The two faces of compliance
Let me start by saying that I hate Microsoft Outlook, especially on the Mac. If you go to an email thread where you were the last person to send a message and you hit ‘reply’, it sends to you, and only you. In the era where emails are nested into threads, this is insane. I tell you this to somewhat excuse myself in the story I am about to share.
A few years ago, I was handling a compliance request on behalf of a client. Their client had emailed them with a stack of paperwork that had to be completed. Most of this paperwork was, almost inevitably, totally irrelevant to what my client was doing. But it still had to be filled in diligently, in order to prevent someone from the ultimate client’s head office seeing a blip on their screen, and ordering everyone to stop work.
In order to complete this paperwork, I needed some information from the team working on the project. They were busy people, and I wanted to be clear to them that my aim was to bother them as little as possible. I therefore sent a message to this effect:
There are two types of compliance.
There’s the stuff that is tedious make-work. It doesn’t serve any value to the project, and so we should just get it done with the minimum effort.
Then there’s the stuff that’s actually useful. It prompts us to think about outcomes we care about. It prompts us to think about our work from a new angle. This is worth thinking seriously about.
Can we have a chat about how to do both of these soon?
Dear reader, I replied-all and sent this to the client’s client.
I realised what I had done later the same day (Friday!), and immediately replied directly to them with some attempt to smooth things over, before spending the weekend worrying I might get sacked.
Their reply came on Monday morning:
Don’t worry. I agree.
Phew!
This story, I think, illustrates an important general point.
Type 1 compliance only needs to be done on paper. Someone, somewhere needs to see a report. Their job is to prevent their foundation from being associated with scandals. They do not want to lose their job, and so they make everyone fill in a piece of paper saying “I will not cause a scandal” on a six-monthly basis. A lot of policies in a non-profit’s staff handbook exist for this reason[1]. And what’s more: everyone knows this.
Type 2 compliance is different. If you work with vulnerable groups, you really do care that they don’t come to any harm as a result of your work. If your work has a political component, you really do care that you are not supporting corruption. All kinds of harm can happen inadvertently. It’s important to think proactively and creatively about these risks and how we manage them. This is inherent to the quality of the work your organisation does.
But because everyone knows that Type 1 compliance is purely theatrical, it creates a veil of boredom and frustration that we have to pierce through in order to get to the Type 2 stuff that matters.
A lot of compliance training is Type 1. It’s the obligatory GDPR module that teaches you the list of the six lawful bases for processing, or the cybersecurity module that tells you never to click on a link in any email ever (preposterous advice in 2025).
But if you aspire to offer people Type 2 training, consider some of the following:
Describe why it matters to the people doing the work, in terms they care about
Identify the basic behaviour changes that someone has to adopt to make the work safer (what, concretely, do they have to do differently?)[2]
Share the knowledge that is not obvious, or is even paradoxical (such as the things that can be signs of a problem that most people wouldn’t recognise as such)[3]
Get experienced people, who are good at understanding the full complexity of what you do, to share real stories of things that they have seen go well and badly
Above all, have discussions about the real situations in front of you. It’s the ongoing discussion of real projects, with their messy specifics, where we truly navigate the ethics of our work.
[1] I quote a colleague new to the sector: “I’d never heard the word ‘policy’ so many times until I joined an NGO.”
[2] For instance, if you want to be a better steward of personal data (i.e. improve your GDPR compliance position), the first behaviour to master is noticing personal data. It is so ubiquitous that it is hard to see.
[3] Metaphorically, this is the fact that people drowning often do not splash about and scream, but in fact bob around motionless in the water in a way that is not attention-grabbing. Literally, it’s things like the fact that children who are regularly reluctant to go home at the end of an activity may be suffering abuse. Or, of course, they may not - but this is one of the signs that teachers and youth workers should be looking out for, as part of a broader picture. And it’s a much less obvious sign than, say, turning up with mysterious bruises.