PL&B UK January 2026
How to run a successful data champions programme
Data champions need to be carefully selected and nurtured so that organisations can make the most of this voluntary role. By Jenai Nissim and Claire Saunders of HelloDPO Law Ltd.
The role of the DPO can be a solitary one or so the 2024 survey by the Confederation of European Data Protection Organisations indicates. Based on input from over a thousand DPOs, the survey found that 42% of DPOs work alone, a further 19% only having one “support person”. This, accompanied by the increasing demands of the role (anecdotally we are aware that privacy teams are now being tasked with responsibility for AI compliance, something which seems to be a wider trend as indicated by the survey on the DPO’s role in relation to AI governance recently launched by France’s Data Protection Authority, the CNIL) means that even where the DPO has a privacy team to rely on, finding ways to spread the responsibility for data protection compliance throughout an organisation is only becoming more important. Over the last 10 years, our team has worked with clients to put in place data champion programmes to help DPOs and privacy teams free up their time to concentrate on more strategic matters whilst at the same time building a stronger privacy culture in their organisations. Along the way we have learned a thing or two about what works and what doesn’t.
What is a data champion?
Data champions are individuals with enhanced knowledge of and responsibility for data protection who help to ensure that responsibility for data protection is flowed down through an organisation on an ongoing basis. Of course, simply nominating an individual and giving them a title is not going to be enough, and the DPO/privacy team have an important role to play in ensuring a data protection champions programme is a success.
Why have data champions?
As we have already indicated, the DPO/privacy team can’t do it all. They can’t be in every team meeting, reminding each department of their responsibilities and keeping data protection at the front of everyone’s minds.
In the absence of department/team level input, there is a real risk of data protection becoming a tick box exercise which does not extend much beyond annual training, alternatively the DPO/privacy team may find themselves overwhelmed with basic enquiries because they are the first point of contact for all data protection questions. Neither situation is likely to be good for data protection compliance.
By developing a team of people who have current and in-depth data protection knowledge, it is possible to embed a culture of data protection within an organisation in a way that no single team or individual could. Done well, it can create a real sense of ownership and accountability at team level. As one client put it, it is about adopting the attitude that “compliance is everyone’s duty.”
This is also an example of resourcing at the right level to ensure efficiency in an organisation’s data protection compliance activities and, as the use of AI continues to grow in popularity, finding people who are willing to embrace change, use AI and come up with creative “compliance” ideas (yes these do exist) for how AI can be used as part of compliance activities, will be key to the success of a data champion’s role.
What can data champions do?
This very much depends on the needs of the organisation and deserves some careful consideration before you go out to “recruit”. Data champions can be involved in a range of activities, from everyday matters to simpler privacy projects. Some examples of tasks we have seen data champions take on include:
- Being the first point of contact for their team in relation to data protection queries and escalating any queries and concerns to the privacy team or DPO as appropriate.
- Promoting data protection best practice within their team.
- Assisting with keeping the organisation’s record of data processing activities (ROPA) up to date in relation to the activities of their team.
- Reviewing their team’s privacy notice annually to ensure it is accurate and up to date.
- Monitoring their team’s awareness and compliance with data protection policies and procedures, for example providing assurance that data is being destroyed in line with the data retention policy; and, ensuring that any personal data breaches that arise in the team are reported immediately to the privacy team/DPO in accordance with the organisation’s personal data breach management policy.
- Assisting in the roll out of data protection training and awareness; data protection policies and procedures; data protection audits and other monitoring arrangements.
Taking the time to consider where the pain points are in your data protection compliance programme, both at an organisational and team level and how data champions could best assist with these issues will help you to shape a clear role profile, setting out the tasks you want them to undertake. Knowing this will help you in the longer term when implementing AI compliance tools to simplify and target compliance risks. It is important at this stage to consider the best way to accomplish this in the context of how each team works, for example, are data protection queries best dealt with by email, or if they are more complex, at a drop in session, or could you use AI to create a privacy chatbot tailored for teams to use based on the types of privacy queries you receive?
Drawing up a data champion role profile will help give individuals an idea of what will be expected of them. You should also be clear about what the data champions are not expected to do, such as making decisions about data processing for their department, reporting personal data breaches to regulators etc. or going off and using a non-approved AI tool! You should also make clear at this point the support and training which will be available to help them perform their data champion tasks.
How to get the right people to be data champions
Now you have decided what you need the data champions to do; you need to spend some time finding people who will do well in the role and make sure you sell the benefits of the role.
In terms of picking the individual, they should be someone with enough authority to be able to direct projects such as ROPA updates and the ability to stand their ground if they get push back within the team/department. Choosing people who are also willing to embrace change, try (and fail) before succeeding with the use of AI is a must to help cover compliance tasks and keep costs low. You will, of course, need to have an eye to resourcing and the cost of using AI, and you will want to engage with team/department heads to get their input on who might be best placed to do it.
The most important quality in a data champion though? An enthusiasm for privacy! We have been in quarterly catch-up meetings where the champions are genuinely enthusiastic about sharing the progress their team has made and it’s truly infectious. If a data champion views the role as just an additional burden, it is unlikely to lead to good results. Encouraging the data champion to embrace change in terms of the way things are done and leverage their enthusiasm to try new things, like AI, is one of the key characteristics we look for in a data champion.
In terms of selling the role to potential data champions, there are a few different ways of doing this. There are great development opportunities in a role like this, which can give experience in project management, enhancing or developing privacy knowledge, dealing with a wider range of colleagues and developing a new area of expertise. The role also provides exposure to the wider business and can potentially improve inter-departmental relations and collaboration. You could also consider whether it is possible to provide some incentive/recognition in terms of job title or compensation as this is undoubtedly another way to incentivise individuals.
What is the right number of data champions?
The number of data champions will very much depend on organisation size, structure, industry and the willingness to adopt tech and AI to identify and manage privacy risks. It would be a mistake to think it is as simple as designating one individual per department. Whilst this may be appropriate in some cases, the question you need to ask is how many people you need to ensure responsibility for data protection is effectively flowed down into the teams/departments. Some departments may be more involved in high-risk processing, some might be very keen on using AI and so may need more support. Requirements may change over time, and you should keep the resource under review.
Put in the time
Designing an engaging and supportive data champions’ programme takes time. Simply designating individuals as data champions is not enough; in order for the programme to be successful you must dedicate ongoing resource to ensure you have data champions who have the training and support they need to properly fulfil their role and nurture the team so they do not feel that tasks have just been dumped on them.
It is a good idea to hold a welcome meeting and training session to kick off the programme. This can be used to set expectations and objectives. It should be an interactive session as this will allow you to seek the data champions’ views on how they think the programme will work in their teams. Being as clear as possible about expectations at this stage is key. It is also a good opportunity to set out the annual programme of meetings and training which they will receive to support them.
To set the scene for the work ahead, it helps to give an overview of where the organisation is in terms of its compliance, including the key risks and the strategy to resolve these, with an explanation of how the data champions can help to support this.
You should also set and review objectives on a quarterly basis. When running a long-term project such as this, keeping the momentum is essential. We have found having a quarterly focus for efforts is a good way to stop the programme from becoming stale and providing short term goals to meet stops the task becoming overwhelming. Objectives should be SMART to ensure the data champions have clarity as to what they need to achieve.
To support the data champions in meeting their objectives, they will need annual training tailored to their role and focussing on the core compliance areas for the year. Keep training interesting, use workshops and real-world scenarios and a test at the end to cement the training. We normally provide a half-day training session each year so data champions can get into the detail of their privacy tasks.
We have found monthly drop-in clinics work well as they give data champions the opportunity to raise queries and provide the DPO/privacy team with updates on projects. This can also limit the email traffic with queries and updates.
We have also had success with monthly newsletters keeping data champions informed of recent news stories with commentary relating to why it is relevant to the organisation and doing profile features on data champions and members of the legal and privacy teams.
If you start right and continue to put time and effort into the programme, it will pay dividends. One of our clients commented that “as time has gone on, we have had more and more buy-in and people are definitely more alive to data protection as data becomes more prevalent in the day-to-day job and growth ambitions of the company.”
You will also need to consider succession planning, putting processes in place to set out what training you give to your data champions so that you can get a new champion up to speed as soon as possible and making sure to regularly check if any of the data champions are due to leave. One client ensures that in high-risk areas there is a 1 to 1 meeting between the outgoing and incoming champion so they can bring them up to speed on what they need to know.
Be creative
As there are no specific legal requirements to comply with when setting up and running a programme, you can be creative with this. We have had “Data Doctors” and “Data Ninjas”, we have held sessions where the data champions share their experiences with each other and highlight things that have worked for them in their team. There is no prescribed format and so anything which keeps engagement levels high is to be encouraged!
Remember that information flow is a two-way street
Whilst, the data champions will need the benefit of your knowledge and assistance, they are also an amazing resource. As well as carrying out the designated tasks, they are better placed than the DPO/privacy team to understand where central messaging is not working, catch issues before they become problems and give an overview of the challenges that their team is facing, which can give a DPO valuable information in terms of where to focus strategic efforts.
Finally - show your appreciation!
Make sure you show your data champions how much you appreciate their help and how much of an impact their work makes.
All of us know that, at times, making people understand the importance of and prioritise privacy can be a challenging task, and it is important your data champions know they are valued and appreciated. Make time to show them the impact they have had on privacy challenges within the organisation. Be creative, host an awards ceremony or have a fun data protection quiz!
Running a successful data champions programme is not a quick fix, it takes time and effort, but, done well, it can free up DPO/privacy team resources for more important, strategic matters, ensure the basics of data protection are taken care of and even inspire others in the organisation to see data protection as a core element of how the organisation operates and to take pride in ensuring individuals’ privacy is put first.