The UK's #1 Data Protection Consultancy

Data Protection & Information Security Experts

Data Protection Made Easy.

Join our extensive list of clients who have their data privacy under control

Accelerate Your Data Protection Compliance

Save Time, Save Money and Relax: You’re In Safe Hands

Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.

GDPR Training

Data Protection People have a wide range of training services catering for every need. Whether it's general training for operational or admin staff or specific training for specialist roles, we have something for you. Watch the short video below to meet the team and find out more about our training services.

Information Management Software

DataWise is the original privacy tech platform designed to simplify GDPR compliance management. Since its inception in 2011, DataWise has continuously evolved, solidifying its reputation as the pioneering "privacy tech" solution.

Data Protection Consultancy

Unlock Compliance Excellence with Our GDPR Consultancy Services. Navigating the intricate realm of data protection laws and standards demands expert guidance.

Outsourced DPO

A data protection officer doesn't have to be a full-time employee, and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services, or reach out and get in touch with us.

Need Help With Cyber Security Compliance?

We Have You Covered!

At Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.

PCI DSS Compliance Services for Merchants

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.

PCI DSS Compliance Services for Service Providers

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.

External Attack Surface Management

Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.

ISO 27001

Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.


Supporting DPOs

Flexible Support When You Need It

At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.

Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.

Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.

Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.

Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.

Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.

Diverse Sector Experience

Access to a Team of Industry Experts

At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.

Commercial Sector

Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.

SMEs

Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimize your operations, and scale confidently with our tailored solutions that prioritize your unique business needs.

Third Sector

For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.

Multi Nationals

For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavors with resilience.

Public Sector

In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.

Why Use Our Outsourced DPO Services?

Save Time, Money and Guarantee Compliance

Navigating the intricate landscape of data protection demands more than just a DPO — it requires a dedicated team committed to excellence. Our Outsourced DPO Services extend beyond the traditional role, offering a comprehensive approach to legal compliance and pragmatic solutions.

Why Choose Outsourcing?

An outsourced DPO brings a wealth of experience, not just in the law but also in crafting workable solutions. Their impartiality is fortified by a team of privacy practitioners, ensuring that your organization benefits from a spectrum of expertise. Should the need arise, seamless coverage during absences is guaranteed, eliminating the vulnerability associated with a single in-house DPO.

Staying Headache-Free

Concerned about the disruption if your DPO moves on? With an outsourced model, transitions are smooth, and you won’t experience the sudden headache of a critical role vacancy. The continuity provided by a team ensures that your data protection responsibilities are seamlessly handled.

Compliance Tailored to You

Our Outsourced DPO Services align seamlessly with your legal obligations, whether you’re mandated to appoint a DPO or choose to do so voluntarily. We understand that compliance is not just about ticking boxes but about ensuring a robust, practical approach to data protection. Choose Data Protection People for a worry-free, compliance-driven outsourced DPO solution — because your data protection journey should be as smooth as it is secure.

“I can’t recommend Data Protection People enough, they have helped me in so many different areas, no matter how complex the challenge or how large the obstacle, DPP always has the answer.

I can call the team at any time and have built an amazing relationship with them, in times of frustration they are here to calm me down and create a plan, they are a pleasure to work with.”

Mark Leete
Eastlight Community Homes

‘I found the FOI training session to be highly informative and well-structured. It covered all the key areas comprehensively and provided clear, practical guidance throughout. The content was easy to follow, and the delivery by Gary was engaging, making complex topics accessible and understandable’. 

‘The training session has really helped me to understand the IG rep role a bit more and what I need to be thinking about when receiving a request for information’. 

Charlene Haynes & Team
Tendring District Council

“I have worked with the Data Protection People for some time now. Their expertise has been drawn upon to assist us with our GDPR compliance gap analysis project, ROPA design and production through to conducting objective reviews and surveys. They are always available to help us out and their advice and guidance is excellent and delivered in a timely way. Special mentions to Kathy Midgley, Phil Brining, and David Hendry. A great, reliable and dependable service!”

Judy Barker
Dyslexia Action

“A great service and peace of mind. Data Protection People provides a well-rounded service to ensure customers are fully supported in their approach to GDPR compliance. My interaction has largely been with the following people: Kathy Midgley – another great asset to the organisation. Always approachable, always helpful and consistently supportive to the team and customers.”

Julie Ferguson
Veritau

“We have been working with the Data Protection People for many years now, and have found them to be insightful, helpful, and knowledgeable in all areas of Data Protection Compliance. Data Protection People have taken the time to understand our business, the regulatory environment we sit under, and the unique challenges we face in the industry. They have supported us in all areas of Information and Data Security, assisting in assessments of our policies and changes to our processes. They are always willing to go the extra mile and prioritise support where required.”

Nia Roberts
Woodgate & Clarke

Data Protection People Blogs & Podcasts

Data Privacy Learning & Guidance

Data Protection People have the UK’s #1 Data Protection Podcast, with over 150 episodes available across all audio streaming platforms. We also post regular content designed to simplify complex areas of data protection and cyber security. Check out some of the podcasts and articles below and make data protection easy today.

The ICO’s New Focus: Training and Evidence for Compliance

Every organisation handling personal data today should ask itself: are our data protection practices truly up to the ICO’s current standards, or are we merely ticking boxes? The ICO has made it clear that policies alone do not equal compliance. Staff training, role-specific awareness, and regular refreshers play a critical role. Falling short can expose your organisation to reputational harm, regulatory risk, and loss of trust.

Why This Matters Now

Data protection has never been more in the spotlight. With increasing public awareness of data rights, stricter regulatory scrutiny, and emerging risks from technology (AI, cloud, etc.), the ICO has sharpened its expectations. Organisations that rely on minimal compliance risk being exposed when the next audit or incident happens. The ICO’s updated guidance demands meaningful actions, not just a good-looking policy document, especially when resources are tight or operations overlap in small teams.

What’s Changed / What’s New

The ICO has clarified several areas that often cause complacency. First, training must be tailored to each staff member’s role. A general GDPR overview is no longer sufficient. New starters must receive induction training that directly relates to their daily data-handling duties. Second, refresher or follow-up training is essential. It cannot be a one-off event. Organisations must test and evaluate staff understanding over time. Third, organisations must show evidence of effectiveness. This includes proof that training produces results: fewer errors, improved practice and proper handling of data in day-to-day operations.

Why It Matters for Data Protection

Data protection is more than legal compliance. It directly affects your reputation, risk exposure, and customer trust. When staff lack proper training, one small mistake, such as sending personal data to the wrong recipient, can escalate into a breach. UK GDPR demands accountability and transparency. The ICO’s Accountability Framework highlights that regulators will look for evidence of training, understanding, and relevant role-based responsibilities.

What You Should Be Doing Now

Begin by reviewing your training programmes. Ensure induction training clearly explains data protection obligations relevant to each role. For example, customer service, HR, marketing and IT staff should each understand how their work impacts personal data protection. Then, schedule regular refresher courses. Reinforce learning through quizzes, scenario-based exercises and real-world examples. Collect evidence: track training completion, gather feedback, measure error rates. Use that data to improve your training and show you are meeting ICO expectations.

Next, align your documentation and policies with actual practice. Your privacy notice, internal policies and procedures must reflect how your staff operate. Don’t rely on generic policies; ensure they match how data flows, who handles what and where risks are highest. Also ensure you have a plan for external support if you lack in-house expertise. Outsourced training or specialist consultants can help fill capability gaps.

Finally, audit your accountability: use internal or external assessments to test how well your team applies data protection in daily work. Simulate real incidents, review SAR responses, check for secure handling of data, and ensure clear ownership of responsibilities. Transparency internally supports compliance externally.

Our View / Final Thoughts

At Data Protection People we believe that the ICO’s updated expectations are both necessary and achievable. Policies and roles must align, training must be role-specific and ongoing, and evidence must accompany claims of compliance. Organisations that treat data protection as culture, not just a legal requirement, will protect themselves better. Habits of complacency cost more in the long run than investing in capable people and well-practiced processes.

FAQs

Is a one‐time GDPR training enough?

No. The ICO expects regular refreshers and assessments of understanding. A single session or generic e-learning does not meet their current standards.

Do all roles need customised training?

Yes. Different roles handle different data risks. Training must reflect daily tasks. IT, HR, marketing and frontline staff all need bespoke briefings.

What evidence should we keep to prove compliance?

Keep records of who attended training, when, the content used, test results or follow-ups, how errors reduced, and whether your staff applied learning in real work. Evidence must be clear and relevant.

When should we consider external support?

If you lack time, budget or internal knowledge, external consultants or trainers can provide up-to-date materials, role-based delivery, and measurable outcomes. This helps meet ICO expectations without overburdening teams.

Contact Us

If you’re not sure whether your training and data protection practices truly match what the ICO requires, our GDPR Audits service can evaluate and identify gaps. If you’d prefer hands-on help updating your staff training or policies, check out our Data Protection Training and Data Protection Support services. Let’s make sure you’re compliant, not complacent.

EDPS v SRB: What It Means for Subject Access Requests

EDPS v SRB and Pseudonymisation: What It Means for Subject Access Requests

The recent judgment in EDPS v SRB (Case C-413/23 P, EU:C:2025:645) changes how we think about personal data. The court confirmed that opinions and views are personal data when they relate to an individual. It also ruled that pseudonymisation does not always take data outside the law. If your organisation handles Subject Access Requests, you must reassess what you disclose and how you decide whether information is personal.

Why This Matters Now

Organisations rely heavily on pseudonymisation for data sharing and analytics. At the same time, more people are exercising their rights and submitting SARs. The Two Birds article “Can pseudonymisation make data anonymous” explains that removing identifiers does not guarantee anonymity. The CJEU confirmed this point. Pseudonymised data remains personal if you hold the key to re-identify. Only when re-identification is practically impossible can you treat it as anonymous. This ruling matters because it affects what you disclose, what you explain in privacy notices, and how you manage third-party sharing. Getting this wrong can lead to complaints and regulatory action.

What’s Changed

The judgment provides two clear answers. First, opinions and comments that relate to a person are personal data. You must treat them as such. Second, pseudonymised data stays within scope when you hold re-identification keys or other means to link it back. A recipient who cannot realistically re-identify may treat it as anonymous, but only after checking risk carefully. The Two Birds article stresses that true anonymity is rare. You must consider technology, cost, time, and available information. These factors can change over time, so reviews should be ongoing.

Impact on Data Protection and SARs

This case has a direct impact on Subject Access Requests. When a person asks for their data, you must include any opinions or feedback about them. You must also check pseudonymised data and disclose it if you can re-identify the subject. Your privacy notices must explain what happens to the data you collect, including sharing with third parties in pseudonymised form. Clear notices build trust and show compliance. You must also assess identifiability using real-world conditions, not theory. If re-identification is reasonably likely, treat the data as personal and respond to the SAR.

What You Should Do Now

Start by reviewing your SAR process. Make sure your teams treat opinions as personal data and include them in disclosures where no exemption applies. Map where you use pseudonymisation. Record who holds keys and how you control access. Update your privacy notices so people know when you share data and how you protect it. Train staff on assessing identifiability using practical tests. Keep a record of each decision where you exclude pseudonymised data from a SAR. When in doubt, disclose or seek advice. You can also run a GDPR audit to test your process and identify gaps. Data protection training helps teams apply the rules consistently and with confidence.

Our View

We welcome this judgment because it gives clarity. Opinions are clearly personal data, and pseudonymisation is not a free pass. The question is always whether you can identify the person, not what you call the dataset. We recommend a risk-based approach. Treat data as personal unless you have strong evidence that re-identification is not possible. Keep your privacy notices up to date and document your decisions. This approach will reduce risk, speed up SAR responses, and build trust with individuals.

FAQs

Are opinions always personal data for SARs?

Yes. If an opinion relates to a person you can identify, treat it as personal data and consider it for disclosure.

When can pseudonymised data be treated as anonymous?

Only when you cannot re-identify the data subject and re-identification is not reasonably likely in practice. You must be able to show your reasoning.

Do privacy notices need updating?

Yes. You must tell people if you share their data, including in pseudonymised form, and explain how you protect it.

What records should we keep when excluding data?

Keep a short note explaining the context, what re-identification methods exist, why you ruled out identifiability, and who approved the decision.

Contact Us

If you need help improving your SAR process or reviewing pseudonymisation risks, we can support you. Explore our GDPR Audits, Data Protection Training, Data Protection Support, or SAR Support services today.

EU Moves Towards Data Adequacy Agreement with Brazil

Brazil and the EU: One Step Closer to Free and Safe Data Flows

The European Commission has taken the first step towards adopting a data adequacy decision with Brazil. This move would enable the free flow of personal data between the EU and Brazil, offering major benefits for businesses, public authorities, and researchers operating across both regions.

Why This Matters

Brazil has been recognised by the Commission as offering an ‘adequate’ level of data protection, meaning its legal framework provides comparable safeguards to those set out under the EU’s General Data Protection Regulation (GDPR). Once formalised, this mutual recognition will remove barriers for data transfers between the EU and Brazil, creating one of the broadest adequacy frameworks to date.

A Step Toward Global Data Alignment

The decision aligns with the EU’s broader aim to strengthen ties with countries that uphold high standards of privacy and data protection. Brazil is a key international partner, with strong cultural and economic links to Europe. By recognising each other’s frameworks, both sides aim to reinforce consumer trust and digital trade.

Voices from the Commission

Henna Virkkunen, Executive Vice President for Tech Sovereignty, Security, and Democracy, commented: “In these uncertain times, we must work closer to our natural partners. Brazil is evidently one of them.” She added that the mutual adequacy decisions will help bring both economies closer together, benefiting over 670 million people.

Michael McGrath, Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, also welcomed the decision, highlighting Brazil’s robust legal framework for data privacy. He stated: “When personal data is protected, so too are consumer rights, ensuring individuals have control, transparency, and security in their interactions with businesses and services.”

What Happens Next?

The draft adequacy decision will now be reviewed by the European Data Protection Board (EDPB) and will need approval from EU member states. The European Parliament also retains the right to scrutinise the decision. Once this process is complete, the Commission can formally adopt the final adequacy decision.

Like other adequacy decisions, this one will be subject to periodic review to ensure it continues to offer a sufficient level of protection.

What This Means for You

This is great news for organisations involved in international operations with Brazil. It will simplify data flows, reduce the need for Standard Contractual Clauses or Transfer Impact Assessments, and enhance business agility across borders. It also sends a clear signal that robust privacy frameworks support, not hinder, global innovation and cooperation.

Frequently Asked Questions

What is a data adequacy decision?

A data adequacy decision is a ruling by the European Commission confirming that a non-EU country provides data protection that is essentially equivalent to the EU’s GDPR. It allows personal data to be transferred freely to that country without extra safeguards.

Why does the EU want a data adequacy agreement with Brazil?

Brazil has built a strong legal framework for protecting personal data, similar to the GDPR. The EU sees Brazil as a key economic and political partner, and mutual adequacy will simplify data transfers while maintaining high privacy standards.

How will this benefit UK businesses?

A similar decision will likely be adopted by the UK to grant adequacy to Brazil, making it easier and faster for businesses to share personal data without needing Standard Contractual Clauses or other legal tools.

Is the EU–Brazil adequacy decision final yet?

No. The draft decision is currently under review by the European Data Protection Board, EU member states, and the European Parliament. It will become final once it passes through the formal adoption process.

Need help understanding how this impacts your organisation? Our consultancy team can support you in navigating international data transfers, assessing adequacy decisions, and updating your data transfer mechanisms. Contact us today to find out how we can help.

Updated PECR Guidance

Updated PECR Guidance: What You Need to Know

If your organisation uses cookies, tracking pixels, local storage or other tech that stores or accesses data on someone’s device, this update is for you. The ICO has released a refreshed draft of its guidance on the Privacy and Electronic Communications Regulations (PECR), following the Data (Use and Access) Act 2025. Here’s an easy-to-understand breakdown of what’s changed and what it means for you.

Why this update matters

This guidance explains how to stay compliant with PECR, particularly when using cookies and similar technologies. It now includes new chapters, better examples, and clearer expectations using the language of “must,” “should” and “could” to define compliance requirements.

It also reflects the changes introduced by the Data (Use and Access) Act 2025, including a new chapter on exceptions to the rules.

Key Changes You Need to Know

New: “What are the exceptions?”

A brand-new chapter explains the five exceptions to the consent requirement that normally applies to cookies and similar technologies deployed on a website. This is vital for understanding when you may be exempt from needing consent.

Cookies do not require consent where they are used for:

  • Technical information for security, fraud detection, fault detection, authentication, recording user selection purposes
  • Website appearance and functionality
  • Collecting statistics for improvement to website service delivery
  • Providing emergency assistance

Updated: “What are storage and access technologies?”

This section now provides clearer explanations about the types of technologies PECR covers, beyond just cookies. It includes things like:

  • Tracking pixels
  • Local storage
  • Device fingerprinting
  • Scripts and tags
  • Link decoration

Clearer expectations for consent

A new chapter titled “How do we manage consent in practice?” includes updated examples of good and bad consent mechanisms and outlines what a compliant consent process looks like.

New focus: Online advertising

The new chapter on online advertising explains how PECR applies to targeted ads and audience profiling. This is a significant addition as the ICO has set clearer boundaries around tracking technologies used for ad purposes.

Refreshed enforcement chapter

The guidance reflects the evolving enforcement regime. If your organisation doesn’t follow the rules, expect increased scrutiny.

Minor updates throughout

The guidance also includes many small updates to existing chapters to align with changes in law and case law. These improve consistency and clarity.

Who should care about this update?

If you’re any of the following, this applies to you:

  • A website or app owner
  • A marketer using tracking tools
  • A developer working with analytics or ad platforms
  • A Data Protection Officer or compliance lead

Whether you use Google Analytics, embedded YouTube videos, chat widgets, or email marketing tools, you’re likely affected.

How to use the updated guidance

The ICO now uses three terms to guide your compliance:

  • Must = Legal requirement or binding case law
  • Should = Best practice we expect unless you have strong justification
  • Could = Optional methods or examples that can help you comply

This makes it easier to know what you have to do versus what is simply recommended.

Our take at DPP

This update is a step forward in clarifying how organisations should handle cookies and tracking. It brings PECR more in line with modern technology, while still focusing on protecting individual privacy.

We welcome the inclusion of practical examples and the clarification of consent expectations. However, the new rules also mean organisations can no longer rely on vague cookie banners or ignore tracking tools outside of traditional cookies.

FAQs: PECR & Cookies (Post-DUAA)

Do I still need consent for cookies after the DUAA?
Yes. Consent is still required unless one of the exceptions applies. 

What are the exceptions to the cookie rules?
You don’t need consent if the cookie is strictly necessary for a service explicitly requested by the user. The full list of five exceptions is detailed in the ICO guidance. 

Are analytics cookies exempt from consent?
No. Analytics cookies are not exempt and still require valid user consent. 

Can I use cookie walls to force users to consent?
Generally no. The ICO considers this practice to be non-compliant if users aren’t given a genuine choice. 

What’s changed for online advertising?
The ICO now expects clearer, more specific consent for targeting and profiling, with examples of good and bad practice. 

Does this guidance apply to mobile apps as well?
Yes. Any app storing or accessing data on a user’s device must follow PECR rules. 

What happens if we don’t comply?
You could face ICO enforcement, including audits, fines, or formal reprimands.

Need help navigating PECR and cookies?

At Data Protection People, we help organisations:

  • Audit their tracking technologies
  • Redesign cookie consent mechanisms
  • Create compliant privacy and cookie policies

If you’re not sure whether your current approach is compliant, we’re here to support you.

Contact our consultancy team for help embedding these updates into your website, app or ad campaigns.

10 Years of Data Protection People

Celebrating 10 Years of Data Protection People & 5 Years of the Data Protection Made Easy Podcast

Last week we marked not one but two major milestones: 10 years of Data Protection People and the 5th birthday of the Data Protection Made Easy Podcast. To celebrate, we hosted a special live session with Philip Brining, Caine Glancy, Catarina Santos, and returning host Joe Kirk. Together, we looked back at the Top 10 Most Streamed Episodes from the past five years, revisiting the conversations that have shaped our community.

Key Themes from the Session

  • Subject Access Requests (SARs) – still one of the most complex and frequently discussed areas of data protection.
  • Data Protection Impact Assessments (DPIAs) – exploring challenges around risk, practicality, and when a DPIA is truly needed.
  • Legislative Changes – including Brexit, the Data Protection and Digital Information Bill, and the new DUA Act.

The team also reflected on why topics like ROPA and audits don’t always feature as highly among listeners, and why broad themes resonate more strongly than sector-specific discussions.

Insights from Our Community

Our special guest Joe Kirk shared valuable insights from moving into an in-house DPO role, including the importance of tackling cookie compliance and ensuring correct ICO registration. The panel also discussed the ICO’s new guidance on complaints handling and recognised legitimate interests, highlighting the practical steps organisations should take ahead of expected implementation in June 2026.

The Return of Weekly Podcasts

To celebrate our 10-year anniversary and the continued growth of our community, we are excited to announce that the Data Protection Made Easy Podcast is returning to a weekly schedule. Every Friday at lunchtime, we’ll be live with fresh discussions, community insights, and practical guidance for data protection professionals.

You can sign up on our Events Page to join future live sessions, or contact us here to subscribe and become part of the UK’s biggest data protection community.

Listen Back to the Anniversary Episode

If you missed it live, you can catch up now on Spotify using the player below:

Here’s to 10 years of making data protection easier, and 5 years of building a community where professionals can learn, share, and grow together. Thank you to everyone who has been part of the journey so far.

Caught in the Act: The UK’s New Age Verification Law

Online Safety Act, age checks, and real world risks, highlights from Episode 218

Recorded on Friday 29 August 2025, this live episode of Data Protection Made Easy brings together Catarina Santos, Caine Glancy and Philip Brining to explain what the latest Online Safety Act changes mean in practice. The team walk through how age verification works, why VPN downloads have surged in the UK, and the real impact on privacy, user experience and compliance.

Episode: 218, Data Protection Made Easy
Recorded: late August, Leeds and online
Hosts: Philip Brining, Catarina Santos, Caine Glancy

We are Data Protection People, a consultancy and a community. More than 1,500 practitioners join our live sessions for practical help and straight talking advice. We keep things human, current, and useful.

Prefer Spotify in a new tab? Open the episode, or browse the full show feed.

What we covered

  • Online Safety Act, where it fits with the Children’s Code, why it goes further on content and safety.
  • Age assurance, facial estimation, ID checks, open banking, and the privacy trade offs behind each approach.
  • Supply chain risk, real incidents in education and vetting, why processor controls and backups still fail.
  • Education, why literacy and resilience matter as much as technical gates.
  • Community update, weekly sessions return in September, likely in focused 30 minute formats.

Highlights and opinions

Scope and categories. Ofcom guidance gives the most usable overview. Scale drives duties: category one providers face the heaviest lift. Smaller services still need proportionate controls.

“The Act is about content, the Children’s Code is about design, together they set expectations for what people actually see and share.” — Philip

Age checks in practice. Facial estimation and ID checks can help, but they are not perfect. People will try VPNs and workarounds, so policy and education must sit alongside technology.

“There is no magic potion for age checks, the solution cannot be technology alone.” — Catarina

“If suppliers rush controls without thinking about retention and purpose limitation, we move risk rather than reduce it.” — Caine

Supply chain failures. Contracts need clear migration and deletion steps, restore tests must be real, controller oversight must be active, not paper based.

“Where is the weak link, backups, migration steps, subprocessors, or the missing instructions in the DPA.” — Philip

Freedom of expression and harm. Public concern is real. The intent is to reduce harm to children, not silence debate. Practical application will need careful balancing.

Practical takeaways for organisations

  • Write a content risk assessment if your service can be accessed by children, update it on a schedule, record decisions.
  • Map processors and subprocessors, include precise steps for transfers and deletion, test restores, not only backups.
  • Choose proportionate age assurance, record lawful basis, retention, and vendor due diligence, avoid copying IDs unless necessary.
  • Blend controls with education, publish clear user guidance, support parents and teachers, avoid dark patterns.

About the community

Data Protection Made Easy is the live podcast and discussion space run by Data Protection People. More than 1,500 members join to share cases, templates, and practical steps. We will return to weekly sessions in September, short and focused, with time for questions.

Contribute to a future episode

We are always looking for contributors and topics, case studies, SAR puzzles, transfer questions, or views on the Online Safety Act. Get support or advice, or pitch a slot for an upcoming episode.

Explore more in our Resource Centre, including recent episodes and guides.

DUA Act – Part Two

The Data (Use and Access) Act 2025 – Podcast Part Two

On Thursday, 18th July 2025, we hosted Part Two of our DUA Act discussion, with over 200 live attendees joining us for a deeper dive into the Data (Use and Access) Act 2025.

Led by Phil Brining and Caine Glancy, this session focused on answering the questions raised in Part One, exploring complex scenarios, and sharing practical advice for professionals preparing for the new regulations.

If you couldn’t attend live or want to revisit the insights, you can now listen back to the full recording and access the presentation slides shared during the event.

Listen on Spotify

Click below to listen to Part Two on Spotify or search ‘Data Protection Made Easy’ on Apple Podcasts, Audible or any major platform.

Download the Slides

We’ve made the full slide deck from Part Two available to download and share:
Download Part Two Presentation Slides

What We Covered

  • Real-life scenarios and case study examples based on DUA Act principles
  • Detailed Q&A on legitimate interest balancing tests, soft opt-in rules, and data subject rights
  • Compliance challenges and how to overcome them using good governance frameworks
  • The DUA Act’s expected impact on privacy management programmes and internal policies
  • Preparing your teams, clients, and data flows for the changes ahead

Join the Data Protection Made Easy Community

By joining our free community, you’ll get:

  • Early access to upcoming podcast sessions and event invites
  • Weekly insights into legislation like the DUA Act and GDPR
  • Exclusive downloads including templates, tools, and guides
  • Invitations to in-person events across the UK
  • Access to session recordings and slides
  • A place to ask questions, share experiences, and stay ahead

We’re here to help you transition confidently into the new data protection landscape, making compliance clearer, simpler, and more achievable.

The Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 – Podcast Part One Recap

On Friday, 28th June 2025, we hosted our biggest podcast session ever, with 295 live attendees joining us to explore the Data (Use and Access) Act 2025.

Hosted by Phil Brining, Caine Glancy, and Catarina Santos, the session provided a clear and practical breakdown of the most significant changes to UK data protection law since the GDPR.

Whether you missed it live or want to listen again, you can catch the full episode now and download the slide deck shared during the session.

Listen back on Spotify

Click below to listen to the episode via Spotify or find us on Apple Podcasts, Audible and all major streaming platforms.

Download the Slides

We’ve made the full slide deck from the session available to download and share:
Download Presentation Slides

What We Covered

  • What the DUA Act is and how it evolved from the DPDI Bill
  • Key changes to Subject Access Requests, Legitimate Interests, and the role of the ICO
  • Updates to PECR enforcement powers and cookie consent exemptions
  • The Act’s impact on data sharing, organisational accountability, and regulatory expectations
  • What public and private sector organisations need to prepare for

Part Two – Live on Thursday 18th July

Due to overwhelming demand and brilliant questions from our community, Part Two is already confirmed. In this follow-up session, we’ll dig deeper into unanswered questions, explore real-world scenarios, and share practical next steps for compliance and governance.

Click here to visit the Part Two event page and register your place: View Part Two

Join the Data Protection Made Easy Community

By joining our free community, you’ll get:

  • Early access to future podcast sessions
  • Weekly email updates with analysis and guidance on the DUA Act
  • Exclusive content including white papers, practical templates, and checklists
  • Invites to free in-person events across the UK
  • Recordings and slides from every live session
  • A chance to ask questions and share challenges with other professionals

We’re committed to supporting our community through the transition to the DUA Act and beyond, making compliance simpler, clearer, and easier to manage.

Our Events & Webinars

Industry Leading Discussions

We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.

19 September 25 12:30 - 1:00 pm

GDPR Radio Returns

Celebrating 10-Years of Data Protection People
12 September 25 12:30 - 1:30 pm

Celebrating 10 Years of Data Protection People

Get Support With Data Protection And Cyber Security

Our mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.