The UKs #1 Data Protection Consultancy

Data Protection & Information Security Experts

Data Protection Made Easy.

Join our extensive list of clients who have their data privacy under control

Accelerate Your Data Protection Compliance

Save Time, Save Money and Relax: You’re In Safe Hands

Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.

Outsourced DPO

A data protection officer doesn't have to be a full time employee and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services or reach out and get in touch with us.

Data Protection Support

Data Protection People's world-class GDPR Support Desk. If you're navigating the complex landscape of data protection, PCI DSS, and cybersecurity, our support desk is your reliable compass.

GDPR Audits

A range of high level reviews, detailed audits and mid-range assessments to test compliance with data protection laws and standards

SAR Support

Explore our Subject Access Request (SAR) Handling Service and understand how Data Protection People can support your organisation

Need Help With Cyber Security Compliance?

We Have You Covered!

At Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.

PCI DSS Compliance Services for Merchants

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.

PCI DSS Compliance Services for Service Providers

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.

External Attack Surface Management

Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.

ISO 27001

Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.

Supporting DPOs

Flexible Support When You Need It

At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.

Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.

Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.

Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.

Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.

Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.

Diverse Sector Experience

Access to a Team of Industry Experts

At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.

Commercial Sector

Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.

SMEs

Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimize your operations, and scale confidently with our tailored solutions that prioritize your unique business needs.

Third Sector

For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.

Multi Nationals

For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavors with resilience.

Public Sector

In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.

Why Use Our Outsourced DPO Services?

Save Time, Money and Guarantee Compliance

Navigating the intricate landscape of data protection demands more than just a DPO — it requires a dedicated team committed to excellence. Our Outsourced DPO Services extend beyond the traditional role, offering a comprehensive approach to legal compliance and pragmatic solutions.

Why Choose Outsourcing?

An outsourced DPO brings a wealth of experience, not just in the law but also in crafting workable solutions. Their impartiality is fortified by a team of privacy practitioners, ensuring that your organization benefits from a spectrum of expertise. Should the need arise, seamless coverage during absences is guaranteed, eliminating the vulnerability associated with a single in-house DPO.

Staying Headache-Free

Concerned about the disruption if your DPO moves on? With an outsourced model, transitions are smooth, and you won’t experience the sudden headache of a critical role vacancy. The continuity provided by a team ensures that your data protection responsibilities are seamlessly handled.

Compliance Tailored to You

Our Outsourced DPO Services align seamlessly with your legal obligations, whether you’re mandated to appoint a DPO or choose to do so voluntarily. We understand that compliance is not just about ticking boxes but about ensuring a robust, practical approach to data protection. Choose Data Protection People for a worry-free, compliance-driven outsourced DPO solution — because your data protection journey should be as smooth as it is secure.

“I can't recommend Data Protection People enough, they have helped me in so many different areas, no matter how complex the challenge or how large the obstacle, DPP always has the answer.

I can call the team at any time and have built an amazing relationship with them, in times of frustration they are here to calm me down and create a plan, they are a pleasure to work with.”

Mark Leete
Eastlight Community Homes

Data Protection People Blogs & Podcasts

Data Privacy Learning & Guidance

Data Protection People have the UK’s #1 Data Protection Podcast, with over 150 episodes available across all audio streaming platforms. We also post regular content designed to simplify complex areas of data protection and cyber security. Check out some of the podcasts and articles below and make data protection easy today.

Exploring Signatures as Biometrics

When Your “John Hancock” Becomes Sensitive Data: Exploring Signatures as Biometrics

Ever looked at your signature and thought, “It’s just a fancy way I write my name”? Think again. In our increasingly digital world, that casual scribble at the bottom of forms is gaining new significance, particularly in places like Jamaica, where the Jamaican Data Protection Act (JDPA) now classifies signatures as sensitive biometric data, putting them in the same category as fingerprints and DNA.

This classification isn’t just fancy legal talk: it recognises that your signature has unique behavioural patterns that only you produce.

What Makes Your Signature Biometric Data?

Under Jamaica’s Data Protection Act, biometric data is defined as “any information relating to the physical, physiological or behavioural characteristics of an individual, which allows for the unique identification of the individual.” But what exactly makes a signature biometric?

Consider what happens when you sign your name:

  • Your hand moves in patterns nobody else can perfectly replicate
  • You apply distinctive pressure with your pen
  • Your personal hand-eye coordination manifests in each stroke
  • Your signature even reveals subtle hints about your personality and current mood

The way you make loops in your letters, the special touches you add, and how fast you move the pen across the paper are all just as unique to you as your face or fingerprints.

In today’s digital landscape, e-signatures take this biometric data collection even further:

  • They capture exactly how quickly you move the stylus
  • They note when you pause (even for milliseconds)
  • They measure precisely how much pressure you’re applying
  • They record the exact timing between each stroke

The Dual Nature of Signatures

Signatures occupy a unique position in the spectrum of biometric identifiers:

  1. A traditional form of verification – Signatures have been used for centuries as a means of authentication, predating modern digital identification methods
  2. A behavioural biometric – Each signature contains distinctive characteristics including pressure points, speed, stroke order, and style that can be analysed to verify identity.

This duality creates an interesting challenge. People give signatures readily and without concern, unlike fingerprints or facial scans, which tend to raise privacy worries. Yet the JDPA classifies signatures as “sensitive personal data,” meaning they need extra protection.

Take a moment to count how many times you’ve signed something in the last month alone:

  • Credit card receipts
  • Package delivery confirmations
  • Work documents
  • Medical intake forms

Each instance represents you handing over sensitive personal data without giving it a second thought!

Implications for Organisations

The classification of signatures as biometric data has several significant implications:

  1. Data Protection Officer Requirement: Organisations regularly collecting signatures may need to appoint a dedicated officer to oversee data protection compliance.
  2. Enhanced Security Measures: Signatures require stronger security measures than ordinary personal data, including appropriate technical and organisational safeguards.
  3. Explicit Consent Requirements: Organisations collecting signatures need proper consent mechanisms that specifically address the biometric nature of signature data.
  4. Records Management Challenges: Both physical and digital signatures must be properly stored, retained, and eventually disposed of with appropriate security measures.

Practical Steps Forward

Organisations processing signatures should consider taking these steps:

  1. Audit current signature collection practices
  2. Assess whether a Data Protection Officer appointment is necessary
  3. Review consent mechanisms to ensure they address the sensitive nature of signature data
  4. Implement appropriate security measures for both physical and digital signature storage
  5. Develop retention policies that limit unnecessary storage of signature data

Conclusion

Your signature is more than just a name. It is a piece of YOU. It is biological data that reveals how your brain and body work together, and it contains patterns as unique as a fingerprint. Yet we share it freely without much thought. By classifying signatures as “sensitive personal data,” the JDPA highlights their role as unique personal identifiers. This recognition ensures they receive the protection they deserve.

Next time someone casually asks you to “sign here,” remember you’re not just confirming something: you’re handing over biometric data (sensitive personal data) that’s increasingly protected by law around the world.

As businesses adjust to new regulations, they need to balance their practical needs with stronger data protection, keeping signatures both secure and easy to use.

With growing concerns about data privacy, it’s time we give our “John Hancock” the protection it truly deserves.

Data Controller Vs Data Processor: The Key Differences

Organisations have varying degrees of responsibility when it comes to processing personal data. Depending on your involvement, you may be either a data controller, processor, joint controller or sub-processor. 

So, which category does your business fall into? In this article, we’ll cover the responsibilities of a data controller and processor, and determine which role applies to you. 

What Is a Data Controller?

A data controller is an individual or legal entity, such as a company or public authority, that makes decisions about how to process data. They have sole control and responsibility for the processing, including how personal data is collected, used, stored, altered and disclosed. 

As data controllers bear greater risk, they are subject to stricter compliance obligations. You can also be classified as a joint controller, whereby two or more controllers determine the purposes and means of processing. Essentially, joint controllers have the same or shared purpose for their processing activities. 

What Is Your Role as a Data Controller? 

Data controllers must comply with the UK GDPR for all processing activities, including any carried out by a third-party processor. 

You must: 

  • Comply with the seven data protection principles as outlined in Article 5 of the UK GDPR.
  • Allow data subjects (individuals) to exercise their individual rights, including the right to access (through subject access requests), erasure, rectification, objection and others. For more information, read our guidance on data subject rights.
  • Implement technical and organisational security measures to protect personal data from unauthorised or unlawful processing, accidental loss, destruction or damage. 
  • Assess the measures your chosen data processor is taking to process data in compliance with the UK GDPR. 
  • Enter into contracts with your data processor which outline set requirements for them to follow. 
  • Notify the ICO and affected individuals of personal data breaches when required (if the violation is high risk to the individual’s rights and freedoms).
  • Fulfil your accountability obligations, such as completing data protection impact assessments (DPIAs) and appointing a data protection officer (DPO). (You may not require the latter – find out if you need a DPO in our blog.) 
  • Work alongside supervisory bodies to allow them to carry out their responsibilities.
  • Comply with the UK GDPR’s restrictions on personal data transfers outside the UK.
  • Pay your data protection fee, unless you are exempt. 

What Is a Data Processor? 

A data processor is an individual (external to the controller’s workforce) or legal body that processes personal data on the controller’s behalf. 

For example, an employer (the data controller) provides an employee’s salary and personal details to a payroll accountant. The accountant (processor) processes this data to generate payslips, acting on the employer’s instructions without deciding what data is collected or how it’s used. 

As such, a processor cannot act in their own interests. They can, however, subcontract some or all of the processing to another processor. Doing this makes you a sub-processor. 

What Is Your Role as a Data Processor? 

While data processors may have fewer responsibilities, they still must: 

  • Follow the data controller’s instructions about processing personal data (unless required by law).
  • Enter into a binding contract with the controller and follow the obligations it sets. 
  • Obtain consent from the data controller if you want to outsource the processing to another processor. 
  • Enter into a contract with the sub-processor (if applicable), which outlines terms and conditions similar to those in the contract between you and the controller.
  • Implement relevant technical and organisational measures to maintain the security of personal data. 
  • Notify the data controller of data breaches as soon as possible. You will also assist the controller with its responsibilities around data breaches.
  • Alert the controller if any of their instructions would cause a breach. 
  • Comply with certain accountability obligations, such as maintaining records and designating a DPO.
  • Gain authorisation from the controller when transferring data outside the UK. (International transfers must also comply with the UK GDPR’s rules.) 
  • Cooperate with supervisory bodies. 

Why Knowing Your Role Is Essential

The GDPR obligations for a data controller and a data processor may overlap, but their roles are distinct. Data controllers hold more responsibility than a processor, as they have total control over the processing activities. This doesn’t mean, however, that processors can be negligent of their obligations. Both parties are just as accountable for their own compliance.  

If you’re a controller, you must ensure your processing activities uphold the UK GDPR; otherwise, you’re liable for non-compliance. Your responsibility also extends to your processors’ compliance. This means you’re obligated to assess and contractually bind any third parties processing on your behalf. Should a data breach occur at the processor, you will also be held liable, unless you can prove otherwise.

By knowing your part, you (the controller or processor) will be able to carry out everything expected of your role. This avoids any unnecessary fines, penalties and security risks that come from non-compliance. 

The data processor vs controller distinction isn’t clear-cut for every company, so it’s wise to speak to a GDPR consultancy before taking any other actions. 

Get Expert GDPR Support with Data Protection People

Confused about your responsibilities under the UK GDPR? We’ll help you understand your role, including the steps needed to achieve and maintain compliance. 

We offer flexible GDPR support, ranging from ad-hoc SARs support to fully outsourced DPO services. Want to find out how we can help? Speak to our team today, and we’ll be in touch.

Subject Access Request: How to deal with a SAR

Subject Access Requests: Prepare Now for the Summer Spike Amid Data Breach Fears 

Recent cyber incidents involving major UK retailers and service providers have reignited public concern about how personal information is stored and used. As data breaches dominate the headlines, individuals are becoming more proactive about protecting their privacy, and one of the most powerful tools available to them is the Subject Access Request (SAR).

At Data Protection People, we anticipate a significant increase in SARs over the coming months. When public trust is shaken, it’s common for people to ask questions like, “What information do you hold about me?” and “What are you doing with it?” For data protection teams, this means more scrutiny, tighter deadlines, and a greater need for internal coordination. 

If your organisation isn’t yet braced for this wave, now is the time. The Information Commissioner’s Office (ICO) expects timely responses, regardless of resource pressure. Here’s how to manage SARs effectively, even under increased demand, and maintain compliance without compromise.

What Is a Subject Access Request? 

A Subject Access Request (SAR) is a legal right that enables individuals to access information about how an organisation handles their personal data. This typically involves providing copies of the personal data held by the organisation, as well as details about the purpose of processing, the duration of data retention, and any third parties with whom the data may be shared. This right is granted under the UK General Data Protection Regulation (UK GDPR), specifically Article 15 of the Regulation. The purpose is to give people greater visibility and control over how their personal information is being collected, used, and shared.

“Personal data” refers to any information that can identify an individual, either directly or indirectly. This could include names, addresses, contact details, email correspondence, CCTV footage, HR records, medical notes, or even recorded phone calls. Essentially, any data linked to an identifiable person. 

Organisations have a duty to recognise and act on these requests promptly, even if the request is informal. Failing to respond appropriately can lead to enforcement action by the Information Commissioner’s Office (ICO) and potentially damage the trust and reputation your organisation has worked hard to build. 

Responding to SARs effectively isn’t just about ticking a compliance box, it’s about respecting individuals’ rights and demonstrating your organisation’s commitment to data protection and transparency. 

Step 1: Spot the Request Early

The first step in successfully handling a Subject Access Request (SAR) is being able to identify one in the first place, and it’s not always obvious. SARs don’t need to come with legal language or follow a specific format. In fact, many individuals won’t use the words “Subject Access Request” at all. They may simply say something like, “Can I see the data you’ve got on me?” or “I want copies of all emails where I’m mentioned.”

These types of requests can arrive in a wide range of ways: via email, contact forms, live chat, social media, phone calls, or even face-to-face interactions. This means any employee, not just those in legal or compliance, could be the first point of contact.

What organisations must do: 

  • Train all staff to recognise a SAR when they see one. 
  • Create a clear, internal escalation process so front-line teams know where to direct requests. 
  • Develop and share example scenarios in training materials to reinforce awareness. 

Top tip: Always log the exact date the request was received. This marks day one of your legal deadline, which is one calendar month to respond in full. 

Step 2: Confirm Identity 

Before you disclose any personal data, it’s essential to ensure that the requestor is who they say they are. If you have genuine doubts about their identity, you’re entitled to ask for additional information to verify it. 

However, this should always be reasonable and proportionate. For example, asking for a utility bill or photo ID might be acceptable in some contexts, but overly intrusive checks can be seen as obstructive and may breach data protection principles themselves. 

Key considerations: 

  • Tailor the request for ID based on the sensitivity of the data being requested. 
  • Don’t use ID verification as a way to delay the process. You should only pause the one-month clock if you genuinely cannot proceed without further confirmation. 
  • Ensure all ID documents received are handled securely and not retained longer than necessary. 

Step 3: Clarify the Request (When Needed) 

Not all SARs will be clear. Some may ask for “all the data you have on me,” which can span thousands of documents across multiple systems. In these cases, it’s acceptable and often helpful to ask the individual to clarify their request. This could involve: 

  • Specifying a date range 
  • Naming a particular department or employee 
  • Indicating the kind of interaction or context (e.g., job application, customer service complaint) 

However, it’s important to understand that you cannot refuse or delay processing the request purely because it’s broad. Start gathering what you can while awaiting clarification. 

Best practice: 

  • Keep any clarification requests polite, clear, and focused. 
  • Document all correspondence in case of future ICO review. 

Step 4: Search Thoroughly 

This is often the most time-consuming part of the SAR process: identifying and locating all personal data relating to the individual. This includes both digital and physical records, structured and unstructured data, and any data that directly or indirectly identifies the individual.

Areas to check may include: 

  • CRM and HR systems 
  • Emails and email archives 
  • Shared drives and cloud storage 
  • Instant messaging tools (like Teams) 
  • Databases, forms, spreadsheets 
  • Paper files and filing cabinets 
  • CCTV footage (where facial recognition or identifying context is present) 

It’s easy to overlook less formal storage locations such as inbox folders or team-shared documents. Make sure your organisation has a comprehensive SAR search protocol to avoid missing key data. To make the search process as simple as possible, organisations should document their common search areas and ensure that data is only stored within specified locations to allow for easy retrieval.

Step 5: Review and Redact 

Once the relevant data has been gathered, it’s critical to review all of it carefully before disclosure. You are legally required to protect the rights and freedoms of others, which includes ensuring you don’t inadvertently release information that belongs to a third party. 

This is where redaction becomes essential. Any reference to other individuals (names, emails, opinions, etc.) may need to be removed or anonymised. 

In addition, certain exemptions under the Data Protection Act 2018 may apply. Common exemptions include: 

  • Legal privilege (e.g., communications with solicitors) 
  • Management information (e.g., confidential HR evaluations) 
  • Negotiations or legally confidential references 
  • Data processed for crime prevention or national security 

Tip: Document your decision-making process when applying exemptions or redactions; this record can help protect your organisation if challenged.
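To make Step 5 concrete, here is an added example (not from Data Protection People, and not any product they describe) of the redact-and-document pattern above: third-party names and email addresses are replaced before disclosure, the requester’s own details are left intact, every redaction is written to a decision log, and a final check confirms no listed third party survives in the disclosure bundle. The records, the requester Alex Morgan and the third parties Priya Shah and Tom Baker are all constructed for the example; the list of third parties is assumed to come from a human review of the gathered material, which is where the real judgement lies.

```python
import re
from dataclasses import dataclass, field

# Constructed sample records gathered for a hypothetical SAR from "Alex Morgan".
# The record ids, names and addresses are invented for this example.
SAMPLE_RECORDS = [
    ("email-0001",
     "To: alex.morgan@example.com\nFrom: priya.shah@example.com\n"
     "Alex Morgan asked about the refund. Priya Shah will call Tom Baker."),
    ("hr-note-07",
     "Appraisal note for Alex Morgan. Tom Baker (line manager) rated performance as good."),
]

# Third parties identified during the human review of the gathered records (constructed).
THIRD_PARTIES = ["Priya Shah", "Tom Baker"]

# Plain email pattern; good enough for the review step, not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class RedactionLog:
    """Records every redaction so the decision can be explained later (e.g. to the ICO)."""
    entries: list = field(default_factory=list)

    def record(self, record_id, what, reason):
        self.entries.append({"record": record_id, "redacted": what, "reason": reason})


def redact_record(record_id, text, requester_email, third_parties, log):
    """Return the record text with third-party names and addresses masked and logged."""
    out = text
    # Exact-match name replacement: variants such as initials or misspellings
    # will NOT be caught, which is why the reviewer still reads the output.
    for name in third_parties:
        count = out.count(name)
        if count:
            out = out.replace(name, "[REDACTED]")
            log.record(record_id, name, f"third-party name ({count} occurrence(s))")

    def _mask(match):
        addr = match.group(0)
        if addr.lower() == requester_email.lower():
            return addr  # the requester's own data is disclosed, not redacted
        log.record(record_id, addr, "third-party email address")
        return "[REDACTED EMAIL]"

    return EMAIL_RE.sub(_mask, out)


def prepare_disclosure(records, requester_email, third_parties):
    """Redact every gathered record; returns (disclosure bundle, decision log entries)."""
    log = RedactionLog()
    bundle = {
        rid: redact_record(rid, text, requester_email, third_parties, log)
        for rid, text in records
    }
    return bundle, log.entries


def verify_clean(bundle, third_parties):
    """Final check before sending: list any (record, name) pairs still present."""
    return [(rid, name) for rid, text in bundle.items()
            for name in third_parties if name in text]


if __name__ == "__main__":
    bundle, log = prepare_disclosure(SAMPLE_RECORDS, "alex.morgan@example.com", THIRD_PARTIES)
    for rid, text in bundle.items():
        print(f"--- {rid} ---\n{text}")
    print("\nRedaction log:")
    for entry in log:
        print(entry)
    print("\nLeaks found:", verify_clean(bundle, THIRD_PARTIES))
```

The decision log is the part worth keeping: it is what lets you explain to the individual, and if necessary to the ICO, what was removed and why. Note also that the check in `verify_clean` only catches the exact strings on the review list, so it confirms the mechanics of the redaction rather than replacing the reviewer’s reading of the final bundle.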

Step 6: Respond Within One Calendar Month 

Once you’ve reviewed and prepared the data, you must respond to the individual within one calendar month of receiving the request. If the request is particularly complex, involving multiple data sources or large volumes of information, you may extend the deadline by a further two months, but you must inform the individual of this within the original one-month window. 

Your response must include: 

  • A copy of the personal data, in an accessible, commonly used format (e.g., PDF or Word) 
  • Details of how you have undertaken the SAR (e.g. the search parameters and search terms used) 
  • Details of any redactions and exemptions applied, so that individuals understand why redactions have been made.
  • A reminder of the individual’s right to complain to the ICO.

Important note: The response should be clear and easy to understand. Avoid jargon and make the data as digestible as possible, especially when responding to members of the public.

Getting SAR Ready: Practical Steps for Organisations

With SAR volumes likely to rise this summer, preparation is key. Here’s how your organisation can get ahead: 

  1. Audit Your Data

Understand what personal data you hold, where it lives, and who is responsible for it. The more you know about your systems, the faster you can respond to a SAR. 

  2. Create or Refresh Your SAR Process

Have a clear, documented workflow in place that outlines roles, responsibilities, and timeframes. Automating parts of this process, such as search and redaction, can save valuable time.

  3. Upskill Your Staff

Ensure staff across departments know how to spot a SAR and escalate it. Offer training or guidance to reduce the risk of delays or mismanagement. 

  4. Allocate Resources

Plan for peak periods by ensuring your data protection team isn’t stretched too thin. Consider temporary support or tools that can streamline response tasks. 

Why It Matters More Than Ever 

A well-handled SAR isn’t just a regulatory obligation, it’s a reflection of your organisation’s commitment to transparency and trust. In the wake of data breaches and public concern, timely and accurate responses help rebuild confidence and show that you take data protection seriously. 

Delays, missed deadlines, or incomplete responses won’t just frustrate individuals. They could trigger investigations or fines from the ICO. 

Need Help Managing SARs at Scale? 

As the UK’s number one data protection consultancy, Data Protection People supports organisations of all sizes in handling SARs quickly, securely, and lawfully. Whether you need a one-off audit or an end-to-end SAR handling solution, we’re here to help. 

Get in touch today — and stay one step ahead of the summer SAR surge. 

Can Age Checks and Curfews Really Protect Kids Online?

Will Proof-of-Age and Social Media Curfews Under the Online Safety Act Actually Work?

The UK’s Online Safety Act introduces one of the most comprehensive frameworks for regulating online content to date. Among its more debated proposals are two high-impact, child-focused measures: mandatory proof-of-age verification and a potential legally enforced social media curfew for under-18s. While the public discussion has largely centred on intent—protecting children from harm online—the critical issues lie in feasibility, privacy, and precedent.

As data protection and information security professionals, we believe these measures warrant deeper analysis, especially given the serious implications for data protection, user rights, and technical enforcement.

Proof of age

The Online Safety Act mandates that platforms hosting potentially harmful content accessible to children must take active measures to prevent underage access. While the Act doesn’t prescribe a single, uniform age verification method, it strongly encourages the use of age assurance mechanisms, particularly for high-risk content such as pornography, gambling, and social media features that could be addictive or algorithmically manipulative.

Under the Act, platforms are required to assess the potential risks to children using their services and ensure that children have access only to age-appropriate content. This includes enforcing age restrictions consistently across platforms, making it clear to users what measures are in place to protect children from harmful content. These age verification mechanisms may include:

  • ID-based verification (e.g., government-issued IDs or payment cards)
  • AI-driven age estimation (e.g., facial age estimation from a selfie, which estimates an age bracket rather than identifying the person, and so is distinct from facial recognition)
  • Third-party age assurance tools (e.g., parental controls, third-party digital identity services)
  • Mobile network/SIM-based authentication

Because no specific method is mandated, platforms are expected to take a proportionate approach based on the nature of the content and of the platform. They must also enforce these age restrictions consistently and transparently, and set out the measures in their terms of service.

Despite these flexible requirements, there are trade-offs with each method:

  • Biometric technologies (such as facial age estimation) raise concerns under UK GDPR, particularly around lawful basis, data minimisation, and whether the captured image or any derived template is retained once the age estimate has been produced.
  • ID submissions (e.g., government-issued IDs) create a store of identity documents, which increases the impact of a data breach and the risk of identity theft, particularly for younger users who may not fully understand the risks involved.

Age verification frameworks have been trialled in Germany, where the Kommission für Jugendmedienschutz (KJM) began issuing enforcement orders in 2021 against adult content platforms that failed to implement robust age gates. These efforts, however, drew criticism from German privacy and civil rights groups such as Gesellschaft für Freiheitsrechte (GFF) and Chaos Computer Club, who warned that such systems eroded online anonymity and lacked transparency about data retention.

Similarly, in France, legislation passed in 2023 authorised ARCOM (Autorité de régulation de la communication audiovisuelle et numérique) to mandate age checks on adult sites. Non-compliance could result in site blocking. This sparked strong opposition from digital rights organisation La Quadrature du Net, which argued that the measures created an infrastructure for mass digital identification, with little oversight or clarity on data protection.

In both jurisdictions, concerns were raised that age verification—though well-intentioned—risked breaching Article 8 of the European Convention on Human Rights, which guarantees the right to privacy.

What about social media curfews?

The notion of a legally mandated curfew—preventing under-18s from accessing platforms like TikTok, Instagram, and Snapchat after 10pm—is now under active consideration by UK policymakers. Technology Secretary Peter Kyle recently acknowledged the potential to act in this space, referencing TikTok’s voluntary 10pm shutdown feature for under-16s as a possible model.

While the motivation is understandable—late-night usage has been linked to sleep disruption and increased vulnerability to online harms—the implementation is far from straightforward. A legally enforceable curfew would require platforms to:

  • Continuously monitor account activity
  • Link that activity to a verified age
  • Restrict access based on UK time zones and age brackets

This raises obvious questions about technical feasibility and proportionality. Any system that enables real-time age-based content restrictions risks intrusive tracking and surveillance of young users. It also presumes universal compliance by platforms and seamless integration across services—conditions that are not currently met.
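The age assurance methods listed above and the three curfew requirements (monitor activity, link it to a verified age, restrict by UK time and age bracket) can be made concrete in code. The following is an added example, not code from Data Protection People or from any platform: it shows how little age data a gate actually needs to retain (one over-18 bit plus provenance, never the date of birth, document number or image), and how the curfew check depends on UK civil time, so the same UTC instant falls inside the window in summer (BST) and outside it in winter (GMT). Assumptions not stated in the article: the curfew lifts at 06:00, accounts with no age assurance on file are treated as not over 18, and the UK clock change is computed from the statutory rule (last Sunday of March to last Sunday of October, 01:00 UTC) so the script runs without a time-zone database.

```python
"""Age-gated access with a 10pm curfew, keeping only the minimum age data.

Added illustrative example, not code from Data Protection People or any
platform. Assumptions not stated in the article: the curfew lifts at 06:00,
accounts with no assurance record are treated as not over 18, and UK civil
time is derived from the statutory BST rule rather than a tz database.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from typing import Optional

CURFEW_START = time(22, 0)   # 10pm, the figure under discussion in the article
CURFEW_END = time(6, 0)      # assumption: the article gives no end time


@dataclass(frozen=True)
class AgeAssurance:
    """The only age data the gate retains for an account.

    No date of birth, document number or biometric template is stored; the
    account carries one bit plus provenance so the assurance can be expired
    or re-checked later.
    """
    over_18: bool
    verified_on: date
    method: str          # e.g. "mno", "id_document", "facial_age_estimation"


def minimise(raw_result: dict, verified_on: date) -> AgeAssurance:
    """Reduce a full verification result to the single bit the gate needs.

    raw_result is whatever the verification step produced (constructed in the
    demo below); only 'date_of_birth' and 'method' are read, nothing else is
    carried over into storage.
    """
    dob: date = raw_result["date_of_birth"]
    birthday_passed = (verified_on.month, verified_on.day) >= (dob.month, dob.day)
    years = verified_on.year - dob.year - (0 if birthday_passed else 1)
    return AgeAssurance(over_18=years >= 18, verified_on=verified_on,
                        method=raw_result["method"])


def _last_sunday(year: int, month: int) -> date:
    """Last Sunday of a 31-day month (March and October both have 31 days)."""
    last = date(year, month, 31)
    return last - timedelta(days=(last.weekday() + 1) % 7)   # Monday == 0


def uk_local(now_utc: datetime) -> datetime:
    """Convert an aware UTC instant to UK civil time (GMT or BST) by the statutory rule."""
    year = now_utc.year
    bst_start = datetime(year, 3, _last_sunday(year, 3).day, 1, tzinfo=timezone.utc)
    bst_end = datetime(year, 10, _last_sunday(year, 10).day, 1, tzinfo=timezone.utc)
    offset = timedelta(hours=1) if bst_start <= now_utc < bst_end else timedelta(0)
    return now_utc.astimezone(timezone(offset))


def in_curfew(now_utc: datetime) -> bool:
    """True between 22:00 and 06:00 UK time; the window crosses midnight."""
    t = uk_local(now_utc).time()
    return t >= CURFEW_START or t < CURFEW_END


def decide(assurance: Optional[AgeAssurance], now_utc: datetime) -> str:
    """Return 'allow', 'curfew' or 'unverified' for one access attempt."""
    if assurance is None:
        return "unverified"        # assumption: treat as under 18 until verified
    if assurance.over_18:
        return "allow"
    return "curfew" if in_curfew(now_utc) else "allow"


if __name__ == "__main__":
    # Constructed verification output; the document number must never reach storage.
    raw = {"date_of_birth": date(2008, 7, 1), "document_number": "X1234567",
           "method": "id_document"}
    minor = minimise(raw, date(2025, 6, 15))
    summer = datetime(2025, 6, 1, 21, 30, tzinfo=timezone.utc)   # 22:30 BST
    winter = datetime(2025, 1, 15, 21, 30, tzinfo=timezone.utc)  # 21:30 GMT
    print(minor)
    print("summer:", decide(minor, summer), "winter:", decide(minor, winter))
```

The two timestamps in the demo are the same wall-clock UTC time; only the BST offset puts one inside the curfew, which is why a curfew rule has to be evaluated against UK civil time rather than the server clock. Note what the gate still needs that a one-off age check does not: an age assurance linked to every account, consulted on every request after 10pm, which is the continuous linkage of activity to verified age that the article flags as the privacy cost.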

Moreover, such curfews may prove ineffective in practice. Children and teenagers are often more digitally agile than policy anticipates. Workarounds like VPNs, secondary accounts, or logging in via devices registered to adults could easily circumvent restrictions. Worse still, excessive restrictions may push vulnerable users toward less regulated, offshore platforms where they are at greater risk.

Both Germany and France offer cautionary lessons. In each case, aggressive legislative attempts to introduce age verification have been hampered by legal challenges from civil society groups, public backlash over privacy and data protection, and technical uncertainty about accuracy and coverage.

In Australia, the eSafety Commissioner has also trialled age assurance tools as part of a broader child safety initiative. However, rollout has been cautious, with a focus on balancing protection with privacy, and an acknowledgment that no single verification system can yet meet all the criteria of accuracy, inclusivity, security, and usability.

Even in the United States, where several states have passed age-appropriate design bills inspired by the UK’s earlier code, implementation has been slowed by constitutional challenges over free speech and privacy.

The UK is at a regulatory crossroads. The Online Safety Act presents an opportunity to improve digital protections for children. But that ambition must not be undermined by rushed implementation or headline-driven policy. For any age verification or curfew measure to be credible, it must:

  • Be technically feasible without disproportionate data collection
  • Meet UK GDPR and human rights standards on privacy and freedom of expression
  • Include transparent enforcement mechanisms and public accountability
  • Be part of a wider ecosystem that includes education, parental controls, and platform design changes

Without these safeguards, we risk enacting policies that are symbolic rather than effective, and potentially damaging to privacy rights for all internet users.

The intention to protect children online is both right and necessary. But the tools we choose must not compromise the very principles we seek to uphold.

Written by Catarina Santos – Data Protection Expert

Managing Employee SARs

Managing Subject Access Requests from Employees & Ex-Employees

Data Protection Made Easy Podcast – Episode 114

Subject Access Requests (SARs) submitted by current or former employees are among the most sensitive and complex data protection challenges organisations face. In Episode 114 of the Data Protection Made Easy Podcast, we welcomed Nia Roberts from Woodgate & Clarke to share her insights alongside our regular hosts Philip Brining, Catarina Santos, and Caine Glancy.

If you’re involved in HR, legal, compliance, or data protection, this is an episode you won’t want to miss. SARs from staff can surface during contentious periods and often involve highly personal data, workplace grievances, and emotionally charged decisions.

Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.

What We Covered

This session dives into some of the most frequently asked questions and overlooked risks when handling SARs from employees and ex-employees. The team explored:

🔹 Common Triggers and Misconceptions

From employment disputes and grievances to misunderstandings about rights, we discussed the motivations behind employee SARs and how these requests are sometimes unfairly perceived as “troublemaking.”

As Catarina Santos explained, it’s essential to reframe the narrative:

“The moment an employee submits a SAR, there’s often suspicion. But they’re simply exercising a right, and organisations need to avoid viewing this as a hostile act.”

🔹 SARs and Organisational Culture

The episode opened with a reflection on how much organisational attitude matters when dealing with SARs internally. Do line managers panic? Do HR teams try to limit the scope unfairly? The cultural tone of how SARs are approached sets the standard for both compliance and respect for rights.

🔹 The Community Speaks

This episode was particularly lively, with dozens of listeners sharing personal experiences in the live chat, from management asking for redaction reviews to WhatsApp messages being considered disclosable.

Philip Brining highlighted the value of the community:

“We’re not here to preach, we’re here to learn from each other. Today’s discussion proved again how much experience exists across this community.”

🔹 Tools of the Trade: Teams, WhatsApp & Chat Platforms

Are your workplace chat tools covered by SARs? Very possibly. The group discussed how platforms like Microsoft Teams, Slack, and WhatsApp are increasingly scrutinised during employee SARs, especially where conversations include personal data about the requester.

🔹 Balancing Access, Proportionality, and Security

SAR compliance doesn’t mean disclosing everything. As Caine Glancy pointed out, organisations must strike a balance between access and protection:

“It’s easy to get swept up in emotion, especially when the SAR involves current staff. But we need to remain impartial, proportional, and legally grounded.”

The team also touched on unfounded and excessive requests, case law, and the ICO’s guidance on managing SARs in the workplace — especially when IT systems and data security are involved.

What made this episode stand out was the depth of real-world experiences shared. Guest speaker Nia Roberts brought front-line insight, including how to manage expectations and collaborate across departments:

“You need strong communication between data protection and IT teams. It’s essential, especially when you’re dealing with chat logs or historic data held in messaging tools.”

Want More Like This?

The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.

Subscribe to our mailing list by emailing [email protected]
Join live discussions every Friday at lunchtime
Find out more about our events, training, and in-person roundtables

Looking Ahead

Due to overwhelming demand and an overflowing chat box, we’re exploring a Part 2 to this session, diving deeper into recurring SAR issues, including excessive requests, HR workflows, and lessons from recent case law.

Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.

Special May Promotion: Free SAR Consultations

This month, we’re offering free consultations on SAR handling to any organisation looking to improve their internal process.

Whether you’re struggling with redaction, document searches, or managing requests from difficult cases, speak to one of our experts for practical support.

📩 Simply email us at [email protected] with the subject line SAR Support, and we’ll book in a free 30-minute consultation.


Joe Kirk’s Top 10 Tips

Joe Kirk’s Top 10 Tips: Lessons from a Career in Data Protection

In this special episode of the Data Protection Made Easy podcast, long-time host and data protection consultant Joe Kirk reflects on his journey through the world of privacy and compliance—from his early days in sales, speaking to hundreds of DPOs across the UK, to becoming a consultant himself and working with a wide range of clients across every major sector.

As this marks Joe’s final regular appearance on the podcast, we dedicated the session to the Top 10 Lessons He’s Learned over the last four years. These are practical, honest, and experience-based takeaways that he hopes will help current and aspiring DPOs make a meaningful impact in their roles.

Key Themes Discussed

  • How sales and consulting provide different but complementary perspectives on data protection
  • The common challenges DPOs face regardless of sector or organisation size
  • The importance of empathy, curiosity, and communication in building trust
  • Avoiding the “tick-box” mentality and becoming a strategic advisor
  • Keeping your knowledge current in a fast-moving legal and tech landscape
  • How to show your value to the business even when you’re not customer-facing
  • Why DPOs should be involved in decision-making at the earliest possible stage
  • Balancing legal risk with operational reality
  • Encouraging a culture of accountability, not fear
  • The importance of continuous learning – and what Joe would do differently if starting today

These tips are relevant whether you’re new to data protection, already in a DPO role, or even an employer looking to build a successful privacy function.

A Time of Transition for Data Protection Made Easy

Joe’s departure also marks the beginning of a new phase for the Data Protection Made Easy community. As we look to evolve and bring even more value to our subscribers, we’re making some important changes:

Podcast Frequency
We will now host one episode per month, instead of weekly. This allows us to:

  • Deep dive into more meaningful topics
  • Reintroduce guest speakers and expert panels
  • Focus on sector-specific challenges and use cases
  • Provide more actionable takeaways for our listeners

In-Person Events
To complement our podcast, we’ll be launching monthly in-person events, starting with a Housing Sector Roundtable in Leeds. These will be free to attend and packed with:

  • Expert guest speakers
  • Open discussion sessions
  • Networking opportunities
  • Food, drink, and sector-specific guidance

If you’re in the housing sector or work in data protection in Yorkshire, this is a great chance to connect with our team face-to-face. More info coming soon.

Monthly Newsletter
To replace our weekly GDPR Radio news episodes, we’ve launched a monthly email newsletter with:

  • Top stories from the ICO and UK government
  • Regulation changes and enforcement action recaps
  • Insights from the Data Protection People team
  • Highlights from recent podcasts and events

If you’re a subscriber, your first issue should already be in your inbox! If not, sign up here:

Subscribe to the Newsletter

What’s Next?

We’ll soon be publishing a full article on Joe’s Top 10 Tips for DPOs, expanding on the episode with real-life examples, links to useful tools, and guidance from our team. This will be available in the Resource Centre and shared with our newsletter subscribers.

We’ll also be sharing details on our 10-Year Anniversary Celebration taking place in July 2025. If you’re based in Leeds and would like to attend this free event, keep an eye out for the invitation — food, drinks, music, and privacy professionals all under one roof (plus a special guest DJ set from Joe himself!).

Keep in Touch with Joe

While Joe is stepping away from the podcast, you may still hear him pop up as a guest speaker in future episodes or events. He’s made a lasting impact on our community and we’d love for you to stay connected with him: Connect with Joe on LinkedIn

Catch Up On Demand

Listen to Episode 213 – Joe Kirk’s Top 10 Tips on Spotify

Or find us on Apple Podcasts, Amazon Music, and all major streaming platforms.

Thank you to Joe for four years of thoughtful, passionate, and incredibly valuable contributions to the Data Protection Made Easy community. We’ll miss him as a regular host, but we know this isn’t goodbye – just see you later.

GDPR Radio – Episode 212

GDPR Radio – Data Protection News of the Week

In Episode 212 of GDPR Radio, the news-focused arm of the Data Protection Made Easy podcast, our hosts Phil, Catarina, and Joe returned to unpack the latest headlines and developments in the world of data protection.

This interactive session offered an hour of engaging, thought-provoking discussion with a live audience made up of DPOs, legal professionals, cyber security experts, and privacy enthusiasts. As always, we covered what matters most to the data protection community—breaking down key cases, legislative shifts, and industry commentary in a simple, digestible way.

What We Discussed

In this episode, we explored:

  • Latest ICO enforcement actions and what they mean for organisations in regulated sectors

  • Notable data breaches from the past fortnight and the implications for incident response practices

  • The future of AI & consent – how regulators are shaping their approach to emerging technologies

  • UK data reform updates and their impact on DPO responsibilities

  • Plus, we answered live questions from our audience in real-time!

Whether you joined us live or plan to catch up later, Episode 212 was packed with valuable insights for data protection professionals at all levels.


How to Join Future Episodes

We host live podcast episodes every Friday between 12:30 and 13:30. These sessions are free to attend and open to anyone with an interest in data protection or cyber security. To receive weekly invitations straight to your inbox, simply sign up via our website:

👉 Subscribe to Podcast Invites


Earn IAPP CPE Credits

Listening to Data Protection Made Easy live or on-demand may qualify you for Continuing Professional Education (CPE) credits with the IAPP. Attendees can self-certify their participation by keeping a record of attendance or listening history.


Be Part of the Community

The Data Protection Made Easy podcast isn’t just a podcast—it’s a growing community. With over 1,500 subscribers and 200+ episodes, we’re proud to offer a space where professionals can learn, share ideas, and stay ahead of the curve. Each week, our live chat is buzzing with questions, opinions, and useful links from fellow practitioners.


Catch Up On Demand

Missed the live session? You can listen to Episode 212 and all previous episodes on Spotify, Amazon Music, Apple Podcasts, or wherever you get your podcasts.

🎧 Listen to GDPR Radio – Episode 212 on Spotify


Let us know what you thought of the episode or share a topic you’d like to see covered in a future edition of GDPR Radio!

How to Stand Out as a DPO

How to Stand Out as a DPO – Episode 211 of the Data Protection Made Easy Podcast

In this week’s episode of the Data Protection Made Easy podcast, our expert hosts Joe Kirk, Catarina Santos, and Phil Brining came together to explore one of the most popular and debated topics in the data protection space: what it takes to stand out as a Data Protection Officer (DPO) in today’s fast-evolving landscape.

With over 200 episodes under our belt, Data Protection Made Easy has always been about honest, accessible conversations—and this one was no different. Episode 211 sparked lively discussion, professional debate, and some healthy disagreements between our hosts, all of which reflect the complexity and diversity of views in our field.

We tackled the key ingredients that make a truly exceptional DPO:

  • What skills separate a great DPO from a good one?
  • How much does certification and formal training matter?
  • Is legal knowledge more important than technical awareness?
  • How do you build influence within an organisation as a DPO?
  • What are hiring managers really looking for in a data protection lead?

One of the biggest takeaways from this episode is that there is no single “correct” route to becoming a successful DPO. Some of our speakers emphasised strong legal backgrounds, while others focused on communication, pragmatism, and an understanding of real-world implementation. It’s this range of perspectives—and the opportunity for our community to challenge and expand on them—that makes our podcast so valuable.

Whether you’re:

  • An aspiring DPO looking to break into the industry,
  • A practicing DPO interested in sharpening your approach,
  • Or an employer or recruiter trying to understand what makes an impactful DPO,

this episode is packed with practical advice, reflection, and a few strong opinions that will get you thinking.


Want to Join the Conversation?

Our sessions are completely free to join and happen live every Friday from 12:30 – 13:30 (UK time) via Microsoft Teams. When you attend live, you’ll be part of our interactive chat, gain access to shared resources, and have the opportunity to ask questions or share your perspective.

If you can’t make it live, don’t worry—every episode is available on Spotify and all major streaming platforms so you can catch up any time.

👉 Subscribe to join future episodes
🎧 Listen back on Spotify
📩 Or sign up to receive weekly invites straight to your inbox.


Up Next: Episode 212 – GDPR Radio

Join us next Friday for GDPR Radio, our fortnightly roundup of data protection news, enforcement actions, and thought-provoking discussions. If you want to stay ahead of regulatory developments and understand what’s shaping our industry in real time, this is the place to be.

Thank you for being part of the Data Protection Made Easy community—see you next week!


Our Events & Webinars

Industry Leading Discussions

We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.

View All
AI Tools & GDPR: What You Need to Know
13 June 25, 12:30 - 1:30 pm

Housing Sector SARs: Rising Risks, Real Solutions
29 May 25, 10:00 - 2:00 pm

Get Support With Data Protection And Cyber Security

Our mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.