The UK's #1 Data Protection Consultancy

Data Protection & Information Security Experts

Data Protection Made Easy.

Join our extensive list of clients who have their data privacy under control

Accelerate Your Data Protection Compliance

Save Time, Save Money and Relax: You’re In Safe Hands

Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.

GDPR Training

Data Protection People have a wide range of training services catering for every need. Whether it's general training for operational or admin staff or specific training for specialist roles, we have something for you. Watch the short video below to meet the team and find out more about our training services.


Information Management Software

DataWise is the original privacy tech platform designed to simplify GDPR compliance management. Since its inception in 2011, DataWise has continuously evolved, solidifying its reputation as the pioneering "privacy tech" solution.


Data Protection Consultancy

Unlock Compliance Excellence with Our GDPR Consultancy Services. Navigating the intricate realm of data protection laws and standards demands expert guidance.


Outsourced DPO

A data protection officer doesn't have to be a full-time employee, and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services, or reach out and get in touch with us.


Need Help With Cyber Security Compliance?

We Have You Covered!

At Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.

PCI DSS Compliance Services for Merchants

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.


PCI DSS Compliance Services for Service Providers

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS). For service providers, that is any organisation that stores, processes or transmits cardholder data on behalf of another entity, or that could affect the security of that data (for example hosting, payment gateway or managed service providers), the standard applies in addition to the merchant's own obligations, and your customers will typically expect evidence of compliance from you.


External Attack Surface Management

As part of our external attack surface management service, our experts can support you with dark web monitoring. Data Protection People offer a free dark web scan for your organisation.


ISO 27001

Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.


Supporting DPOs

Flexible Support When You Need It

At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.

Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.

Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.

Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.

Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.

Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.

Diverse Sector Experience

Access to a Team of Industry Experts

At Data Protection People, our expertise spans diverse sectors, ensuring that organisations of all sizes and types receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every kind of organisation.

Commercial Sector

Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.

SMEs

Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimise your operations, and scale confidently with our tailored solutions that prioritise your unique business needs.

Third Sector

For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.

Multi Nationals

For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavours with resilience.

Public Sector

In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.

Why Use Our Outsourced DPO Services?

Save Time, Money and Guarantee Compliance

Navigating the intricate landscape of data protection demands more than just a DPO — it requires a dedicated team committed to excellence. Our Outsourced DPO Services extend beyond the traditional role, offering a comprehensive approach to legal compliance and pragmatic solutions.

Why Choose Outsourcing?

An outsourced DPO brings a wealth of experience, not just in the law but also in crafting workable solutions. Their impartiality is fortified by a team of privacy practitioners, ensuring that your organisation benefits from a spectrum of expertise. Should the need arise, seamless coverage during absences is guaranteed, eliminating the vulnerability associated with a single in-house DPO.

Staying Headache-Free

Concerned about the disruption if your DPO moves on? With an outsourced model, transitions are smooth, and you won’t experience the sudden headache of a critical role vacancy. The continuity provided by a team ensures that your data protection responsibilities are seamlessly handled.

Compliance Tailored to You

Our Outsourced DPO Services align seamlessly with your legal obligations, whether you’re mandated to appoint a DPO or choose to do so voluntarily. We understand that compliance is not just about ticking boxes but about ensuring a robust, practical approach to data protection. Choose Data Protection People for a worry-free, compliance-driven outsourced DPO solution — because your data protection journey should be as smooth as it is secure.

“I can't recommend Data Protection People enough, they have helped me in so many different areas, no matter how complex the challenge or how large the obstacle, DPP always has the answer.

I can call the team at any time and have built an amazing relationship with them, in times of frustration they are here to calm me down and create a plan, they are a pleasure to work with.”

Mark Leete
Eastlight Community Homes

‘I found the FOI training session to be highly informative and well-structured. It covered all the key areas comprehensively and provided clear, practical guidance throughout. The content was easy to follow, and the delivery by Gary was engaging, making complex topics accessible and understandable’. 

‘The training session has really helped me to understand the IG rep role a bit more and what I need to be thinking about when receiving a request for information’. 

Charlene Haynes & Team
Tendring District Council

“I have worked with the Data Protection People for some time now. Their expertise has been drawn upon to assist us with our GDPR compliance gap analysis project, ROPA design and production through to conducting objective reviews and surveys. They are always available to help us out and their advice and guidance is excellent and delivered in a timely way. Special mentions to Kathy Midgley, Phil Brining, and David Hendry. A great, reliable and dependable service!”

Judy Barker
Dyslexia Action

“A great service and peace of mind. Data Protection People provides a well-rounded service to ensure customers are fully supported in their approach to GDPR compliance. My interaction has largely been with the following people: Kathy Midgley – another great asset to the organisation. Always approachable, always helpful and consistently supportive to the team and customers.”

Julie Ferguson
Veritau

“We have been working with the Data Protection People for many years now, and have found them to be insightful, helpful, and knowledgeable in all areas of Data Protection Compliance. Data Protection People have taken the time to understand our business, the regulatory environment we sit under, and the unique challenges we face in the industry. They have supported us in all areas of Information and Data Security, assisting in assessments of our policies and changes to our processes. They are always willing to go the extra mile and prioritise support where required.”

Nia Roberts
Woodgate & Clarke

Data Protection People Blogs & Podcasts

Data Privacy Learning & Guidance

Data Protection People have the UK’s #1 Data Protection Podcast, with over 150 episodes available across all audio streaming platforms. We also post regular content designed to simplify complex areas of data protection and cyber security. Check out some of the podcasts and articles below and make data protection easy today.

Data Protection Consultant Job Opportunity

Data Protection Consultant Opportunities, Leeds

Salary: Up to £45,000 DOE
Location: Leeds Head Office, Hybrid
Contract: Full time, 37 hours per week
Date posted: 26 August 2025

About Data Protection People

Data Protection People (DPP) is one of the UK’s leading data protection consultancies. We support hundreds of clients across many sectors with practical, expert advice. Our work is varied and fast moving, and no two days are the same. You will join a collaborative team of Data Protection Consultants who share knowledge and solve problems together.

We are hiring two standout Data Protection Consultants to join our consulting team. Both roles are client facing and will act as outsourced Data Protection Officers for a portfolio of organisations. You will gain experience across many sectors, learn from colleagues with different backgrounds and specialities, and deliver clear, pragmatic solutions for clients.

Many successful Data Protection Consultants began their careers as a Data Protection Officer. If you have worked as a DPO and want to broaden your impact across multiple organisations, this is an excellent next step.

Key Responsibilities

Consulting and outsourced DPO services

  • Act as an outsourced Data Protection Officer for clients across different sectors.
  • Deliver consultancy across GDPR, UK DPA 2018, and FOI, including audits, advisory projects, and compliance reviews.
  • Guide clients through SARs, DPIAs, RoPAs, data breach handling, and regulator engagement where appropriate.
  • Translate legal and technical requirements into practical actions that non specialists can follow.
  • Keep clients informed about regulatory changes and best practice, and help them plan improvements.

Quality, collaboration, and knowledge sharing

  • Work with fellow consultants to review approaches, share insight, and produce strong solutions.
  • Contribute to DPP toolkits, templates, and our internal reference library.
  • Support thought leadership, for example blogs, webinars, and our GDPR podcast where relevant.

What We Are Looking For

Essential

  • Proven experience in data protection, for example GDPR, UK DPA 2018, FOI.
  • Recognised data protection qualification, for example CIPP/E, CIPM, or similar.
  • Excellent communication skills, with the ability to build trust and explain complex topics clearly.
  • Strong organisation and time management across multiple clients and projects.
  • Proactive, solution focused mindset, with attention to detail and quality.

Desirable

  • Previous experience as a Data Protection Officer.
  • Interest in contributing to blogs, webinars, or podcasts.

Why Join DPP

You will gain broad sector experience, clear career pathways, and support for further qualifications. Our team combines legal, technical, and operational expertise, which allows consultants to learn quickly and deliver measurable outcomes for clients.

Benefits

  • Competitive salary up to £45,000 DOE.
  • Up to 38 days holiday including bank holidays.
  • Hybrid working and free on site parking near Leeds city centre.
  • Company pension and life insurance.
  • Casual dress and regular company events.

Key Details

  • Job type: Full time, permanent.
  • Location: Hybrid, Leeds Head Office, LS3 1HS. You must be able to commute or plan to relocate.
  • Work authorisation: United Kingdom required.

How To Apply

Main contact and hiring manager: Catarina Santos.

Please email your CV and a short cover letter to
info@dataprotectionpeople.com and
catarina.santos@dataprotectionpeople.com.

Work location: Hybrid remote in Leeds LS3 1HS.

FAQ

Can a Data Protection Officer move into a Data Protection Consultant role?

Yes. Many of our consultants previously worked as a Data Protection Officer. Consulting offers wider sector exposure, a broader range of projects, and the chance to deliver outcomes across multiple organisations.

What makes consulting at DPP a strong next step?

You will join a supportive team, access shared toolkits and templates, and collaborate with specialists from different backgrounds. This helps you deliver high quality work and develop faster than in most single organisation roles.

South Yorkshire Police Data Loss

ICO Reprimands South Yorkshire Police Over Deletion of 96,000 Bodycam Videos

In July 2023, South Yorkshire Police (SYP) accidentally deleted over 96,000 pieces of body-worn video (BWV) evidence. The fallout has raised serious questions around data governance, SAR compliance, and organisational accountability. The Information Commissioner’s Office (ICO) has now formally reprimanded SYP, stating that the data loss was avoidable and the result of governance failures, not just technical issues.

For data protection professionals and organisations handling personal data, this case is more than a headline. It’s a warning sign.

What Happened at South Yorkshire Police?

Following a system upgrade in May 2023, South Yorkshire Police experienced issues processing BWV footage. A temporary workaround was introduced but, on 26 July 2023, 96,174 original video files were permanently deleted.

While 95,033 of those files had reportedly been copied to a new system before deletion, SYP admitted that incomplete record-keeping made it impossible to confirm exactly how much data was lost.

The damage wasn’t just operational. The loss impacted 126 criminal cases, and significantly, it also compromised the force’s ability to respond to Subject Access Requests (SARs).

Why This Matters for Subject Access Requests (SARs)

Under UK GDPR, individuals have the right to access their personal data. When records are lost because of poor governance, those rights disappear.

Article 15 gives individuals the right to access their data. Article 5(1)(f) (the integrity and confidentiality principle) requires organisations to protect personal data against accidental loss, destruction or damage. Deleting thousands of files by mistake is the opposite of compliance.

It’s a reminder that SARs aren’t just an administrative process. They depend on good governance, reliable systems, and a culture that treats data as valuable.

What Went Wrong at SYP

The ICO identified several failings:

  • No adequate backup solution in place
  • Poor or missing risk assessments before transferring data between systems
  • Weak or inconsistent record-keeping
  • Inadequate documentation of file retention and deletion

These are not isolated technical failures. They are systemic governance gaps that many organisations, public and private, may unknowingly share.

Lessons for Organisations: Building a Resilient Data Governance Framework

So, what can we learn from this? Here are four actions that every organisation should consider:

1. Robust Data Mapping
Know what personal data you hold, where it’s stored, and who has access to it. Without this, even the best systems are blind spots waiting to happen.

2. Turn Policies Into Practice
Define procedures for data collection, access, transfer, backup, and deletion. Make sure these are enforced, not just written.

3. Proactive Risk Assessments
New systems, upgrades, or vendors all bring risks. Identify them before switching anything on.

4. Audit and Stress-Test Regularly
Don’t wait for an ICO reprimand to discover your governance is failing. Run reviews and spot-checks as part of business as usual.
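The SYP incident is a textbook migration failure: originals were removed before anyone could prove that every file had a verified copy, and the records needed to answer "exactly what was lost?" did not exist. The following is an added example, written for this page and not code from Data Protection People or South Yorkshire Police, of the verify-before-delete control that the four lessons above describe in governance terms. It hashes both sides of a transfer, writes the reconciliation record before touching anything, and deletes originals only when every file is accounted for. The directory names, file names and "bodycam clip" contents are constructed stand-ins, not real evidence.

```python
"""Verify-before-delete reconciliation for a file migration (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large video files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def reconcile(source: dict[str, str], dest: dict[str, str]) -> dict:
    """Classify every source file as verified, missing from dest, or mismatched."""
    verified, missing, mismatched = [], [], []
    for rel, digest in source.items():
        if rel not in dest:
            missing.append(rel)
        elif dest[rel] != digest:
            mismatched.append(rel)
        else:
            verified.append(rel)
    return {
        "source_count": len(source),
        "dest_count": len(dest),
        "verified": sorted(verified),
        "missing": sorted(missing),
        "mismatched": sorted(mismatched),
    }


def safe_to_delete(report: dict) -> bool:
    """Originals may go only when nothing is missing and nothing is corrupt."""
    return not report["missing"] and not report["mismatched"]


def _write_record(log_path: Path, source: Path, dest: Path, report: dict) -> None:
    log_path.write_text(json.dumps(
        {"source": str(source), "destination": str(dest), **report}, indent=2))


def migrate_and_verify(source: Path, dest: Path, log_path: Path, delete: bool) -> dict:
    """Reconcile source against dest, write the audit record, then (optionally) delete."""
    report = reconcile(build_manifest(source), build_manifest(dest))
    report["deletion_performed"] = False
    # The record is written BEFORE any deletion so it survives a crash mid-way
    # and can later show which files were removed and on what evidence.
    _write_record(log_path, source, dest, report)
    if delete and safe_to_delete(report):
        for rel in report["verified"]:
            (source / rel).unlink()
        report["deletion_performed"] = True
        _write_record(log_path, source, dest, report)
    report["source_files_remaining"] = sorted(p.name for p in source.iterdir())
    return report


# Constructed sample data: three tiny stand-ins for bodycam clips (not real evidence).
CLIPS = {
    "clip_0001.mp4": b"frame-data-1",
    "clip_0002.mp4": b"frame-data-2",
    "clip_0003.mp4": b"frame-data-3",
}


def _scratch_dirs() -> tuple[Path, Path, Path]:
    """Create a throwaway legacy/new-system pair with the sample clips in the legacy side."""
    base = Path(tempfile.mkdtemp(prefix="bwv-migration-"))
    source, dest = base / "legacy_system", base / "new_system"
    source.mkdir()
    dest.mkdir()
    for name, data in CLIPS.items():
        (source / name).write_bytes(data)
    return source, dest, base / "reconciliation.json"


def demo_blocked() -> dict:
    """One intact copy, one corrupt copy, one never copied: deletion must be refused."""
    source, dest, log = _scratch_dirs()
    (dest / "clip_0001.mp4").write_bytes(CLIPS["clip_0001.mp4"])  # intact copy
    (dest / "clip_0002.mp4").write_bytes(b"truncated")             # damaged copy
    return migrate_and_verify(source, dest, log, delete=True)


def demo_completed() -> dict:
    """Every file copied byte-for-byte: originals are removed and the record says so."""
    source, dest, log = _scratch_dirs()
    for name, data in CLIPS.items():
        (dest / name).write_bytes(data)
    return migrate_and_verify(source, dest, log, delete=True)


if __name__ == "__main__":
    print(json.dumps(demo_blocked(), indent=2))
    print(json.dumps(demo_completed(), indent=2))
```

Two design choices matter here. Deletion is refused on any discrepancy, not just on missing files, because a copy that exists but does not match is exactly the kind of loss that incomplete record-keeping hides. And the JSON record is written before deletion starts, so even an interrupted run leaves evidence of which files were verified, which is what a SAR response or an ICO investigation will later need.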

FAQs: Data Loss, SARs, and Governance

What is the risk of poor data governance?
It’s more than just an IT headache. Poor governance can block SAR responses, lead to regulatory action, damage your reputation, and even trigger legal claims.

What happens if you can’t fulfil a SAR because the data is lost?
You’re still expected to respond. You must tell the individual that the data is no longer available and explain why. But if the loss was avoidable, the ICO may still see it as a failure to meet your GDPR duties.

Is it a breach if the data was deleted but not accessed by a third party?
Yes. A personal data breach isn’t just about leaks. The UK GDPR definition (Article 4(12)) covers accidental or unlawful destruction, loss or alteration of personal data as well as unauthorised disclosure or access, so deleting records by mistake is a breach even if no third party saw the data. Article 33 then sets out when such a breach must be notified to the ICO.

Do backups need to be GDPR compliant too?
Absolutely. Backups are still personal data. They must follow the same rules on security, retention, access, and lawful processing. A backup that isn’t GDPR-compliant isn’t really a backup at all.

How Data Protection People Can Help

At Data Protection People, we specialise in helping organisations build proactive, scalable data governance frameworks that reduce risk and support GDPR compliance.

We support clients with:

  • Data mapping and retention policies
  • SAR readiness assessments
  • Back-up and deletion strategy audits
  • Staff training and policy creation
  • DPIAs for system changes and upgrades

Whether you’re a police force, public authority, or commercial business, we’ll help you move from reactive data management to proactive governance.

Need help improving your data governance or SAR processes?

Contact us to speak to one of our consultants or enquire about our GDPR audit or SAR management services.

How to Prepare for the Data (Use & Access) Act 2025

Between June 2025 and June 2026, the government will implement the Data (Use & Access) Act (DUAA) to promote innovation and economic growth nationwide. 

The DUAA makes several updates to data protection law which, the ICO says, ‘make things easier for organisations, while [protecting] people and their rights’. But with change comes uncertainty, leaving businesses and data protection experts alike wondering how they can prepare.

In this blog, we cover your next steps and the opportunities available to simplify data protection compliance. 

To Prepare for the DUAA, You Should:

  • Familiarise Yourself with the Changes
  • Implement a Complaints Procedure
  • Meet New Requirements for Children’s Online Services
  • Update Your DSAR Response Procedure
  • Update Cookie Consent
  • Review Use of Automation
  • Organise Data Protection Training

1. Familiarise Yourself with the Changes

The Data (Use & Access) Act is as technical a read as the UK GDPR, PECR and Data Protection Act (DPA). Your Data Protection Officer (DPO) or the people responsible for managing compliance will need to spend time assessing the changes the DUAA makes to data protection law.

In our podcast, Data Protection Made Simple, we break the DUAA down into simple terms and provide practical tips for staying compliant with the law. Listen in now:

If you need more support, our data protection consultancy can help run through which changes impact your business the most. 

2. Implement a Complaints Procedure

Under the DUA Act, data subjects now have the right to complain directly to a data controller if they believe their personal data is being processed unlawfully. Where such complaints were previously routed to the ICO in the first instance, controllers must now have a formal complaints process for handling data protection concerns.

Your complaints procedure should include:

  • Clear instructions on how and where to file complaints
  • An easily accessible form for individuals to submit complaints
  • The steps you’ll take to resolve and respond* to complaints
  • How you will keep individuals informed of outcomes 
  • Appointed staff members trained in handling complaints

*Complaints must be acknowledged within 30 days of receipt, and the outcome communicated without undue delay.

3. Meet New Requirements for Children’s Online Services

One in five UK internet users is a child, so there’s every chance your online service may be used by an age group you never designed for. The DUAA expects you to prioritise the best interests of a child when designing and developing online services, ensuring they are protected in the digital age.

This applies to a variety of services, including apps, websites and connected toys. If you already meet the ICO's Age Appropriate Design Code (AADC), you are likely to have satisfied this new requirement, but you should document how your design choices reflect it.

4. Update Your DSAR Response Procedure   

The DUAA is expected to make subject access request (SAR or DSAR) handling and response easier; therefore, your internal procedure should now provide this flexibility. 

Your procedure should make clear: 

  • Your refined search scope – You should only make ‘reasonable and proportionate searches’ when fulfilling a subject access request. 
  • Stop the clock provision – Guidance on how your staff can pause the one-month deadline for responding to DSARs if they’re waiting for identity verification or further clarification of scope.

5. Update Cookie Consent 

Under the DUA Act, consent is no longer required where cookies or similar technologies fall within low-risk processing. These exempted purposes include:

  • Statistical/analytics purposes to improve services
  • System security and fraud detection
  • Improving website functionality or tailoring the website to user preferences

You must assess whether your website’s analytics or functional cookies qualify for this exemption, considering whether they are strictly necessary and low risk. With this in mind, you’ll need to update cookie consent banners, policies and internal documentation to reflect the change in consent. 

For charities, you will also have to implement a clear opt-out option for direct marketing sent based on the soft opt-in rule. 

6. Review Use of Automation 

One way the DUAA is promoting innovation is through its new provisions (Articles 22A-22D of the UK GDPR) governing automated decision-making (ADM). 

To welcome this innovation, make sure you:

  • Include the new provisions under Articles 22A-22D in any data protection impact assessments (DPIAs) covering ADM
  • Confirm the legal basis when special category data is required 
  • Add transparency statements and human review protocols where ADM affects individuals significantly 

7. Organise Data Protection Training 

You may know what to do, but how you need to do it might not be as clear. Now is the perfect time to schedule some refresher data protection training to ensure everyone is up to speed. 

As a training provider, we can support your business with training tailored to your sector and processing requirements. All courses are up to date with the DUA Act, so your team will receive the latest insights on maintaining compliance. 

How Does the DUA Act Help Your Business?

  • Research provisions: The Act clarifies when personal data can be used for scientific research (including commercial) and permits ‘broad consent’ for such purposes.
  • Automated decision-making: It broadens the ‘lawful bases’ that can be relied upon for significant automated decisions using personal data, potentially including ‘legitimate interests’, provided suitable safeguards are in place.
  • Cookie rules: The DUAA permits the use of certain types of cookies, such as those employed for statistical analysis or enhancing website functionality, without requiring explicit consent.
  • New ‘recognised legitimate interests’: For specific ‘recognised legitimate interests’ (e.g., public security), businesses no longer need to balance the impact on individuals against the benefits of data use.
  • ‘Soft opt-in’ for charities: Charities can send electronic marketing to individuals who’ve supported or shown interest in their work, unless they object.
  • Subject access requests (SARs): The Act clarifies that only ‘reasonable and proportionate’ searches are required when responding to SARs.
  • Improved clarity: The legislation’s wording and structure have been refined to facilitate easier understanding and application.

Need Help? Contact Our Data Protection Consultants Today

As a GDPR consultancy, our goal is to make data protection easy to understand and easy to do. If you need expert support navigating the DUAA, please contact our team, and we’ll be in touch. 

How the Data (Use and Access) Act Is Changing Data Protection Law

The Data (Use and Access) Bill was first introduced in October 2024 to replace its predecessor, the Data Protection and Digital Information (DPDI) Bill, which fell when Parliament was dissolved in 2024.

On 19 June 2025, this bill became an Act of Parliament. Now known as the Data (Use and Access) Act (DUAA), it is one of the most significant changes to UK data protection law since the GDPR. 

In this article, we examine the key provisions in the Act that will impact the UK GDPR, DPA and PECR legislation. 

Does the DUAA Impact Any Data Protection Laws? 

Yes – the Data (Use and Access) Act (2025) makes changes to the following UK data protection laws:

  • The UK General Data Protection Regulation (UK GDPR)
  • The Data Protection Act 2018 (DPA 2018)
  • The Privacy and Electronic Communications Regulations 2003 (PECR 2003)  

The DUAA does not replace any laws; it only amends and introduces new provisions. 

What Changes Has the DUA Act Made to the UK GDPR & DPA 2018?

The Data (Use and Access) Act has made changes in the following areas:

  • Automated Decision-Making
  • Data Subject Access Requests
  • Children’s Data Protection Obligations
  • Scientific Research
  • Legitimate Interests
  • International Data Transfers
  • New Complaints Procedure
  • Reforms to the ICO

1. Automated Decision-Making (ADM)

Prior to the DUAA, Article 22 of the UK GDPR restricted automated decision-making unless it was done with the individual’s consent, permitted by UK law, or necessary for a contract between an individual and a business.

The DUAA replaces this Article with Articles 22A-22D, which allow for greater flexibility in using ADM, provided that the necessary safeguards are in place. These include:

  • Providing the individual whose personal data was used for ADM with complete transparency about the decision
  • Offering human intervention if requested by the individual
  • Enabling the individual to contest the decision
  • Allowing the individual to make representations 

Restrictions are only in place when using special category data (e.g., race, health, or biometric data), reinstating what was required pre-DUAA. Organisations can only use this data for ADM if they have consent, or where necessary for substantial public interest. 

2. Data Subject Requests (DSARs)

The DUAA now provides further transparency of a business’s obligations when handling DSARs (also known as SARs). 

Previously, businesses had one month from receipt to respond to a subject access request. The DUAA introduces a “stop the clock” provision, which allows organisations to pause the response time until they have enough information from the individual to clarify the request. 

Once they have the relevant information, the one-month response time continues. 

Previously, the law did not explicitly state that responding to DSARs had to be “reasonable and proportionate” (i.e., not requiring undue effort to complete the search). The DUAA clarifies what constitutes disproportionate effort, offering more flexibility to DPOs managing complex or voluminous requests. 

3. Controller Obligations –  Children’s Data Protection 

Section 81 of the DUAA introduces an explicit duty of care for providers of online services accessed by children. These controllers must take into account the “children’s higher protection matters” (Article 25(1B)) when designing services for children. 

When choosing the appropriate technical and organisational measures, controllers must consider:

  • How best can they support and protect children using their services
  • How children may be less aware of the risks and consequences of personal data processing
  • How children have unique needs at different ages and stages of development

4. Scientific Research

The DUAA introduces the concept of ‘broad consent’, previously outlined in the UK GDPR recitals, into the main text of the legislation. 

This measure allows researchers to rely on broad consent, whereby individuals consent to their information being used for an “area of scientific research” rather than a more specific purpose. Gaining broad consent is contingent upon meeting the ethical standards relevant to the area of research. 

5. Legitimate Interests

There is now a list of recognised legitimate interests under Article 6(1)(f) of the UK GDPR, which includes:

  • National security, public safety and defence
  • Emergency response
  • Safeguarding of vulnerable individuals
  • Crime prevention 
  • Disclosure of data in the public interest 

When data processing is based on any of these interests, no balancing test is required. This test, also known as a legitimate interests assessment, balances the controller’s interests against the individual’s rights and freedoms to ensure processing is fair. 

Removing the balancing test recognises the ‘societal value of the processing in specified situations and the potential negative impacts of any delay.’ 

6. International Data Transfers

Under the DUAA, international data transfers are permitted if the receiving country has data protection standards that are similar to (not materially lower than) those of the UK. This replaces the EU-style adequacy framework, making it easier to approve data transfers to a wider range of countries. 

With the test now being ‘not materially lower’ rather than ‘essentially equivalent’, the UK has more flexibility to transfer data outside of the EU’s stricter standards. 

7. New Complaints Procedure 

Data subjects now have the right to complain to a data controller if they’re concerned that the way their information is processed breaches data protection law.

While individuals have always had the right to complain, the DUAA now places the burden for acting on that complaint with the controller, rather than the ICO. 

In response to this, controllers must implement a clear response procedure, whereby all complaints are acknowledged within 30 days of receipt. Controllers are also required to respond without undue delay and inform the individual of the outcome. 

For more insight, read our recent blog on this new complaints provision to find out how you can prepare.  

8. Reforms to the ICO

Currently, all powers and responsibilities are held by one individual, the Information Commissioner. The DUAA will replace the ICO with the Information Commission, which will be led by a chair and a chief executive, with other non-executive and executive members also in place.   

This significant institutional change will promote diversity in decision-making by sharing decisions across the board, rather than relying on a sole decision-maker.

The Information Commissioner will have additional duties to consider, which you can learn about on GOV.UK’s ICO factsheet.  

How Has the DUA Act Changed the PECR?

1. Time Period to Report Breach

The Data (Use and Access) Act now requires communication providers to report personal data breaches to the ICO ‘without undue delay’ and no later than 72 hours after becoming aware.

The PECR currently requires businesses to report breaches within 24 hours, so the new time period (72 hours) is in line with the reporting period under the UK GDPR. 

2. Non-Compliance Fines

The DUAA aligns the maximum fines for PECR breaches with the UK GDPR, increasing them to £17.5 million or 4% of a company’s global annual turnover, whichever is greater.

With the original maximum fine at £500,000, this increase places significant responsibility on businesses to strengthen PECR compliance.

3. Soft Opt-In Rule for Charities

Charities can send marketing emails and texts to individuals who have expressed interest or offered support to the charity. This is known as the ‘soft opt-in rule’, which allows charities to send electronic marketing without needing explicit consent.  

Individuals must be able to opt out at any time, whether it’s at the first instance or later down the line. This means charities can continue to send communications to an individual until they explicitly opt out.

4. Cookie Compliance Exemptions 

While the PECR required consent for all but ‘strictly necessary’ cookies, the DUAA introduces new exemptions for specific ‘low-risk’ scenarios, provided that clear information and an opt-out option are offered to users.

Under the new rules, consent is no longer required for the use of cookies for the following purposes:

  • Statistical analysis for service improvement (e.g., website analytics).
  • Website functionality and improvement, such as adapting a website to a user’s preferences.
  • Security and fraud prevention.

When Will the DUAA Changes Take Effect? 

Changes to data protection law will come into force two to twelve months after Royal Assent (June 2025). GOV.UK will announce further details of the regulations and the exact dates when each measure will commence. 

Want to Learn More? Subscribe to Our Podcast

Our podcast, Data Protection Made Easy, is your go-to hub for the latest news and changes in data protection law. Recently, our team hosted two live sessions discussing the DUA Act and how businesses can prepare going forward. 

Catch up and listen to:

Our award-winning podcast is available on Spotify, Amazon Music and many other podcast sites. Subscribe now to avoid missing out. 

Speak to Our Data Protection Consultants Today

Our data protection consultancy can help you prepare for all the changes in the DUAA. Whether it’s setting up a complaints procedure or updating cookie consent, we’re here to guide you through. 

Need support? Get in touch with our team today.

DUA Act – Part Two

The Data (Use and Access) Act 2025 – Podcast Part Two

On Thursday, 18th July 2025, we hosted Part Two of our DUA Act discussion, with over 200 live attendees joining us for a deeper dive into the Data (Use and Access) Act 2025.

Led by Phil Brining and Caine Glancy, this session focused on answering the questions raised in Part One, exploring complex scenarios, and sharing practical advice for professionals preparing for the new regulations.

If you couldn’t attend live or want to revisit the insights, you can now listen back to the full recording and access the presentation slides shared during the event.

Listen on Spotify

Click below to listen to Part Two on Spotify or search ‘Data Protection Made Easy’ on Apple Podcasts, Audible or any major platform.

Download the Slides

We’ve made the full slide deck from Part Two available to download and share:
Download Part Two Presentation Slides

What We Covered

  • Real-life scenarios and case study examples based on DUA Act principles
  • Detailed Q&A on legitimate interest balancing tests, soft opt-in rules, and data subject rights
  • Compliance challenges and how to overcome them using good governance frameworks
  • The DUA Act’s expected impact on privacy management programmes and internal policies
  • Preparing your teams, clients, and data flows for the changes ahead

Join the Data Protection Made Easy Community

By joining our free community, you’ll get:

  • Early access to upcoming podcast sessions and event invites
  • Weekly insights into legislation like the DUA Act and GDPR
  • Exclusive downloads including templates, tools, and guides
  • Invitations to in-person events across the UK
  • Access to session recordings and slides
  • A place to ask questions, share experiences, and stay ahead

We’re here to help you transition confidently into the new data protection landscape, making compliance clearer, simpler, and more achievable.

The Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 – Podcast Part One Recap

On Friday, 28th June 2025, we hosted our biggest podcast session ever, with 295 live attendees joining us to explore the Data (Use and Access) Act 2025.

Hosted by Phil Brining, Caine Glancy, and Catarina Santos, the session provided a clear and practical breakdown of the most significant changes to UK data protection law since the GDPR.

Whether you missed it live or want to listen again, you can catch the full episode now and download the slide deck shared during the session.

Listen back on Spotify

Click below to listen to the episode via Spotify or find us on Apple Podcasts, Audible and all major streaming platforms.

Download the Slides

We’ve made the full slide deck from the session available to download and share:
Download Presentation Slides

What We Covered

  • What the DUA Act is and how it evolved from the DPDI Bill
  • Key changes to Subject Access Requests, Legitimate Interests, and the role of the ICO
  • Updates to PECR enforcement powers and cookie consent exemptions
  • The Act’s impact on data sharing, organisational accountability, and regulatory expectations
  • What public and private sector organisations need to prepare for

Part Two – Live on Thursday 18th July

Due to overwhelming demand and brilliant questions from our community, Part Two is already confirmed. In this follow-up session, we’ll dig deeper into unanswered questions, explore real-world scenarios, and share practical next steps for compliance and governance.

Click here to visit the Part Two event page and register your place: View Part Two

Join the Data Protection Made Easy Community

By joining our free community, you’ll get:

  • Early access to future podcast sessions
  • Weekly email updates with analysis and guidance on the DUA Act
  • Exclusive content including white papers, practical templates, and checklists
  • Invites to free in-person events across the UK
  • Recordings and slides from every live session
  • A chance to ask questions and share challenges with other professionals

We’re committed to supporting our community through the transition to the DUA Act and beyond, making compliance simpler, clearer, and easier to manage.

Managing Subject Access Requests from Employees & Ex-Employees – Part 2

Data Protection Made Easy Podcast – Episode 214

After one of our most popular episodes to date, Data Protection Made Easy is back on Friday 13th June with Part Two of our deep dive into Subject Access Requests (SARs) from employees and ex-employees.

Our expert hosts Catarina Santos, Phil Brining and Caine Glancy return with special guest Nia Roberts to pick up where we left off, tackling some of the most challenging real-world scenarios and offering practical advice you can put into action.

Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.

What We Covered

Understanding What Drives SARs

We’ll begin by exploring the reasons why employees and former staff submit SARs. Understanding their motivations – whether it’s part of a grievance, a disciplinary matter, or simply curiosity – can help you take a more informed, strategic approach when responding.

When You Must Respond – And When You Don’t

We’ll clarify the legal obligations around SARs, including when you are required to respond and the circumstances under which you may lawfully refuse. We’ll cover how to apply exemptions correctly and avoid common legal missteps.

Managing Excessive or Repetitive Requests

Some SARs are straightforward, but others can be lengthy, repeated or even used tactically during disputes. We’ll discuss practical strategies for managing high-volume or difficult requests while staying compliant and maintaining control.

Balancing Transparency and Internal Protection

Sharing data is a legal requirement, but it can pose risks. We’ll explain how to balance the need for openness with the importance of protecting internal communications and third-party data, especially in sensitive workplace situations.

Lessons from Real Grievance and Disciplinary Cases

We’ll walk through real examples where SARs intersect with HR issues, highlighting the challenges and how they were overcome. These case studies bring the legislation to life and offer useful insights for handling similar requests in your own organisation.

Proactive Preparation: Getting Ahead of SARs

Being prepared can save you a lot of time and stress. We’ll share practical steps to help you get ready for future SARs, such as mapping employee records, putting redaction protocols in place, and training managers to write with potential disclosure in mind.

Avoiding Common Mistakes

From over-disclosing sensitive data to misinterpreting exemptions, there are several pitfalls to watch out for. We’ll help you spot the most common mistakes and show you how to avoid them through better planning and communication.

Handling Escalation and Risk

Sometimes SARs escalate into wider legal or reputational issues. We’ll outline how to manage those risks and what to do when a request becomes more than just a request – protecting your organisation and your people in the process.

Want More Like This?

The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.

  • Subscribe to our mailing list by emailing info@dataprotectionpeople.com
  • Join live discussions every Friday at lunchtime
  • Find out more about our events, training, and in-person roundtables

Looking Ahead

As always, this podcast is completely free to attend and open to everyone. Whether you’re new to SARs or navigating a particularly difficult one, this session will leave you better equipped to respond with clarity and confidence.

Know someone who would benefit? Share the podcast link and help others take the complexity out of compliance.

Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.

Managing Employee SARs

Managing Subject Access Requests from Employees & Ex-Employees

Data Protection Made Easy Podcast – Episode 114

Subject Access Requests (SARs) submitted by current or former employees are among the most sensitive and complex data protection challenges organisations face. In Episode 114 of the Data Protection Made Easy Podcast, we welcomed Nia Roberts from Woodgate & Clarke to share her insights alongside our regular hosts Philip Brining, Catarina Santos, and Caine Glancy.

If you’re involved in HR, legal, compliance, or data protection, this is an episode you won’t want to miss. SARs from staff can surface during contentious periods and often involve highly personal data, workplace grievances, and emotionally charged decisions.

Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.

What We Covered

This session dives into some of the most frequently asked questions and overlooked risks when handling SARs from employees and ex-employees. The team explored:

🔹 Common Triggers and Misconceptions

From employment disputes and grievances to misunderstanding of rights, we discussed the motivations behind employee SARs and how these requests are sometimes unfairly perceived as “troublemaking.”

As Catarina Santos explained, it’s essential to reframe the narrative:

“The moment an employee submits a SAR, there’s often suspicion. But they’re simply exercising a right, and organisations need to avoid viewing this as a hostile act.”

🔹 SARs and Organisational Culture

The episode opened with a reflection on how important organisational attitude is when dealing with SARs internally. Do line managers panic? Do HR teams try to limit the scope unfairly? The cultural tone of how SARs are approached sets the standard for compliance and respect for rights.

🔹 The Community Speaks

This episode was particularly lively, with dozens of listeners sharing personal experiences in the live chat, from management asking for redaction reviews to WhatsApp messages being considered disclosable.

Philip Brining highlighted the value of the community:

“We’re not here to preach, we’re here to learn from each other. Today’s discussion proved again how much experience exists across this community.”

🔹 Tools of the Trade: Teams, WhatsApp & Chat Platforms

Are your workplace chat tools covered by SARs? Very possibly. The group discussed how platforms like Microsoft Teams, Slack, and WhatsApp are increasingly scrutinised during employee SARs, especially if conversations include personal data.

🔹 Balancing Access, Proportionality, and Security

SAR compliance doesn’t mean giving everything. As Caine Glancy pointed out, organisations must strike a balance between access and protection:

“It’s easy to get swept up in emotion, especially when the SAR involves current staff. But we need to remain impartial, proportional, and legally grounded.”

The team also touched on unfounded and excessive requests, case law, and the ICO’s guidance on managing SARs in the workplace — especially when IT systems and data security are involved.

What made this episode stand out was the depth of real-world experiences shared. Guest speaker Nia Roberts brought front-line insight, including how to manage expectations and collaborate across departments:

“You need strong communication between data protection and IT teams. It’s essential, especially when you’re dealing with chat logs or historic data held in messaging tools.”

Want More Like This?

The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.

  • Subscribe to our mailing list by emailing info@dataprotectionpeople.com
  • Join live discussions every Friday at lunchtime
  • Find out more about our events, training, and in-person roundtables

Looking Ahead

Due to overwhelming demand and an overflowing chat box, we’re exploring a Part 2 to this session, diving deeper into recurring SAR issues, including excessive requests, HR workflows, and lessons from recent case law.

Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.

Special May Promotion: Free SAR Consultations

This month, we’re offering free consultations on SAR handling to any organisation looking to improve their internal process.

Whether you’re struggling with redaction, document searches, or managing requests from difficult cases, speak to one of our experts for practical support.

📩 Simply email us at info@dataprotectionpeople.com with the subject line SAR Support, and we’ll book in a free 30-minute consultation.


Our Events & Webinars

Industry Leading Discussions

We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.

View All
  • Caught in the Act: The UK’s New Age Verification Law – 29 August 2025, 12:30 - 1:30 pm
  • The Data (Use and Access) Act – Part Two – 18 July 2025, 12:30 - 1:30 pm

Get Support With Data Protection And Cyber Security

Our mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.