"tended to use “templated or generic” reasons"
On the basis of our two years worth of research (shortly to be published with any luck), almost the entirety of data protection compliance is conducted using templated or generic statements. Come to think of it, most corporate "compliance" is too. The basic argument seems to be "what's the least effort we need to expend to keep the regulator off our backs?". The actual intended purpose of compliance requirements doesn't seem to feature at all in decision making.