Culture surveys: making people risk visible
When the ICO gets sharper with its criticism of government breaches, it hits on a point we know well.
Privacy professionals have always understood that systems and controls can only go so far. The real test is whether staff care enough, notice enough, and act quickly enough when it matters. This depends on the culture within the organisation, which in many cases is still treated as a black box.
The cultural blind spot
Every breach report that cites “human error” is really pointing to a cultural weakness. Did staff feel safe to raise their hand when something went wrong? Did leaders make privacy a visible priority? Was the process clear enough to follow under pressure?
Organisations often assume culture is either “good” or “bad” in a general sense. In reality it is uneven. A legal team might be sharp on process but hesitant to challenge senior managers. A regional office might quietly ignore reporting lines because local habits prevail. A finance function might view privacy as someone else’s problem. These gaps in attitude and behaviour are rarely visible on risk registers.
Measuring the invisible
That is where a culture survey comes in. Instead of guessing at where culture is weak, you ask staff directly about behaviours, perceptions, and confidence. The questions are designed to reveal whether people:
- feel ownership of privacy outcomes,
- believe leadership backs them,
- know how to act in a crisis,
- think colleagues would support them if they spoke up.
Not just a snapshot
The value grows when the survey is repeated. Culture is not static; it is always evolving. Stress, turnover, external scrutiny, or a shift in leadership style can change it. Running the survey at intervals lets you see whether interventions are working. Each time staff are asked, they are reminded that privacy is part of the job, not a side task.
This ongoing pulse strengthens culture as much as it measures it. Staff know someone is paying attention, and that alone can shift behaviour.
Benchmarks that carry weight
As privacy professionals, we are often asked by boards: “how do we compare?” A culture survey that benchmarks against external scores gives a clear answer. It allows you to say, with evidence, whether your people gaps are wider or narrower than sector norms.
That matters when persuading leadership to act or when regulators come calling. Demonstrating that you have measured, benchmarked, and responded to cultural risk is a far stronger position than claiming generic training covers the issue.
Turning insight into cultural change
A survey only earns its keep if it leads to action. That means targeted, culturally aware interventions:
- reinforcing visible leadership where staff feel unsupported,
- building peer champions where confidence is low,
- tailoring training to departments whose work patterns make errors more likely,
- addressing over-confidence as much as under-confidence.
The goal is not to “fix” culture in a single sweep, but to tune it, shift it, and keep it alive as part of everyday practice.
Why this matters now
Regulators are more assertive. The public mood is less forgiving. “Human error” is no longer an excuse; it is evidence of poor preparation.
A culture survey is one of the few tools that gives clarity here. It takes culture from something intangible to something measured, tracked, and improved. It gives the organisation a clear direction towards building a more informed culture of privacy.
A cultural step forward
For those of us tasked with proving that privacy is more than paperwork, this is a practical next step. Running a culture survey shows you know where your organisation is strong, where it is exposed, and how it compares. It equips you to push back when culture is dismissed as “too soft to measure”.
Above all, it recognises that privacy lives in people, not policies. And if you want to reduce the breach headlines of tomorrow, culture is a good starting point.