From issues to action: a playful, practical workshop for Data Protection Day 2026

Data Protection Day 2026 is just round the corner and I'm currently preparing a few client events. Among them is a half‑day, virtual “From issues to action” workshop for a financial services client. Their European data protection leader is bringing together colleagues from across 37 legal entities, from the UK in the west to Turkey in the east, to do something formal assessments rarely achieve: to make the real work visible and turn it into a 2026 roadmap people create themselves and believe in.

Why run a workshop when you already have an assessment?
Assessments are useful. They do offer a snapshot of capabilities and compliance gaps, and they often come packaged in colourful heatmaps and maturity scores. But what I have found out when an assessment is based on a generic framework, especially from one of the big larger consultancies, it tends to tell the story of the framework and not the company being assessed. It doesn't always reveal the subtle differences between an entity in one country and another and it can sometimes underplay the realities of local regulators, legacy platforms, offshore support models, and the everyday work in the trenches by teams who are at the sharp end daily.

Assessments rarely identify and uncover what I call the "invisible architectures" of a company. All the dynamics, emotions, habits, incentives, and power structures that move things forward in one entity and stall in another. They may explain why DPIAs take a month in one team and three months in another, or why information security and data protection teams exist aligned and in harmony, or are working against each other.

The workshop structure
The graphic above outlines the typical flow of the session though the workshop in at the end of January will have some subtle variations that I'm currently discussing with my client. In four hours, we’ll move from individual sense‑making to shared priorities to an actionable plan:

• Individual elicitation. Participants begin with quiet thinking. Each participant lists the issues on their plate - workflows, risks, frictions, stakeholder challenges - without group influence. This step is gold dust: it reduces conformity and reveals what people actually experience.

• Group clustering and prioritisation (affinity mapping). The participants sort individual issues into workgroups and cluster them. What’s working well? What needs improvement? They'll then use a MoSCoW board (Must, Should, Could, Won’t) to prioritise across entities, so local realities inform group choices.

• Root cause exploration. A short primer on Root Cause Analysis (yes, the Ishikawa or fishbone diagram) helps teams move beyond symptoms. “Our DPIAs are cumbersome” becomes “We have unclear ownership, late engagement, and tool friction” - three different problems requiring different actions.

• Solutions and responsibilities. Teams frame options, owners, and first steps. A quick refresher on planning basics, e.g. work breakdown structures, milestones, and dependencies, keeps things practical.

• Produce a target “to‑be” picture and a high‑level schedule. We close with short presentations that combine the pieces into a 2026 roadmap: themes, outcomes, owners, and critical path.

What's in it for the data protection leader?

• Visibility that isn’t theoretical or generic. You'll get a consolidated view of issues grounded in lived experience, not just framework language.

• A prioritised portfolio. Must/Should/Could/Won’t status across entities, with owners and first steps.

• A 2026 roadmap. Themes (for example: DPIA flow redesign, data discovery automation, vendor due diligence overhaul), milestones, and a first 90‑day sprint.

• A motivated and energised team - these workshops bring together your people who will get to know each other in ways your traditional status calls can't achieve

If you’re leading a distributed data protection function and want your 2026 plan to reflect reality, not just the latest framework, get in touch to discuss options. We’ll help you transform issues into action, and action into a roadmap your teams can deliver.

Purpose and Means is a niche data protection and GRC consultancy based in Copenhagen but operating globally. We work with global corporations providing services with flexibility and a slightly different approach to the larger consultancies. We have the agility to adjust and change as your plans change. Take a look at some of our client cases to get sense of what we do.

We are experienced in working with data protection leaders and their teams in addressing troubled projects, programmes and functions.

Making it playful
Traditionally, I ask participants to prepare a “rich picture” of their data protection world as a pre-workshop task. For this workshop we’re going playful with LEGO Serious Play (LSP), fully online. Why? Because building metaphors with your hands lets you explain the in‑between spaces that a rich picture may not show. Also, I often encounter some hesitancy, from participants, e.g. "I can't draw" but the beauty of LSP is many people are happy to pick-up lego bricks as it takes them back to childhood memories. A miniature tower can represent escalation bottlenecks. A bridge can show how security and data protection connect in some processes and don’t in others. A small figurine positioned on the edge of a plate can symbolise a DPO constantly “at the table but on the sidelines.” These are the invisible architectures made visible, fast and in a fun way.

I’ll guide participants on setup (a small bag of bricks and a webcam). In breakouts, each person builds, explains, and refines their model as others ask clarifying questions. We photograph the models and upload them directly to a Miro board. The group not only sees the problems, they see how people experience them. That insight is what changes behaviour after the workshop.