How to Run a Privacy Programme Without Slowing Down Your Business

Privacy is one of those things that’s easy for scale-ups to deprioritise, until that’s just not an option anymore.

At first, a reactive approach works fine. You deal with things as they come up, tick off what’s needed, and keep the business moving. But as you scale, that starts to change.

So how do you introduce a more structured, proactive approach, without slowing things down?

We spoke to a few experts to find out, including our customer Jarrolds - a multi-entity business that’s already been through this shift, building a privacy programme that works across the group without getting in the way of growth.

Tom Blake

Group Head of Technology at Jarrolds

Kayleigh Logan-Cleghorn

Lead DPO at Trust Keith

Mitch Omer

Director of Revenue at Trust Keith

Contents

• How Data Protection Evolves as Your Business Scales

• Common Data Protection Risks and Challenges

• Signs Your Privacy Approach Isn’t Working Anymore

• What Good Data Protection Looks Like (and How to Get There)

• Running Privacy Without Slowing Down

How Data Protection Evolves as Your Business Scales

In the early stages of a business, data protection is rarely structured.

There might be a few policies in place, some good practices, and a general awareness that it’s important, but it isn’t always consistent or risk-led.

For Jarrolds, that was the starting point.

“There was a general vested interest in understanding we needed to do something about data privacy, but we were lacking a risk-orientated approach.”

“We had lots of fingers in lots of pies, which comes with its own challenges as it scales out.”

Tom Blake, Group Head of Technology @ Jarrolds

At this stage, privacy tends to be handled as and when it comes up, often by a small number of people, without a consistent way of assessing or managing risk.

And that’s a familiar position for many businesses. An approach to privacy exists, but it hasn’t been built into how the business actually operates.

What worked early on starts to become less effective. The volume increases, the complexity increases, and there’s a growing expectation to demonstrate control.

Common Data Protection Risks and Challenges

As you scale, data protection challenges become less about individual tasks and more about how consistently privacy is managed across the business.

The same issues tend to come up again and again. Not because teams aren’t trying, but because their approach hasn’t evolved with the level of complexity they’re now operating in.

As we heard from Jarrolds, this becomes especially important in environments with multiple teams, systems, and use cases — where maintaining a clear, joined-up approach is harder than it first appears.

“When there’s a lot going on across different areas of the business, that’s where it starts to become difficult to manage.”
Tom Blake, Group Head of Technology @ Jarrolds

1. Lack of Clear Ownership and Accountability

One of the first issues that often emerges is ownership.

Without a clear structure in place, responsibility often ends up sitting with one person - usually alongside their main role.

That might work initially, but it doesn’t scale.

As the business grows, so does the need for a more coordinated, business-wide approach.

“You’ve got different teams, different use cases, so you need a way of looking at it all together and prioritising what actually matters.”
Kayleigh Logan-Cleghorn, Lead DPO @ Trust Keith

Without that joined-up view, privacy becomes dependent on individuals rather than a consistent, business-wide approach.

2. Limited Visibility Across Data and Risk

As businesses grow, visibility often becomes a challenge.

Data sits across multiple systems, teams, and vendors, and without a clear structure in place, it becomes harder to maintain an accurate, up-to-date view of what’s actually happening.

That includes understanding:

• What data is being processed across the business
• Where the key risks sit
• Which activities have already been assessed, and which haven’t

“It’s about being able to take a unified view across everything and understand what actually needs attention.”

“You need a way of looking at data, risk, and activity across the business, and prioritising what actually matters.”

Kayleigh Logan-Cleghorn, Lead DPO @ Trust Keith

Without that visibility, decision-making becomes more difficult.

3. Inconsistent Processes Across Teams

As more teams become involved in handling personal data, ways of working can start to diverge.

Different departments often develop their own approaches - whether that’s how they assess risk, onboard vendors, or handle data requests.

That’s not usually intentional. It’s just a result of growth.

“You end up with different parts of the business doing similar things in slightly different ways, and that’s where privacy and compliance becomes difficult to manage consistently.”
Mitch Omer, Director of Revenue @ Trust Keith

Some areas may have clear processes in place, while others are more reactive, making it harder to maintain a consistent standard or demonstrate control.

4. Reactive, Manual Ways of Working

As these challenges build, many businesses find themselves relying on reactive, manual ways of managing privacy.

Handling requests as they come in, repeating similar tasks, relying on spreadsheets, inboxes, or individual knowledge to keep things moving.

That approach can work for a time, but it becomes harder to sustain as complexity increases.

“You end up firefighting and dealing with things as they come up, rather than having a clear way of managing it.”
Mitch Omer, Director of Revenue @ Trust Keith

Teams spend more time chasing information, redoing work, or sense-checking decisions, instead of moving quickly with confidence.

Signs Your Privacy Approach Isn’t Working Anymore

These privacy challenges don’t usually appear all at once. They build gradually — in day-to-day decisions, small delays — and ways of working that start to feel harder than they should.

At first, it’s easy to put it down to growth, but over time, the pattern becomes clearer.

You might recognise it when:

• The same privacy questions come up again and again
• Work is repeated because there’s no clear record of what’s already been done
• Decisions involving data take longer than they should
• Teams rely on one or two people for answers
• New initiatives slow down while risks are reviewed or clarified

“You don’t always notice it straight away. It just starts to feel like things are taking longer, or getting harder to manage.”
Mitch Omer, Director of Revenue @ Trust Keith

Individually, these don’t always feel like major issues, but together, they point to the same underlying problem: your approach to privacy hasn’t kept up with how your business operates today.

What Good Data Protection Looks Like (and How to Get There)

Moving beyond a reactive approach doesn’t mean adding layers of process or slowing the business down.

Done properly, it’s the opposite.

Good data protection isn’t about doing more, it’s about having the right structure in place so things can run consistently, without constant input or escalation.

A well-functioning privacy programme gives you:

• Clear visibility of what data you hold and where risk sits
• Defined processes that teams can follow without second-guessing
• Shared ownership across the business, not reliance on one person
• Consistency in how decisions are made and documented

“It’s about being able to take a proportionate approach, understanding what actually needs attention, and focusing on that.”
Kayleigh Logan-Cleghorn, Lead DPO @ Trust Keith

Instead of reacting to issues as they arise, teams can:

• Move faster with confidence
• Make decisions without unnecessary escalation
• Apply a consistent approach across different use cases
• Stay ahead of risk, rather than catching up to it

“Privacy should just be part of how the business runs, not something that slows things down or needs constant input.”
Mitch Omer, Director of Revenue @ Trust Keith

How to Make Privacy Work Commercially

For many businesses, privacy is still seen as something separate from commercial goals, but when it’s set up properly, that changes.

Privacy becomes part of how the business operates, not something that sits alongside it.

Instead of slowing things down, it starts to support:

• Faster due diligence with customers and partners
• Greater confidence when making decisions involving data
• Stronger trust with customers and stakeholders
• Smoother internal processes across teams

“It gives you confidence when you’re making decisions… because you know you’ve got the right things in place.”
Tom Blake, Group Head of Technology @ Jarrolds

It starts with alignment.

Privacy needs to reflect how the business actually operates, not sit as a separate layer of process. That means understanding where data is used, how decisions are made, and where risk genuinely sits.

“We didn’t want something overly complex, we needed something that actually worked for how we operate as a business.”
Tom Blake, Group Head of Technology @ Jarrolds

From there, it’s about structure.

Putting in place clear, repeatable ways of working, so teams don’t have to stop and figure things out every time something involves personal data.

“It’s about having something you can rely on, rather than approaching each situation differently.”
Kayleigh Logan-Cleghorn, Lead DPO @ Trust Keith

That includes:

• Clear processes for common activities (like vendor reviews or DPIAs)
• Defined ownership across teams
• A single view of data, risk, and progress

And finally, it’s about embedding it into day-to-day operations.

When privacy is set up properly, it stops being something teams have to think about constantly, it becomes part of how things get done.

“When it’s working properly, it shouldn’t feel like an extra step… it just becomes part of the process.”
Mitch Omer, Director of Revenue @ Trust Keith

Running Privacy Without Slowing Down

Building a structured, scalable privacy programme doesn’t happen overnight.

And for many businesses, the challenge isn’t knowing what needs to be done, it’s finding the time, resource, and expertise to do it properly, while everything else is scaling.

That’s where having the right support makes a difference.

At Trust Keith, we help businesses move beyond reactive privacy, supporting you to build a structured, scalable approach that fits how your business actually operates.

So instead of privacy sitting on your to-do list, we take it off your plate and keep it running in the background so it becomes part of how your business operates day to day.

Tom Blake, Group Head of Technology @ Jarrolds

Tom is the Group Head of Technology at Jarrolds, leading technology and data across a multi-business group. With a background in scaling IT functions, he brings a practical, commercially-aware approach to data protection.

Kayleigh Logan-Cleghorn, Lead DPO @ Trust Keith

Kayleigh is the Lead DPO at Trust Keith, where she leads a team of privacy experts dedicated to helping customers manage data compliance with confidence.

Mitch Omer, Director of Revenue @ Trust Keith

Mitch is the Director of Revenue at Trust Keith, where he supports hundreds of businesses through privacy audits, vendor evaluations, and privacy programs.