When a journalist asks how you protect customer data, your answer should be clear, specific, and grounded in verifiable practice. Name the frameworks you operate under, describe how accountability is structured in your organisation, and speak to the ongoing nature of your governance rather than treating it as a one-time project. Regulated organisations in particular cannot afford vague or evasive responses — the question is as much a test of organisational maturity as it is a media inquiry. The sections below unpack every dimension of that answer, from what journalists are actually probing for to how your team can stay prepared at all times. If you want to talk through your current governance posture, feel free to get in touch with us, and we are happy to help.

What do journalists actually want to know when they ask about data protection?

When a journalist asks about data protection, they are rarely asking for a technical overview. They want to know whether your organisation takes the responsibility seriously, whether real accountability exists, and whether customers can trust you with their data. The question is a proxy for organisational integrity, and the answer signals whether governance is genuine or performative.

Journalists covering data protection stories are typically working from one of three angles. They may be investigating a specific incident, benchmarking how companies in your sector handle privacy, or responding to a regulatory development such as a new enforcement action or law. Understanding which angle applies shapes how you frame your response.

What they are listening for, regardless of the angle, includes:

  • Whether you can name specific frameworks, certifications, or standards you adhere to
  • Whether a named, accountable person owns data protection in your organisation
  • Whether your answer reflects ongoing practice rather than a past project
  • Whether you acknowledge risk honestly rather than claiming perfection

A journalist will notice immediately if your answer sounds rehearsed but hollow, or if it deflects to legal language without substance. What they remember is specificity combined with confidence.

What makes a data protection answer credible versus evasive?

A credible data protection answer is specific, present-tense, and tied to accountable people and processes. An evasive answer relies on vague assurances, passive constructions, and the absence of verifiable claims. The difference is immediately recognisable to any experienced journalist, and to regulators reading the coverage afterward.

Markers of a credible answer

Credible answers name real things. They reference a certification your organisation holds or is actively pursuing, identify the role responsible for data protection (such as a Data Protection Officer or Chief Information Security Officer), and describe how governance operates day to day rather than only at audit time. Phrases like “we continuously monitor” or “our governance cycle is aligned to” signal that protection is structural, not reactive.

Markers of an evasive answer

Evasive answers tend to use the passive voice heavily (“data is protected by multiple layers”), make claims without grounding (“we take security very seriously”), or redirect to legal counsel without providing any substantive response. These patterns do not just fail to reassure journalists — they actively raise suspicion. Evasion often becomes the story itself.

The credibility gap between these two types of answers is not just a communications problem. It reflects whether continuous governance is genuinely embedded in the organisation or whether data protection exists only on paper.

Which frameworks and certifications should you reference in your answer?

The frameworks and certifications you reference should be the ones your organisation actually operates under. For regulated organisations in the EU in 2026, the most relevant include ISO 27001 for information security management, GDPR for personal data processing, NIS2 for critical and important entities, and where applicable, ISO 42001 for AI governance and DORA for financial sector resilience. Referencing frameworks you are not actively implementing will backfire under scrutiny.

When speaking to a journalist, you do not need to list every standard. Instead, lead with the one most relevant to the context of the question, then briefly note others if they add meaningful depth. For example, if the question follows a story about an AI-related data breach, ISO 42001 and GDPR together are more relevant than a general ISO 27001 reference.

Beyond certifications, mention the governance structures that make those frameworks operational:

  • Regular internal audits and management reviews
  • Defined roles with explicit accountability for each governance domain
  • Documented incident response procedures
  • Supplier and third-party risk management processes

Certifications are the credential; governance structures are the proof. Journalists and regulators are increasingly sophisticated, and they will ask for both.

How should you handle the question if a data incident has occurred?

If a data incident has occurred, you should acknowledge it factually, describe the steps taken in response, and explain what has changed structurally as a result. Attempting to minimise, deflect, or avoid the topic when a journalist already has information about an incident is one of the most damaging things an organisation can do — both reputationally and legally.

The sequence of a credible incident response answer follows a clear pattern. First, confirm what happened at the level of detail that is accurate and appropriate to share publicly. Second, describe the immediate response actions taken, including notification to relevant authorities where required under GDPR or NIS2. Third, and most importantly, explain what the incident revealed about your governance and what has been put in place to prevent recurrence.

This third element is where organisations most often fall short. Saying “we have taken steps to improve our security” is not enough. A journalist will push for specifics: what steps, who owns them, and how you will know they are working. If your governance is genuinely continuous rather than reactive, you will have concrete answers to these follow-up questions. If governance has been treated as a periodic exercise, the absence of those answers becomes apparent very quickly.

One important practical note: in many regulated contexts, what can be said publicly during or immediately after an incident is constrained by legal and regulatory obligations. Coordinate with your legal counsel and your Data Protection Officer before any media response, but do not use that coordination as a reason to say nothing at all.

Who in the organisation should be answering this question?

The person answering a journalist’s question about data protection should be someone with direct operational knowledge of your governance structures, typically the Data Protection Officer, Chief Information Security Officer, or a senior executive who is actively involved in governance oversight. Routing the question to a communications team member who lacks that knowledge, or issuing a generic written statement, signals that governance is not a leadership priority.

In practice, the best answers come from a prepared combination: a spokesperson who understands the communication context, working from a briefing prepared by the person who owns governance day to day. This ensures the answer is both accurate and appropriately framed for a public audience.

Organisations that have embedded continuous governance into their structure tend to find this question easier to answer, because the people responsible for governance can speak to it from direct, current experience rather than from memory of a past audit. Role-based accountability, where specific individuals own specific governance domains on an ongoing basis, is what makes that possible.

How can organisations prepare so the answer is always ready?

Organisations can ensure the answer is always ready by treating governance as a permanent operational capability rather than a project that concludes with a certification. This means maintaining up-to-date documentation, conducting regular management reviews, assigning clear role-based accountability for each governance domain, and rehearsing media scenarios as part of broader crisis preparedness.

Preparation has two dimensions: structural and communicative. Structural preparation means your governance is genuinely current — certifications are maintained, controls are actively monitored, and incidents are documented and learned from. Communicative preparation means key spokespeople know what they can say, how to say it clearly, and who to involve when the question goes beyond their remit.

A few practical steps organisations can take:

  1. Maintain a live governance summary document that reflects your current certification status, active frameworks, and key accountability holders
  2. Include media response scenarios in annual governance reviews and tabletop exercises
  3. Ensure your DPO or CISO is briefed on current governance status at least quarterly, not only at audit time
  4. Align your public messaging to your actual governance posture — never claim more than you can substantiate

Organisations that work with a structured governance model, such as the approach we take at Moatt, are positioned to answer this question confidently at any point in the year because governance is always active, not seasonally refreshed. The 36-month certification cycle is managed as a continuous process, which means the answer to a journalist’s question is never dependent on when the last audit happened to fall.

The underlying principle is straightforward: if your governance is genuinely continuous, the answer to this question is always ready. If it is not, the question will expose that gap — and a journalist asking about data protection is rarely the most consequential audience that will notice. Contact us to find out how we can help your organisation build a governance posture that holds up to scrutiny at any moment.

Frequently Asked Questions

How do we know which framework to lead with if we operate under multiple certifications?

Lead with the framework most directly relevant to the context of the journalist's question or the sector they are covering. For example, if the inquiry relates to financial services resilience, DORA is your anchor reference; if it concerns AI-driven data processing, ISO 42001 and GDPR together are more compelling than a standalone ISO 27001 citation. The goal is not to list everything you hold, but to demonstrate that you understand which governance layer is most material to the concern being raised.

What if our organisation is still working towards certification rather than holding one — how should we communicate that?

Being in active pursuit of a certification is a legitimate and communicable position, provided you frame it accurately. Say that you are currently implementing ISO 27001 and are on track for certification by a specific date, rather than implying you already hold it. Journalists and regulators respond well to honest accounts of a structured journey; what damages credibility is claiming a status you cannot substantiate. Pair the in-progress certification with the governance controls already in place to show that protection is active regardless of formal accreditation.

How do we handle a journalist who pushes back and asks for evidence or documentation?

Acknowledge the request positively and offer to follow up with appropriate materials rather than refusing outright or over-committing in the moment. Suitable evidence might include a copy of your current ISO 27001 certificate, a summary of your GDPR processing register structure, or a reference to your published privacy notice. Avoid sharing internal audit reports or incident logs without legal review, but do not use that caution as a reason to provide nothing — a willingness to substantiate your claims is itself a credibility signal.

What are the most common mistakes organisations make when answering data protection questions from journalists?

The most damaging mistakes are claiming continuous governance while only being able to describe activity from the last audit cycle, routing the question to a communications contact who cannot speak to operational specifics, and using legal language as a substitute for a substantive answer. A closely related error is over-claiming — stating that data is 'fully secure' or that a breach 'cannot happen' — which experienced journalists will immediately flag as either naive or dishonest. Specificity, honesty about risk, and a named accountable person are the three elements most often missing from weak answers.

How often should spokespeople be refreshed on the organisation's current governance posture?

At a minimum, any spokesperson likely to face data protection questions should be briefed on current governance status quarterly, and immediately following any material change such as a new certification, a regulatory update, or an incident. Relying on annual audit summaries means your spokesperson's knowledge is potentially eleven months out of date. A live governance summary document, updated continuously and shared with key communication leads, is the most practical way to close that gap without requiring frequent formal briefings.

Should smaller organisations without a dedicated DPO or CISO answer this question differently?

Smaller organisations should be transparent about their structure rather than inventing titles they do not have. If data protection accountability sits with a senior director or the CEO rather than a dedicated officer, say so clearly and explain how that accountability is exercised in practice — what reviews take place, how incidents are managed, and which external advisors or partners support the function. What matters to a journalist is that accountability is real and named, not that it sits in a dedicated full-time role. Many small regulated organisations operate credible governance through a combination of internal ownership and specialist external support.

How does the answer change if the journalist is writing a positive benchmarking piece rather than investigating an incident?

In a benchmarking context, you have more latitude to speak to your governance philosophy and the journey your organisation has taken, not just the current state. This is an opportunity to describe how governance has matured, what investments have been made in continuous monitoring, and how your approach compares to sector norms — without making claims you cannot back up. The same principles of specificity and honesty apply, but the tone can be more forward-looking, referencing governance improvements underway and the strategic rationale behind your framework choices.
