One of the things that frustrates me most in privacy consulting is the absolutist approach. The consultant who walks in with a rigid playbook, presents a set of requirements as non-negotiable mandates, and leaves without considering whether any of it is actually achievable given where the organisation is today.
Well-intentioned. Often counterproductive.
Privacy Lives in the Gray
The core problem with absolutism in privacy is that the right answer for one organisation can be completely wrong for another. Take consent mechanisms as an example. The ideal implementation might demand granular, unbundled, explicit opt-ins for every processing activity. In a well-resourced enterprise with a modern tech stack, that is entirely achievable. In a three-person startup building an MVP, or a mid-sized company running legacy systems that predate modern consent frameworks, the gap between "ideal" and "feasible" is enormous.
Telling such a company it is non-compliant unless it implements enterprise-grade consent management does not make it more compliant. It makes the problem feel unsolvable, and the company does nothing.
What Actually Matters
Effective privacy implementation requires evaluating the organisation's actual context, not an abstract standard. That means looking at:
- Technical capabilities and system constraints
- Budget and resource availability
- Organisational size and complexity
- Risk tolerance and data sensitivity
- Industry and regulatory environment
- Current and planned jurisdictional scope
- Customer expectations and existing system realities
These considerations are not excuses for non-compliance. They are the essential context that determines what a sustainable, practical implementation looks like. A risk-informed approach that achieves 80% of the privacy outcome with controls that actually get implemented beats a theoretically perfect program that never leaves the slide deck.
The Real Risk of Absolutism
When consultants deliver prescriptive mandates that ignore organisational constraints, teams tend to respond in one of two ways. They implement nothing, because the bar feels unreachable. Or they build overly convoluted systems that confuse users, undermine the transparency the controls were supposed to provide, and create technical debt that makes future improvements harder.
Neither outcome is better than where they started.
A Better Way
Practical, risk-informed guidance acknowledges constraints while maintaining compliance. It identifies the highest-risk gaps and addresses those first. It builds toward the ideal rather than demanding it on day one.
If you are working with a privacy consultant who is telling you that you need to implement everything immediately or you are non-compliant, it is worth getting a second opinion. Sustainable privacy programs are built incrementally, with controls that match where the organisation actually is.
If that is the conversation you need to have, reach out.