Your organisation has data protection policies. There's probably a privacy notice on the website, a document somewhere that covers how you handle personal data, maybe even a record of the training session you ran last year. You've done the work. Or at least, it feels that way.
But the ICO, the Information Commissioner's Office, the UK's data protection regulator, won't ask "do you have policies?" When they investigate, they ask two much harder questions: "Could your staff explain their responsibilities and how they are carried out in practice?" and "Does the record match what people are actually doing?"
For most UK organisations, the honest answer to both questions is "not always." And the difference between what's on paper and what's actually happening is where almost every data protection failure begins.
The numbers that expose the gap
Three independent government-commissioned surveys – the Cyber Security Breaches Survey 2025, the UK Business Data Survey 2024, and the ICO's own Data Controller Study 2025 – converge on the same picture.
72% of UK businesses say cyber security is a "high priority." Only 35% have a formal policy. Only 29% conduct risk assessments. Put those three numbers side by side and the gap becomes obvious: what organisations say they care about and what they're actually doing about it don't correlate.
The rest of the picture is just as stark. 76% of organisations have one person or fewer responsible for data protection, and in practice, "one person" often means an already busy employee who inherited the role alongside their existing job. 81% of businesses with employees spent less than one hour on data protection training in the preceding 12 months. A quarter didn't even know they were required to register with the ICO at all.
And one number that should worry anyone at board level: board-level responsibility for cyber security has declined from 38% to 27% since 2021. Data protection is getting more complex, the regulatory expectations are getting clearer, and senior management attention is drifting in the opposite direction.
What the ICO actually looks for
The UK GDPR imposes a dual obligation that most organisations don't fully appreciate. Article 5(2) requires you to comply with data protection principles. Article 24 requires you to demonstrate that compliance, through appropriate measures that are proportionate, risk-based, and kept under review.
The word "demonstrate" does a lot of heavy lifting in that sentence. It means the ICO doesn't just want to see that you have the documentation. It wants clear evidence that the documentation is fully understood, followed, and reviewed. That the people who handle personal data know what they're supposed to do and can explain why.
The ICO's October 2024 Data Protection Audit Framework codifies this expectation across nine toolkits – from accountability and training to breach management and information security. But you don't need to memorise the framework to understand what it's really asking. Two questions cut through everything: does what happens in your organisation correlate with what your policies say should happen? And can the people responsible for following those policies explain the requirements and procedures?
If the answer to either question is "possibly not," you have documentation, but you don't have governance.
What goes wrong when policies don't work
The enforcement cases from 2024 to 2026 keep repeating the same story. Every major case had data protection policies. What none of them had was the bridge between those policies and what people actually did.
The Police Service of Northern Ireland was fined £750,000, the highest penalty imposed on a UK public body, after a spreadsheet error in a Freedom of Information response exposed the personal information of all 9,483 serving officers and staff. Names, ranks, locations, roles: everything you'd need to identify every officer in the service. In the context of Northern Ireland, where sectarian threats remain real, this wasn't just an administrative embarrassment. Officers changed their daily routines. Some even moved house. PSNI had data protection policies and delivered training. What they lacked was an adequate sign-off procedure for the specific task of disclosing data in response to FOI requests. The policy existed at the organisational level. The absence was at the desk level, the point where someone actually handles the data.
Every organisation I've worked with has a version of this problem somewhere. There's a policy that covers the broad strokes, and then there's a specific task, exporting a weekly report, responding to a request, sharing data with a third party, where nobody explained or wrote down what the person doing the task should actually check before they press send.
Capita's story is even harder to explain away. Three separate penetration tests had identified security vulnerabilities. Nobody fixed them. The internal security operations centre had been running understaffed for six months. When the ransomware attack hit, a high-priority alert was raised within 10 minutes, yet the response took 58 hours, against an internal target of one hour. 6.6 million people were affected. The fine was £14 million. The organisation understood what went wrong. The policies existed. The fixes were identified. The work hadn't been completed.
DPP Law, a Liverpool firm fined £60,000 after a cyber attack, illustrates a different failure. Staff "didn't think" the data theft constituted a reportable breach, resulting in a 43-day notification delay against a 72-hour legal deadline. It was the first case where the ICO cited late notification as an aggravating factor. The training was in place; the understanding of how to apply it wasn't.
The same pattern appears in smaller cases. The Staines Health Group had training but no written procedures for handling insurance data requests. Central YMCA delivered training but failed to provide role-specific guidance. Around three quarters of incidents reported to the ICO are non-cyber, non-sophisticated incidents, simply the result of human and procedural failures. The kind that good governance, rather than advanced technology, is supposed to prevent.
How to tell whether your policies are actually working
You can test this yourself, without a consultant or an audit. Ask four questions.
Pick any data protection policy your organisation has – could the person responsible for following it explain what it requires, right now, without looking it up? If the answer is no, the policy isn't governing anything. It's just a document sitting idly in a folder.
When did someone last check whether what actually happens matches what the policy says should happen? Policies written two years ago for an older version of your operations aren't aligned with the organisation you're running today. If nobody has reviewed the match between documentation and practice, the drift is growing by default.
If you received a subject access request – a request from someone to see the personal data you hold about them – does your team know who handles it and what the 30-day deadline involves? In practice, the 30-day deadline is much tighter than it sounds, especially when personal data is scattered across email, shared drives, and a system nobody's logged into since 2019. Subject access requests are the most common operational test of whether data protection governance actually works. They arrive without warning, they have a hard deadline, and they expose data governance weaknesses.
Has your data protection training ever been assessed? Not completed: assessed. The ICO's Training and Awareness Toolkit expects role-specific, ongoing training with a minimum pass mark. Completion is not the same as understanding. An organisation where everyone has completed a module is not the same as an organisation where everyone can explain their responsibilities relative to the daily tasks they complete.
These questions aren't a compliance checklist. They're the difference between an organisation that has policies and an organisation where those policies are actioned as an integral part of daily workflows.
The framework is settled – is your governance?
The Data Use and Access Act 2025 put this beyond doubt. The earlier DPDI Bill had proposed weakening several accountability requirements: data protection officer obligations, records of processing requirements, data protection impact assessment requirements, and the Article 5(2) accountability principle. The enacted DUAA retained every one of them. The ICO's guidance was updated in February 2026 to reflect the settled position.
Any organisation that was waiting to see if the new legislation would soften requirements has run out of reasons to wait. And a new obligation is coming: from June 2026, organisations must have a formal internal complaints-handling procedure. That requires functioning governance, not just documentation.
Let's circle back to the cases we've looked at. They all had policies. They all had training. What they didn't have was verifiable procedures to ensure that the written policies translated into daily practice. The gap between policy and practice was never a failure of intent; it was a failure of implementation and understanding at the point where the data was actually handled.