Trends, patterns, and pressure points from the Global Privacy Culture Survey 2021–2025.
Read the full executive summary below, offering a comprehensive look at the key findings and insights from this year's report.
Global Privacy Culture Survey 2025
Executive Summary
Most organisations - whether large enterprises with dedicated privacy teams or smaller businesses where privacy sits alongside other responsibilities - can demonstrate some level of formal compliance: policies exist, training has been delivered, and there’s at least a documented approach to handling personal data. But formal compliance and embedded culture are not the same thing.
Culture is what happens when employees face ambiguity without a script: when a customer’s informal email might be a data subject request, when a new SaaS tool promises efficiency gains but requires data sharing, or when a retention policy exists but isn’t consistently enforced. These moments occur regardless of organisational size or sophistication. A 250-person company faces the same fundamental question as a 5,000-person multinational: do our people understand what’s expected, feel equipped to act, and know where to turn when uncertain?
The challenge for privacy leaders is that culture isn’t directly visible. Training completion rates, policy acknowledgements, and helpdesk volumes are measurable, but they don’t reveal whether the marketing team understands retention obligations, whether developers consider privacy in design decisions, or whether frontline staff can confidently identify and escalate a data subject request. The gap between what organisations believe they’ve implemented and what employees actually understand is where risk concentrates, regardless of scale.
Technical knowledge can be looked up, but cultural awareness - the instinct to pause, question, and escalate - is what determines how privacy is practiced in the moments that matter.
Over five years, the Global Privacy Culture Survey (GPCS) has been designed to make that gap visible. By measuring employee awareness, confidence, and day-to-day practices across twelve privacy domains, the survey provides insight into where capability exists, where it’s weakest, and - critically - where it varies across different parts of the organisation. For enterprises, this enables precision in targeting interventions across complex structures; for smaller organisations, it reveals whether foundational practices are embedding or whether growth is outpacing governance.
1.1. What Privacy Leaders need from culture measurement
Privacy leaders who measure culture effectively report several practical benefits. Culture measurement can reveal whether awareness is genuinely embedded or concentrated in specific teams, providing a foundation for Training Needs Analysis that targets resources where they’re most needed. It can help evaluate whether training investments are improving confidence and day-to-day decision-making, not merely completion rates. And in certain contexts - when a newly appointed DPO is establishing a baseline, or when M&A activity introduces new risk exposure - culture measurement serves as discovery and due diligence, revealing gaps that might otherwise remain invisible until they become incidents.
Establishing that first baseline can be uncomfortable. It may challenge assumptions about what previous training has achieved, or surface gaps that feel daunting to address. But the value lies in treating that baseline as a starting point rather than a verdict - identifying the clearest signals, understanding where capability sits relative to others (whether near the top quartile or in the bottom 10%), and building interventions that create measurable momentum over time.
1.2. What we measure and how to read this report
The survey examines 12 privacy domains through 50 questions that employees answer on a seven-point scale. The questions are not technical quizzes - they measure awareness, literacy, and opinions about process and organisational mentality.
The same dataset is analysed through three complementary lenses:
- Domain lens: Which privacy themes are relatively stronger or weaker (the “what”)
- Attribute lens: What’s driving those results - Knowledge, Behaviours, Attitudes, Perceived Control (the “why”)
- Persona lens: Actionable employee segments that help tailor interventions (the “who”)
Results are presented as a normalised index relative to the annual average, which reduces the influence of any single participating organisation. Our proprietary approach uses a Culture Index - combining score and response rate - and adjusts for base size to maintain “signal strength”.
We describe shifts directionally (e.g., “moderate positive”, “strong negative”) and focus on the clearest patterns. Before examining any culture scores, we consider the “baseline signal” - the participation rate itself - which signals whether the organisation genuinely cares about privacy culture or views measurement as a compliance exercise. To put it another way, the participation rate is a leading indicator of cultural readiness.
1.3. The 2025 story: cultural tension between values and capability
Attribute lens: “I care, but I can’t cope”
The 2025 attribute pattern reveals a striking tension.
- Employees increasingly value privacy (Attitudes ↑0.17),
- yet feel less equipped (Knowledge ↓0.07),
- and less empowered (Perceived Control ↓0.14) to act on that commitment.
- Behaviours barely move (↑0.03), suggesting a persistent gap between intention and execution.
This pattern could reflect the compounding effects of rapid technological change - shadow AI adoption, proliferating SaaS tools, escalating cyber threats - where employees recognise the stakes but struggle to keep pace. It may also suggest that deeper knowledge reveals greater complexity: as employees become more privacy-literate, they recognise the nuance involved and assess their own capability more cautiously.
Implication: Lifting Knowledge requires training; lifting Perceived Control and converting intention into Behaviour typically requires enablement - clearer guardrails, better tooling, visible leadership signals, and reduced friction in daily workflows.
Domain lens: reactive improving, proactive declining
The 2025 domain results suggest organisations are strengthening reactive capabilities.
- Data Breach & Incident Management (↑0.2),
- Data Security (↑0.2),
- Compliance & Monitoring (↑0.1).
While proactive, documentation-driven practices decline:
- Records of Processing & Lawfulness (↓0.3),
- Data Subject Rights (↓0.2),
- Retention & Deletion (↓0.2).
One hypothesis: organisations have invested heavily in incident response and security awareness, driven by high-profile breaches and board attention to cyber risk, while foundational data governance has struggled to keep pace with proliferating systems and processing activities.
The sharpest insight: employees can’t identify a DSAR
Within the Data Subject Rights domain (↓0.2 overall), one question index decreased dramatically: “Can identify a Data Subject Request” declined by 0.44 - the single largest question-level drop in 2025.
Employees may understand rights conceptually, but they’re losing confidence in their ability to recognise a DSAR in the wild - whether it arrives via email, phone, or social media. This is a critical operational gap: if employees can’t spot a request, they can’t escalate it, and the organisation’s ability to meet regulatory deadlines is materially weakened.
The problem compounds: even when employees do recognise a potential DSAR, confidence in reporting it immediately has also declined sharply (↓0.27). This suggests that escalation pathways may be unclear, that employees worry about raising false alarms, or that previous experiences of escalating have been frustrating enough to create hesitation. The combination - can’t identify, and uncertain about escalating even when they do - creates a double failure point that leaves requests languishing unaddressed.
This pattern could reflect increased DSAR complexity (requests embedded in complaints, phrased vaguely or informally), higher volumes creating fatigue among frontline teams, or simply that training hasn’t kept pace with the evolving ways individuals exercise their rights.
1.4. The five-year review: where functions concentrate risk and strength
Drawing on five years of data, patterns emerge in how business functions perform across privacy themes. Three findings warrant attention:
Legal struggles with Records of Processing (↓0.68): Legal functions rank near the bottom overall and show particularly low confidence in RoPA and Retention & Deletion. This counter-intuitive pattern could reflect the fact that deeper expertise reveals greater complexity - Legal professionals may recognise the nuance and edge cases in these domains, leading to more cautious self-assessment than functions with less regulatory exposure. Distinguishing between genuine capability gaps and professional humility can often require moving beyond survey data to facilitated workshops.
Development shows risky practices: Development is the weakest performing function overall, with particularly low scores in Retention & Deletion (↓0.54) and Risk Management (↓0.54). This dual weakness could signal a “ship fast, document never” culture where DPIA completion and data lifecycle management are afterthoughts rather than embedded practices.
Customer Services excels at Data Subject Rights (↓0.22): Customer Services scores above the functional average on DSAR handling, demonstrating that targeted training can work when aligned with operational reality. Frontline teams handling customer requests daily show measurably higher confidence - evidence that investment in role-specific enablement delivers returns.
1.5. Personas: the power of variance
The 2025 survey introduces an employee persona lens - a rules-based model that segments the workforce into behaviourally distinct groups.
On average, 14% of employees qualify as “Compliance Champions” (consistently high scores across domains) - but this varies dramatically from 4% to 23% across organisations. A 23% Champion population suggests a strong, federated privacy culture; 4% suggests an isolated DPO struggling to distribute accountability.
Similarly, 15% are “Privacy Beginners” (weaker scores, aware of their gaps), ranging from 6% to 26% across organisations. High Beginner populations aren’t necessarily problematic - they indicate self-awareness. Low Beginner populations in otherwise weak cultures may signal dangerous overconfidence.
Most critically, about 2% of employees score low enough on security questions to qualify as “Security Risks”, but this ranges from 0% to 9% across organisations. A 9% Security Risk population is a red flag requiring immediate drill-down to team level for targeted intervention.
This variance reveals that culture measurement isn’t only about your score - it’s about where risk and strength concentrate, enabling precision in resource allocation.
1.6. AI and foundational behaviours
The foundational behaviours we measure - DPIA completion, RoPA maintenance, minimisation discipline - provide a firm base for the disciplines needed around responsible AI. If employees don’t document traditional systems or complete risk assessments for established technologies, they’re unlikely to do so for generative AI tools either. The sharp decline in RoPA confidence (↓0.3) and ongoing Risk Management struggles could both signal increased vulnerability to undocumented AI adoption and shadow AI proliferation.
1.7. Where this leaves us
The 2025 data suggest organisations are navigating cultural tension: employees increasingly recognise that privacy matters, but feel less equipped to translate that recognition into confident action. Reactive capabilities — breach response, security awareness — are strengthening, while proactive governance practices strain under technological proliferation.
For Privacy Leaders, this presents both risk and opportunity. Foundational practices like RoPA maintenance, retention enforcement, and DSAR handling may erode further if left unaddressed. But rising Attitudes scores indicate cultural readiness: employees want to do the right thing, and interventions that reduce friction and provide enablement are more likely to land effectively.
The five-year lookback and persona-based segmentation provide lenses for targeting those interventions with precision. Privacy culture isn’t built through organisation-wide campaigns alone—it’s built by identifying where capability is weakest, understanding why, and designing responses that address root causes.
Looking ahead
When we launched this survey in 2021, quantitative measurement of privacy culture at scale was largely unexplored. Five years on, the evidence demonstrates that culture patterns are observable, trends are trackable, and the insights genuinely help privacy practitioners move beyond compliance toward embedding privacy as a business capability. As AI and technological change intensify privacy challenges, the ability to measure culture — not just document policy — becomes more critical. The next five years of the Global Privacy Culture Survey will deepen that evidence base, refine these methods, and expand the conversation about what effective privacy culture requires. If these findings resonate — or challenge your assumptions — we’d welcome continuing that conversation.
The Global Privacy Culture Survey 2025 helps privacy leaders move from instinct to evidence.
- See where privacy is understood and where it is assumed
- Reveal where risk concentrates, not just where it exists
- Separate signal from noise using five years of data
- See how the report supports defensible prioritisation
- Connect culture insight to practical action
- Provide language and structure for internal conversations
The result is clearer decisions, better use of limited resources, and fewer surprises when regulators or incidents test your programme.