Trend: Goodbye checklist compliance

10:38 PM, one Wednesday in May 2018. I had just typed “Legal Basis” into cell B14 of the spreadsheet. Remember those days? We had warned senior management that if we didn’t get GDPR under control, fines were looming. Now it was time to tick the boxes.

Published: March 11, 2025
Jacob Høedt Larsen, PR & PA

Fear and checklists — that was the recipe for many of us when GDPR stormed onto the scene in 2018.

My playbook back then?

  • Calculate 4% of annual turnover as the potential fine

  • Use that figure to get leadership's attention

  • Read the GDPR for minimum requirements

  • Build a spreadsheet with processing records and risks

  • Check the boxes – then get back to the core business

But now it’s 2025, and that approach no longer works.

The fear turned out to be unfounded

We used fear as leverage:
“If you don’t comply, you could be held personally liable. Goodbye board positions. Goodbye to Ferraris and Caribbean holidays.”

In reality, that strategy has proven counterproductive. For most companies, the risk of being caught is low, and the fines have, in practice, been relatively modest.

Many leaders have come to realize there was nothing to fear.

As one of my former bosses often said to our PR clients:
"It’s a strong message – right up until the journalist asks a follow-up question."

The same applies in compliance. If the entire argument is built on fear, the inevitable question follows: “But how likely is that really?”

Compliance should instead be built on a positive narrative – one that focuses on how a data protection program supports the business and creates value for people.

Checklists are no longer enough

The other part of my playbook was all about checklists. Probably yours too.

Checklist compliance isn’t just outdated – it’s inadequate in a world where risks and external expectations are constantly evolving. Instead, we need an approach that enables us to make balanced decisions about information security and data protection.

Yes, spreadsheets can be useful.
But they are rarely enough as a long-term compliance tool.

Many GDPR records from 2018 have never been updated.

It takes dynamic systems and ongoing integration with the business.

And perhaps most importantly: Compliance shouldn’t just be about being compliant – it should be about feeling confident in the processes and the work we do.

The future of GRC?

It demands more than checklists and fear.

It requires an eye for complexity, the courage to navigate change – and a willingness to make compliance a natural part of the business.

Not because we have to. But because it makes sense.

5 trends to turn fragile data protection and infosec into sustainable GRC programmes.

Sustainable GRC means moving beyond mere legal checklists to a framework that aligns with business goals, customer expectations, and long-term risk management.

The trends are:

Trend #1 From centralised authority to company-wide collaboration

Trend #2 From tick-the-box compliance to balanced decision-making

Trend #3 From problem-oriented to solution-oriented

Trend #4 From legal thinking to strategic involvement

Trend #5 From managing data subjects to caring about people
