The UK's #1 Data Protection Consultancy

Data Protection & Information Security Experts

Data Protection Made Easy.

Join our extensive list of clients who have their data privacy under control

Accelerate Your Data Protection Compliance

Save Time, Save Money and Relax: You’re In Safe Hands

Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.

GDPR Training

Data Protection People have a wide range of training services catering for every need. Whether it's general training for operational or admin staff or specific training for specialist roles, we have something for you. Watch the short video below to meet the team and find out more about our training services.


Information Management Software

DataWise is the original privacy tech platform designed to simplify GDPR compliance management. Since its inception in 2011, DataWise has continuously evolved, solidifying its reputation as the pioneering "privacy tech" solution.


Data Protection Consultancy

Unlock Compliance Excellence with Our GDPR Consultancy Services. Navigating the intricate realm of data protection laws and standards demands expert guidance.


Outsourced DPO

A data protection officer doesn't have to be a full-time employee, and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services, or reach out and get in touch with us.


Need Help With Cyber Security Compliance?

We Have You Covered!

At Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.

PCI DSS Compliance Services for Merchants

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.


PCI DSS Compliance Services for Service Providers

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS). The standard applies not only to merchants but also to service providers that store, process or transmit credit card information on their behalf.


External Attack Surface Management

Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.


ISO 27001

Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.


Supporting DPOs

Flexible Support When You Need It

At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.

Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.

Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.

Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.

Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.

Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.

Diverse Sector Experience

Access to a Team of Industry Experts

At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.

Commercial Sector

Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.

SMEs

Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimise your operations, and scale confidently with our tailored solutions that prioritise your unique business needs.

Third Sector

For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.

Multi Nationals

For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavours with resilience.

Public Sector

In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.

Why Use Our Outsourced DPO Services?

Save Time, Money and Guarantee Compliance

Navigating the intricate landscape of data protection demands more than just a DPO — it requires a dedicated team committed to excellence. Our Outsourced DPO Services extend beyond the traditional role, offering a comprehensive approach to legal compliance and pragmatic solutions.

Why Choose Outsourcing?

An outsourced DPO brings a wealth of experience, not just in the law but also in crafting workable solutions. Their impartiality is fortified by a team of privacy practitioners, ensuring that your organisation benefits from a spectrum of expertise. Should the need arise, seamless coverage during absences is guaranteed, eliminating the vulnerability associated with a single in-house DPO.

Staying Headache-Free

Concerned about the disruption if your DPO moves on? With an outsourced model, transitions are smooth, and you won’t experience the sudden headache of a critical role vacancy. The continuity provided by a team ensures that your data protection responsibilities are seamlessly handled.

Compliance Tailored to You

Our Outsourced DPO Services align seamlessly with your legal obligations, whether you’re mandated to appoint a DPO or choose to do so voluntarily. We understand that compliance is not just about ticking boxes but about ensuring a robust, practical approach to data protection. Choose Data Protection People for a worry-free, compliance-driven outsourced DPO solution — because your data protection journey should be as smooth as it is secure.

“I can't recommend Data Protection People enough, they have helped me in so many different areas, no matter how complex the challenge or how large the obstacle, DPP always has the answer.

I can call the team at any time and have built an amazing relationship with them, in times of frustration they are here to calm me down and create a plan, they are a pleasure to work with.”

Mark Leete
Eastlight Community Homes

‘I found the FOI training session to be highly informative and well-structured. It covered all the key areas comprehensively and provided clear, practical guidance throughout. The content was easy to follow, and the delivery by Gary was engaging, making complex topics accessible and understandable’. 

‘The training session has really helped me to understand the IG rep role a bit more and what I need to be thinking about when receiving a request for information’. 

Charlene Haynes & Team
Tendring District Council

“I have worked with the Data Protection People for some time now. Their expertise has been drawn upon to assist us with our GDPR compliance gap analysis project, ROPA design and production through to conducting objective reviews and surveys. They are always available to help us out and their advice and guidance is excellent and delivered in a timely way. Special mentions to Kathy Midgley, Phil Brining, and David Hendry. A great, reliable and dependable service!”

Judy Barker
Dyslexia Action

“A great service and peace of mind. Data Protection People provides a well-rounded service to ensure customers are fully supported in their approach to GDPR compliance. My interaction has largely been with the following people: Kathy Midgley – another great asset to the organisation. Always approachable, always helpful and consistently supportive to the team and customers.”

Julie Ferguson
Veritau

“We have been working with the Data Protection People for many years now, and have found them to be insightful, helpful, and knowledgeable in all areas of Data Protection Compliance. Data Protection People have taken the time to understand our business, the regulatory environment we sit under, and the unique challenges we face in the industry. They have supported us in all areas of Information and Data Security, assisting in assessments of our policies and changes to our processes. They are always willing to go the extra mile and prioritise support where required.”

Nia Roberts
Woodgate & Clarke

Data Protection People Blogs & Podcasts

Data Privacy Learning & Guidance

Data Protection People host the UK's #1 Data Protection Podcast, with over 150 episodes available across all audio streaming platforms. We also post regular content designed to simplify complex areas of data protection and cyber security. Check out some of the podcasts and articles below and make data protection easy today.

GDPR Considerations for E-commerce Businesses

Ecommerce businesses cannot survive without personal data, which means that they must be GDPR compliant. But what does that mean?

In this article, we’ll talk about why GDPR is important for ecommerce businesses, what the requirements are and some practical steps you can take to stay compliant.

Why Is GDPR Critical in Ecommerce?

Whether it's holding account information, taking payment or marketing to them, your customers' data is everything to a business that operates online. That's why GDPR is so critical: your business is built on data.

GDPR impacts businesses that handle personal data of UK citizens or residents. So if you’re not compliant, then you run the risk of fines and loss of customer trust. 

Core GDPR Requirements Every Ecommerce Business Must Address

Lawful Basis for Processing

You must have a lawful basis for processing personal data. Lawful bases that are most commonly used in ecommerce include:

  • Consent: You need to have explicit consent from the individual before you can do anything with their information, like using cookies to track behaviour.
  • Contractual necessity: Processing data is necessary to fulfil the contract with the individual, for example, processing payment or shipping an order. 

There are other lawful bases for processing data, like legal obligation and legitimate interest, but they are not usually needed for ecommerce businesses. 

On explicit consent, GDPR requires businesses to get informed consent from customers before collecting data. Customers must understand what the data is for, which means that you need to obtain separate consent for each purpose, e.g. email marketing, order processing, etc.

Transparent Privacy Information

You must be transparent about collecting, using and protecting personal data. For ecommerce businesses, that usually comes in the form of a privacy policy. This tells your customers or subscribers what you will do with their data, how long you will keep it and gives them the option to opt out of the collection and use of their information. 

This policy needs to be easily accessible on your website, and should include:

  • The types of data you’re collecting and why
  • How you’re collecting and using this data
  • Who has access to the data, and who you share it with
  • Whether you use cookies or other technologies
  • What rights the customer has and how they can exercise them
  • How customers can opt out of data collection and use
  • How long you store data and how it’s protected
  • Contact details so customers can get in touch with any questions or concerns

Consent & Cookies

If you use cookies to track user behaviour and serve advertising, you must obtain consent before setting them. You must provide clear, transparent information about your cookies and offer users granular choices for accepting or rejecting non-essential ones, and you must make it easy to withdraw consent at any time.

You should also make sure that you have a more detailed cookie policy available (similar in scope to the privacy policy) to people who want to know more. Get more in-depth information on cookie compliance in our blog post. 
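The requirements above (nothing non-essential set before an explicit choice, granular per-purpose consent, and withdrawal that is as easy as granting) map directly onto a small consent gate. The block below is an added example written for this article, not code from Data Protection People or from any consent-management product. It assumes a storage object with `getItem`/`setItem`/`removeItem` (`window.localStorage` in a browser; a Map-backed shim here so it also runs under Node) and per-purpose "loaders" that set and clear a vendor's cookies; the purpose names, storage key and cookie names are constructed for illustration.

```javascript
// Added example (not from the Data Protection People page): a consent gate
// for non-essential cookies. Assumed interfaces: a storage object with
// getItem/setItem/removeItem, and per-purpose loaders { load(), unload() }.
// Purpose names, the storage key and cookie names below are constructed.

const PURPOSES = ["analytics", "marketing"]; // strictly necessary cookies are never gated
const STORAGE_KEY = "cookie_consent_v1";

// Map-backed stand-in for window.localStorage so the example runs offline.
function createMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

class ConsentManager {
  constructor(storage, loaders) {
    this.storage = storage;
    this.loaders = loaders; // purpose -> { load(), unload() }
    this.loaded = new Set();
  }

  // No record, or an unreadable record, means "not yet asked", which is
  // treated exactly like a refusal: nothing non-essential is set.
  read() {
    const raw = this.storage.getItem(STORAGE_KEY);
    if (raw === null) return null;
    try { return JSON.parse(raw); } catch { return null; }
  }

  hasConsent(purpose) {
    const rec = this.read();
    return Boolean(rec && rec.choices && rec.choices[purpose] === true);
  }

  // Record a granular decision. Only purposes the user explicitly accepted
  // become true; anything unspecified is stored as rejected, so a pre-ticked
  // or default-on purpose cannot slip through.
  record(choices) {
    const rec = { recordedAt: Date.now(), choices: {} };
    for (const p of PURPOSES) rec.choices[p] = choices[p] === true;
    this.storage.setItem(STORAGE_KEY, JSON.stringify(rec));
    this.apply();
    return rec.choices;
  }

  // Withdrawal is one call: flip the purpose off and tear down the cookies it
  // set, rather than merely hiding the banner.
  withdraw(purpose) {
    const prev = this.read();
    const choices = { ...((prev && prev.choices) || {}), [purpose]: false };
    this.storage.setItem(STORAGE_KEY, JSON.stringify({ recordedAt: Date.now(), choices }));
    this.apply();
  }

  // Reconcile what is loaded with what is consented, in both directions.
  apply() {
    for (const p of PURPOSES) {
      const wanted = this.hasConsent(p);
      if (wanted && !this.loaded.has(p)) {
        this.loaders[p].load();
        this.loaded.add(p);
      } else if (!wanted && this.loaded.has(p)) {
        this.loaders[p].unload();
        this.loaded.delete(p);
      }
    }
  }
}

// Constructed stand-ins for vendor tags: in a browser, load() would inject
// the script and unload() would expire the cookies it created.
function makeDemoLoaders(cookieJar) {
  const pair = (name) => ({
    load: () => cookieJar.set(name, "1"),
    unload: () => cookieJar.delete(name),
  });
  return { analytics: pair("_analytics_demo"), marketing: pair("_ads_demo") };
}

// Walk through a first visit, a partial opt-in and a withdrawal.
function runScenario() {
  const jar = new Map();
  const cm = new ConsentManager(createMemoryStorage(), makeDemoLoaders(jar));
  cm.apply();
  const onFirstVisit = jar.size;                   // 0: nothing set before a choice
  cm.record({ analytics: true });                  // accepts analytics only
  const afterOptIn = [...jar.keys()];              // ["_analytics_demo"]
  const marketingSet = cm.hasConsent("marketing"); // false: never opted in
  cm.withdraw("analytics");
  const afterWithdraw = jar.size;                  // 0: cookie removed on withdrawal
  return { onFirstVisit, afterOptIn, marketingSet, afterWithdraw };
}

console.log(runScenario());
```

Two design choices carry the compliance point: absence of a stored decision is treated as a refusal rather than as implied consent, and `withdraw()` actively removes what was set rather than only updating the stored flag, so the stored record and the cookies on the device never disagree.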

Data Minimisation & Retention

Data minimisation and retention are core principles of UK GDPR, requiring businesses to collect and store only the minimum amount of personal data and to delete it when it's no longer needed.

  • Data minimisation means limiting data collection to what is adequate, relevant and necessary to fulfil the intended purpose. 
  • Data retention means that personal data must not be kept longer than necessary. For example, customer names and addresses can be retained as long as the customer has an active account. Having a clear retention schedule makes this easier.

Data Subject Rights

Individuals have a legal right to ask companies to provide a copy of their personal data, known as a SAR or DSAR (Data Subject Access Request). 

As an ecommerce company, you need to respond within one month, providing the personal data along with supplementary information such as how the data is used and how long it will be stored.

Practical Steps E-Commerce Businesses Can Take Toward Compliance

There are a number of practical ways you can make sure your company complies with GDPR:

  • Conduct a data audit and map customer data flows
  • Implement consent management solutions
  • Train staff on awareness and security best practices
  • Regularly update privacy documentation

Need Help Becoming Fully GDPR Compliant? 

It’s easy to see GDPR as just rules and regulations you have to follow, but it’s also an opportunity to strengthen customer trust and streamline your data practices. 

Our data protection consultants can carry out a GDPR audit to see how compliant you are and where you might be able to improve. Get in touch today.

Why Customer Friendly Data Protection Matters

Making Data Protection Customer Friendly, With Beyond Encryption

Data protection is often something people feel they have to get past rather than something that helps them feel safe. Cookie banners, long forms, and dense notices can make privacy feel like a hurdle instead of part of being supported. That disconnect creates problems for trust, confidence, and customer experience.

To explore how organisations can change that story, our consultants Catarina Santos and Caine Glancy joined Beyond Encryption for a discussion on what customer friendly data protection looks like in the real world. Between them, Catarina and Caine deal with hundreds of frontline queries every month, giving them a unique view of the challenges people face when trying to exercise their rights or understand what is happening with their data.

You can watch the full conversation on the Beyond Encryption site, where the video, transcript, and extended insights are hosted.

Why Customer Friendly Data Protection Matters

Public attitudes to data protection have shifted in recent years. People are more aware of the risks, more likely to act when something feels wrong, and more comfortable asking questions about how their information is used.

This is not a rejection of data protection. It is a sign that people want clarity, control, and reassurance.

In the discussion, Catarina explains that the biggest challenge is often how organisations frame privacy. Many organisations have strong principles written into their governance, but these ideals rarely translate into the customer experience. People see the rules as barriers rather than as protections designed for their benefit.

Taking a customer friendly approach means bringing the principles of UK GDPR to life in a way that feels fair, transparent, and easy to follow. It supports trust and strengthens wider expectations under regimes such as the Consumer Duty, where clear communication and effective support are central to good outcomes.

Turning Privacy Information Into Something People Can Use

One of the clearest reflections from the session is that traditional privacy notices no longer meet people where they are. A single, static page full of legal language does little to support understanding.

Catarina and Caine discussed practical ways organisations can make privacy information easier to use, such as:

  • Breaking information into clear layers rather than presenting everything at once
  • Writing notices in plain, accessible language
  • Using short ‘just in time’ explanations at the moments people are about to provide their data
  • Testing drafts with real users instead of relying solely on internal teams
  • Presenting information visually, whether through icons, dashboards, or step by step summaries

These approaches reflect guidance from regulators on transparency and accountability, but more importantly, they reflect what people need to feel informed and comfortable.

What Frontline Queries Tell Us About Real Life Challenges

While Catarina works closely with organisations on governance and design, Caine’s role on the support desk gives a direct view of the issues people face every day.

Patterns in queries reveal more than confusion. They often highlight where a process, training approach, or communication has broken down. Repeated questions about retention or rights might indicate unclear messaging, while frequent concerns about access or marketing preferences may point to a system that is nudging people in unexpected directions.

By treating support queries as valuable feedback, organisations can improve their transparency, strengthen their governance, and reduce friction for customers and colleagues alike. It is a practical form of data protection by design and default: listening to the people who rely on your services and acting on what they tell you.

Handling Breaches With Care and Clarity

The conversation also explored how to communicate with people when something goes wrong. Breach notifications can be some of the most sensitive interactions an organisation has with its customers.

People affected by a breach may be anxious, frustrated, or worried about the consequences. A slow or overly legalistic response can deepen those concerns.

Catarina and Caine emphasised:

  • Communicating quickly and clearly
  • Explaining what has happened and what is known at the time
  • Setting expectations on next steps
  • Using language that supports understanding rather than obscuring it
  • Recognising the emotional impact of the incident

Done well, breach communication can help preserve trust even in difficult circumstances.

Culture, Champions, and Keeping Privacy Alive

Policies are important, but culture is where data protection becomes part of everyday practice. The session touched on the value of data protection champions, who act as embedded points of awareness within teams. Champions help spot issues earlier, raise questions before they escalate, and keep privacy considerations visible between audits or training cycles.

This cultural approach aligns with wider shifts in public expectations around AI, profiling, and digital decision making. People want to know how technology affects them, and organisations that stay close to those concerns build stronger, more resilient trust.

About Beyond Encryption

Beyond Encryption is a UK based organisation specialising in secure digital communication. Their work focuses on helping businesses protect sensitive information in a way that feels straightforward for users. The company develops tools that make it easier for people to share and receive information securely without navigating complex processes or technical barriers.

They take a people centred approach to security design, aiming to make trust and privacy feel intuitive rather than complicated. Their team is based in Hampshire and brings together specialists in cybersecurity, usability, and digital communication.

Beyond Encryption also operates as a certified B Corp, meaning they build their products and services with wider social and environmental considerations in mind. Their focus on ethics and transparency shapes how they approach digital trust, communication, and identity.

You can learn more about Beyond Encryption and watch the full episode on their website.

Watch the Full Conversation

The full interview between Beyond Encryption, Catarina, and Caine is available on the Beyond Encryption blog, along with further insights and practical examples.

To watch the episode and explore Beyond Encryption's work on trusted digital communication, visit their site.

Business Development Manager – Cyber Security Services

Join Our Growing Team at Data Protection People

Data Protection People is expanding at a pace we have never seen before. Our team is the largest it has ever been and with our biggest year ahead, we are now looking for an ambitious Business Development Manager to help drive the continued growth of our Cyber Security Services division. If you are passionate about Cyber Security, enjoy building relationships, and thrive in a target driven environment, we would love to hear from you.

About the Role

We are recruiting a Business Development Manager focused on Cyber Security Services. This role is central to our growth strategy and involves generating new business across key service areas including PCI DSS, ISO 27001, Cyber Essentials, SOC 2, penetration testing and wider security consultancy. You will play a key part in helping organisations strengthen their security posture and navigate complex compliance requirements.

Key Responsibilities

Lead Generation
Identify and pursue new business opportunities using cold outreach, networking, events and market research. You will be proactive in building your own pipeline and opening doors with organisations that need support with cybersecurity.

Sales Presentations and Proposals
Prepare and deliver tailored proposals that clearly communicate the value of our cybersecurity solutions, and how they align with client objectives.

Negotiation and Closing
Negotiate confidently and secure new business agreements that help you meet or exceed your sales targets.

Market Insight
Stay informed on industry trends, compliance changes and competitor offerings to help identify new opportunities and position our services effectively.

Collaboration
Work closely with our Cyber Security and Consultancy teams to ensure proposals are accurate, solutions meet client needs, and handovers are smooth.

Reporting and CRM Management
Maintain accurate records of all sales activities, meetings and opportunities using Salesforce CRM.

Strategy and Campaign Development
Support the wider sales and marketing function by contributing ideas, supporting campaigns and helping shape how we reach new clients.

What We Are Looking For

We are seeking someone who is driven, confident and ready to take ownership of their pipeline.

Experience
A proven track record in business development or sales is essential, ideally within cybersecurity or technology.

Skills

  • Strong communication and interpersonal skills
  • Excellent negotiation and closing ability
  • Confident presenting to stakeholders at all levels
  • Ability to work independently and manage time effectively
  • Comfortable with Salesforce and Microsoft Office
  • Understanding of cybersecurity standards such as PCI DSS, ISO 27001, Cyber Essentials and SOC 2

Attributes

  • Self motivated with a proactive, opportunity-seeking mindset
  • Able to explain complex cybersecurity services clearly
  • Resilient, adaptable and comfortable in a fast paced environment
  • Enthusiastic, outgoing and confident

Benefits of Working With Us

Joining Data Protection People means becoming part of a friendly, fast growing and highly respected organisation.

Our benefits include:

  • Competitive salary with strong commission structure
  • Up to 30 days holiday, with an extra day added each year
  • Pension scheme
  • HR Bright and wellbeing support
  • Excellent opportunities for professional development and career progression
  • Supportive, collaborative work culture with a strong focus on employee wellbeing

How to Apply

If you are excited by this opportunity and want to join us on our next stage of growth, we would love to hear from you. Please submit your CV along with a cover letter explaining why you are the right fit for this role.

Once your CV has been reviewed, we will send an application form and arrange an introductory meeting.


Equal Opportunity Statement

Data Protection People is proud to be an equal opportunity employer. We welcome applicants from all backgrounds and are committed to creating an inclusive workplace where everyone can thrive.

Navigating the Digital Omnibus: A UK GDPR Briefing for Busy Data Teams

On 19 November 2025, the European Commission published its Digital Omnibus package. This set of proposals would update several major EU digital laws, including the GDPR, ePrivacy framework, AI Act, Data Act and Data Governance Act. The goal is to simplify compliance and support innovation while maintaining the fundamental rights and protections established in EU law.

For UK organisations with customers in the EU or who transfer EU personal data, these proposals are strategically important. Although the Omnibus is an EU initiative, it will shape expectations in the wider regulatory environment. It may also influence the UK’s own reforms, including the Data Use and Access Act 2025.

Key Elements of the Digital Omnibus

The Digital Omnibus contains two draft regulations. One amends the AI Act and the other makes cross cutting updates across digital and data laws. The proposals focus on three core areas: data protection, cybersecurity and breach reporting, and artificial intelligence.

AI Act Adjustments

The Omnibus introduces several changes intended to reduce the early compliance burden on organisations developing or deploying high risk AI systems.

  • A one year extension to some high risk AI compliance deadlines.
  • Expansion of SME friendly regimes to larger mid sized organisations.
  • Removal of some obligations, such as AI literacy requirements, for certain providers.

For example, deadlines linked to training and validation obligations would shift to late 2027 rather than 2026. This gives businesses more time to meet new technical standards and reduces early compliance pressure for AI developers working within EU markets.

A Narrower Definition of Personal Data

One of the most significant proposals is a revised definition of personal data. Under the current GDPR, any information that could directly or indirectly identify an individual is treated as personal. This includes names, emails, IP addresses, device IDs and pseudonymous data.

The Omnibus moves to a controller centred test. Data will only be personal if the organisation processing it has the means that are reasonably likely to be used to identify a person.

In practice this means:

  • Highly pseudonymised data or indirect identifiers may fall outside scope if the controller cannot realistically link them to a person.
  • Direct identifiers or data that the organisation could reasonably use to single someone out will remain personal.
  • Judging identifiability becomes relative to each controller’s realistic capabilities.

This approach aligns with recent case law, including SRB v Edenred. It may reduce compliance obligations for analytics and telemetry datasets, but introduces subjectivity. Organisations will need strong documentation to justify how they assess identifiability.

Special Category Data: Direct Versus Inferred

The Omnibus narrows what is considered special category data under Article 9. Only data that directly reveals sensitive characteristics, such as health, religion or political opinions, would fall under the enhanced protections.

Inferences or predictions about sensitive traits, such as deducing health conditions through profiling, would not automatically count as special category data.

The proposals also allow limited exceptions for processing special category data to train or operate AI systems and for biometric data processed on user devices under strict conditions.

Right of Access (DSAR) Reform

The Omnibus provides controllers with stronger grounds to refuse or charge for requests that are abusive or manifestly excessive. This aims to reduce the burden of DSARs used strategically in litigation or to disrupt operations.

Although “abusive” is not tightly defined, the approach mirrors changes already seen in the UK under the Data Use and Access Act. UK organisations will still need clear internal criteria to avoid rejecting legitimate requests.

Breach Reporting Thresholds and Timescales

Under the existing GDPR, controllers must report any breach that risks individuals’ rights within 72 hours. The Omnibus proposes raising this threshold so that only high risk breaches must be reported, and extends the reporting window to 96 hours.

The proposals also introduce an EU wide incident reporting portal operated by ENISA. This would consolidate reporting under GDPR, NIS2, DORA and other frameworks.

UK breach reporting rules remain unchanged. Notifications must still be made without undue delay and within 72 hours unless UK legislation is updated in future.

DPIAs, Automated Decisions and Cookies

The Omnibus includes further measures intended to simplify and standardise compliance:

  • Harmonised DPIA and breach notification templates to be published by the EDPB.
  • Relaxation of restrictions on automated decision making when contractually necessary.
  • Broader exemptions under ePrivacy rules for analytics and security cookies.
  • Requirement for browsers and operating systems to respect user privacy preference signals once standards are established.

These measures would reduce the volume of consent banners and bring greater technical consistency to DPIAs and cookie compliance. This direction is similar to recent UK guidance on consent and preference management.

Opportunities and Risks

The Omnibus aims to create clearer legal grounds for AI development and reduce administrative burden for organisations. Many businesses welcome the potential for fewer overlapping obligations and more predictable compliance requirements.

There are also trade offs:

  • Narrowing the definition of personal data could create inconsistent protections across sectors.
  • Higher thresholds for breach reporting may reduce visibility of lower impact incidents.
  • DSAR reforms risk uncertainty without robust internal guidance.

For UK organisations, divergence between EU and UK regimes is likely to increase. This will require more precise policy alignment, updated data sharing contracts and consistent governance.

What UK GDPR Teams Should Do Now

  • Review data protection policies and contracts to reflect upcoming EU changes.
  • Update data maps and inventories to assess whether datasets may fall outside scope under the new definition.
  • Refine DSAR triage processes to identify abusive or excessive requests.
  • Monitor breach handling procedures to ensure EU and UK requirements remain aligned.
  • Keep track of regulatory developments from both the EU and UK.

Looking Ahead

The Digital Omnibus is still under negotiation by the European Parliament and Council. If adopted, it will represent a substantial shift in the EU digital regulatory landscape and highlight growing divergence from UK law following the DUAA.

Whether or not the UK adopts similar measures, any organisation operating across both jurisdictions will need to adjust its practices. Preparing early will reduce risk, support innovation and maintain compliance.

The Omnibus signals a wider regulatory trend. Policymakers are recalibrating privacy and digital governance for an AI driven economy. While some protections may narrow, many proposals aim to reduce friction and bring clarity for businesses. UK organisations should begin planning now to remain compliant and competitive.

Lessons For Data Retention

Santa’s Naughty List, Lessons For Data Retention

Data Protection Made Easy Podcast, Episode 228 – Hosted by Caine Glancy and Special Guest Katarina Douni

This week’s episode takes a festive look at one of the most common challenges in data protection, knowing what to keep, what to delete, and what to safely archive. Inspired by Santa’s famous naughty list, Caine Glancy and first time guest host Katarina Douni lead a lively discussion on data retention, storage limitation, and the practical steps organisations can take to stay compliant without holding information for longer than needed.

Katarina joined the podcast for her debut session and quickly set the tone with a clear message: many organisations continue to struggle with retention. She explored why data decisions matter, how retention periods should be approached, and why email is often the biggest culprit for uncontrolled storage. The session sparked strong engagement from our live audience, and the chat was filled with questions, examples, and shared challenges around retention, erasure, and day to day pressures inside busy teams.

Caine and Katarina walked listeners through common problems such as the over use of email as a filing system, storing information long after its purpose has expired, and the difficulty teams face when deciding how long is long enough. They also discussed the risks of under collecting or over collecting information, the impact this has on storage limitation, and how organisations can simplify their retention rules to reduce confusion and avoid unnecessary risk.

As always, the live chat added a valuable layer to the discussion. Attendees shared their own retention periods, debated tricky scenarios, and raised questions that pushed the session further. The interactive nature of the podcast remains one of its key strengths and gives practitioners the chance to test ideas, compare approaches, and learn from each other in real time.

This episode is ideal for anyone who handles personal data, manages email systems, or oversees compliance. It provides clear explanations, relatable examples, and practical steps that can be applied immediately. With year end approaching, the timing could not be better for organisations reviewing their retention schedules or tackling email backlogs.

If you listened back on Spotify and want to join a future episode live, you can request an invite by emailing info@dataprotectionpeople.com. Live attendees can take part in the chat, ask questions, and access the deeper insight that comes from community discussion.

We host Data Protection Made Easy every Friday at 12:30 and new listeners are always welcome. Our community continues to grow each week with hundreds joining live and many more tuning in through audio platforms.

If you work in the housing sector, you may also be interested in our upcoming in person STAIRs event taking place on the 5th of February. Details can be found on our website and on LinkedIn.

Listen below and enjoy this festive and practical dive into data retention.

GDPR Radio – Digital Omnibus, Personal Data and SAR Reform

Digital Omnibus, Personal Data Changes and What They Mean for You

Episode 227 of the Data Protection Made Easy Podcast, hosted by experts at Data Protection People. This episode was broadcast live via Microsoft Teams in front of an audience of listeners.

What We Covered in This Session

A Catch Up from Caine and Catarina

The episode opens with a look at what the team have been working on. Catarina reflects on a very busy week supporting a major client project alongside her team. Caine shares updates on ongoing STAIRs sessions for social housing providers and hints at an in person STAIRs event coming soon.

Both hosts also discuss their guest appearance on another organisation’s podcast where they explored how users understand privacy information, how organisations communicate their obligations and why cross functional training is so important.

The Digital Omnibus Package Explained

The main focus of the episode is the European Commission’s Digital Omnibus package, announced on 19 November. The discussion highlights several of the most significant proposals, including:

1. A New Approach to Personal Data

The proposal introduces a major shift. Information would be classed as personal data only if the controller has means reasonably likely to identify the individual.
The team explore:

  • how this could narrow the scope of personal data
  • what this means for indirect identifiers and pseudonymised data
  • how case law from Europe is already pushing towards this direction
  • how this might affect UK organisations if mirrored in future reforms

2. Changes to Data Breach Reporting

Catarina outlines proposals that:

  • raise the threshold so only high risk breaches need regulator notification
  • extend the deadline from 72 to 96 hours

Caine questions whether reducing low risk reporting could hide patterns of poor practice and the group debate what this means for real world compliance.

3. Reforms to Cookie Rules

The Digital Omnibus seeks to simplify cookie requirements by reducing reliance on consent for low risk purposes such as security and aggregated analytics. The team draw comparisons with the UK DUA Act and consider how consent fatigue has shaped this direction.

Insights from Guest Contributor David Appleyard

David shares two important observations:

1. SAR Purpose Tests

Under the new proposals, organisations may reject or charge for a SAR if the purpose is not to access personal data, for example in an employment dispute. This could be a significant change for many organisations that currently process large volumes of tactical or grievance based SARs.

2. High Risk AI Processing

David explains that the EU is pushing back deadlines for identifying high risk AI processing due to a lack of clear guidance, with expectations now set for no later than December 2027.

CNIL Research on Selling Personal Data

Caine introduces a study from the CNIL which found that 65 percent of surveyed French citizens would sell their personal data for between 1 and 100 euros. The hosts explore:

  • why people undervalue their own data
  • how advertising, profiling and AI training increase the true value
  • the growing need for public awareness and transparent communication

Looking Ahead

The session closes with a reminder that the next podcast will explore data retention, followed by an update that the team are working on the new in house DPP studio.

About the Data Protection Made Easy Community

Our podcast community is one of the most active privacy networks in the UK with more than 150 regular live attendees and over 1,600 subscribers across all audio platforms. Joining the community gives you access to:

  • free weekly live sessions with the chance to ask questions
  • practical guidance from experienced consultants
  • early access to slides and resources
  • networking with other privacy and security professionals
  • invites to in person events, workshops and sector focused discussions
  • exclusive content only available to our community members

Attending live offers clear benefits. You can join the conversation, shape the discussion, raise real world challenges and take part in polls, chat and Q and A. Many listeners tell us they get far more value from attending live than listening back later.

We also have a strong line up of sessions taking us through to the end of the year, covering topics such as data retention, AI risk, international transfers, STAIRs, marketing compliance and more.

If you are not yet part of the Data Protection Made Easy community, you can join for free and get involved straight away.

Subject Access Requests in Practice, Community Q and A

After our first SARs session, we picked up the phone and asked our listeners what they struggle with most in real life. They shared questions, tricky scenarios and points of disagreement. In this follow up episode of the Data Protection Made Easy podcast, Caine Glancy and Oluwagbenga Onojobi work through those issues live with members of our community.

What we discussed

In this session we explore:

  • Where to draw the line on property information as personal data in social housing
  • How far to go when providing repair history and tenancy records
  • SARs linked to disrepair claims, when to push back and when to provide more to be helpful
  • Redacting staff names in emails and HR files, and what counts as excessive redaction
  • How different organisations approach employment SARs and grievances
  • Using the third party exemption to protect staff and witnesses
  • Applying a reasonable and proportionate search so you focus your effort where it matters most
  • The importance of documenting decisions and communicating clearly with data subjects

Listeners share how they handle these issues in housing and HR, which gives a rounded view of what is happening on the ground, not just what the legislation says.

Who this session is for

  • Data Protection Officers and privacy leads
  • SAR handlers and information governance teams
  • Housing providers dealing with disrepair and complaint driven SARs
  • HR professionals managing employment SARs and grievances

If you are trying to balance transparency with protecting third party rights, you will find this discussion especially useful.

Listen back and join the community

You can listen back to this episode now on Spotify and all major podcast platforms.

If you are not yet part of the Data Protection Made Easy community, complete our contact form and ask to join. Membership is free. You will receive a weekly invite to our live Friday sessions, access to visual materials, and ongoing support from over 1,500 like minded data protection practitioners.

Coming up next, GDPR Radio

This week our live Friday session is a GDPR Radio episode. Caine, Catarina and the team will be back to look at the latest news, enforcement action and real world challenges from across our community. If you would like to receive an invite, fill in our contact form and the team will add you to the mailing list.

Cookies in 2025 – Trick or Treat, Part Two

This Halloween special of the Data Protection Made Easy Podcast dives into two hot topics: consent or pay and cookieless advertising. Watch or listen on demand below.

Recorded: Friday 7 November 2025

Hosts: Catarina Santos with guests Oluwagbenga Onojobi (Gbenga) and Holly Miller, cameo from Phil Brining

In this 30 minute session we focus on the implications of consent or pay under UK GDPR and what the move to cookieless advertising means in practice. We also touch on recent regulatory opinions and enforcement trends. The aim is simple: give you practical clarity that reduces risk without hurting conversions.

What we cover

  • The implications of consent or pay under UK GDPR and related data protection principles
  • How the transition to cookieless advertising affects the lawful use of personal data
  • Recent regulatory opinions and enforcement trends in the adtech space

Key takeaways

  • A clearer understanding of the data protection framework as it applies to modern advertising
  • Insights into compliance risks and regulator expectations
  • Discussion of the challenges organisations face when aligning commercial practices with data protection law

Your hosts

Catarina Santos with guests Oluwagbenga Onojobi (Gbenga) and Holly Miller, cameo from Phil Brining.

Join the Data Protection Made Easy community

One of the UK’s largest data protection communities, with more than 1,500 subscribers and over 200 episodes on major audio platforms. Join for free to get weekly live invites, monthly newsletters, and first access to in person events.

Missed Part One?

If you missed our first conversation on cookies, you can catch up on that episode, along with more than 200 others, on the Data Protection Made Easy Podcast.

Our Events & Webinars

Industry Leading Discussions

We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.

Upcoming events:

  • The Next Step: Preparing for STAIRs – 05 February 26, 9:00 - 1:00 pm
  • GDPR Radio – Episode 230

Get Support With Data Protection And Cyber Security

Our mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.