As I clipped into my pedals, the starting gun for my first off-road gravel cycling race of the year echoed, and a cold wave of realisation washed over me: I had done almost no training. Zero. Zilch. It was highly likely I was about to physically ruin myself.
Back in January, fueled by New Year’s resolutions and the optimistic belief that this 76km event with 775m of ascent across the Somerset levels, Brean Sands, and up through the spectacular Cheddar Gorge would be a fantastic catalyst for my fitness, two friends and I signed up. I had over three clear months to prepare. Plenty of time, I told myself.
Then, as it always does, life happened. Work projects piled up, family commitments beckoned, illnesses struck, and let’s not forget the siren call of “just one more episode” of the latest Netflix boxset. My good intentions were steadily eroded. January slipped into February, then March, and each week I’d tell myself: “Next week, I’ll start. Just after I clear that work project. Or the garden.”
Suddenly, and with absolutely no warning (at least it felt that way), it was the first weekend of May. Still, I clung to the delusion that I had enough time to train. It wasn’t until the week of the race that the cold, hard truth set in: while my two friends were well prepared and ready to tackle the challenge… here I was, about to completely wing it. And, oddly, what I realised at that moment was that this situation was actually quite similar to what I see daily in my work in data protection.
What does this have to do with data protection?
Over the past few years, I’ve spoken to many professionals about their approach to data protection compliance projects or information governance within their organisations. And for some, their method uncannily mirrors my pre-race “preparation.”
We all start with the best intentions and a clear goal: to cross that compliance finish line. This often looks like a comprehensive suite of policies and procedures aligned with current legislation, adequately trained staff, and meticulously updated asset registers, Records of Processing Activities (ROPAs), Subject Access Request (SAR) logs, and Data Protection Impact Assessments (DPIAs). But few people openly discuss, or even recount, the actual journey to reaching that point (if they ever truly do).
Preparation is your compliance GPS
Just like training for a challenging cycling event, preparation is also key in data protection.
Carrying out an audit, even if it’s just an internal or departmental one, is a good starting point. Think of it as your initial fitness assessment, gauging your current compliance status and identifying gaps. From this baseline, you can develop a clear plan, pinpointing areas that need improvement (your “endurance” training) and allocating the necessary time (whether it’s dedicated daily sessions or a set amount of time each week).
Don’t forget to assess your “bike”, the appropriateness of your company’s infrastructure, software, and IT. And crucially, consider the “friends you’re doing the event with”: the people on your team and those supporting various departments who will help drive compliance forward.
During this process, there will be moments when crossing the finish line seems impossible. But your colleagues will be there to encourage you, offer wise advice, or just give you the necessary nudge to keep pushing. No matter the challenge, each small step and each turn of the pedal takes you closer to the finish line, whatever that may look like in your world.
The less stressful path to compliance
What I’m really getting at is this: if I had properly prepared for that cycling race, undertaken regular training, focused on nutrition, honed in on key areas, and set aside dedicated time, I would have arrived at the starting line feeling far more confident and, dare I say, actually looking forward to it. As it turned out, I did complete the event, and I was incredibly proud of myself. But if you don’t prepare for challenges like this, they won’t all turn out the same way.
It’s safe to say that my journey to the finish line would have been significantly less stressful if I had simply prepared and put even a modest plan in place. And if this is the case for a cycling event that, while really important to me, doesn’t really affect anybody else, then think about how vital it will be when it comes to safeguarding the personal data of who knows how many people?
So, next time you’re heading toward your goals, whether that’s steering your organisation to compliance or pedalling your way to off-road cycling victory, make sure you put plenty of time and thought into making sure you’re prepared. It truly makes all the difference.
Written by Kristal Rocks
