From issues to action: a playful, practical workshop for Data Protection Day 2026

When a financial services Data Protection Leader needs to unite 37 entities across multiple countries for a critical 2026 planning session, we’re including some elements of play.

Lego Serious Play

Data Protection Day 2026 is just round the corner and I’m currently preparing a few client events. Among them is a half‑day, virtual “From issues to action” workshop for a financial services client. Their European data protection leader is bringing together colleagues from across 37 legal entities, from the UK in the west to Turkey in the east, to do something formal assessments rarely achieve: to make the real work visible and turn it into a 2026 roadmap people create themselves and believe in.

Why run a workshop when you already have an assessment?

Assessments are useful. They do offer a snapshot of capabilities and compliance gaps, and they often come packaged in colourful heatmaps and maturity scores. But what I have found is that when an assessment is based on a generic framework, especially from one of the larger consultancies, it tends to tell the story of the framework and not the company being assessed. It doesn’t always reveal the subtle differences between an entity in one country and another, and it can sometimes underplay the realities of local regulators, legacy platforms, offshore support models, and the everyday work in the trenches by teams who are at the sharp end daily.

Assessments rarely identify and uncover what I call the “invisible architectures” of a company: all the dynamics, emotions, habits, incentives, and power structures that move things forward in one entity and stall them in another. They may explain why DPIAs take a month in one team and three months in another, or why information security and data protection teams are aligned and in harmony, or are working against each other.

From issues to action workshop

The workshop structure

The graphic above outlines the typical flow of the session, though the workshop at the end of January will have some subtle variations that I’m currently discussing with my client. In four hours, we’ll move from individual sense‑making to shared priorities to an actionable plan:

  • Individual elicitation. Participants begin with quiet thinking. Each participant lists the issues on their plate - workflows, risks, frictions, stakeholder challenges - without group influence. This step is gold dust: it reduces conformity and reveals what people actually experience.

  • Group clustering and prioritisation (affinity mapping). The participants sort individual issues into workgroups and cluster them. What’s working well? What needs improvement? They’ll then use a MoSCoW board (Must, Should, Could, Won’t) to prioritise across entities, so local realities inform group choices.

  • Root cause exploration. A short primer on Root Cause Analysis (yes, the Ishikawa or fishbone diagram) helps teams move beyond symptoms. “Our DPIAs are cumbersome” becomes “We have unclear ownership, late engagement, and tool friction” - three different problems requiring different actions.

  • Solutions and responsibilities. Teams frame options, owners, and first steps. A quick refresher on planning basics, e.g. work breakdown structures, milestones, and dependencies, keeps things practical.

  • Produce a target “to‑be” picture and a high‑level schedule. We close with short presentations that combine the pieces into a 2026 roadmap: themes, outcomes, owners, and critical path.

MoSCoW prioritisation

What’s in it for the data protection leader?

  • Visibility that isn’t theoretical or generic. You’ll get a consolidated view of issues grounded in lived experience, not just framework language.

  • A prioritised portfolio. Must/Should/Could/Won’t status across entities, with owners and first steps.

  • A 2026 roadmap. Themes (for example: DPIA flow redesign, data discovery automation, vendor due diligence overhaul), milestones, and a first 90‑day sprint.

  • A motivated and energised team. These workshops bring together your people, who will get to know each other in ways your traditional status calls can’t achieve.

Fishbone diagrams

If you’re leading a distributed data protection function and want your 2026 plan to reflect reality, not just the latest framework, get in touch to discuss options. We’ll help you transform issues into action, and action into a roadmap your teams can deliver.

Author
Tim Clements
Tim Clements is Business Owner of Purpose and Means, a data protection and GRC consultancy based in Copenhagen, operating globally. He helps data protection and GRC leaders simplify complexity into actionable strategies, providing tools, training, and support to engage and influence across the organisation. Tim is a Chartered Fellow of the BCS (British Computer Society).
