The UK's #1 Data Protection Consultancy

Data Protection & Information Security Experts

Data Protection Made Easy.

Join our extensive list of clients who have their data privacy under control

Accelerate Your Data Protection Compliance

Save Time, Save Money and Relax: You’re In Safe Hands

Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.

Outsourced DPO

A data protection officer doesn't have to be a full time employee and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services or reach out and get in touch with us.

Data Protection Support

Data Protection People's world-class GDPR Support Desk is on hand to help. If you're navigating the complex landscape of data protection, PCI DSS, and cybersecurity, our support desk is your reliable compass.

GDPR Audits

A range of high-level reviews, detailed audits and mid-range assessments to test compliance with data protection laws and standards.

SAR Support

Explore our Subject Access Request (SAR) Handling Service and understand how Data Protection People can support your organisation.

Need Help With Cyber Security Compliance?

We Have You Covered!

At Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.

PCI DSS Compliance Services for Merchants

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.

PCI DSS Compliance Services for Service Providers

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.

External Attack Surface Management

Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.

ISO 27001

Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.

Supporting DPOs

Flexible Support When You Need It

At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.

Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.

Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.

Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.

Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.

Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.

Diverse Sector Experience

Access to a Team of Industry Experts

At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.

Commercial Sector

Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.

SMEs

Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimize your operations, and scale confidently with our tailored solutions that prioritize your unique business needs.

Third Sector

For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.

Multi Nationals

For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavors with resilience.

Public Sector

In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.

Why Use Our Outsourced DPO Services?

Save Time, Money and Guarantee Compliance

Navigating the intricate landscape of data protection demands more than just a DPO — it requires a dedicated team committed to excellence. Our Outsourced DPO Services extend beyond the traditional role, offering a comprehensive approach to legal compliance and pragmatic solutions.

Why Choose Outsourcing?

An outsourced DPO brings a wealth of experience, not just in the law but also in crafting workable solutions. Their impartiality is fortified by a team of privacy practitioners, ensuring that your organization benefits from a spectrum of expertise. Should the need arise, seamless coverage during absences is guaranteed, eliminating the vulnerability associated with a single in-house DPO.

Staying Headache-Free

Concerned about the disruption if your DPO moves on? With an outsourced model, transitions are smooth, and you won’t experience the sudden headache of a critical role vacancy. The continuity provided by a team ensures that your data protection responsibilities are seamlessly handled.

Compliance Tailored to You

Our Outsourced DPO Services align seamlessly with your legal obligations, whether you’re mandated to appoint a DPO or choose to do so voluntarily. We understand that compliance is not just about ticking boxes but about ensuring a robust, practical approach to data protection. Choose Data Protection People for a worry-free, compliance-driven outsourced DPO solution — because your data protection journey should be as smooth as it is secure.

“I can't recommend Data Protection People enough. They have helped me in so many different areas; no matter how complex the challenge or how large the obstacle, DPP always has the answer.

I can call the team at any time and have built an amazing relationship with them. In times of frustration they are here to calm me down and create a plan. They are a pleasure to work with.”

Mark Leete
Eastlight Community Homes

‘I found the FOI training session to be highly informative and well-structured. It covered all the key areas comprehensively and provided clear, practical guidance throughout. The content was easy to follow, and the delivery by Gary was engaging, making complex topics accessible and understandable.’

‘The training session has really helped me to understand the IG rep role a bit more and what I need to be thinking about when receiving a request for information.’

Charlene Haynes & Team
Tendring District Council

“I have worked with the Data Protection People for some time now. Their expertise has been drawn upon to assist us with our GDPR compliance gap analysis project, ROPA design and production through to conducting objective reviews and surveys. They are always available to help us out and their advice and guidance is excellent and delivered in a timely way. Special mentions to Kathy Midgley, Phil Brining, and David Hendry. A great, reliable and dependable service!”

Judy Barker
Dyslexia Action

“A great service and peace of mind. Data Protection People provides a well-rounded service to ensure customers are fully supported in their approach to GDPR compliance. My interaction has largely been with the following people: Kathy Midgley – another great asset to the organisation. Always approachable, always helpful and consistently supportive to the team and customers.”

Julie Ferguson
Veritau

“We have been working with the Data Protection People for many years now, and have found them to be insightful, helpful, and knowledgeable in all areas of Data Protection Compliance. Data Protection People have taken the time to understand our business, the regulatory environment we sit under, and the unique challenges we face in the industry. They have supported us in all areas of Information and Data Security, assisting in assessments of our policies and changes to our processes. They are always willing to go the extra mile and prioritise support where required.”

Nia Roberts
Woodgate & Clarke

Data Protection People Blogs & Podcasts

Data Privacy Learning & Guidance

Data Protection People have the UK’s #1 Data Protection Podcast, with over 150 episodes available across all audio streaming platforms. We also post regular content designed to simplify complex areas of data protection and cyber security. Check out some of the podcasts and articles below and make data protection easy today.

What Are the Appropriate Technical Measures Under the UK GDPR?

The UK GDPR mentions “appropriate technical and organisational measures” almost 100 times. What this means and covers, however, is not exactly clear.

This law consists of two key aspects: data security and protection. Data protection focuses on the legality of processing and collecting personal data. Data security, on the other hand, examines the security measures necessary to protect personal data from unauthorised access or misuse.

So, a technical and organisational measure refers to the controls taken to ensure data protection. In part one of this series, we focused on organisational measures, and below, we continue with the technical aspects.

Your Minimum Compliance Requirements (Article 32)

Before you determine suitable technical measures, you should first understand Article 32.

Article 32 of the GDPR outlines that data controllers and processors must implement technical and organisational measures to protect the personal data they process.

Your measures should protect data from (Article 32(2)):

  • Accidental or unlawful destruction
  • Loss
  • Alteration
  • Unauthorised disclosure of personal data transmitted, stored or processed
  • Unauthorised access to personal data transmitted, stored or processed

The security measures you choose must be ‘appropriate’ to your processing activities and the associated risks. The UK GDPR considers an adequate level of protection to be able to:

  • Pseudonymise personal data
  • Protect the confidentiality, integrity, availability and resilience of processing systems and services.
  • Restore the availability and access to personal data in a timely manner following a physical or technical incident (see part one for more information).
  • Have a process for validating the effectiveness of technical and organisational measures.

Examples of Technical Measures Under the GDPR

Please note that you should first conduct a risk assessment of your processing activities to determine which of these technical measures will be most effective for your circumstances.

With this in mind, we list the technical controls recommended by the ICO and the Cyber Essentials framework.

Physical Safety Measures

While the world is becoming increasingly digital, we still need to consider our security in the real world. Consider your office, home and anywhere else you work; you can be just as incident-prone here as you are online.

For example, your employees may have lost or had their equipment stolen, or perhaps hard-copy documents were misplaced, stolen, or improperly disposed of. These security incidents happen all the time.

As such, you should consider the following controls for keeping your physical location secure:

  • CCTV
  • Alarms and security lighting
  • Access control protocols
  • Visitor logs and ID badges
  • Protocols for disposing of paper and electronic waste

Cyber Security Measures

You also need to consider your cyber security posture, especially with new cyber threats and vulnerabilities on the rise.

Cyber security is a highly advanced field, so what you may need to consider will depend on the sophistication of your systems and the personal data they process. For the sake of this article, you should have measures for:

Infrastructure & System Security

You need to maintain the security of your internal networks, servers, cloud infrastructure and any other systems that process or store personal data.

Example measures:

  • Firewalls & intrusion detection systems
  • Patch management
  • VPN
  • Encryption
  • Access control
  • Strong password policies
  • Antivirus and anti-malware software

Data Security

Along with keeping your systems secure, you must also protect the personal data stored within them. Having the right technical controls will maintain the confidentiality, integrity and availability of this data.

You should consider:

  • Access controls – Only authorised users should have access to specific data. You should implement permissions based on job roles so that individuals only have access to the data they need to carry out their tasks.
  • Multi-factor authentication (MFA) – MFA is an extra layer of security that requires a user to verify their identity before gaining access to data or systems.
  • Encryption – Data encryption is a process of encoding information with a key. Only those with a decryption key can access this information, which prevents attackers from reading it if they get access. Refer to the ICO’s full guide on encryption for more details.
  • Data backups – You should back up your data regularly. Ensure it is stored and encrypted in a secure location, preferably outside of your workplace.
  • Data erasure – Do you have data you no longer need? Free up storage space and permanently remove personal data from your systems. (See ‘storage limitation’ for more information.)

Online Security

Your website, applications or any third-party online service you use needs to be secure. When not protected, they serve as easy entry points for cyber criminals to compromise customer data.

You may need to consider technical measures such as Secure Sockets Layer (SSL) certificates for encryption, web application firewalls, security plugins to scan for threats and conducting regular security updates.

There are many other ways to secure a website, which is best left to a third party to manage on your behalf.

Device Security

Whether personal or company-issued, your employees’ devices need to be protected at all times. Best practices include:

  • Implementing a Bring-Your-Own-Device (BYOD) policy for employees using a personal device
  • Antivirus software across all devices to detect, prevent and respond to cyber threats
  • Implementing Mobile Device Management software to manage, secure and monitor mobile devices remotely, so you can wipe data if a device is stolen or lost
  • Regularly updating devices with the latest software and security updates
  • Using VPNs to allow employees to securely access company servers

For more tips, refer to the National Cyber Security Centre (NCSC) guide on device security.

Do You Need to Test Your Security Measures?

Yes. Article 32 states that you must have “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures”. The tests you take and how often you do them will depend on your business’s circumstances.

You can assess the effectiveness of your measures using a vulnerability scan, penetration test, GDPR audit or through other techniques. These tests are best done externally, such as through a data protection consultancy, to avoid a conflict of interest.

You should document all the results and implement changes swiftly to minimise potential risks resulting in a personal data breach.

Speak to Our Data Protection Consultancy Today

Unsure whether you have the ‘appropriate’ technical and organisational measures in place? We can conduct a GDPR audit to identify areas of non-compliance, including weaknesses in your security controls.

We also provide cyber security services to help improve your technical controls, including GDPR support services to improve your overall compliance. Speak to our team to find out more.

What Are the Appropriate Organisational Measures Under the UK GDPR?

12,194. That’s the number of data breaches that were reported to the ICO in 2024. Even worse, these incidents don’t reflect the number of data subjects affected. A single breach could have a widespread impact on hundreds of thousands of individuals.

Data breaches happen when data controllers and processors don’t have the “appropriate technical and organisational measures” (Article 32) to safeguard the personal data they hold.

Failing to implement the necessary measures goes against one of the seven principles that underpin the UK GDPR: security. To ensure you remain compliant, we cover all the provisions needed to protect personal data at an organisational level.

Read part two to find out which technical controls you need to implement.

Why Is Information Security Important?

Information security comes from the UK GDPR’s principle of ‘integrity and confidentiality’ (Article 5(1)(f)). Complying with this principle ensures you have the right security in place to minimise the risk of personal data being breached, whether unintentionally or maliciously.

Information security is simply good data protection practice. By not securing data, you expose individuals involved in a data breach to fraud, physical harm, intimidation, and undue distress. Regardless of the level of harm caused, the ICO will hold you accountable, resulting in substantial administrative fines.

Non-compliance could cost you up to £17.5 million or 4% of your total annual turnover, whichever is more. Are you willing to risk all this?

What Do You Need to Protect?

Your technical and organisational measures need to:

  • Keep data private and secure so that it is not accessed, altered, deleted or disclosed by unauthorised users
  • Maintain the accuracy and integrity of the data you process
  • Ensure data remains accessible at all times, e.g., data should be recoverable in the event of it being lost, altered or deleted

These three components are known as confidentiality, integrity and availability. They form part of your GDPR obligations, as well as your ISO 27001 compliance requirements.

Organisational Measures Checklist

Below, we outline several organisational measures to maintain data security:

  • Complete information risk assessments (DPIAs)
  • Build a culture of awareness
  • Identify a person in charge of compliance
  • Implement policies and procedures
  • Plan for the worst

For tailored advice, speak to our GDPR consultancy to ensure you choose actions suitable for your organisation.

1. Complete Information Risk Assessments (DPIAs)

One way to demonstrate your accountability is through regular risk assessments, which help identify and mitigate problems before they escalate.

These risk assessments are otherwise known as data protection impact assessments (DPIAs). You complete a DPIA when processing personal data is “likely to result in a high risk” to the rights and freedoms of individuals. While the notion of ‘high risk’ isn’t entirely clear, there are multiple situations in which a DPIA is required.

A DPIA is conducted at the beginning of a project or before processing begins. Here, you will assess, identify and mitigate the risks involved in processing.

Outside of this, you should have a process in place to enable employees to report data protection concerns to a central contact such as a DPO. Doing this will improve accountability across your organisation.

2. Build a Culture of Awareness

GDPR compliance starts from within your organisation. Your employees need to understand their data protection obligations and the actions they must take to maintain compliance.

This forms part of your GDPR training programme, which should cover topics including:

This training should be conducted during inductions, as well as through regular refreshers, to ensure employees’ knowledge and skills remain up to date. An appropriate trainer, such as a data protection officer (DPO) or Data Champion, should oversee and conduct the training.

3. Identify a Person in Charge of Compliance

The ICO states that you should have “a person with day-to-day responsibility for information security within your organisation.” These people include executive leadership, IT departments and your wider team. Essentially, everyone is responsible for data security and protection.

If applicable, you may have an in-house or outsourced data protection officer. These DPOs act as advisors for your GDPR obligations, monitoring compliance and providing support with training and GDPR audits.

Your DPO will work independently, meaning that GDPR compliance is their sole priority. If you already have an internal DPO, they may require additional help, either on an ad-hoc basis or by outsourcing another DPO.

Worried your internal team is struggling? Here are the five telltale signs that outsourcing your DPO might be the answer to all your problems.

4. Implement Policies & Procedures

An appropriate organisational measure is to have an information security policy to help demonstrate your compliance with the security principle. The scope of these documents depends on the size of your business and processing activities, so you may not require a formal policy.

You will, however, already have GDPR documentation in place that will support information security, such as:

  • Data retention policy
  • Data retention schedule
  • Data breach notification & response procedure
  • Data sharing agreement

You may also have a Bring Your Own Device (BYOD) and remote access policy to set standardised controls for employees using personal devices or working at home.

5. Plan for the Worst

An essential aspect of information security is availability. This refers to restoring access to personal data even after a physical or technical incident (Article 32(1)(c)).

You should have a business continuity and disaster recovery plan that outlines how you’ll maintain your critical functions and protect personal data during an incident or disaster.

Along with these plans, you will also back up copies of online data, software and systems to ensure you can minimise the loss of personal data.

Get in Touch With Our Data Protection Consultants Today

Worried about which steps to take next? Our data protection consultancy can help you implement the appropriate measures to maintain GDPR compliance.

Speak to our team today to get started.

New Complaint Provisions in the DUA Act

Are the New Complaint Provisions the Most Impactful Changes in the Data (Use and Access) Act?

Over the past week, I’ve read 30 or 40 blogs on the Data (Use and Access) Act 2025 (“DUA”). Many of them are expertly written by leading legal professionals who offer detailed analysis of the legislation, but most focus squarely on the law itself rather than its practical implications for privacy practitioners.

From my perspective, the most impactful changes in the DUA for privacy practitioners are:

  • The new right of complaint,
  • The soft opt-in for charities, and
  • The changes to the Privacy and Electronic Communications Regulations (PECR), including updates on cookies, definitions, and fines.

Of course, there are other significant changes, including updates to subject access request (SAR) timelines, information searches, legitimate interests, purpose limitation, and scientific research processing. But in many respects, these changes align with existing good practice, so the Act largely offers clarification and certainty rather than entirely new obligations.

By contrast, the new complaint right may represent a more fundamental shift in data protection practices.

From ICO First… to Controller First

Under the UK GDPR, data subjects have rights that affect either the processing of their data (e.g. the right to object or restrict) or the data itself (e.g. the rights to erasure or rectification), as well as the right of access (e.g. via SARs or data portability).

They’ve always had a right to lodge a complaint with the ICO (Article 77 UK GDPR) if they believed their personal data was being processed unlawfully. But crucially, the burden for investigating and acting on that complaint lay with the ICO.

The DUA changes that dynamic. Under Section 103 of the DUA, a data subject now has a statutory right to make a complaint directly to the controller if they believe there has been an infringement of the UK GDPR or Part 3 of the DPA 2018. While the ICO already encourages complainants to approach controllers first, this new provision formalises that expectation and elevates it to a legal requirement for controllers to respond.

What Does This Mean for Controllers?

This shift means that data controllers must:

  • Update privacy notices to reflect the new right of complaint,
  • Implement clear internal mechanisms for receiving and responding to complaints,
  • Train relevant staff to respond to the right, and
  • Be prepared to respond within 30 days.

And the volume and nature of these complaints? That remains an open question. It’s currently hard to say how this right will be utilised by data subjects. As data protection is so broad, complaints will be wide and varied and may well prove difficult for some organisations to handle.

Will the complaints received directly differ from those historically made to the ICO? Data subjects may start raising issues such as:

  • Inadequate security on portals,
  • Undeclared restricted transfers,
  • Vague or confusing lawful bases in privacy information.

Previously, many individuals may not have pursued such concerns with the ICO, but with a formal avenue now open through the controller, will more choose to act?

A Potential Game-Changer: Section 164B

Another noteworthy (if not yet in force) provision is Section 164B, which would require controllers to report the number of complaints received to the ICO. While not currently active, this could be implemented by the Secretary of State, meaning the legal mechanism is already in place.

If enacted, it will add a further layer of accountability, and data controllers should be preparing for that possibility now.

A Huge Shift or a Minor Concern?

In my view, this change represents a seismic shift in power toward the data subject, giving them “free rein” as to what they can complain to the controller about, which could lead to masses of requests and to it being used as a tool to process further complaints in a faster manner.

However, it is also a greatly beneficial tool in allowing data subjects to truly trust in the organisations that handle their personal data, and it makes their voice feel heard where their personal data is involved.

The right to complain, now enforceable directly with the controller, places data subjects at the heart of accountability and requires organisations to respond not only to their data but to their dissatisfaction.

These 6 Mistakes Could Land Your Business with a Costly GDPR Fine

As with any form of compliance, businesses must overcome several hurdles on their path to becoming compliant with the GDPR. Through the help of our data protection consultancy, we are able to provide businesses with the insight they need to know whether they’re on the right track.

Along with simplifying compliance, our GDPR consultants are tasked with helping businesses be proactive, allowing them to mitigate risks before they unravel.

Through this work, we’ve observed six common GDPR mistakes and how to resolve them, all of which we run through in this blog.

Top 6 GDPR Violations to Watch Out for 

1. You Ignored a Subject Access Request

Under the GDPR, every individual has a right to access their personal information. This right, among seven other data subject rights, must be fulfilled without undue delay.

Individuals can submit subject access requests (SARs) verbally or in writing. Since they don’t need to be addressed to a specific individual in your organisation, these requests can arrive anywhere. If staff don’t know what a SAR is, it’s very easy for one to be ignored and not passed to the relevant individual for follow-up.

Remember, you only have 30 calendar days to respond to a SAR. Make sure you supply the person with their requested information before time runs out.

2. You Keep Personal Data for Too Long

It’s too easy to let ‘just in case’ get in the way when erasing personal data after you no longer need it. After a while, this information will pile up, and then you’ll need to invest more resources in keeping it safe.

Rather than focusing on the what-ifs of deleting data, draw your attention to the reasons why you should erase it. If you come back empty-handed, erase the data. If the reason is valid, record it in a data retention policy so it is clear how you manage, store and delete specific types of data.

With less information stored, you won’t have to spend as much time on a subject access request. Just think – would you rather search through hundreds or thousands of files?

3. You’re Not Careful with Email

The ICO’s data security incidents trends dataset reveals that emailing data to the wrong person remains the most common mistake businesses make.

There are plenty of scenarios where this can happen. It may occur when you’re rushed off your feet between meetings or when you’re multitasking between two jobs.

All it takes is a little distraction, and you end up emailing someone with a similar name who is an entirely different individual. Once that email arrives, they have access to the entire history of that email thread.

If you send bulk emails, always check that you’re using Blind Carbon Copy (BCC). Otherwise, everyone in your CC group can see each other’s email addresses.

If either of these errors happens to you, act quickly and try to recall the email as soon as possible. If it’s too late, contact the individual(s) and ask them to delete it.

4. You Don’t Prioritise GDPR Training

Data breaches most often originate within the organisation. Your employees may email data to the wrong people, fail to redact or to use BCC, or fall victim to the all-too-common phishing attack.

If you don’t provide them with data protection training, how can you expect them to learn? Human error isn’t enough of an excuse – it’s just negligence on your part.

The UK GDPR doesn’t state how much or what type of training your business should do. Something as simple as our ‘Introduction to Data Protection’ course will be enough to give your team a solid understanding of your GDPR obligations.

If you’re looking for convenience, our GDPR training can be delivered online or in person, so there’s no excuse not to learn. For larger organisations, you may be best placed with a data protection officer (DPO) who will handle your team’s best practices in-house.

5. Your Records Are Out of Date

GDPR compliance is all about demonstrating accountability. To do this, you need a clean audit trail, which you can evidence at a moment’s notice.

Businesses often struggle with the record-keeping aspect of GDPR. There’s a lot of paperwork involved, and if these records are out of date or insufficient, how will you establish what happened when things go wrong?

This is why keeping your Record of Processing Activities (RoPA) is non-negotiable. It may take time at the start, but maintaining it means you can prove the work that’s been done to stay compliant.

If you don’t know what data is held, we recommend conducting a data mapping exercise to understand your processing activities. If you need more transparency, a detailed GDPR audit may be required.

6. You Approach Compliance Like Everyone Else

GDPR compliance cannot sustain a one-size-fits-all approach. A generic data protection programme often falls short because it doesn’t account for your business’s specific nuances, and that gap creates vulnerabilities and leaves room for costly mistakes.

A data protection by design and by default approach means your business integrates data protection into everything it does. Rather than assuming the best, this concept ensures privacy and security are built into your processes from the ground up, protecting individual rights proactively.

If you want a tailored approach, our GDPR consultants can help identify gaps in your data protection framework and recommend ways to improve compliance.

Speak to Our Team for Expert GDPR Support

Don’t let these common GDPR mistakes expose your business to costly fines. Our expert data protection consultants provide the tailored insights and measures you need to secure your data and achieve compliance.

Speak to our team today to find out how we can support you.

The Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 – Podcast Part One Recap

On Friday, 28th June 2025, we hosted our biggest podcast session ever, with 295 live attendees joining us to explore the Data (Use and Access) Act 2025.

Hosted by Phil Brining, Caine Glancy, and Catarina Santos, the session provided a clear and practical breakdown of the most significant changes to UK data protection law since the GDPR.

Whether you missed it live or want to listen again, you can catch the full episode now and download the slide deck shared during the session.

Listen back on Spotify

Click below to listen to the episode via Spotify or find us on Apple Podcasts, Audible and all major streaming platforms.

Download the Slides

We’ve made the full slide deck from the session available to download and share:
Download Presentation Slides

What We Covered

  • What the DUA Act is and how it evolved from the DPDI Bill
  • Key changes to Subject Access Requests, Legitimate Interests, and the role of the ICO
  • Updates to PECR enforcement powers and cookie consent exemptions
  • The Act’s impact on data sharing, organisational accountability, and regulatory expectations
  • What public and private sector organisations need to prepare for

Part Two – Live on Thursday 18th July

Due to overwhelming demand and brilliant questions from our community, Part Two is already confirmed. In this follow-up session, we’ll dig deeper into unanswered questions, explore real-world scenarios, and share practical next steps for compliance and governance.

Click here to visit the Part Two event page and register your place: View Part Two

Join the Data Protection Made Easy Community

By joining our free community, you’ll get:

  • Early access to future podcast sessions
  • Weekly email updates with analysis and guidance on the DUA Act
  • Exclusive content including white papers, practical templates, and checklists
  • Invites to free in-person events across the UK
  • Recordings and slides from every live session
  • A chance to ask questions and share challenges with other professionals

We’re committed to supporting our community through the transition to the DUA Act and beyond, making compliance simpler, clearer, and easier to manage.

Managing Subject Access Requests from Employees & Ex-Employees – Part 2

Data Protection Made Easy Podcast – Episode 214

After one of our most popular episodes to date, Data Protection Made Easy is back on Friday 13th June with Part Two of our deep dive into Subject Access Requests (SARs) from employees and ex-employees.

Our expert hosts Catarina Santos, Phil Brining and Caine Glancy return with special guest Nia Roberts to pick up where we left off, tackling some of the most challenging real-world scenarios and offering practical advice you can put into action.

Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.

What We Covered

Understanding What Drives SARs

We’ll begin by exploring the reasons why employees and former staff submit SARs. Understanding their motivations – whether it’s part of a grievance, a disciplinary matter, or simply curiosity – can help you take a more informed, strategic approach when responding.

When You Must Respond – And When You Don’t

We’ll clarify the legal obligations around SARs, including when you are required to respond and the circumstances under which you may lawfully refuse. We’ll cover how to apply exemptions correctly and avoid common legal missteps.

Managing Excessive or Repetitive Requests

Some SARs are straightforward, but others can be lengthy, repeated or even used tactically during disputes. We’ll discuss practical strategies for managing high-volume or difficult requests while staying compliant and maintaining control.

Balancing Transparency and Internal Protection

Sharing data is a legal requirement, but it can pose risks. We’ll explain how to balance the need for openness with the importance of protecting internal communications and third-party data, especially in sensitive workplace situations.

Lessons from Real Grievance and Disciplinary Cases

We’ll walk through real examples where SARs intersect with HR issues, highlighting the challenges and how they were overcome. These case studies bring the legislation to life and offer useful insights for handling similar requests in your own organisation.

Proactive Preparation: Getting Ahead of SARs

Being prepared can save you a lot of time and stress. We’ll share practical steps to help you get ready for future SARs, such as mapping employee records, putting redaction protocols in place, and training managers to write with potential disclosure in mind.

Avoiding Common Mistakes

From over-disclosing sensitive data to misinterpreting exemptions, there are several pitfalls to watch out for. We’ll help you spot the most common mistakes and show you how to avoid them through better planning and communication.

Handling Escalation and Risk

Sometimes SARs escalate into wider legal or reputational issues. We’ll outline how to manage those risks and what to do when a request becomes more than just a request – protecting your organisation and your people in the process.

Want More Like This?

The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.

Subscribe to our mailing list by emailing [email protected]
Join live discussions every Friday at lunchtime
Find out more about our events, training, and in-person roundtables

Looking Ahead

As always, this podcast is completely free to attend and open to everyone. Whether you’re new to SARs or navigating a particularly difficult one, this session will leave you better equipped to respond with clarity and confidence.

Know someone who would benefit? Share the podcast link and help others take the complexity out of compliance.

Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.

Managing Employee SARs

Managing Subject Access Requests from Employees & Ex-Employees

Data Protection Made Easy Podcast – Episode 114

Subject Access Requests (SARs) submitted by current or former employees are among the most sensitive and complex data protection challenges organisations face. In Episode 114 of the Data Protection Made Easy Podcast, we welcomed Nia Roberts from Woodgate & Clarke to share her insights alongside our regular hosts Philip Brining, Catarina Santos, and Caine Glancy.

If you’re involved in HR, legal, compliance, or data protection, this is an episode you won’t want to miss. SARs from staff can surface during contentious periods and often involve highly personal data, workplace grievances, and emotionally charged decisions.

Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.

What We Covered

This session dives into some of the most frequently asked questions and overlooked risks when handling SARs from employees and ex-employees. The team explored:

🔹 Common Triggers and Misconceptions

From employment disputes and grievances to misunderstanding of rights, we discussed the motivations behind employee SARs and how these requests are sometimes unfairly perceived as “troublemaking.”

As Catarina Santos explained, it’s essential to reframe the narrative:

“The moment an employee submits a SAR, there’s often suspicion. But they’re simply exercising a right, and organisations need to avoid viewing this as a hostile act.”

🔹 SARs and Organisational Culture

The episode opened with a reflection on how important organisational attitude is when dealing with SARs internally. Do line managers panic? Do HR teams try to limit the scope unfairly? The cultural tone of how SARs are approached sets the standard for compliance, and respect for rights.

🔹 The Community Speaks

This episode was particularly lively, with dozens of listeners sharing personal experiences in the live chat, from management asking for redaction reviews to WhatsApp messages being considered disclosable.

Philip Brining highlighted the value of the community:

“We’re not here to preach, we’re here to learn from each other. Today’s discussion proved again how much experience exists across this community.”

🔹 Tools of the Trade: Teams, WhatsApp & Chat Platforms

Are your workplace chat tools covered by SARs? Very possibly. The group discussed how platforms like Microsoft Teams, Slack, and WhatsApp are increasingly scrutinised during employee SARs, especially if conversations include personal data.

🔹 Balancing Access, Proportionality, and Security

SAR compliance doesn’t mean giving everything. As Caine Glancy pointed out, organisations must strike a balance between access and protection:

“It’s easy to get swept up in emotion, especially when the SAR involves current staff. But we need to remain impartial, proportional, and legally grounded.”

The team also touched on unfounded and excessive requests, case law, and the ICO’s guidance on managing SARs in the workplace — especially when IT systems and data security are involved.

What made this episode stand out was the depth of real-world experiences shared. Guest speaker Nia Roberts brought front-line insight, including how to manage expectations and collaborate across departments:

“You need strong communication between data protection and IT teams. It’s essential, especially when you’re dealing with chat logs or historic data held in messaging tools.”

Want More Like This?

The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.

Subscribe to our mailing list by emailing [email protected]
Join live discussions every Friday at lunchtime
Find out more about our events, training, and in-person roundtables

Looking Ahead

Due to overwhelming demand and an overflowing chat box, we’re exploring a Part 2 to this session, diving deeper into recurring SAR issues, including excessive requests, HR workflows, and lessons from recent case law.

Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.

Special May Promotion: Free SAR Consultations

This month, we’re offering free consultations on SAR handling to any organisation looking to improve their internal process.

Whether you’re struggling with redaction, document searches, or managing requests from difficult cases, speak to one of our experts for practical support.

📩 Simply email us at [email protected] with the subject line SAR Support, and we’ll book in a free 30-minute consultation.


Joe Kirk’s Top 10 Tips

Joe Kirk’s Top 10 Tips: Lessons from a Career in Data Protection

In this special episode of the Data Protection Made Easy podcast, long-time host and data protection consultant Joe Kirk reflects on his journey through the world of privacy and compliance—from his early days in sales, speaking to hundreds of DPOs across the UK, to becoming a consultant himself and working with a wide range of clients across every major sector.

As this marks Joe’s final regular appearance on the podcast, we dedicated the session to the Top 10 Lessons He’s Learned over the last four years. These are practical, honest, and experience-based takeaways that he hopes will help current and aspiring DPOs make a meaningful impact in their roles.

Key Themes Discussed

  • How sales and consulting provide different but complementary perspectives on data protection
  • The common challenges DPOs face regardless of sector or organisation size
  • The importance of empathy, curiosity, and communication in building trust
  • Avoiding the “tick-box” mentality and becoming a strategic advisor
  • Keeping your knowledge current in a fast-moving legal and tech landscape
  • How to show your value to the business even when you’re not customer-facing
  • Why DPOs should be involved in decision-making at the earliest possible stage
  • Balancing legal risk with operational reality
  • Encouraging a culture of accountability, not fear
  • The importance of continuous learning – and what Joe would do differently if starting today

These tips are relevant whether you’re new to data protection, already in a DPO role, or even an employer looking to build a successful privacy function.

A Time of Transition for Data Protection Made Easy

Joe’s departure also marks the beginning of a new phase for the Data Protection Made Easy community. As we look to evolve and bring even more value to our subscribers, we’re making some important changes:

Podcast Frequency
We will now host one episode per month, instead of weekly. This allows us to:

  • Deep dive into more meaningful topics
  • Reintroduce guest speakers and expert panels
  • Focus on sector-specific challenges and use cases
  • Provide more actionable takeaways for our listeners

In-Person Events
To complement our podcast, we’ll be launching monthly in-person events, starting with a Housing Sector Roundtable in Leeds. These will be free to attend and packed with:

  • Expert guest speakers
  • Open discussion sessions
  • Networking opportunities
  • Food, drink, and sector-specific guidance

If you’re in the housing sector or work in data protection in Yorkshire, this is a great chance to connect with our team face-to-face. More info coming soon.

Monthly Newsletter
To replace our weekly GDPR Radio news episodes, we’ve launched a monthly email newsletter with:

  • Top stories from the ICO and UK government
  • Regulation changes and enforcement action recaps
  • Insights from the Data Protection People team
  • Highlights from recent podcasts and events

If you’re a subscriber, your first issue should already be in your inbox! If not, sign up here:

Subscribe to the Newsletter

What’s Next?

We’ll soon be publishing a full article on Joe’s Top 10 Tips for DPOs, expanding on the episode with real-life examples, links to useful tools, and guidance from our team. This will be available in the Resource Centre and shared with our newsletter subscribers.

We’ll also be sharing details on our 10-Year Anniversary Celebration taking place in July 2025. If you’re based in Leeds and would like to attend this free event, keep an eye out for the invitation — food, drinks, music, and privacy professionals all under one roof (plus a special guest DJ set from Joe himself!).

Keep in Touch with Joe

While Joe is stepping away from the podcast, you may still hear him pop up as a guest speaker in future episodes or events. He’s made a lasting impact on our community and we’d love for you to stay connected with him: Connect with Joe on LinkedIn

Catch Up On Demand

Listen to Episode 213 – Joe Kirk’s Top 10 Tips on Spotify

Or find us on Apple Podcasts, Amazon Music, and all major streaming platforms.

Thank you to Joe for four years of thoughtful, passionate, and incredibly valuable contributions to the Data Protection Made Easy community. We’ll miss him as a regular host, but we know this isn’t goodbye – just see you later.

Our Events & Webinars

Industry Leading Discussions

We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.

The Data (Use and Access) Act – Part Two
18 July 25 12:30 - 1:30 pm

The DUA Act (Part 2)

The DUA Act What It Means for UK Organisations
27 June 25 12:30 - 1:30 pm

The DUA Act – Simplified. Explained. Understood.

Get Support With Data Protection And Cyber Security

Our mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.