Beyond legal #5: Get to know your data management and data governance colleagues
Data protection leaders must evolve beyond a purely legal and compliance-based role by familiarising themselves with the principles of data management and data governance. To succeed, they must collaborate with technical and business teams, shifting their narrative from risk avoidance to one that enables innovation and builds trust as a competitive advantage.
DATA PROTECTION MATURITY, DATA PROTECTION LEADERSHIP, GOVERNANCE
Tim Clements
8/28/2025, 7 min read


In this fifth post of my beyond legal series, I will outline some more essential non-legal competencies a data protection leader needs, explain how to engage with the teams that hold these skills, and also provide a few examples of the kind of narratives required to change the tone of the conversations you'll need to have with them.
Many years ago I worked with a bloke whose most used expression was "...we're building on sand." He was head of the server build team in a large financial services company and very mindful that his work was highly dependent on having a firm foundation in place. He was quality conscious, and would often use this expression in project team meetings, especially when we would get status on open issues in the project issues log. He was 100% correct.
I think of that expression often when hearing data protection leaders taking a minimal compliance-based approach to data protection or AI governance. Attempting to place any kind of framework on top of poor data practices is like building on sand.
The data protection leaders who understand this tend to be more quality-conscious and have a higher likelihood of succeeding.
Breaking free from the "Office of No"
As I allude to often in my posts, in many companies the data protection team is perceived as the team that says "no" to innovation, a necessary evil, a cost centre only focused on avoiding fines.
The good news is, this view is changing, but if this label persists in your company, it can be highly detrimental, especially if you're working in a data-driven or data-dependent company. You are going to have to change that perception and become a data protection leader that is seen as a strategic partner who understands that well-managed data is non-negotiable.
The competencies you need to embrace
Let's begin with some definitions and I'm sure from a data protection perspective you'll immediately see some connections. In this post I am turning to DAMA rather than SFIA because I personally feel DAMA is the primary reference when talking all things data.
The DAMA definition of data management is: "Data Management is the development, execution, and supervision of plans, policies, programs, and practices that deliver, control, protect, and enhance the value of data and information assets throughout their life cycles."
In plain English, this means data management is the professional, end-to-end discipline of actively managing data as a valuable business asset to make it useful, safe, and increasingly profitable.
DAMA's definition of data governance is "...the exercise of authority and control (planning, monitoring, and enforcement) over the management of data assets," which, in plain English, is about using power and rules to manage your company's data effectively, ensuring it's well-organised, kept safe, used correctly, and accessible to those who need it.
Now, it's worth mentioning at this point the difference between governance and management and the need to differentiate the two. Mark Thomas wrote a great post about this a while back that really does highlight the misuse and lack of understanding of the word governance by some organisations.
In a nutshell:
Data Management is the doing, the hands-on work of managing the data lifecycle.
Data Governance is the ruling, the leadership, decision-making, and oversight that ensures the work is done right.
I will also cover the misuse, building off Mark's post in the coming month or two.
Why these competencies are non-negotiable for data protection leaders
Compliance will be achieved if you focus on good data practices, but it's not the only objective. Understanding data management and data governance allows a data protection leader to see the upstream processes that create downstream risks. You can't effectively conduct a DPIA if you don't understand the data life cycle or the rules governing its use. You will continually struggle to fulfil data subject requests, and you will always struggle to maintain your RoPA - to name a few examples.
So much of what we need to achieve in data protection is dependent on data management (DM) and data governance (DG). I think the clue is in the word data :-)
To gain credibility you must speak the language of the teams
If you haven't already done so, you will need to build good relations with the DM and DG teams. A data protection leader who only speaks in riddles of legal articles will not be taken seriously by data engineers, data scientists, and product managers.
Discussing "data retention schedules" or "data stewardship models" shows you understand their world. This builds trust and turns you into a valued collaborator rather than someone who is more interested in dotting 'i's and crossing 't's. I therefore highly recommend familiarising yourself with a framework like DAMA. I'm not suggesting you become certified, but there are some good YouTube videos that give you the basics, and enough knowledge that you can begin to join the dots of what you need to achieve from a data protection perspective.
A downside I see often with a strong legal approach is that it is often reactive, e.g. responding after a new law or regulation is passed or a complaint is lodged. Once you can see the connections between your world and the world of DG and DM, you can begin to become more proactive and less reactive. In other words, you are supporting principle 1 of Privacy by Design (PbD), and mastering these competencies will allow you to embed PbD (or the broader discipline of data protection by design and by default, from a European perspective) into the data protection framework you need to establish. In your own work, get things right the first time, and prevent future legal issues and expensive re-work. This is also at the heart of quality management - a term that is unfortunately rarely mentioned in legally-oriented data protection circles.
Moving from an Ivory Tower to the Trenches
A data protection leader is a hub, not an island. Your success really does depend on your ability to connect with and influence those with deep technical and business expertise. Now I acknowledge every company is different and the differences are very important to understand, but in many cases you'll find some of the roles I'm mentioning below in your company, albeit with slightly different titles, and these are listed in no particular order of importance. Again, it's just a few examples I'm listing here.
Chief Data Officer or Head of Data: This individual is your natural ally because they are focused on leveraging data as an asset. Your work can help them do it responsibly and you need to convince them of that.
IT and systems architects: They design and manage the infrastructure where data lives. Engage with them on data life cycle management, implementation of security controls and pseudonymisation techniques, for example.
Product development teams: Build their trust and you might get a seat at the table during the ideation phase, rather than the night before go live. Help them innovate with privacy-enhancing features.
Marketing and analytics teams: They normally have the big budgets, which is an excellent reason to get to know them. They are also at the sharp end of data collection and use, deploying emerging, risky technologies, and when things go wrong, it goes wrong big time. Help them understand the difference between insightful personalisation and intrusive surveillance.
As part of your own personal transformation, you'll need to get in the habit of:
Becoming a problem-solver: Don't just identify problems. Ask, "What business outcome are you trying to achieve? Let's find a compliant way to get there."
Using their tools and techniques: Participate in their agile sprints, join their project kick-offs, and learn to read (and eventually make) a basic data flow diagram. Show up in their environment.
Being a translator: Act as the bridge between technical jargon, business goals, and legal requirements. Translate "legalese" into actionable steps for the teams, rather than vague, abstract requirements.
Your new narratives - changing the conversation
Your language shapes your company's data protection culture. Get rid of the fear-based narratives you may have used in the past and adopt the language of strategy and trust. Here are a few examples, but of course the most effective ones will be your own, in your company context.
From "compliance police" to "innovation enabler"
Old Narrative: "You can't do that because the GDPR says..."
New Narrative: "I see what you're trying to build. My job is to help you do that in a way that builds consumer trust and avoids future problems. Let's map out the data flows and find a solution together."
From "data as a liability" to "trust as a competitive advantage"
Old Narrative: "Every piece of data we collect increases our risk profile."
New Narrative: "Our commitment to ethical data handling is our market differentiator. Consumers choose us because they trust us. Our strong data governance isn't a cost, it's an investment in our brand reputation and customer loyalty."
From "doing no more than we need to do" to "future-proofing the business"
Old Narrative: "We're doing just enough to be compliant with the GDPR."
New Narrative: "The regulatory and consumer landscape is constantly evolving. I want to align with your strong data practices so we aren't just addressing today's laws, we're creating a resilient data ecosystem that can adapt to whatever comes next."
To conclude, it's clear your role of data protection leader has fundamentally changed and though legal expertise gets you a seat at the table, if you want to succeed as the leader and sit at the top of the table, you need to stop building on sand. You need to understand and embrace those in your company that also have data in their titles - they will ultimately help you succeed.
Purpose and Means is a niche data protection and GRC consultancy based in Copenhagen but operating globally. We work with global corporations providing services with flexibility and a slightly different approach to the larger consultancies. We have the agility to adjust and change as your plans change. Take a look at some of our client cases to get a sense of what we do.
We are experienced in working with data protection leaders and their teams in addressing troubled projects, programmes and functions. Feel free to book a call if you wish to hear more about how we can help you improve your work.