The UK's #1 Data Protection Consultancy

Data Protection & Information Security Experts

Data Protection Made Easy.

Join our extensive list of clients who have their data privacy under control

Accelerate Your Data Protection Compliance

Save Time, Save Money and Relax: You’re In Safe Hands

Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.

GDPR Training

Data Protection People have a wide range of training services catering for every need. Whether it's general training for operational or admin staff or specific training for specialist roles, we have something for you. Watch the short video below to meet the team and find out more about our training services.


Information Management Software

DataWise is the original privacy tech platform designed to simplify GDPR compliance management. Since its inception in 2011, DataWise has continuously evolved, solidifying its reputation as the pioneering "privacy tech" solution.


Data Protection Consultancy

Unlock Compliance Excellence with Our GDPR Consultancy Services. Navigating the intricate realm of data protection laws and standards demands expert guidance.


Outsourced DPO

A data protection officer doesn't have to be a full time employee and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services or reach out and get in touch with us.


Need Help With Cyber Security Compliance?

We Have You Covered!

At Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.

PCI DSS Compliance Services for Merchants

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.


PCI DSS Compliance Services for Service Providers

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.


External Attack Surface Management

Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.


ISO 27001

Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.


Supporting DPOs

Flexible Support When You Need It

At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.

Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.

Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.

Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.

Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.

Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.

Diverse Sector Experience

Access to a Team of Industry Experts

At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.

Commercial Sector

Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.

SMEs

Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimize your operations, and scale confidently with our tailored solutions that prioritize your unique business needs.

Third Sector

For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.

Multi Nationals

For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavors with resilience.

Public Sector

In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.

Why Use Our Outsourced DPO Services?

Save Time, Money and Guarantee Compliance

Navigating the intricate landscape of data protection demands more than just a DPO — it requires a dedicated team committed to excellence. Our Outsourced DPO Services extend beyond the traditional role, offering a comprehensive approach to legal compliance and pragmatic solutions.

Why Choose Outsourcing?

An outsourced DPO brings a wealth of experience, not just in the law but also in crafting workable solutions. Their impartiality is fortified by a team of privacy practitioners, ensuring that your organization benefits from a spectrum of expertise. Should the need arise, seamless coverage during absences is guaranteed, eliminating the vulnerability associated with a single in-house DPO.

Staying Headache-Free

Concerned about the disruption if your DPO moves on? With an outsourced model, transitions are smooth, and you won’t experience the sudden headache of a critical role vacancy. The continuity provided by a team ensures that your data protection responsibilities are seamlessly handled.

Compliance Tailored to You

Our Outsourced DPO Services align seamlessly with your legal obligations, whether you’re mandated to appoint a DPO or choose to do so voluntarily. We understand that compliance is not just about ticking boxes but about ensuring a robust, practical approach to data protection. Choose Data Protection People for a worry-free, compliance-driven outsourced DPO solution — because your data protection journey should be as smooth as it is secure.

“I can't recommend Data Protection People enough, they have helped me in so many different areas, no matter how complex the challenge or how large the obstacle, DPP always has the answer.

I can call the team at any time and have built an amazing relationship with them, in times of frustration they are here to calm me down and create a plan, they are a pleasure to work with.”

Mark Leete
Eastlight Community Homes

‘I found the FOI training session to be highly informative and well-structured. It covered all the key areas comprehensively and provided clear, practical guidance throughout. The content was easy to follow, and the delivery by Gary was engaging, making complex topics accessible and understandable’. 

‘The training session has really helped me to understand the IG rep role a bit more and what I need to be thinking about when receiving a request for information’. 

Charlene Haynes & Team
Tendring District Council

“I have worked with the Data Protection People for some time now. Their expertise has been drawn upon to assist us with our GDPR compliance gap analysis project, ROPA design and production through to conducting objective reviews and surveys. They are always available to help us out and their advice and guidance is excellent and delivered in a timely way. Special mentions to Kathy Midgley, Phil Brining, and David Hendry. A great, reliable and dependable service!”

Judy Barker
Dyslexia Action

“A great service and peace of mind. Data Protection People provides a well-rounded service to ensure customers are fully supported in their approach to GDPR compliance. My interaction has largely been with the following people: Kathy Midgley – another great asset to the organisation. Always approachable, always helpful and consistently supportive to the team and customers.”

Julie Ferguson
Veritau

“We have been working with the Data Protection People for many years now, and have found them to be insightful, helpful, and knowledgeable in all areas of Data Protection Compliance. Data Protection People have taken the time to understand our business, the regulatory environment we sit under, and the unique challenges we face in the industry. They have supported us in all areas of Information and Data Security, assisting in assessments of our policies and changes to our processes. They are always willing to go the extra mile and prioritise support where required.”

Nia Roberts
Woodgate & Clarke

Data Protection People Blogs & Podcasts

Data Privacy Learning & Guidance

Data Protection People have the UK’s #1 Data Protection Podcast, with over 150 episodes available across all audio streaming platforms. We also post regular content designed to simplify complex areas of data protection and cyber security. Check out some of the podcasts and articles below and make data protection easy today.

EU-US Data Transfers: What UK Organisations Need to Prepare For

EU-US data transfers continue to be a complex and evolving compliance challenge for organisations that transfer personal data from the European Union to the United States. A recent analysis from privacy group NOYB warns that existing mechanisms, including the Transatlantic Data Privacy Framework (TADPF) and Standard Contractual Clauses (SCCs), depend on fragile elements of US law and non-binding standards that may not hold up in the coming months. UK organisations that rely on these frameworks for cross-border data flows should act now to understand and mitigate emerging risks.

What’s Changed / What’s New in EU-US Data Transfers

Most EU-US transfers of personal data are based on two key instruments:

  • The Transatlantic Data Privacy Framework (TADPF), an adequacy mechanism intended to allow free data flows by recognising US laws as providing sufficient protection.
  • Standard Contractual Clauses (SCCs), contractual protections that supplement transfers where adequacy decisions do not apply.

According to NOYB, both instruments rely on unstable legal elements in US law, non-binding regulations and judicial decisions that are currently under challenge or at risk of being undermined. This “house of cards” approach means that the failure of a single legal element, such as recognition of enforcement bodies or oversight mechanisms, could cause the entire framework to collapse. This is particularly pressing in light of ongoing legal and political developments in the US.

Why EU-US Data Transfers Matter for Data Protection

Cross-border transfer mechanisms like TADPF and SCCs are essential for many organisations. They allow EU personal data to be legally processed in the United States, where many major cloud, marketing and analytics services are based. However, the legal basis for these mechanisms rests on several fragile foundations:

  • US surveillance laws remain a core concern. Laws such as FISA Section 702 grant broad access to personal data held by US cloud and technology providers, conflicting with EU privacy principles.
  • Judicial oversight in the US is contested, with cases such as Trump v. Slaughter challenging the independence of bodies relied upon in the TADPF.
  • Legal challenges continue in the EU, including criticism that the current framework largely replicates past mechanisms invalidated by the Court of Justice of the EU (CJEU) in Schrems I and Schrems II.

These structural vulnerabilities create uncertainty for organisations that depend on EU-US data transfers. If key elements of the current framework are invalidated or withdrawn, many commonly used transfer mechanisms could become legally untenable overnight.

What UK Organisations Should Be Doing Now

UK organisations need to prepare for potential disruption to EU-US data transfers, even though the UK is outside the EU. This is because many UK businesses process EU personal data or operate in markets where compliance with EU transfer law is a business requirement.

  • Review your transfer mechanisms – Identify where personal data is transferred to the US and on what basis (TADPF, SCCs, Binding Corporate Rules).
  • Conduct Transfer Impact Assessments (TIAs) – Regularly assess whether US law, including surveillance and oversight regimes, provides adequate protection in practice.
  • Prepare contingency plans – Consider technical and organisational measures such as encryption, storing EU data within EU-only environments, or alternative jurisdictions if transfers to the US become legally risky.
  • Monitor litigation and regulatory developments – EU legal challenges, including potential “Schrems III” actions, could affect current frameworks. Stay updated on court decisions and regulator guidance.
  • Update contracts and policies – Ensure data processing agreements and contracts include robust protective measures and clauses that anticipate legal uncertainties in transfer mechanisms.

Our View / Final Thoughts

The landscape of EU-US data transfers remains unsettled. While adequacy decisions like the TADPF provide temporary legal cover, underlying vulnerabilities in US law and ongoing legal challenges mean that certainty is far from guaranteed. UK organisations must act now to understand where their data flows depend on these mechanisms and build resilient approaches that protect privacy and compliance even in the face of legal shifts.

At Data Protection People, we recommend a pragmatic, proactive approach to cross-border transfers. This includes robust impact assessments, strong contractual safeguards, and contingency planning to ensure uninterrupted compliance with both EU and UK data protection obligations.

FAQs

What is the Transatlantic Data Privacy Framework (TADPF)?

The TADPF is a mechanism intended to allow personal data to flow legally from the EU to the United States by recognising US law as providing sufficiently equivalent protection. Its future is uncertain due to legal challenges and underlying vulnerabilities in US law.

Are Standard Contractual Clauses still valid for EU-US transfers?

Yes, SCCs remain available as a transfer mechanism, but organisations must conduct Transfer Impact Assessments and adopt additional safeguards because US law can conflict with EU privacy rights, especially around government access.

What happens if EU-US transfer mechanisms collapse?

If frameworks like the TADPF are invalidated without replacement, data transfers could be limited to “necessary” transfers under Article 49 of the GDPR or require alternative mechanisms such as enhanced contractual protections and technical measures. Strong planning and documentation will be critical.

Does this affect UK-only data transfers?

This primarily concerns transfers of EU personal data. However, UK organisations that handle EU data or have operations in the EU must align with these developments to avoid compliance risks and enforcement action.


Council Data Breach: London Boroughs Activate Emergency Plans After Cyber Attack

Three London councils, including the Royal Borough of Kensington and Chelsea (RBKC), Westminster City Council, and Hammersmith and Fulham, have triggered emergency response plans following a significant cyber incident affecting shared systems. The attack, now under investigation by the National Crime Agency and GCHQ’s National Cyber Security Centre, has disrupted essential services and raised concerns about a potential council data breach. With networks partially offline and some staff told to work from home, the incident highlights the growing threat facing local authorities and the importance of strong cyber resilience.

Why This Incident Matters Now

This attack comes at a time when councils across the UK are increasingly targeted by organised cybercriminal groups exploiting shared IT infrastructures and legacy systems. Cyber-security experts have warned that personal data may have been compromised, and have urged residents to remain cautious of suspicious emails, texts, or calls referencing the incident. As local authorities continue to digitalise essential services, any council data breach presents serious risks, including service disruption, financial loss, and harm to community trust.

RBKC confirmed that it has identified the cause of the cyber incident and has notified the Information Commissioner’s Office (ICO) as required under UK GDPR. Several systems, including phone lines and online forms, remain disrupted while investigations continue. Staff have been advised to work from home wherever possible as networks remain partially closed “as a precautionary measure”. The council is not expecting a full return of affected systems for several days.

What We Know About the Council Data Breach

An internal RBKC memo, shared with the Local Democracy Reporting Service (LDRS), indicates the council has restricted parts of its network to prevent further compromise. Guest Wi-Fi and mobile hotspots remain available, but key internal systems are offline while the investigation progresses.

Cyber-security specialists have stressed the importance of identifying the organisation responsible for the shared infrastructure affected by the attack. If the breach originated from a third-party system, other customers using the same provider may also be at risk. Experts have warned residents to “treat all correspondence with caution”, as attackers frequently exploit publicity surrounding a cyber attack to launch secondary phishing campaigns.

RBKC stated that its IT teams “worked through the night” to determine the cause of the incident. While the council has acknowledged ongoing disruption, it said it will not share further details until the investigation is complete. In the meantime, alternative contact numbers have been added to its website, although some pages and online forms may be unavailable during planned maintenance linked to incident recovery.

Why Councils Are High-Value Targets

Councils hold vast quantities of personal data including names, addresses, financial information, social care records, planning documents, staff details, and internal communications. The scale and sensitivity of this information make councils attractive targets for cybercriminals. A single council data breach can expose thousands of residents to fraud, identity theft, or targeted scams.

Local authorities also manage critical services such as housing, social care, benefits, and environmental health. Disrupting these systems can create real-world impact quickly, putting pressure on councils to restore access and making them more vulnerable to ransomware extortion attempts.

RBKC has said it spends more than £12 million per year on IT and security systems, reflecting the scale of the threat and the complexity of maintaining resilient infrastructure across multiple services.

What Councils Should Be Doing Now

Cyber attacks on local authorities are increasing in frequency and sophistication. This incident demonstrates how one breach can affect multiple boroughs through shared systems. Councils should take immediate action to strengthen their cyber resilience and reduce the risk of a council data breach.

Key steps include:

1. Strengthen Incident Response Procedures
Ensure emergency plans are tested, documented, and ready to be activated. Define roles, escalation routes, and communication strategies for both internal staff and the public.

2. Prioritise Network Segmentation and Access Controls
Limit how far attackers can move across internal systems. Use least-privilege access, multi-factor authentication, and enhanced monitoring for high-risk accounts.

3. Conduct Regular Cyber Audits
Carry out proactive assessments to identify vulnerabilities in shared platforms, legacy systems, and third-party software. Our GDPR Audits help organisations identify and resolve high-risk gaps.

4. Improve Supplier Oversight
Review contracts and ensure third-party providers have clear obligations around security, breach notification, and resilience. A supplier failure can quickly escalate into a major council data breach.

5. Train Staff
Human error remains the top cause of data breaches. All staff, especially frontline teams, should receive regular data protection and cyber awareness training to identify phishing threats and respond safely.

6. Maintain Clear Resident Communications
Provide up-to-date information through trusted channels to prevent misinformation and reduce the risk of scammers exploiting anxious residents.

Our View

This incident reinforces an uncomfortable truth: public sector organisations remain on the frontline of cybercrime. While RBKC and its partner boroughs responded quickly and initiated emergency plans, the attack highlights the scale of risk created by interconnected systems and shared digital infrastructure. A council data breach has the potential to impact tens of thousands of residents, disrupt essential services, and undermine public confidence.

At Data Protection People, we support councils in building resilience through strong governance, independent audits, tailored training, and ongoing compliance support. Preventing an incident is always less costly — financially and reputationally — than recovering from one.

FAQs

Has resident personal data been confirmed as compromised?

It is not yet confirmed. Experts have stated that there is a possibility of personal data being affected, and residents are advised to remain cautious.

Why do cyber attacks target councils?

Councils hold large volumes of sensitive data and run essential public services, making them valuable targets for criminals.

Should residents worry about scams?

Yes. After any council data breach, attackers often exploit publicity to target residents with phishing messages. Treat unexpected contact with caution.

How long will disruption last?

RBKC has confirmed that full system restoration may take several days, depending on the investigation and recovery work.

Contact Us

If your council or organisation needs support strengthening cyber resilience, managing data breaches, or improving governance, our team can help. We offer Data Protection Support, GDPR Audits, and staff training to reduce risk and protect the people you serve. Contact us today.

The Top 5 Data Privacy Trends for 2026

2026 is set to be a busy year for data protection. From stronger AI governance to the rise of tools that safeguard personal data, these developments will redefine how we work and live online.

1. Rising Consumer Awareness and Demand for Transparency

Consumers are more aware than ever of how their data is being collected and stored, and with that awareness comes growing concern about the risks involved:

  • 68% of consumers are concerned about the volume of data being collected by businesses
  • 80% of the general population expressed that they wished they knew more about how their personal data is being used online
  • 63% of global consumers believe that most companies aren’t transparent about how their data is used (all stats from Usercentrics)

As a result, more and more consumers are becoming proactive about their data privacy, with many turning off third-party cookies, using VPNs and enabling multifactor authentication on their devices. 

We expect this trend to continue into 2026 and beyond, so as a brand, it will pay to be upfront about how you’re protecting their data. Your privacy policy should be understandable, your opt-out options should be easy, and you should be training your team on privacy risks. 

2. Global Regulatory Expansion

There are 160 jurisdictions worldwide with their own privacy laws, each with its own nuances and requirements, and this number is growing. 

In the UK, the Data Use and Access Act 2025 is still rolling out, and in the States, there are a number of data privacy laws emerging in 2026. 

While overall, there are core data protection principles that translate globally, there are regional nuances that you need to pay attention to. If you’re a business that operates in a number of different territories, global compliance should be your priority in 2026.

3. AI Governance

In August 2026, the EU’s AI Act will fully implement rules around high-risk AI systems and transparency requirements, which means businesses must be accountable for how they use AI and safeguard individuals’ data.  

The EU’s framework requires organisations to document model training data, conduct risk assessments and ensure human oversight. For privacy teams, this means that AI governance and data protection are no longer separate. 

4. Zero-Party and First-Party Data Strategies

Many businesses rely on personal data to provide their customers with a personalised experience. But with stricter data laws, consumer expectations for transparency, and the phasing out of third-party cookies, this has become increasingly more difficult. 

That’s where zero- and first-party data comes into play. Zero-party data is information that your customers willingly share with you through surveys, chatbots and self-segmentation. It’s often much more valuable because it’s come straight from the horse’s mouth – so you know that’s what they genuinely want. 

First-party data is information you collect through your own channels, such as product views, social media engagement, and website visits. 

Customers do want personalised experiences, they’re just getting savvier about who they share their information with and when. 

5. Expansion of Privacy-Enhancing Tech

The Privacy Enhancing Technologies (PETs) market is forecast to reach 12.26 billion USD in 2030, so we’re expecting this to be another major trend over the next few years. PETs are a set of tools that protect sensitive data, allowing its use but minimising privacy risks. 

There are a number of different types of PETs gaining traction:

  • Homomorphic encryption: Allows you to analyse encrypted data, so you can get results without seeing the raw data. 
  • Secure multi-party computation (SMPC): Allows multiple parties to add their private data and jointly compute on the combined data, protecting each party’s data from the others. 
  • Trusted execution environments (TEEs): Creates an isolated processing environment on a computer to protect data from the main code. 

The wider adoption of PETs is a trend we expect to see in 2026, as more businesses get to grips with what PETs are and how they can be used to benefit the business. 
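To make the secure multi-party computation (SMPC) bullet above concrete, here is a small worked example of additive secret sharing, the building block behind many SMPC deployments. It is an added illustration written for this page, not code from Data Protection People or from any PET product; the salary figures and the prime modulus are constructed for the demonstration. Three organisations learn their combined payroll total without any of them seeing another's figure: each splits its value into random shares that sum to the value, every party adds up the shares it receives, and only the published partial sums are combined.

```python
"""Additive secret sharing: a minimal SMPC demonstration (added example).

Each party splits its private value into n random shares modulo a prime and
hands one share to every party. Any n-1 shares of a single value are uniformly
random, so a party that sees its own share of another party's input learns
nothing about that input. Summing the shares each party holds, then combining
those partial sums, yields the total of all inputs.
"""
import secrets

# Constructed parameter: a prime field comfortably larger than the toy inputs.
PRIME = 2**61 - 1


def split_secret(value: int, n_parties: int) -> list[int]:
    """Split `value` into n_parties shares whose sum is `value` mod PRIME."""
    if n_parties < 2:
        raise ValueError("secret sharing needs at least two parties")
    if not 0 <= value < PRIME:
        raise ValueError("value must lie in [0, PRIME)")
    # n-1 shares are uniformly random; the last one makes the sum come out right.
    shares = [secrets.randbelow(PRIME) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % PRIME)
    return shares


def reconstruct(shares: list[int]) -> int:
    """Combine a complete set of shares (or partial sums) back into a value."""
    return sum(shares) % PRIME


def shares_seen_by(distributed: list[list[int]], party: int) -> list[int]:
    """The view of one party: one share of every input, including its own."""
    return [row[party] for row in distributed]


def secure_sum(private_inputs: list[int]) -> int:
    """Sum every party's input without any party learning another's input.

    Round 1: party i splits its input; distributed[i][j] is sent to party j.
    Round 2: party j adds the shares it received and publishes the partial sum.
    Round 3: everyone combines the published partial sums.
    """
    n = len(private_inputs)
    distributed = [split_secret(v, n) for v in private_inputs]
    partial_sums = [sum(shares_seen_by(distributed, j)) % PRIME for j in range(n)]
    return reconstruct(partial_sums)


if __name__ == "__main__":
    # Constructed inputs: annual payroll totals of three organisations.
    payrolls = [1_250_000, 840_000, 2_100_000]
    print("combined payroll:", secure_sum(payrolls))
```

The modular arithmetic is what makes the scheme safe: because every share but the last is drawn uniformly from the field, each party's view is statistically independent of the other inputs, and only the complete set of partial sums carries any information. Inputs must be non-negative and below the modulus, so monetary values should be represented in whole pence rather than as floats.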

6. Protect Your Customers’ Data With DPP

Whether you need GDPR training, data protection support, or an outsourced Data Protection Officer, we can help. Our experts can help you keep on top of the new trends, keeping you compliant and at the forefront of data protection. Get in touch with us today.

The Cost of Failing a GDPR Audit

A GDPR audit can expose weaknesses in how you collect, store and use personal data. Those weaknesses could lead to investigations and even substantial fines under some of the world’s strictest data protection laws. 

But fines are just one of the costs of failing a GDPR audit. In this article, we’ll discuss the financial consequences, the reputational costs and other harm that might come from failing a GDPR audit. 

What Is a GDPR Compliance Audit?

A General Data Protection Regulation (GDPR) compliance audit is an independent assessment of an organisation’s compliance with the GDPR. 

It is designed to help companies make sure that they are meeting their obligations under the GDPR, and identify any gaps or areas that need improvement.

Key areas auditors examine:

  • Data processing activities: How do you collect and process personal data?
  • Data storage & retention: How are you storing personal data, for how long and is it disposed of securely?
  • Consent management: How do you obtain, record and manage user consent? 
  • Security measures & breach response: What is your incident response policy?

Financial Costs of Failing a GDPR Audit

Failing to comply with GDPR can carry both direct and indirect financial consequences, regardless of business size.

Direct Fines and Penalties

Internal GDPR audits (like the ones Data Protection People conduct) don’t directly lead to fines, as auditors don’t issue fines. 

Third-party reports or complaints may trigger an investigation by a formal regulatory body like the ICO. Regulatory audits by the ICO are more formal, and therefore can lead to fines if evidence of non-compliance is found.

GDPR allows for fines up to 20 million euros or 4% of global revenue, whichever is higher. One of the biggest fines was for Meta in 2023 – a fine of 1.2 billion euros for transferring personal data of European users to the US without adequate protection.

Indirect Financial Impacts

Indirect costs include:

  • Legal fees if issues go to court
  • Remediation costs to fix non-compliance
  • Loss of contracts, clients, or business opportunities

Reputational Costs

While not a direct penalty, a data breach or non-compliance can lead to significant reputational damage. 

  • Loss of customer trust. A data breach or compliance failure can erode trust in the brand, leading customers to take their business elsewhere.  
  • Negative media coverage. If your brand is big or your case is particularly interesting, you may find that your GDPR non-compliance or breach makes the news. 
  • Competitive disadvantage. Your competitors will be more appealing to your customers if they are GDPR compliant, which could mean that you lose business. 

Operational and Internal Costs

There are more costs to consider – ones to the business itself. You might find that there is disruption to business operations during the investigation itself, with staff being redirected to auditing, fixing issues or retraining. 

How to Avoid Failing a GDPR Audit 

Failing a GDPR audit isn’t inevitable. Here’s what we recommend:

  • Conduct internal audits regularly
  • Implement privacy by design & default
  • Train staff and raise awareness
  • Maintain proper documentation
  • Consider external consultancy or DPO support

Conduct internal audits regularly

Annual audits are recommended to keep up with evolving regulations and to catch gaps early. If you launch a new service, merge with another company or suffer a data breach, you should conduct one immediately.

Implement privacy by design & default

Integrating privacy from the very beginning of your data processing is the best way to ensure that you’re GDPR compliant throughout your systems, services and practices by default. 

Train staff and raise awareness

Human error is one of the common reasons why data breaches occur. Training your staff to be meticulous and to understand policies and procedures is one of the best things you can do to mitigate error, stay GDPR compliant and keep your business safe.

Maintain proper documentation

Maintaining records of your data processing activities is a core component of the accountability principle and is required to stay compliant. The ICO has a helpful guide on how to document your processing activities. At Data Protection People, we also have an extensive range of toolkits that help you remain compliant.

Consider external consultancy or DPO support

Getting compliant and staying compliant can be complex, especially for staff with no previous experience in GDPR. That’s why you should consider external consultancy or DPO support – the experts know the regulations inside and out. 

Enquire About A GDPR Audit from Data Protection People Today

With a team of certified experts, Data Protection People can audit your data processes and help you identify where you might need to improve. Get in touch with the team about GDPR audits today.

Lessons For Data Retention

Santa’s Naughty List, Lessons For Data Retention

Data Protection Made Easy Podcast, Episode 228 – Hosted by Caine Glancy and Special Guest Katerina Douni

This week’s episode takes a festive look at one of the most common challenges in data protection: knowing what to keep, what to delete, and what to safely archive. Inspired by Santa’s famous naughty list, Caine Glancy and first-time guest host Katarina Douni lead a lively discussion on data retention, storage limitation, and the practical steps organisations can take to stay compliant without holding information for longer than needed.

Katarina joined the podcast for her debut session and quickly set the tone with a clear message: many organisations continue to struggle with retention. She explored why data decisions matter, how retention periods should be approached, and why email is often the biggest culprit for uncontrolled storage. The session sparked strong engagement from our live audience, and the chat was filled with questions, examples, and shared challenges around retention, erasure, and day-to-day pressures inside busy teams.

Caine and Katarina walked listeners through common problems such as the overuse of email as a filing system, storing information long after its purpose has expired, and the difficulty teams face when deciding how long is long enough. They also discussed the risks of under-collecting or over-collecting information, the impact this has on storage limitation, and how organisations can simplify their retention rules to reduce confusion and avoid unnecessary risk.

As always, the live chat added a valuable layer to the discussion. Attendees shared their own retention periods, debated tricky scenarios, and raised questions that pushed the session further. The interactive nature of the podcast remains one of its key strengths and gives practitioners the chance to test ideas, compare approaches, and learn from each other in real time.

This episode is ideal for anyone who handles personal data, manages email systems, or oversees compliance. It provides clear explanations, relatable examples, and practical steps that can be applied immediately. With year end approaching, the timing could not be better for organisations reviewing their retention schedules or tackling email backlogs.

If you listened back on Spotify and want to join a future episode live, you can request an invite by emailing info@dataprotectionpeople.com. Live attendees can take part in the chat, ask questions, and access the deeper insight that comes from community discussion.

We host Data Protection Made Easy every Friday at 12:30 and new listeners are always welcome. Our community continues to grow each week with hundreds joining live and many more tuning in through audio platforms.

If you work in the housing sector, you may also be interested in our upcoming in person STAIRs event taking place on the 5th of February. Details can be found on our website and on LinkedIn.

Listen below and enjoy this festive and practical dive into data retention.

GDPR Radio – Digital Omnibus, Personal Data and SAR Reform

Digital Omnibus, Personal Data Changes and What They Mean for You

Episode 227 of the Data Protection Made Easy Podcast, hosted by experts at Data Protection People. This episode was hosted live via Microsoft Teams in front of an audience of listeners.

What We Covered in This Session

A Catch Up from Caine and Catarina

The episode opens with a look at what the team have been working on. Catarina reflects on a very busy week supporting a major client project alongside her team. Caine shares updates on ongoing STAIRs sessions for social housing providers and hints at an in person STAIRs event coming soon.

Both hosts also discuss their guest appearance on another organisation’s podcast where they explored how users understand privacy information, how organisations communicate their obligations and why cross functional training is so important.

The Digital Omnibus Package Explained

The main focus of the episode is the European Commission’s Digital Omnibus package, announced on 19 November. The discussion highlights several of the most significant proposals, including:

1. A New Approach to Personal Data

The proposal introduces a major shift. Information would be classed as personal data only if the controller has means reasonably likely to identify the individual.
The team explore:

  • how this could narrow the scope of personal data
  • what this means for indirect identifiers and pseudonymised data
  • how case law from Europe is already pushing towards this direction
  • how this might affect UK organisations if mirrored in future reforms

2. Changes to Data Breach Reporting

Catarina outlines proposals that:

  • raise the threshold so only high risk breaches need regulator notification
  • extend the deadline from 72 to 96 hours

Caine questions whether reducing low risk reporting could hide patterns of poor practice and the group debate what this means for real world compliance.

3. Reforms to Cookie Rules

The Digital Omnibus seeks to simplify cookie requirements by reducing reliance on consent for low risk purposes such as security and aggregated analytics. The team draw comparisons with the UK DUA Act and consider how consent fatigue has shaped this direction.

Insights from Guest Contributor David Appleyard

David shares two important observations:

1. SAR Purpose Tests

Under the new proposals, organisations may reject or charge for a SAR if the purpose is not to access personal data, for example in an employment dispute. This could be a significant change for many organisations that currently process large volumes of tactical or grievance based SARs.

2. High Risk AI Processing

David explains that the EU is pushing back deadlines for identifying high risk AI processing due to a lack of clear guidance, with expectations now set for no later than December 2027.

CNIL Research on Selling Personal Data

Caine introduces a study from the CNIL which found that 65 percent of surveyed French citizens would sell their personal data for between 1 and 100 euros. The hosts explore:

  • why people undervalue their own data
  • how advertising, profiling and AI training increase the true value
  • the growing need for public awareness and transparent communication

Looking Ahead

The session closes with a reminder that the next podcast will explore data retention, followed by an update that the team are working on the new in house DPP studio.

About the Data Protection Made Easy Community

Our podcast community is one of the most active privacy networks in the UK with more than 150 regular live attendees and over 1,600 subscribers across all audio platforms. Joining the community gives you access to:

  • free weekly live sessions with the chance to ask questions
  • practical guidance from experienced consultants
  • early access to slides and resources
  • networking with other privacy and security professionals
  • invites to in person events, workshops and sector focused discussions
  • exclusive content only available to our community members

Attending live offers clear benefits. You can join the conversation, shape the discussion, raise real world challenges and take part in polls, chat and Q and A. Many listeners tell us they get far more value from attending live than listening back later.

We also have a strong line up of sessions taking us through to the end of the year, covering topics such as data retention, AI risk, international transfers, STAIRs, marketing compliance and more.

If you are not yet part of the Data Protection Made Easy community, you can join for free and get involved straight away.

Subject Access Requests in Practice, Community Q and A

After our first SARs session, we picked up the phone and asked our listeners what they struggle with most in real life. They shared questions, tricky scenarios and points of disagreement. In this follow up episode of the Data Protection Made Easy podcast, Caine Glancy and Oluwagbenga Onojobi work through those issues live with members of our community.

What we discussed

In this session we explore:

  • Where to draw the line on property information as personal data in social housing
  • How far to go when providing repair history and tenancy records
  • SARs linked to disrepair claims, when to push back and when to provide more to be helpful
  • Redacting staff names in emails and HR files, and what counts as excessive redaction
  • How different organisations approach employment SARs and grievances
  • Using the third party exemption to protect staff and witnesses
  • Applying a reasonable and proportionate search so you focus your effort where it matters most
  • The importance of documenting decisions and communicating clearly with data subjects

Listeners share how they handle these issues in housing and HR, which gives a rounded view of what is happening on the ground, not just what the legislation says.

Who this session is for

  • Data Protection Officers and privacy leads
  • SAR handlers and information governance teams
  • Housing providers dealing with disrepair and complaint driven SARs
  • HR professionals managing employment SARs and grievances

If you are trying to balance transparency with protecting third party rights, you will find this discussion especially useful.

Listen back and join the community

You can listen back to this episode now on Spotify and all major podcast platforms.

If you are not yet part of the Data Protection Made Easy community, complete our contact form and ask to join. Membership is free. You will receive a weekly invite to our live Friday sessions, access to visual materials, and ongoing support from over 1,500 like minded data protection practitioners.

Coming up next, GDPR Radio

This week our live Friday session is a GDPR Radio episode. Caine, Catarina and the team will be back to look at the latest news, enforcement action and real world challenges from across our community. If you would like to receive an invite, fill in our contact form and the team will add you to the mailing list.

Cookies in 2025 – Trick or Treat, Part Two

This Halloween special of the Data Protection Made Easy Podcast dives into two hot topics: consent or pay, and cookieless advertising. Watch or listen on demand below.

Recorded: Friday 7 November 2025

Hosts: Catarina Santos with guests Oluwagbenga Onojobi (Gbenga) and Holly Miller, cameo from Phil Brining

In this 30-minute session we focus on the implications of consent or pay under UK GDPR and what the move to cookieless advertising means in practice. We also touch on recent regulatory opinions and enforcement trends. The aim is simple: give you practical clarity that reduces risk without hurting conversions.

What we cover

  • The implications of consent or pay under UK GDPR and related data protection principles
  • How the transition to cookieless advertising affects the lawful use of personal data
  • Recent regulatory opinions and enforcement trends in the adtech space

Key takeaways

  • A clearer understanding of the data protection framework as it applies to modern advertising
  • Insights into compliance risks and regulator expectations
  • Discussion of the challenges organisations face when aligning commercial practices with data protection law

Your hosts

Catarina Santos with guests Oluwagbenga Onojobi (Gbenga) and Holly Miller, cameo from Phil Brining.

Join the Data Protection Made Easy community

One of the UK’s largest data protection communities, more than 1,500 subscribers, over 200 episodes on major audio platforms. Join for free, get weekly live invites, monthly newsletters, and first access to in person events.

Subscribe for free

Missed Part One?

If you missed our first conversation on cookies, you can catch up on that episode, along with more than 200 others, on the Data Protection Made Easy Podcast.

Listen to Part One

Our Events & Webinars

Industry Leading Discussions

We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.

Upcoming events:

  • The Next Step: Preparing for STAIRs – 05 February 26, 9:00 - 1:00 pm
  • GDPR Radio – Episode 230

Get Support With Data Protection And Cyber Security

Our mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.