data protection

A marketing manager adds a customer’s email to a campaign list without checking consent records. A support agent shares a user’s account details with someone claiming to be their spouse. A developer copies production data containing real names and addresses into a staging environment.

None of these people intended to violate the GDPR. All of them did.

The General Data Protection Regulation has been enforceable since May 2018. Eight years in, fines keep climbing. The Irish Data Protection Commission fined Meta EUR 1.2 billion in 2023 for illegal data transfers to the US. The Italian Garante fined OpenAI EUR 15 million in late 2024 for ChatGPT’s privacy violations. These headlines grab attention, but the pattern behind them is consistent: organizations that treated GDPR as a legal department problem instead of a company-wide responsibility.

Your lawyers can’t prevent the marketing manager from misusing consent data. Your DPO can’t watch every developer’s staging environment. The only thing that scales is training, and most GDPR training programs are doing it wrong.

A systems administrator at a defense contractor copies classified schematics to a personal USB drive over the course of three months. His badge still works. His credentials are valid. He passes the same security checks as everyone else. Nothing in the firewall logs, intrusion detection system, or email gateway catches a thing.

When the breach is finally discovered, it is not because a tool flagged it. A coworker noticed he was accessing project folders he had no business being in and mentioned it to their manager. That conversation, uncomfortable as it was, prevented months of additional exfiltration.

External attackers need to break in. Insiders are already inside.