The Compliance Navigation:
cross-functional consensus building
stakeholder education
risk mitigation
I was brought in to identify analytics requirements, but the organization had no approved pathway to access the data it would be collecting, and Legal, Privacy, and Compliance had defaulted to maximum risk aversion.
My role was to transform risk-averse gatekeepers into collaborative partners by pioneering the first approved use case for patient data, establishing the framework that became the company's formalized data request process.
The Problem
The client had invested heavily in building their first direct-to-patient support program to own patient data and generate richer insights than vendor partnerships could provide. But Legal, Privacy, and Compliance had no precedent for handling self-reported patient data and defaulted to prohibiting all access. This created a paradox: the entire point of building an in-house program was to unlock insights, but the organization's fear of regulatory exposure threatened to make the data entirely unusable. Without established protocols for what data could be accessed, at what granularity, and under what conditions, the organization couldn't extract any value from the patient data being collected. My dashboard project became the test case that would either prove the model viable or confirm that the organization couldn't operationalize what it had built. The challenge was that Privacy and Compliance had been consulted late in the program development process, Data Governance was a fledgling function of just one person, and all the uncertainty created paralysis.
The Solution
I facilitated a months-long series of cross-functional conversations that transformed vague concerns into concrete policies. Rather than treating Privacy and Compliance objections as roadblocks, I used my dashboard mockup as a discussion tool, walking stakeholders through each visualization to dissect what data points were required, how calculations would be performed, how data was collected, and why specific levels of granularity mattered to the business. Through these sessions, we negotiated our way to consensus. For example, when Privacy initially prohibited zip codes entirely under Safe Harbor regulations, I worked with them to identify middle ground: we eventually secured permission to use the first three digits, with certain zip codes entirely prohibited and minimum patient thresholds before data appeared on dashboards. By pioneering the first approved use case of patient data, I effectively established the template that Data Governance later formalized into the company's first data request process, complete with privacy impact assessments and approval pathways. I wasn't ready to accept "no" without understanding why, and I realized the prohibition stemmed from uncertainty rather than true compliance barriers. By being proactive and consistent in helping Legal and Privacy understand the business need, inviting them to co-create boundaries, and translating business requirements into privacy terms, I got everyone on the same page and removed the paralyzing anxiety that had stalled progress.
This project is related to “Activating the Data Engine” — read here for additional context.
Core Skills Leveraged
-
Even though I was representing the brand lead, my client, I obviously had no formal power over Legal, Privacy, or Compliance. I needed their approval to move forward and their collaboration to shape company policy. I built influence through persistence, preparation, and respect for their constraints. I asked questions to understand their concerns deeply and made it clear I was invested in achieving their goals, not just my project's. I earned their trust by demonstrating that I understood the regulatory landscape they operated in and wasn't asking them to compromise compliance, only to help reimagine how it could evolve given the new business operations underway. Over time, they stopped viewing me as a stakeholder making requests and started treating me as a thought partner helping them navigate unfamiliar territory. This shift unlocked the influence I needed to shape not just my project's approval, but the policies that would govern all future patient data initiatives at the company.
-
The company had invested in collecting patient data but had no infrastructure for using it responsibly. Legal and Privacy defaulted to prohibition because they lacked the mental models, processes, and precedents to evaluate risk in this new domain. I recognized that my role wasn't just to navigate their uncertainty for my project; it was to help them build the frameworks that would enable the organization to innovate confidently going forward. I approached this as a change management challenge, moving stakeholders from "we can't do this" to "here's how we do this safely." I broke down overwhelming ambiguity into manageable decisions — one visualization, one data field, one calculation at a time. Each conversation became a building block for the larger framework. My dashboard project became the pilot that future processes were scaffolded upon, giving Data Governance the confidence to formalize a repeatable data request process. By spurring the creation of infrastructure that allowed future teams to derive insights from patient data, I helped the organization fundamentally shift their approach to understanding their customers.
-
Success depended entirely on my ability to build trust and communicate across functions that spoke different languages and operated with different priorities. I invested heavily in relationship building, attending meetings not just to present the business case but to understand each stakeholder's perspective, constraints, and concerns. I asked questions, listened actively, and validated their positions before proposing solutions. This built the credibility I needed to challenge assumptions and push for middle ground. My communication approach was deliberately multilingual: I translated business requirements into privacy impact language, reframed legal constraints as design parameters, and explained how regulatory limitations would affect business capabilities. For example, instead of saying "we need zip codes for segmentation," I explained how understanding geographic uptake would enable tailored patient support, then worked with Privacy to identify what level of geographic detail would satisfy both regulatory and business needs. I communicated transparently about what I didn't know and where I needed their expertise, which reinforced that I respected their authority. By consistently showing up prepared, respecting their time and constraints, and demonstrating that I valued their input, I transformed skeptical gatekeepers into engaged collaborators who could co-create solutions none of us would have reached alone.