15 posts into “Beyond Legal”: what's been covered so far

When I started writing my Beyond Legal series of blog posts, I wanted to challenge a default setting in our field: data protection is often treated as a legal topic, owned by legal professionals, solved with legal artefacts.

Of course, the laws themselves matter a huge amount. But succeeded in data protection isn’t just about legal interpretation. It also requires companies to fully understand how personal data is actually processed in their unique context, make sound decisions under uncertainty, and operationalise controls across their systems.

Now that I’ve published 15 posts, here’s a brief summary of what’s I've covered so far, organised by themes rather than in chronological order, because the point of the series isn’t "yet another GDPR explainer”. It’s a journey involving recognising and building the needed capabilities.

1. The real problem isn’t that the GDPR is hard. It’s that the job is bigger than “legal”

This past year there's been a lot of commentary in data protection highlighting frustrations around “GDPR complexity” often blaming the regulation itself, rather than looking inwards questioning whether companies have the needed capabilities.

Posts:

• Simplify the GDPR? Upgrade your competences instead

• Beyond legal #1: The data protection leader's journey begins

• Beyond legal #3: Why data protection leadership is more complex than just 'difficult' laws, and what it takes to succeed

Core takeaway: when we frame data protection as primarily legal, we over-invest in legal outputs and under-invest in delivery capability.

2. Risk competence is not optional, it’s the operating system

Data protection work is risk work so a functioning and effective risk management system needs to be at the heart of a data protection leader's work. But risk often gets reduced to vague language (“low risk”, “medium risk”) without shared methods, shared definitions, or decision discipline. The result is inconsistent and subjective decisions, a false sense of being in control, and either blanket blocking ("no!") or rubber-stamping.

Posts:

• Beyond legal #2: Why every data protection and AI governance leader needs SIRA competences in their toolkit

• Beyond legal #4: time to up your risk game

Core takeaway: if you want data protection (and AI governance) to be credible, you need to be able to analyse and communicate risk in a way that stands up outside the legal function.

3. Governance isn’t a pile of documents. It’s coordination.

Another theme: “governance” is widely misunderstood. Too often, it becomes a synonym for policies, templates, committees, and reporting. But governance is the practical reality of who decides, based on what, with which controls, and with what feedback loop.

Posts:

• Beyond legal #5: Get to know your data management and data governance colleagues

• Beyond legal #6: The great governance misunderstanding

• Beyond legal #7: You can't protect what you are not aware of

Core takeaway: you can’t govern what you can’t see. Awareness of data, flows, systems, and ownership is a precondition for meaningful protection.

4. If you don’t show up in engineering, you’re not in control.

This is where “beyond legal” becomes concrete and involves visiting the trenches, or engine room. If privacy or data protection considerations are not embedded into how products and systems are built and changed, it will always be late, reactive, and labour-intensive...and expensive.

Posts:

• Beyond legal #8: Why your next hire should be a data protection engineer

• Beyond legal #9: Get to know your SDLC

Core takeaway: scalable data protection is engineered. The most effective controls are designed and built into systems and delivery processes, not bolted on afterwards.

5. Training and measurement

A lot of companies can prove they did something (training delivered, DPIAs completed, RoPA entries updated). Fewer can show that the something mattered: improved behaviour, fewer incidents, better design decisions, reduced rework, improved time-to-safe-release.

Posts:

• Beyond legal #10: The battle for minds - why your data protection training needs an advertising makeover

• Beyond legal #11: Stop counting activities and start measuring outcomes

Core takeaway: if you want behavioural change, you need communication that competes for attention and metrics that reflect actual impact.

6. When incidents happen, operations beats legal theatre.

Personal data breach response is the ultimate test of whether your “governance” is real and effective. In the moment, what matters is coordination, clarity, and rehearsed operational capability, not beautifully written policies.

Post:

• Beyond legal #12: From headless chickens to coordinated data breach response - why operations beat legal theatre

Core takeaway: legal advice is essential, but it can’t substitute for operational readiness.

7. Third parties: contracts don’t create trust, practices do.

Vendor risk and third-party data protection is often approached by prioritising signatures on documents. But signatures don’t operate controls. Ongoing assurance does - and that requires relationships, transparency, and governance mechanisms that work after onboarding.

Post:

• Beyond legal #13: From signed contracts to trusted partnerships

Core takeaway: third-party governance is a living system, not a one-off legal transaction.

8 RoPA, business analysis, and “data sovereignty” debates.

Two later posts push into a broader category. Our tools and concepts often fail when they’re trivialised or detached from the reality of daily operations.

A RoPA that doesn’t reflect how processing actually takes place is a paper tiger and a wasted investment. Understanding and living up to Data sovereignty requirements is complex and involves a huge amount of hard work of trade-offs, assessing risk, and system design.

Posts:

• Beyond legal #14: Does your RoPA really show how your company processes personal data? (Why you need business analysis skills)

• Beyond legal #15: Data sovereignty and absolutism

Core takeaway: good governance needs working models that reflect reality, and leaders who can navigate trade-offs.

What’s still to come?

More posts will follow, continuing to map the competences needed for modern data protection and AI governance leadership, and to challenge the idea that data protection and privacy is primarily a job for lawyers. If you’ve been reading any of my posts, I would love to hear:

• Which theme has been most relevant to your work?

• Where is the biggest capability gap in your company right now (risk, engineering, operations, measurement, governance)?

• What should the next set of posts explore?

Purpose and Means is a niche data protection and GRC consultancy based in Copenhagen but operating globally. We work with global corporations providing services with flexibility and a slightly different approach to the larger consultancies. We have the agility to adjust and change as your plans change. Take a look at some of our client cases to get sense of what we do.

We are experienced in working with data protection leaders and their teams in addressing troubled projects, programmes and functions. Feel free to book a call if you wish to hear more about how we can help you improve your work.