Written by Liz Taylor

Information Governance: the Trials and Tribulations of a career in Data Protection

Published on 29 Jun, 2026

Working in information governance and data protection is rarely straightforward. The legal framework changes, technology evolves, organisations want to pursue new opportunities, and expectations of clients and service users continue to grow. Yet despite decades of development in the field, many of the challenges facing information governance professionals remain remarkably familiar.  

Having worked with data protection since the late 1990s, I’ve seen the profession evolve from a niche specialism that few people understood into a discipline that has a much higher profile within organisational governance. Along the way, I’ve learned valuable lessons about risk, influence and communication, which help me deal with the realities of being a Data Protection Officer (DPO). 

This article explores some of those lessons and reflects on the personal and professional challenges that come with working in information governance. 

From the 1990s to the UK GDPR: A Changing Landscape

When I first started dealing with data protection in the 1990s, awareness of the topic was limited. Interpretations of the legislation could vary significantly and arguably still do today in some areas. 

The 2000s were, in many ways, what I call the dark ages of data protection awareness. Explaining your job often generated blank stares. Friends and family rarely understood the role, and many organisations viewed data protection as a peripheral concern. 

The introduction of the GDPR changed that. While the media’s focus on large regulatory fines was unhelpful, it had one undeniable benefit: senior leaders started to pay attention. Data protection became a board-level issue, and governance professionals found themselves with greater visibility and influence. 

Lessons to reflect on

Accept That You Will Never Have All the Facts 

One of the most important lessons I learned early in my career is that information governance professionals are rarely fully informed. 

People often don’t realise that information they possess is relevant to your decision-making process. Sometimes they genuinely don’t know. Other times they may believe that withholding information will lead to a more favourable or easier outcome. 

As a result, many decisions are made against a backdrop of uncertainty. 

This is where context becomes critical. Data protection professionals are often asked for definitive answers, but the reality is that many situations depend on a complex mix of factors. The answer to most data protection questions remains the same, as highlighted by many in the field: 

“It depends.” 

The challenge is learning to make informed, justifiable decisions using the information available at the time, while remaining open to revisiting those decisions as new information emerges.

Why Information Governance Professionals Should Be Everyone’s Friend

One of the peculiar realities of the profession is that your role is to help the organisation succeed while simultaneously identifying risks that others may sometimes prefer not to hear about. 

As a result, information governance professionals are often perceived as blockers. 

In reality, this perception usually arises when information governance is introduced too late. If a project is already underway, budgets have been committed, and expectations have been set, any governance concerns can feel like obstacles. 

The solution is simple in principle but difficult in practice: become involved early. 

Data protection by design does not usually happen accidentally. It requires information governance professionals to build relationships, establish trust, and create mechanisms that ensure they are engaged before decisions become irreversible. 

Beware the “Shiny Box” Syndrome 

Every organisation has these moments. 

A senior leader visits another organisation, attends a conference, or discovers a new technology online and immediately wants to implement it. Governance, risk assessment, and privacy considerations often become secondary concerns. 

These situations are reminders that enthusiasm and innovation are not substitutes for governance. The role of the DPO is not to stop innovation but to ensure that organisations understand and manage the risks associated with it. 

Building Resilience in the Role 

Working in data protection can be emotionally demanding. Decisions are often scrutinised, disagreements are common, and expectations can be unrealistic. Sometimes you can be dealing with some really sensitive information that has had a significant and detrimental effect on the people whose data it is.

Over time, I’ve developed several coping strategies. 

Be Honest With Yourself 

No one gets every decision right. 

The most effective professionals are willing to acknowledge mistakes, learn from them, and improve their approach. At the same time, it’s important to distinguish between genuine mistakes and situations that were simply outside your control. 

Reserve the Right to Change Your Mind

New information emerges constantly. 

Good information governance requires flexibility in approach. If circumstances change or additional facts come to light, it may be appropriate to revise previous advice. Being willing to do so demonstrates professionalism, not weakness. 

Think About Difficult Issues Before They Happen 

Certain topics, such as confidentiality, data sharing, and conflicts of interest, arise repeatedly. 

Thinking through your approach in advance allows you to respond more effectively when difficult situations occur. Developing clear principles and boundaries, as well as understanding all the factors that contribute to decisions, can make challenging decisions easier when the pressure is high. 

Choose Professionalism Over Emotion 

Many information governance professionals can recall meetings or emails that tested their patience. 

Experience teaches an important lesson: responding emotionally rarely improves the outcome. Taking time to reflect before reacting often leads to better decisions and more productive relationships. 

Understanding Risk: Speaking the Same Language 

Risk is often a misunderstood concept in data protection, and there is no accepted way to think about risk despite it being critical to developing appropriate organisational controls. 

When organisations discuss risk, they are often referring to corporate risk: financial impact, reputational damage, operational disruption, or regulatory consequences. 

Data protection legislation, however, focuses on risk to individuals. 

These are not always the same thing. 

When different stakeholders use the same terminology but mean different things, misunderstandings are inevitable.  

A key challenge for DPOs is ensuring that conversations remain focused on risks to data subjects while still engaging effectively with broader organisational risk frameworks. 

Managing Conflicts of Interest 

Few areas of the DPO role generate more discussion than conflicts of interest. 

The legislation requires DPOs both to advise on compliance and to monitor compliance. This naturally raises questions about independence and objectivity. 

Can a DPO monitor the effectiveness of advice they previously provided? 

In practice, most organisations expect them to do exactly that. 

The reality is that many organisations do not have the resources to separate advisory and monitoring functions. The key is recognising where genuine conflicts may arise and implementing safeguards to manage them. 

Personally, I maintain clear boundaries around operational decision-making. I will provide advice, identify risks, and support decision-makers, but I avoid making final decisions where it could be argued that I have determined the purposes or means of processing. 

Conflict management is less about eliminating every possible conflict and more about recognising risks, maintaining transparency, and documenting how those risks are managed. 

Qualifications, Competence, and Credibility for Information Governance Professionals 

One of the ongoing debates within the profession concerns qualifications. 

Should DPOs hold formal certifications? Are practical skills more important than academic knowledge? Is there a recognised pathway into the profession? 

Unlike many established professions, and despite some standards being articulated by the UK GDPR, data protection lacks an accepted career route. Professionals arrive from legal, compliance, audit, information security, records management, and operational backgrounds. 

While qualifications can be valuable, they are only part of the picture and, for DPOs, are not required to comply with the legislation. 

The most effective information governance professionals typically combine: 

  • Strong knowledge of legislation 
  • The ability to interpret legal requirements in context 
  • Excellent communication skills 
  • Pragmatic problem-solving ability 
  • Sound risk-based decision making 

Data protection: looking ahead

The future of data protection will undoubtedly be subject to lots of changes as legislation continues to evolve. Emerging technologies will create new challenges, and organisations face increasing pressure to balance innovation with compliance. 

What is certain, however, is that the need for skilled information governance professionals will remain. 

Whether the role of the DPO changes or is rebranded in the years ahead, organisations will continue to need people who can interpret complex requirements and ensure appropriate controls are in place, communicate effectively, and help navigate risk.  

After more than two decades working in the field, I remain optimistic. Data protection has been with us for a long time, and it will continue to play a critical role in how organisations operate. 

Most importantly, despite all the challenges, it remains a fascinating and rewarding profession: one that offers opportunities to learn something new every day. 
