
Beyond Legal #36: The change manager who understood why people resist what they don't understand


She understood that employees resist what they don’t understand. So we changed how we trained. — Bayo T., Change Manager

I see quite a few data protection training programmes built in a “backwards” kind of way. They start with what the legal department think employees need to know — the legal obligations, the policy requirements, the processing activities that employees are involved in — and then they deliver that content through whatever channel is available. What they rarely start with is the question a good change manager asks first: why would this person change their behaviour, and what would make them resistant to doing so?

Bayo’s story #

Bayo is a Change Manager at a pan-European retail and logistics business with operations across nine EU member states and a workforce of around 14,000 people, the majority of whom work in warehouses, distribution centres, and retail sites rather than at desks. He has led transformation programmes across the business for six years. His specialism is adoption: getting people to actually use new systems, follow new processes, and change ingrained habits. He knows that knowledge transfer and behavioural change are not the same thing, and that telling people what to do is rarely sufficient to make them do it.

He had never been involved in a data protection programme until the Data Protection Leader — we’ll call her Rania — came to him with a problem that looked to him like exactly the kind of adoption challenge he spent his days solving.

The company did have a data protection framework that was functioning. The RoPA was maintained. The legal bases had been documented. The DPIA process was in place. But the annual compliance training had a 58% completion rate and no measurable impact on behaviour. Employees were still sharing customer data informally over team messaging apps. Managers were still storing personal data in shared drives with unrestricted access. Frontline staff had no idea that they had rights as data subjects themselves, or that exercising those rights was part of how the company demonstrated accountability under Article 5(2).

Rania had tried to fix this with better content. Bayo told her the problem was not the content. It was the change model.

What the collaboration produced #

Bayo applied the same diagnostic framework he used for any change programme: who are the people we need to reach, what are the specific behaviours we need to change, what are the barriers to those changes, and what would make the change feel relevant and achievable for each population?

The answers were different for each employee group. Warehouse staff did not need a module on GDPR principles. They needed to understand two things: what happens to their personal data at work, and what they should do if a colleague or manager asks them to share customer data in a way that feels wrong. Retail staff needed to understand what they were allowed to say to customers who asked about their data. Managers needed to understand their specific responsibilities as the people who make day-to-day decisions about how personal data is accessed and used.

Bayo and Rania redesigned the programme around those specific behavioural outcomes. Content was role-specific, delivered in formats suited to how each group actually worked, and framed around scenarios drawn from real situations in the business rather than regulatory theory. The training no longer started with the GDPR. It started with a situation the employee would recognise.

Completion rates improved substantially. More significantly, the number of internal data protection queries — employees asking whether they were allowed to do this or that, before doing it — increased by 40%. That is a cultural indicator that Bayo recognised from other change programmes: people asking permission rather than forgiveness is a sign that the change has reached them.

At their annual performance reviews, both were promoted. Rania cited the adoption framework as the most significant programme improvement since her appointment.

Why does data protection training fail — and what does effective change management require? #

Data protection training fails when it is designed as information transfer rather than behaviour change. The GDPR’s accountability principle under Article 5(2) requires controllers to demonstrate compliance — not simply to have distributed information about it. Demonstrating compliance means being able to show that employees understand their obligations, act consistently with the controller’s processing framework, and know how to raise concerns when something feels wrong. A training completion rate does not demonstrate any of those things. Two enforcement decisions illustrate what Supervisory Authorities find when they look behind compliance training that has not changed behaviour.

In 2023, Sweden’s data protection authority IMY fined insurance company Trygg-Hansa €3 million after finding that a misconfigured web interface had exposed sensitive customer data for an extended period — a failure of technical and organisational measures that the company had not detected or remediated in time. While the primary finding was one of inadequate security controls rather than individual employee behaviour, the case carries a direct lesson for training programmes: the misconfiguration went undetected in part because the internal processes for identifying and escalating potential vulnerabilities were not working as intended. Employees responsible for oversight did not recognise what they were looking at, or did not know what to do when they did. That is a training and awareness failure as much as a technical one. Controllers cannot demonstrate compliance under Article 5(2) with measures that exist on paper but have not been embedded in the people responsible for operating them.

In 2024, Italy’s Garante fined energy supplier Hera Comm €5 million after finding that door-to-door sales agents had been activating supply contracts using customers’ personal data — including identity documents — without those customers’ knowledge or consent. The company had failed to implement adequate technical and organisational measures to prevent this from happening. But look at what that finding actually describes: people doing a job, every day, in ways that violated the rights of the individuals whose data they were handling — and a company that had not given them the understanding, the boundaries, or the practical guidance to do it differently. That is a training failure. Not a failure to run a module or log a completion. A failure to reach the people whose behaviour determined whether the company was compliant or not. The Garante’s finding was directed at the company, not the agents. Under Article 5(2), accountability sits with the controller — and controllers cannot discharge that accountability by pointing to agents who were never adequately equipped to act within it.

What does Article 5(2) require from a data protection training programme? #

The accountability principle under Article 5(2) of the GDPR requires controllers to be able to demonstrate that personal data is processed in accordance with the regulation. For a training programme, this means demonstrating not just that training was delivered, but that it produced measurable change in how employees handle personal data. Article 29 of the GDPR places a direct obligation on any person acting under the authority of the controller to process personal data only on the controller’s instructions — and that obligation only works if employees know what those instructions are, understand why they matter, and have been given practical guidance on how to follow them in their specific working context. A change manager who understands why people resist change is not a luxury for a data protection programme. They are the mechanism through which the programme reaches the people whose behaviour it needs to change.

The challenge for today: Take your most recent data protection training and ask a change manager or an employee from your largest non-desk workforce population to review it. Ask them one question: what specific behaviour would a person do differently after completing this training? If the answer is not immediate and concrete, you have found the gap.

For more on how communications and behavioural change connect to compliance accountability, see Beyond Legal #32 on transparency that reaches people, and Beyond Legal #23 on what happens when the people closest to the data are not brought into the governance.


Article references: Article 5(1)(a) (lawfulness, fairness, transparency), Article 5(2) (accountability), Article 12 (transparent communication), Article 13 (information at point of collection), Article 29 (processing under controller’s authority), Articles 15–22 (data subject rights).

Series: This is post 16 in the Beyond Legal series — 20 roles, 20 days, real consequences. Bayo, Rania and the story are fictitious; the two cases are real.

Purpose and Means is a niche data protection and GRC consultancy based in Copenhagen but operating globally. We work with global corporations providing services with flexibility and a slightly different approach to the larger consultancies. We have the agility to adjust and change as your plans change. Take a look at some of our client cases to get a sense of what we do.

Author
Tim Clements
