Beyond Legal #40: The chief people officer who understood that people are the programme

She didn’t just know the regulation. She knew how people worked. That’s rare at any level. — Hamid S., Chief People Officer
Twenty posts. Forty roles. One recurring observation: the data protection failures that end careers and generate enforcement actions are not, in most cases, primarily legal failures. They are human ones. Someone did not understand why. Someone did not think it applied to them. Someone moved fast and assumed the compliance question would resolve itself. Someone drew an organisational line that the GDPR does not recognise. A Chief People Officer who understands that distinction — who sees data protection not as a regulatory obligation to be managed but as a cultural condition to be built — is one of the most valuable allies a Data Protection Leader can have. They are also one of the rarest.
Hamid’s story
Hamid is a Chief People Officer at a European financial services group with operations across 11 member states and a workforce of around 20,000 people. He has spent his career thinking about how companies get people to behave in ways that serve the company’s values — not through compliance monitoring, but through culture, through leadership behaviour, through the conditions that make it easy to do the right thing and difficult to do the wrong one.
He had worked with many Data Protection Leaders over the years. Most of them, he observed, thought about data protection as a set of requirements to be met. The best one he had worked with — we’ll call her Sofía — thought about it as a set of behaviours to be embedded.
The distinction sounds small. It is not. A requirement to be met produces a training completion rate, a policy document, and a DPIA process that runs when someone remembers to trigger it. A behaviour to be embedded produces a culture in which an engineer raises a data minimisation concern before the sprint begins, a procurement manager asks about sub-processor chains before signing a contract, and a marketing team knows instinctively that the email list needs a lawful basis before the campaign is built.
Hamid had spent enough time in companies to know which of those two things was harder to build — and which one actually protected the company when a Supervisory Authority came looking.
What Hamid and Sofía built together
Sofía had been in her current role for 3 years when she and Hamid began working together on a programme that neither of them framed as a data protection initiative. They framed it as a values and conduct programme — a deliberate decision, because both of them understood that employees engage with values in ways they do not engage with compliance.
The programme embedded data protection behaviours into the company’s existing people frameworks: into the leadership development curriculum, into the performance management criteria for roles that routinely handled personal data, into the onboarding experience for all new joiners, and into the criteria by which the company selected and developed its managers. Data protection was not a standalone module. It was one of the dimensions along which the company assessed whether people were operating consistently with the company’s stated values.
Hamid provided three things that Sofía had not previously had access to: the infrastructure to reach every employee through the people function’s existing channels, the credibility to frame data protection as a leadership expectation rather than a compliance burden, and the organisational authority to ensure that the programme received board-level attention as a people issue rather than a legal one.
When the Supervisory Authority included the company in a periodic review of the group’s data protection framework two years later, what it found was not a compliance programme. It found a company in which data protection was demonstrably embedded in how people made decisions. The review concluded without findings.
Sofía was appointed to the board as Group Data Protection and Ethics Director — the first such role in the group’s history. Hamid presented her appointment as a people and culture decision, not a legal one.
What does a Chief People Officer contribute to a data protection programme that no one else can?
The accountability principle under Article 5(2) of the GDPR requires controllers to demonstrate compliance with the data protection principles. Demonstrating compliance at scale — across 20,000 employees in 11 EU member states — requires that data protection is embedded in company behaviour, not just documented in a policy. A Chief People Officer has access to the mechanisms through which behaviour is shaped at scale: leadership development, performance management, reward frameworks, onboarding, culture programmes, and the organisational signals that tell employees what is actually valued rather than what is formally required.
Two enforcement decisions illustrate what Supervisory Authorities find when those mechanisms are absent. In June 2024, Sweden’s data protection authority IMY fined Avanza Bank approximately €1.3 million after finding that the bank had inadvertently transferred the financial personal data of between 500,000 and one million customers to Meta over a period of approximately nineteen months, through the accidental activation of two advanced functions in the Meta Pixel tracking tool embedded in its website. The bank could not subsequently determine who had activated the functions or when: the transfer ran undetected from November 2019 until an external source flagged it in June 2021. The transferred data included customers’ securities holdings, loan amounts, account numbers and national identification numbers. The IMY grounded its finding in Articles 5(1)(f) and 32(1): the bank had failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The bank had procedures for implementing new functions on its website, but those procedures were insufficient to prevent the unintended activation. The regulator framed it as a security failure, but what it revealed was a governance gap. The procedures existed, yet nobody in the bank had the awareness or the mandate to check what a third-party script running in its own pages was actually sending, and nothing in the change process recorded who had changed its configuration or when. A change log on the tag configuration and a periodic review of what each embedded tag transmits are the controls that answer exactly those two questions, and neither of them is a legal control; they are operational habits that someone has to own.
In June 2024, Italy’s Garante fined Eni Plenitude €6.4 million after finding extensive data protection violations in the company’s telemarketing activities. The authority had received 108 reports and 7 complaints from individuals who reported receiving unwanted and repeated promotional calls — in some cases up to 248 calls within a few months — despite being registered on Italy’s Do Not Call Registry. The Garante’s investigation found that in a single sample week, 657 of 747 contracts concluded by the sales network resulted from unlawful contacts. The violations spanned multiple GDPR articles, including Article 5(1)(a) on lawfulness and transparency, Article 6 on lawful basis, Article 25 on data protection by design, and Article 28 on processor obligations. The Garante found that the company’s controls over its agencies and sub-agencies were insufficient to prevent contracts concluded on the basis of unlawful telephone contacts from entering the company’s systems — a failure not of individual agents, but of the organisational measures that should have made such outcomes structurally difficult.
In both cases, the companies had governance frameworks. In both cases, those frameworks failed to reach the people and teams making the decisions that mattered — whether an engineer configuring a tracking pixel or a sales network acquiring contracts through unlawful contacts. And in both cases, the Supervisory Authority arrived before the organisation did.
What does a data protection culture actually require — and why does it matter at board level?
A data protection culture is not a training programme. It is the condition in which the company’s people make decisions consistent with the data protection principles without being instructed to do so in each specific instance — because they understand why those principles exist, see the behaviour modelled by their leaders, and operate in an environment where asking a data protection question is the normal thing to do rather than an exceptional one. Building that culture requires leadership commitment that is visible and consistent, people frameworks that embed data protection expectations into how performance and conduct are assessed, and an organisational structure that gives the Data Protection Leader the authority and access to operate across functions rather than within a compliance silo. A Chief People Officer who understands that the data protection programme is, at its core, a people programme is not a luxury for a mature company. They are the reason the programme works — or the reason it does not.
The final challenge: Look at your data protection programme and ask one question: if every policy document, every training module, and every legal opinion disappeared tomorrow, what would remain? The answer tells you how much of your programme lives in the documentation and how much lives in the culture. The Supervisory Authority, if it arrives, is interested in both — but it is the culture it will find hardest to fake.
Frequently Asked Questions
What is the accountability principle under GDPR Article 5(2)? Article 5(2) requires data controllers not only to comply with the data protection principles but to demonstrate that compliance. At scale, this means embedding data protection into organisational behaviour — not just documenting it in policies.
Why should a Chief People Officer be involved in data protection? A Chief People Officer controls the mechanisms through which behaviour is shaped at scale: leadership development, performance management, onboarding, and culture programmes. These are the systems that determine whether employees actually protect data in practice, not just in theory.
What is a data protection culture? A data protection culture is the condition in which employees make decisions consistent with data protection principles without being instructed to do so in each specific instance — because they understand why those principles exist and see the behaviour modelled by their leaders.
Article references: Article 5(1) (data protection principles), Article 5(2) (accountability), Article 12 (transparent communication), Article 25 (data protection by design and by default), Article 29 (processing under controller’s authority), Article 33 (personal data breach notification), Article 83(5) (fines for principles violations).
Series: This is post 20 in the ‘GDPR at 10’ series — 40 roles, 20 days, real consequences. Hamid, Sofía and the story are fictitious; the two cases from Sweden and Italy are real. The series is complete.