From issues to action: a playful, practical workshop for Data Protection Day 2026
When a financial services Data Protection Leader needs to unite 37 entities across multiple countries for a critical 2026 planning session, we’re including some elements of play.
Data Protection Day 2026 is just round the corner and I’m currently preparing a few client events. Among them is a half‑day, virtual “From issues to action” workshop for a financial services client. Their European data protection leader is bringing together colleagues from across 37 legal entities, from the UK in the west to Turkey in the east, to do something formal assessments rarely achieve: to make the real work visible and turn it into a 2026 roadmap people create themselves and believe in.
Why run a workshop when you already have an assessment? Assessments are useful. They do offer a snapshot of capabilities and compliance gaps, and they often come packaged in colourful heatmaps and maturity scores. But what I have found out when an assessment is based on a generic framework, especially from one of the big larger consultancies, it tends to tell the story of the framework and not the company being assessed. It doesn’t always reveal the subtle differences between an entity in one country and another and it can sometimes underplay the realities of local regulators, legacy platforms, offshore support models, and the everyday work in the trenches by teams who are at the sharp end daily.
Assessments rarely identify and uncover what I call the “invisible architectures” of a company. All the dynamics, emotions, habits, incentives, and power structures that move things forward in one entity and stall in another. They may explain why DPIAs take a month in one team and three months in another, or why information security and data protection teams exist aligned and in harmony, or are working against each other.
The workshop structure The graphic above outlines the typical flow of the session though the workshop in at the end of January will have some subtle variations that I’m currently discussing with my client. In four hours, we’ll move from individual sense‑making to shared priorities to an actionable plan:
Individual elicitation. Participants begin with quiet thinking. Each participant lists the issues on their plate - workflows, risks, frictions, stakeholder challenges - without group influence. This step is gold dust: it reduces conformity and reveals what people actually experience.
Group clustering and prioritisation (affinity mapping). The participants sort individual issues into workgroups and cluster them. What’s working well? What needs improvement? They’ll then use a MoSCoW board (Must, Should, Could, Won’t) to prioritise across entities, so local realities inform group choices.
Root cause exploration. A short primer on Root Cause Analysis (yes, the Ishikawa or fishbone diagram) helps teams move beyond symptoms. “Our DPIAs are cumbersome” becomes “We have unclear ownership, late engagement, and tool friction” - three different problems requiring different actions.
Solutions and responsibilities. Teams frame options, owners, and first steps. A quick refresher on planning basics, e.g. work breakdown structures, milestones, and dependencies, keeps things practical.
Produce a target “to‑be” picture and a high‑level schedule. We close with short presentations that combine the pieces into a 2026 roadmap: themes, outcomes, owners, and critical path.
What’s in it for the data protection leader?
Visibility that isn’t theoretical or generic. You’ll get a consolidated view of issues grounded in lived experience, not just framework language.
A prioritised portfolio. Must/Should/Could/Won’t status across entities, with owners and first steps.
A 2026 roadmap. Themes (for example: DPIA flow redesign, data discovery automation, vendor due diligence overhaul), milestones, and a first 90‑day sprint.
A motivated and energised team - these workshops bring together your people who will get to know each other in ways your traditional status calls can’t achieve
If you’re leading a distributed data protection function and want your 2026 plan to reflect reality, not just the latest framework, get in touch to discuss options. We’ll help you transform issues into action, and action into a roadmap your teams can deliver.