Study measures the state of privacy culture in 2025

New research by PrivacyCulture highlights a persistent gap between formal organisational compliance and embedded privacy culture. The Global Privacy Culture Survey 2025 reveals that, despite most businesses having established policies and training programmes, true culture is defined by how employees act during moments of ambiguity, such as identifying informal data requests or evaluating new software tools. This discrepancy between implemented policies and employee understanding is identified as a primary source of institutional risk.

Data from the 2025 survey shows a growing tension: while employees increasingly value privacy, they often feel ill-equipped to take confident, proactive action. On a positive note, the findings indicate that reactive capabilities, including security awareness and breach response, are currently strengthening. In contrast, proactive governance practices, such as enforcing data retention policies, identifying subject access requests (SARs), or maintaining Records of Processing Activities (RoPA), are struggling amid the rapid proliferation of new technologies and processing activities.

The survey suggests that privacy culture is not effectively built through broad, organisation-wide campaigns. Instead, it requires precise interventions based on persona-based segmentation to address specific weaknesses in capability. Despite the erosion of some foundational practices, rising scores in employee attitudes indicate a cultural readiness to improve. The report concludes that privacy leaders should focus on reducing friction and providing practical enablement, as workers generally desire to handle data correctly but require clearer guidance to translate their instincts into effective day-to-day practice.

Training Announcement: Freevacy offers a range of short one-day courses on a range of data-related subjects, including data protection topics such as conducting DPIAs and privacy-by-design, as well as how to use AI tools responsibly, cybersecurity best practices, and information access. The interactive sessions cover basic concepts through to advanced examinations of specific areas. Find out more.