITSP), business situation analysis (BUSA), strong stakeholder relationship management (RLMT) to engage with your business colleagues, and often enterprise and business architecture (STPL).
Now the difficult part. Maintaining an accurate RoPA, conducting thorough DPIAs, or ensuring your privacy notices are "...concise, transparent, intelligible and easily accessible, using clear and plain language" (from a GDPR perspective) is a standard that will nonetheless create friction in other parts of the world. Figuring out how to comply is extremely difficult. I often suggest taking a product design or service design approach. That way you're linking a process, template or repository to a set of requirements which can be traced throughout the lifecycle. This requires a range of competences, but let's call out quality management (QUMG) and quality assurance (QUAS) because I rarely hear or read the word quality in data protection circles! That really is a problem and often results in clunky, awkward solutions like complex cookie consent banners or long-winded privacy notices.
3. Risk modelling & prioritisation (complex) versus mitigating identified risks (difficult)
Understanding the different categories of risk associated with data protection may, on the surface, appear to be straightforward, right? Risks to the rights and freedoms of individuals, or the risk of non-compliance. We really are in complex territory here, especially when you need to develop risk models that account for evolving threats in your business context and to be able to understand the interconnectedness of risks - the so-called ripple effects. These could be the trigger for other organisational risks such as legal risks, regulatory risks, operational risks, financial risks, reputational risks, etc. Another area of complexity is risk measurement or risk quantification, so you are able to prioritise, request funding and keep senior leadership informed in business language they understand. Here, using colourful 3x3 or 6x6 heat maps is often a waste of time. To overcome this you'll need to engage with those with competences in risk management (BURM) at both strategic and operational levels, privacy risk experts and information security (SCTY), to name a few. More about risk quantification will come in a future blog post.
Implementing specific controls to treat an identified risk (e.g. implementing time-limited location sharing, redacting sensitive information, or just-in-time transparency across a customer journey) is difficult. It requires competences including contextual business knowledge, solution architecture (ARCH), project management (PRMG) and potentially security operations (SCAD). If you have your own portfolio of projects, or your changes/projects have been concentrated in the form of a programme, then portfolio management (POMG) and programme management (PGMG) competences will also be relevant. The companies I've seen that I consider mature have built strong capabilities for data protection/privacy risk management, systematically identifying, measuring, prioritising, and mitigating risks across all business functions.
Why this distinction matters for effective data protection leadership
I think blaming the difficult aspects of fragmented enforcement or the complex nature of the law misses the point. An effective data protection leader is like the conductor of an orchestra. The leader does not need to be a legal expert; they need to orchestrate a multi-disciplinary effort. This involves cultivating all the individual competences across their team and the wider organisation while at the same time building strong capabilities that can respond to the inherent complexity of the company's data landscape.
A word about simplification
Back in 2022, I developed a short course titled Simplicity targeting the data protection teams of a global financial services client. The material I developed was inspired by a great little book called The Laws of Simplicity written by John Maeda. Although it's about 20 years old now, much of the content is still relevant. John Maeda covers 10 principles but in my training I focused on only 4 of the principles: reduce, organise, learn and context. Mastering inherent complexity in data protection is not about making data protection simple in the traditional sense. We can apply John's simplicity principles to manage it effectively.
So, applying the 4 principles I selected, a data protection leader can reduce the unnecessary noise and distractions by focusing on the key data protection risks and processing activities, rather than getting lost in every minor detail, spending all day firefighting and getting nowhere. They can organise their documents, information, processes, and data flows in logical structures to make everything clear and understandable - here I've always been a fan of establishing a "data protection management system", typically in SharePoint or something similar. Also, leaders can establish a continuous culture of learning that ensures you explain things to the workforce (in their context) and that they are kept informed and equipped to adapt to new threats and evolving interpretations. Finally, all work must be anchored in context, ensuring solutions fulfil specific business needs, in line with your company's risk appetite and jurisdictional variations. Another client of mine, a global MedTech company, over the years moved beyond generic compliance to embedded, effective data protection by following similar simplicity principles. Get your hands on John's book if you want to be inspired!
Purpose and Means is a niche data protection and GRC consultancy based in Copenhagen but operating globally. We work with global corporations, providing services with flexibility and a slightly different approach from the larger consultancies. We have the agility to adjust and change as your plans change. Take a look at some of our client cases to get a sense of what we do.
We are experienced in working with data protection leaders and their teams in addressing troubled projects, programmes and functions. Feel free to book a call if you wish to hear more about how we can help you improve your work.
Purpose and Means
Purpose and Means believes the business world is better when companies establish trust through impeccable governance.
Based in Copenhagen, operating globally
tc@purposeandmeans.io
+45 6113 6106
© 2025. All rights reserved.