A key theme of Data Protection Day 2025 is the evolving mandate of data protection. I feel this concept of evolution is worth exploring in more detail, because many organisations think of themselves either as ‘compliant’ or ‘not there yet’. That mindset doesn’t always allow for responding to changes in privacy and data protection.

So to mark this year’s edition of Data Protection Day, I’m reflecting on some recent experiences from working in this field and three recurring takeaways.

1: The work is never done

To borrow a phrase, data protection isn’t just for 28 January, it’s for life. I often come across organisations that want to treat compliance with data protection regulations as a box to be ticked as ‘done’. In my experience though, the work is never finished.

It’s true that certain aspects will always stay the same. For example, if an organisation is at the start of its privacy journey, it will need to put elements in place such as policies, record of processing activities, or data subject rights. These tend not to change. But in many other ways, data protection is always evolving, with most years bringing new guidelines to follow.

It’s easy to get everyone engaged at the outset, when there’s work to be done in enhancing approaches to privacy or putting the right procedures in place. However, when organisations have reached a certain level of maturity in data protection, it’s a different challenge to maintain those same levels of enthusiasm. For me, the last stage of being compliant is about checking back, staying informed about important privacy stories, and discussing the subject regularly with their own internal teams. Instead of seeing data protection as a finish line to cross, it’s better to think of it as a constantly moving treadmill.

2: Embed a ‘privacy by design’ mindset

Speaking of starts, this is one of the most effective approaches to data protection – but also one of the hardest. A ‘privacy by design’ mindset ensures that whenever an organisation embarks on a new project, implements a new system, or introduces new processes, it’s thinking about privacy principles from the outset.

It means doing risk assessments from the get-go and making sure anything an organisation uses internally, be it systems or processes, has privacy integrated into it from the beginning. In practice, let’s say an organisation decides to move to a new cloud system or HR software. Even before the project has begun, the organisation involves a nominated privacy champion – who could be a member of the team or a trusted external partner – who can advise throughout the project. If the project involves a new IT system, the privacy champion would work with the organisation’s IT team to make sure the system is configured in such a way as to ensure proper data protection, and adheres to data minimisation (which means only collecting the information it needs for the system to run).

Some very large organisations can struggle with the concept of privacy by design; when rolling out new processes and systems, in the interests of speed it’s tempting not to involve a privacy champion from the start. However, in my experience this is a false sense of progress. Waiting until much later in the project to do a data protection impact assessment means it will take longer to fix any problems (and consequently cost more money). I would also argue that in terms of data protection, there’s a higher risk that in the long run, it could lead to issues like a data breach or special category information being stored somewhere it’s not supposed to be.

3: Speak simply to a broad audience

One of the most effective ways to embed good privacy practice into an organisation is to get everyone involved. However, when we’re looking to spread the data protection message widely, we need to mind our language. Like a lot of disciplines, data protection comes with its own terminology. That’s fine as a shorthand when privacy professionals are speaking between themselves, but to everyone else, it can feel technical and legalistic. So if you want everyone in your organisation to get on board with data protection, then you need to tailor the message.

As a data protection expert, a great way you can share that expertise is to use plain language that’s easy to understand. In practice, this means paying attention to the phrases we use when creating awareness material or annual training content that’s intended for a wide audience. Don’t assume that everyone knows what a TIA is. Spell it out (the first time anyway). Call it a transfer impact assessment, and then explain what that involves. The same goes for any technical definitions you might need to use.

Closing thoughts: Raise awareness – and the bar

After all, Data Protection Day is about awareness raising. And an effective way to achieve this is to make the concepts understandable and relevant. Doing this increases the chances that people will apply them in their work every day.

I’ll finish with this thought: if we start from the premise that data protection is always evolving, then some might find it frustrating because it’s never ‘done’. But I would argue that’s not the point. For me, accountability is such a key principle of data protection rules. It’s about trying your best to adhere to the regulations and to best practice.

About the Author: Clíona Perrick

Clíona Perrick is a Data Protection Consultant with BH Consulting.
