Risks never sleep: Why data protection must be a living practice

By Michael Irene

At a quarterly strategy meeting not long ago, a senior executive turned to me and asked a question I’ve heard many times before: “We’ve got our privacy policies and training in place — what more is there to do?” It’s a fair question, especially from someone who isn’t steeped in the day-to-day realities of data governance. But it reflects a broader, dangerous assumption: that data protection is a box to be ticked, rather than a discipline to be continuously lived.

The uncomfortable truth is this — risks never sleep. Not in cyber, not in compliance, and certainly not in the ever-expanding universe of personal data that flows through modern businesses. The perimeter has vanished. Data no longer lives in a central server behind a locked door. It’s in the cloud, on mobile devices, in Slack channels, passed between vendors and systems faster than most people realise. Yet many organisations still treat data protection like a one-off exercise from 2018, frozen in time, as if nothing has changed since the early days of GDPR.

Much has changed. Organisations have digitised entire operations, adopted AI-powered decision-making tools, and accelerated cloud migrations. Meanwhile, regulators have sharpened their teeth, and data subjects have become more vocal. Yet despite this, in audits across multiple companies, I continue to find customer data stored long after its retention period has expired, or sensitive information backed up in legacy systems that no one actively monitors. In one case, a team had held on to transaction data years past its lawful limit, unaware that doing so could trigger regulatory scrutiny, or worse, liability in the event of a breach.

This isn’t usually about malice or wilful noncompliance. It’s often about operational fatigue, outdated processes, or a lack of cross-functional ownership. Data retention schedules are filed away in policy folders, but they don’t always make it into workflows. Employees assume IT handles it, or that legal signed it off years ago. Meanwhile, the data quietly accumulates, unmonitored, unmanaged, and ultimately, unprotected.

Part of the challenge is cultural. In many companies, privacy still sits on the periphery — owned by a small team, often under-resourced, rarely integrated into product, marketing, or commercial decisions. This separation creates blind spots. Engineers roll out new features without consulting data protection teams. Marketing reuses databases from old campaigns without considering consent expiry. Even procurement can bring in tools that process personal data without conducting proper impact assessments.

The solution is not fear-driven compliance theatre, but the embedding of data protection into the operational fabric of the business. That means aligning privacy considerations with product design, procurement, security, and customer experience. It means building systems that remind staff when retention periods are due to expire, rather than relying on someone to remember a policy buried in SharePoint. It also requires training that speaks to real scenarios — not abstract legislation — so staff know what to do when they see risk in the wild.

Automation can help. So can stronger oversight. But the most powerful lever remains leadership. If privacy is framed as a back-office legal issue, it will be treated as one. If it’s elevated as a marker of trust, professionalism, and operational excellence, people will begin to act accordingly. Boards and senior leaders who remain passive on this front are increasingly out of sync with both the regulatory climate and public expectations.

In practical terms, this means regular audits, system-wide data mapping, real accountability for data owners, and honest conversations when gaps appear. The organisations that do this well don’t treat data protection as a fire drill — they treat it as good business hygiene. Not because they fear fines, but because they value trust, and they recognise that a breach, even a small one, can erode reputational capital overnight.
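As an added illustration of the two practical points above (reminders that fire before a retention period lapses, and audits that surface data held past its limit in systems nobody reviews), the following Python script is not from the article; the inventory rows, retention periods and dates are constructed for the example.

```python
from datetime import date, timedelta

# Constructed sample data map: one row per dataset. retention_days is the
# period agreed with legal; last_activity is when the data was last needed
# for its purpose; monitored says whether an owner actively reviews the
# system that holds it (legacy backups are typically the ones that are not).
INVENTORY = [
    {"dataset": "card_transactions", "owner": "finance", "retention_days": 2555,
     "last_activity": date(2017, 3, 1), "monitored": False},
    {"dataset": "campaign_2021_leads", "owner": "marketing", "retention_days": 730,
     "last_activity": date(2023, 9, 30), "monitored": True},
    {"dataset": "support_tickets", "owner": "cx", "retention_days": 1095,
     "last_activity": date(2024, 6, 1), "monitored": True},
]


def audit_retention(inventory, today, warn_days=90):
    """Classify each dataset as expired, expiring (within warn_days) or ok,
    and flag any copy that sits in an unmonitored system."""
    findings = []
    for row in inventory:
        expiry = row["last_activity"] + timedelta(days=row["retention_days"])
        days_left = (expiry - today).days
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        findings.append({"dataset": row["dataset"], "owner": row["owner"],
                         "status": status, "expiry": expiry,
                         "days_left": days_left,
                         "unmonitored": not row["monitored"]})
    return findings


def reminders(findings):
    """One actionable line per data owner; 'ok' and monitored rows are silent."""
    out = []
    for f in findings:
        if f["status"] == "expired":
            out.append(f"{f['owner']}: {f['dataset']} is {-f['days_left']} days "
                       "past its retention limit; delete or record a justification")
        elif f["status"] == "expiring":
            out.append(f"{f['owner']}: {f['dataset']} reaches its limit on "
                       f"{f['expiry']}; confirm the deletion plan")
        if f["unmonitored"]:
            out.append(f"{f['owner']}: {f['dataset']} is held in an unmonitored "
                       "system; assign a reviewer")
    return out


if __name__ == "__main__":
    for line in reminders(audit_retention(INVENTORY, date(2025, 7, 1))):
        print(line)
```

Run on a schedule, the reminders go to the named owner rather than to a policy folder, which is the difference between a retention schedule that exists and one that is followed.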

There’s a cost to getting this right, of course. But the cost of getting it wrong is almost always greater. If there’s one lesson I’ve learned from years in the field, it’s this: data risk doesn’t knock before it enters. It’s always awake. So we must be too.
