Convincing Organizations of the Value of Privacy
Working in the world of governance, risk, and compliance (GRC) can sometimes feel as if you’re acting out a Cassandra complex. The internet has opened up immense opportunities and possibilities for business, but it has also brought an underbelly of risk and danger that poses real damage to both consumers and the public at large.
As GRC and/or data privacy professionals, it’s our job to manage those risks, stay on top of data regulations worldwide, and often be the vanguard of thankless operations.
It doesn’t have to be this way, and in fact, it shouldn’t.
The average consumer blankly clicking away their data because the typical privacy policy clocks in at nearly 7,000 words is a travesty. Dulling people’s senses to a very real matter trains them to only notice the bad, such as data breaches at global enterprises that affect tens of millions.
When is the last time your neighbor or cousin gave even ten seconds of thought to how a company was using their data? On a large scale, that cognizance does not happen, and we are worse off for it.
While there remains a burning need to run public awareness campaigns across the country on data rights and corporate data collection processes, work remains to be done in-house as well. Innovative companies trying to manage data responsibly are out there, but for too many organizations, privacy and GRC do not track as priorities or core teams.
Here’s the playbook for convincing your organization of the value of privacy.
Make it Relatable
Everyone who has spent time on the internet is aware of data privacy problems and has likely been affected by them, even if they wouldn't describe themselves as data privacy champions.
Simply put, most people can relate to privacy frustration but have too much on their plate to do much about it, which is a big reason for phenomena like cookie fatigue and learned helplessness.
Have you ever clicked away from a website because its consent notice was manipulative or annoying? Most people have.
Have you ever hesitated to enter your real name, or worse, your credit card details, on a website? Most people have.
Have you ever heard about one of the many major data breaches that occur annually and gotten angry about how the organization could allow that to happen? Most people have.
The public’s frustration with these bad data practices is on the rise: the California Privacy Protection Agency noted that between July 2023 and June 2024 it received 2,176 complaints. That’s only about six a day, but for a law that not many consumers know about, it’s encouraging to see more and more people take action.
That mindset is how you need to talk to people within your organization. Don’t be a brand that people complain about. The collective frustration over data privacy is powerful and relatable, and is a good starting point for avoiding consumer-unfriendly data collection practices.
Don’t Be Too Much of a Wonk
The world of GRC and privacy has more acronyms than a Latin American political movement. Professionals within the sphere have trouble staying on top of new regulation and developments, so imagine how little attention people outside the industry can devote to it.
If you want your friend to try and get into baseball, you’re not going to introduce them to WAR, FIP, or wOBA for quite a while. GRC is the same way (although we’ll let it slide as its own acronym).
No one needs to be an expert in privacy to understand its role in an organization, and privacy professionals should be approaching these conversations less like a source of knowledge and more like a source of assistance towards a broader organizational goal.
Lego’s recent privacy policy video hits this excellently from a consumer point-of-view, touching on major points without getting bogged down in unnecessary details.
When you talk to different departments, relate to them on their terms. What does the Product team need to know about Article 25 of GDPR? What does R&D need to be aware of about the EU AI Act? How is Texas’s new data privacy law going to affect the Marketing department?
Find Support Within Every Department
Doubling down on the point above, GRC has gotten a reputation as a bit of a party pooper (although don’t worry, dear reader, we know you personally are not!).
Why? Because when you’re not active in your organization, people come to you asking whether they can do things in compliance with regulations or with data security and privacy best practices. The framing of those conversations unfortunately means the privacy professional often ends up answering “no” to a lot of questions.
Don’t be that person, because then people from different departments will be hesitant to come to you for consultation.
By taking a proactive role and embedding yourself in the processes and goings-on across the organization, you can set the table for conversations when it comes to product development, data system use, and other matters of risk.
This allows you to work towards solutions and workarounds rather than acting as final boss of approval, turning you from a source of rejection and delay into one of the most valuable brainstorming minds in the company.
Even if it isn’t possible to reach an entire team or get bandwidth from everyone, finding the voices that respond to you and can echo your sentiments will amplify the message.
Operationalize Privacy
The next step to proactively involving yourself with different departments is operationalizing privacy and compliance.
What does that look like in practice? Demonstrating privacy by design and privacy by default principles in your product development and championing solutions that minimize privacy harms.
Smart toilets are just as much a privacy disaster waiting to happen as they are an innovation.
Building consumer-safe products is about more than just internal product development. Call out examples of products on the market that have failed to account for privacy and GRC (like Microsoft’s Recall feature), explain where they fall short, and point to products that do privacy right.
Educating the organization on use cases and successes and failures makes it easier to hit the mark when turning plans into product.
Show the ROI
Even once you have talked to others across the organization in a way that conveys the value and relatability of privacy and compliance, taken a proactive approach in product development, and followed through on the end result, one thing remains: most organizations are focused on operational efficiency, and that is where the case has to be closed.
Lean operations, streamlined processes, and cost-saving measures are key in today’s economy, and although GRC and privacy are not traditionally seen as revenue drivers, they have the power to be in capable hands.
From a pure compliance standpoint, these operations need to exist, or an organization could find itself in trouble with regulators very quickly. That’s where good tools come into play.
Data subject requests (DSRs), the public exercising their data rights, account for a major portion of data governance operations now. And yet, with the average organization’s data stack composed of hundreds of data systems, completing just one DSR is a time-consuming process. Statistics from our data governance platform, MineOS, show that the average DSR requires data to be accessed from at least nine data systems. That means hours and hours of work and severe operational inefficiency, especially if you need to loop in other departments because your organization lacks a comprehensive data map.
What’s worse than fulfilling GRC tasks without proper tools? The brand damage data privacy and security incidents cause.
Organizations that handle data in a cavalier way only open themselves up to risk, and if the day comes when something does happen, the public is not going to be happy about it.
The one-two punch of staff hours saved and crises averted makes data privacy and governance an unseen driver of revenue growth, which sensible management will recognize when presented with the facts.
Need help maximizing your privacy and compliance program? See how MineOS, the highest customer-rated solution around, makes privacy approachable for everyone.