Quill's Thoughts

Board governance is not enough: a UK control checklist for turning digital oversight into campaign approval rules

A practical UK guide to turning board-level digital oversight into campaign approval rules, with owners, dates, risks and measurable checks for stronger data governance.

Quill Research 13 Mar 2026 8 min read

Overview

Executive summary: Board approval is a starting point, not a working control. In most organisations, the real risk appears later, when a campaign is being built against a date, a brief and a target list, and nobody can show which rule applies, who owns it or what evidence is required before launch.

This delivery assurance note sets out a practical way to turn policy into campaign approval rules. The method is simple enough to run inside existing delivery tools, but strict enough to stand up to audit: define the rule, name the owner, set the acceptance criteria, record the evidence and review it on a set date. If your plan has no named owners and dates, it is not a plan. Fix it.

Quick context

The gap between board policy and campaign execution is usually not about bad intent. It is operational. A board signs off a policy on lawful processing, transparency and data quality; the marketing team then has to ship a campaign by Friday. If the policy has not been translated into campaign-level controls, people fall back on memory, precedent or whatever happened last time. That is where drift starts.

In practice, campaign teams need concrete decisions, not broad principles. They need to know which suppression list applies, which lawful basis has been approved, which privacy notice version must be linked, and what evidence has to be attached before a launch ticket can move to green. Without that bridge, approvals become subjective and inconsistent.

The wider context matters too. The Office for National Statistics continues to publish quarterly personal well-being estimates and local authority well-being data across the UK, tracking measures such as anxiety and happiness. Those datasets are not marketing controls in themselves, obviously, but they are a useful reminder that trust and confidence are observable public concerns, not abstract brand language. If a customer opts out and still hears from you, the issue is not just technical non-compliance; it is a visible failure to respect the choice they made.

Step-by-step approach

The fix is not a longer policy. It is a controlled translation from principle to rule to workflow. Done properly, this gives you a usable UK data governance model rather than a document that gathers dust on the intranet.

Turn principles into operational rules

Start by taking each governance principle and rewriting it as a campaign rule that can be tested. For example, “process data lawfully and transparently” is too broad for delivery teams. A workable rule is: “The lawful basis for each campaign must be recorded in the campaign brief before build starts.” Better still: “For consent-based activity, a sample record showing consent source, timestamp and user ID must be retrievable before dispatch.”

That sounds a bit dry, because it is. Dry is fine here. Clear beats clever. Each rule should have acceptance criteria that are binary: met or not met. As a checkpoint, review ten recent campaign briefs by a set date, say 30 April 2026, and confirm whether all ten include lawful basis, audience definition and evidence links. If fewer than nine do, you have found a control gap that needs a named owner.

Name owners and set review dates

A control without an owner is just a hopeful thought. Assign one named person to own each rule, even when another person performs the task. For instance, a Data Protection Officer may review a form, but the Head of Product might own the rule that no new form goes live before that review is complete. That distinction matters because ownership follows the outcome, not merely the action.

Set a review date at the same time. If ownership is clear but there is no date, the work drifts. A sensible minimum is a quarterly control review, with exceptions logged when tools, regulation or campaign types change. Keep a change log with the rule ID, reason for change, owner and approval date. It is not glamorous, but it saves a lot of forensic archaeology later.

Build controls into the delivery path

The strongest controls sit inside the workflow people already use. If checks happen in a separate spreadsheet after the build is finished, they will be rushed when time is a bit tight. If the launch ticket cannot progress until mandatory evidence is attached, the process is far more reliable.

For example, a Jira or Asana workflow can require these fields before a ticket moves to Ready for launch: lawful basis recorded, audience query linked, suppression list evidence attached, privacy notice version checked, unsubscribe journey tested, and final approver named. Yesterday, after stand-up, ticket MKT-451 was blocked by the privacy notice dependency. A quick call with Jane, the content owner, cleared it once the link-check evidence was added. New date set, ticket back on path to green. That is what good governance looks like in delivery: specific, boring and sorted.

Pitfalls to avoid

Most control failures come from a few repeatable mistakes. Better to flag them early than pretend a shiny dashboard will rescue the process.

Buying tooling before defining the rule

A consent platform, workflow tool or governance dashboard can help, but none of them can invent a sensible operating model for you. If the organisation has not agreed the rule, owner, evidence and escalation path first, technology will simply automate confusion. Before any new tooling decision, ask one blunt question: which control does this tool enforce, and how will we prove it is working by a named date?

A practical checkpoint is to test one campaign type first, such as promotional email, and measure completion rates for mandatory approval fields over a four-week period. If completion does not improve, the issue is likely process design rather than tool capability.

Using vague acceptance criteria

“Ensure GDPR compliance” is not acceptance criteria. It is a wish. Delivery teams need criteria that can be tested by another person without interpretation. For example:

  • Vague: Check the email is compliant.
  • Usable: Confirm the footer contains the correct company registration number, registered address and a working link to the current privacy notice.
  • Usable: Verify the unsubscribe link works in Gmail, Outlook and Apple Mail, and record the result in the QA log.

Between 09:00 and 10:30, I rewrote the acceptance criteria for one approval story because the original text said only “legal review completed”. Tests passed once the edge case of a broken preference-centre redirect was covered. That is the standard to aim for: explicit enough that failure is visible.

Treating governance as a one-off exercise

Rules decay. Teams change, tools get reconfigured, legal wording is updated, and campaign formats multiply. A framework built in January can be out of date by June if nobody reviews it. Put recurring dates in the diary and make the review evidence-based: which controls failed, which were bypassed, which created false positives, and which need simplification.

If you want an external signal for why regular review matters, the ONS weekly registration datasets show how quickly national and regional conditions can shift in other domains. The lesson for operations is straightforward: static assumptions age badly. Control frameworks need maintenance, not admiration.

Checklist you can reuse

Below is a starter checklist for campaign approval. Adapt it to your stack and governance model, but keep the same discipline: owner, evidence, date and status. If a row cannot be completed, the campaign should not pass the gate without an explicit risk acceptance.

As a practical metric, aim for 100% completion of mandatory checkpoint evidence on live campaigns by the end of the next reporting cycle. If you are below that, identify the top two failure points, assign owners and set dates for remediation. Keep it measurable.

Closing guidance

Board governance matters, but it does not approve a campaign on its own. Approval happens where rules are applied, evidence is checked and somebody is accountable for the outcome. That is the point of this whole exercise: turning good intentions into repeatable controls that work on a normal Tuesday, not just in a board pack.

If your current process relies on people remembering what “good” looks like, there is a cleaner way to run it. We can help you map policy to operational rules, define owners and dates, and build a campaign approval path that is auditable without becoming painful. If you want your next launch to feel controlled rather than hopeful, let’s have a proper conversation and get it sorted.
