Training completion rates are not evidence of understanding
Every year, organisations run their data protection training. Every year, they report the completion rate. And every year, people handle data in ways that create incidents.
The two things are connected. Not because training is useless, but because completion is the wrong thing to measure. Knowing that 94% of your staff clicked through a module tells you nothing about whether any of them would recognise a data subject request arriving as a casual email, or know what to do with personal data they should have deleted two years ago. Those are the moments that generate incidents. The training module is not one of them.
The research is uncomfortable
Researchers at Leiden University analysed 69 studies on privacy and security training [1]. Training reliably improves what people know and how they feel about privacy. Its effect on what they actually do is close to nil. The largest trial run on this question tracked nearly 20,000 employees over eight months and found that people who had just completed training clicked on phishing emails at essentially the same rate as those who had completed it a year earlier [2].
Proofpoint found that 68% of employees knowingly took risky actions in 2024 despite understanding the risk [3]. ISACA found that poor or inadequate training was cited as the most common privacy failure by 47% of organisations in 2024 [4], rising to 51% in 2026 [5]. More training. More completions. More failures.
What the external research describes in scattered pieces, our own five-year dataset captures as a single coherent pattern. PrivacyCultureLens measures the culture of privacy through five attributes: what employees Know, how they Behave, their Attitudes toward privacy, their Perceived Control over their own actions, and the Culture signals they pick up from the organisation around them. Four of these draw on the Theory of Planned Behaviour, the behavioural science framework that has been used for four decades to explain why people do what they do. The fifth, Culture, captures what peers, managers, and leadership normalise day-to-day. Training can lift one of these attributes. It rarely lifts the others. And without all five moving together, incidents keep happening.
What the survey shows
The Global Privacy Culture Survey measures what employees understand and how confident they feel applying it across twelve privacy domains [10]. It has been running for five years. What the 2025 data shows is specific enough to act on.
Employees care more about privacy than they did: Attitudes rose 0.17 points in 2025. But Knowledge fell 0.07, Perceived Control dropped 0.14, and Culture and Behaviour each barely moved, at 0.03. This is the 'I care but I can't cope' pattern, and it is not rhetorical: it is measurable across five distinct attributes, each of which points to a different intervention. Training raises Knowledge. Enablement and tooling raise Perceived Control. Leadership signals shift Attitudes. Peer norms and visible day-to-day practice shift Culture. Only when these align does Behaviour follow. The attribute lens tells you which of those levers is broken in your organisation, so you know which one to pull.
The sharpest number in the dataset: confidence in the ability to identify a Data Subject Access Request dropped by 0.44 points in one year [10], the largest single movement on any question this year. People understand in principle that individuals have rights. What they are losing is the ability to recognise a request when it arrives as "can you tell me what you hold on me" rather than in formal regulatory language. If they cannot spot it, nothing downstream matters. The statutory response clock does not start. The request goes nowhere.
At domain level the pattern repeats. Breach response improved. Data security improved. These attract board attention and investment follows. But Records of Processing fell by 0.31 [10]. Data Subject Rights fell by 0.21 [10]. Retention and Deletion by 0.16 [10]. The quiet foundational work is getting worse while the visible response capability gets better. Organisations are becoming sharper at responding to incidents caused by gaps they are not addressing.
Why this keeps happening
Organisations invest where the pain is obvious. A breach is obvious. A fine is obvious. An incomplete record of processing activities is invisible until a regulator asks for it. A retention policy nobody enforces builds risk slowly and silently over years.
The pace of change is making it worse. The survey shows confidence in Records of Processing falling sharply [10]. The honest explanation is not that people stopped trying; it is that the environment has outrun the tools used to document it. Shadow AI, new SaaS tools adopted without privacy review, and cloud migrations add new data flows faster than any manual process can track. Three years ago a spreadsheet might have been adequate. Today it is out of date before it is finished.
What regulators actually expect
The ICO does not ask whether training was delivered. It asks whether people understood it [7]. Article 32(1)(d) of the UK GDPR requires a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures in place, not merely a record that those measures exist.
The enforcement record makes this concrete. In several ICO cases, training had been delivered but was neither specific to the role nor tested for comprehension. The Romanian data protection authority fined a bank €100,000 after an employee shared a customer's bank statement on WhatsApp [9]. The finding was not that training had been absent; it was that the training had not worked. Across the EU, the EDPB has identified training effectiveness as a systemic weakness. France's CNIL now sets detailed criteria for what effective training looks like [8], and the bar is demonstrated understanding, not attendance.
The completion report is becoming a weaker defence.
What actually works
The 2025 survey has one result that points the right way. Customer Services scores well above average on Data Subject Rights, the domain containing the question that fell most sharply overall [10]. Not because they received better training, but because for them, handling data subject requests is part of the daily job. They see real requests, and they practise recognition repeatedly. Confidence builds through relevance and repetition, not through module completion.
Only around 7.5% of organisations currently tailor training to the risk profile of the person receiving it [3]. When training maps to real situations people actually face, it produces different results. The same logic applies to measurement. Stop asking who completed the module and start asking whether the person handling your highest-risk data could tell you in plain language what they would do if something went wrong. Ask that question in a team meeting on Monday morning. The answer will tell you more than any completion report.
The gap
Most organisations can tell you their completion rate. Very few can tell you which team carries the most privacy risk right now, or whether anything changed as a result of last year's training spend. That is the gap the Global Privacy Culture Survey exists to close. Not by replacing training, but by measuring what training is supposed to produce.
Completion rates will satisfy an audit. Understanding is what stops incidents.
Find out more about how we measure privacy culture, including our Culture as a Service programme
Sources
[1] Leiden University - Assessing the effect of cybersecurity training on end-users: a meta-analysis https://scholarlypublications.universiteitleiden.nl/handle/1887/4195663
[2] UC San Diego - Cybersecurity Training Programs Don't Prevent Employees from Falling for Phishing Scams https://today.ucsd.edu/story/cybersecurity-training-programs-dont-prevent-employees-from-falling-for-phishing-scams
[3] Proofpoint - State of the Phish 2024 https://www.globenewswire.com/news-release/2024/02/27/2835744/35374/en/Proofpoint-s-2024-State-of-the-Phish-Report-68-of-Employees-Willingly-Gamble-with-Organizational-Security.html
[4] ISACA - Privacy in Practice 2024 https://www.isaca.org/about-us/newsroom/press-releases/2024/privacy-budgets-expected-to-decrease-in-2024-new-research-from-isaca-reveals
[5] ISACA - Privacy Teams Are Shrinking and Increasingly Stressed 2026 https://www.isaca.org/about-us/newsroom/press-releases/2026/new-isaca-study-privacy-teams-are-shrinking-increasingly-stressed
[6] UK Government - Cyber Security Breaches Survey 2025 https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025
[7] ICO - Training and Awareness - Data Protection Audit Framework https://ico.org.uk/for-organisations/advice-and-services/audits/data-protection-audit-framework/toolkits/accountability/training-and-awareness/
[8] CNIL - Standard on data protection training programmes https://www.cnil.fr/en/what-you-should-know-about-our-standard-data-protection-training-programmes
[9] GDPRhub - Romanian DPA fine against Banca Transilvania https://gdprhub.eu/index.php?title=ANSPDCP_-_Fine_against_Banca_Transilvania_SA
[10] Privacy Culture - Global Privacy Culture Survey 2025 https://www.privacyculture.com/gpcs-2025