Purpose and Means

Most data protection programmes satisfy regulators but don't change behaviour. We help leaders build programmes that work in practice — through strategy, engagement, and visual communication.

Your data protection programme satisfies the regulator. Does it change how people work?

Most organisations have the policies, the RoPA, and the legal frameworks in place. But employees still don't follow them, leadership still treats data protection as a cost centre, and the gap between documentation and daily behaviour keeps growing.

That's the gap we close.

Purpose and Means builds data protection into how organisations actually work — through business-aligned strategy, visual communication, and employee engagement that sticks. We bring the skills that most law firms don't: business analysis, change management, and the ability to make complex regulation accessible to everyone from the boardroom to the front line.

Based in Copenhagen, operating globally. Trusted by multinational corporations across EMEA, LATAM, NA, and APAC.

What makes us different?

We make digital regulation visual and engaging. No more dense policy documents that nobody reads. We use visual thinking, interactive methods, and role-specific content to make data protection relevant to every function.
We go beyond the legal silo. While we work closely with legal teams, we break down barriers between functions — making data protection everyone's concern, not just the lawyers'.
Ethics at the core. We help you embed fairness and transparency as operating principles — reflecting the spirit of European data protection law, not just the letter.

Key issues we address

Many consultancies promise to do it all. We don't.

Our focus is sharp and deliberate — tackling the challenges we're best equipped to solve.

Horizon Scanning and Analysis →

LEGO® SERIOUS PLAY® Workshops →

Virtual Communication Support →

TechReg Purpose and Strategy →

Rapid Analysis Workshops →

ESG and Data Protection →

Programme Maturity Assessments →

Custom Education and Training →

Infographics and Explainers →

Browse by Topic

access controls accountability accountability frameworks ai act ai ethics ai governance ai infrastructure sovereignty ai literacy ai regulation article 12 article 13 article 22 article 25 article 28 article 30 article 32 article 35 article 46 article 5 article 6 article 7 audit and assessment automated decision-making awareness awareness campaigns behaviour change beyond legal board level board reporting case law change management chief people officer cloud infrastructure compliance monitoring consent cookie compliance cross-border transfers customer success dark patterns data accuracy data breach notification data flows data mapping data minimisation data processing agreements data protection data protection by design data protection culture data protection day data protection hero data protection leader data quality data residency data retention data science data sovereignty data subject rights datatilsynet deceptive design direct marketing dora dpia education employee data employee engagement enterprise architecture eprivacy esg executive communication external legal counsel finance and banking gdpr gdpr at 10 generative ai governance grc healthcare horizon scanning hr and data protection hr and employment incident response information security intellectual property internal communications international transfers lawful basis leadership lego serious play machine learning marketing nis2 privacy by design privacy culture product management profiling public sector purpose limitation quantum computing records of processing regulatory guidance risk management risk reduction ropa sales security software development special category data standard contractual clauses strategic planning sub-processors supply chain sustainability system design third-party risk training design transparency trend radar ux design vendor management visual communication weak signals workshop facilitation

Latest blog posts

15 May 2026 · 8 min read

Beyond Legal #40: The chief people officer who understood that people are the programme

Data protection programmes fail without culture. How a Chief People Officer embedded GDPR Article 5(2) accountability into people frameworks.

14 May 2026 · 8 min read

Beyond Legal #39: The customer success manager who didn't understand why

A customer success manager shared personal data with the account team because nobody explained why she shouldn't. The consequences were real.

13 May 2026 · 7 min read

Beyond Legal #38: The data protection leader who understood system design - and changed everything

An Enterprise Architect and a Data Protection Leader embedded data protection into the company's architecture itself. Both were elevated to board level.

12 May 2026 · 3 min read

Data Protection Hero: I have successfully locked my computer when leaving my desk

Screen locking is one of the simplest GDPR Article 32 security measures. Learn why locking your computer when you leave your desk is a data protection control that matters more than you think.

12 May 2026 · 6 min read

Beyond Legal #37: The sales director who worked around blockers

A sales director treated data protection as a blocker and worked around it. The supervisory authority treated it as the law and worked through her.

11 May 2026 · 7 min read

Beyond Legal #36: The change manager who understood why people resist what they don't understand

Employees resist what they don't understand. A change manager and a Data Protection Leader combined forces and the training programme stopped being a box-ticking exercise.

View all posts →