Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.
Data Protection People have a wide range of training services catering for every need. Whether its general training for operational or admin staff or specific training for specialist roles, we have something for you. watch the short video below to meet the team and find out more about our training services.
Contact Us
DataWise is the original privacy tech platform designed to simplify GDPR compliance management. Since its inception in 2011, DataWise has continuously evolved, solidifying its reputation as the pioneering "privacy tech" solution.
Contact Us
Unlock Compliance Excellence with Our GDPR Consultancy Services. Navigating the intricate realm of data protection laws and standards demands expert guidance.
Contact Us
A data protection officer doesn't have to be a full time employee and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services or reach out and get in touch with us.
Contact UsAt Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.
A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.
Contact Us
A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.
Contact Us
Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.
Contact Us
Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.
Contact Us
At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.
Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.
Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.
Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.
Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.
Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.
At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.
Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.
Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimize your operations, and scale confidently with our tailored solutions that prioritize your unique business needs.
For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.
For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavors with resilience.
In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.
Data Protection People have the UK’s #1 Data Protection Podcast with over 150 episodes available across all audio streaming platforms, we also post regular content designed to simplify complex areas of data protection and cyber security, check out some of the podcasts and articles below and make data protection easy today.
Salary: Up to £45,000 DOE
Location: Leeds Head Office, Hybrid
Contract: Full time, 37 hours per week
Date posted: 26 August 2025
Data Protection People (DPP) is one of the UK’s leading data protection consultancies. We support hundreds of clients across many sectors with practical, expert advice. Our work is varied and fast moving, and no two days are the same. You will join a collaborative team of Data Protection Consultants who share knowledge and solve problems together.
We are hiring two standout Data Protection Consultants to join our consulting team. Both roles are client facing and will act as outsourced Data Protection Officers for a portfolio of organisations. You will gain experience across many sectors, learn from colleagues with different backgrounds and specialities, and deliver clear, pragmatic solutions for clients.
Many successful Data Protection Consultants began their careers as a Data Protection Officer. If you have worked as a DPO and want to broaden your impact across multiple organisations, this is an excellent next step.
You will gain broad sector experience, clear career pathways, and support for further qualifications. Our team combines legal, technical, and operational expertise, which allows consultants to learn quickly and deliver measurable outcomes for clients.
Main contact and hiring manager: Catarina Santos.
Please email your CV and a short cover letter to
info@dataprotectionpeople.com and
catarina.santos@dataprotectionpeople.com.
Work location: Hybrid remote in Leeds LS3 1HS.
Yes. Many of our consultants previously worked as a Data Protection Officer. Consulting offers wider sector exposure, a broader range of projects, and the chance to deliver outcomes across multiple organisations.
You will join a supportive team, access shared toolkits and templates, and collaborate with specialists from different backgrounds. This helps you deliver high quality work and develop faster than in most single organisation roles.
In July 2023, South Yorkshire Police (SYP) accidentally deleted over 96,000 pieces of body-worn video (BWV) evidence. The fallout has raised serious questions around data governance, SAR compliance, and organisational accountability. The Information Commissioner’s Office (ICO) has now formally reprimanded SYP, stating that the data loss was avoidable and the result of governance failures, not just technical issues.
For data protection professionals and organisations handling personal data, this case is more than a headline. It’s a warning sign.
Following a system upgrade in May 2023, South Yorkshire Police experienced issues processing BWV footage. A temporary workaround was introduced but, on 26 July 2023, 96,174 original video files were permanently deleted.
While 95,033 of those files had reportedly been copied to a new system before deletion, SYP admitted that incomplete record-keeping made it impossible to confirm exactly how much data was lost.
The damage wasn’t just operational. The loss impacted 126 criminal cases, and significantly, it also compromised the force’s ability to respond to Subject Access Requests (SARs).
Under UK GDPR, individuals have the right to access their personal data. When records are lost because of poor governance, those rights disappear.
Article 15 gives individuals the right to access their data. Article 5(1)(d) requires organisations to keep data accurate and up to date. Deleting thousands of files by mistake is the opposite of compliance.
It’s a reminder that SARs aren’t just an administrative process. They depend on good governance, reliable systems, and a culture that treats data as valuable.
The ICO identified several failings:
These are not isolated technical failures. They are systemic governance gaps that many organisations, public and private, may unknowingly share.
So, what can we learn from this? Here are four actions that every organisation should consider:
1. Robust Data Mapping
Know what personal data you hold, where it’s stored, and who has access to it. Without this, even the best systems are blind spots waiting to happen.
2. Turn Policies Into Practice
Define procedures for data collection, access, transfer, backup, and deletion. Make sure these are enforced, not just written.
3. Proactive Risk Assessments
New systems, upgrades, or vendors all bring risks. Identify them before switching anything on.
4. Audit and Stress-Test Regularly
Don’t wait for an ICO reprimand to discover your governance is failing. Run reviews and spot-checks as part of business as usual.
What is the risk of poor data governance?
It’s more than just an IT headache. Poor governance can block SAR responses, lead to regulatory action, damage your reputation, and even trigger legal claims.
What happens if you can’t fulfil a SAR because the data is lost?
You’re still expected to respond. You must tell the individual that the data is no longer available and explain why. But if the loss was avoidable, the ICO may still see it as a failure to meet your GDPR duties.
Is it a breach if the data was deleted but not accessed by a third party?
Yes. A personal data breach isn’t just about leaks. Under Article 33, loss, destruction, or unauthorised alteration of personal data can all count as breaches — even if no third party saw the data.
Do backups need to be GDPR compliant too?
Absolutely. Backups are still personal data. They must follow the same rules on security, retention, access, and lawful processing. A backup that isn’t GDPR-compliant isn’t really a backup at all.
At Data Protection People, we specialise in helping organisations build proactive, scalable data governance frameworks that reduce risk and support GDPR compliance.
We support clients with:
Whether you’re a police force, public authority, or commercial business, we’ll help you move from reactive data management to proactive governance.
Contact us to speak to one of our consultants or enquire about our GDPR audit or SAR management services.
Between June 2025 and June 2026, the government will implement the Data (Use & Access) Act (DUAA) to promote innovation and economic growth nationwide.
The DUAA makes several updates to data protection law, of which the ICO says ‘make things easier for organisations, while [protecting] people and their rights’. But with changes comes uncertainty, leaving businesses and data protection experts alike wondering how they can prepare themselves.
In this blog, we cover your next steps and the opportunities available to simplify data protection compliance.
The Data (Use & Access) Act is as technical a read as the UK GDPR, PECR and Data Protection Act (DPA). Your Data Protection Officer (DPO) or the people responsible for managing compliance will need to spend time assessing the changes the DUAA makes to data protection law.
In our podcast, Data Protection Made Simple, we break the DUAA down into simple terms and provide practical tips for staying compliant with the law. Listen in now:
If you need more support, our data protection consultancy can help run through which changes impact your business the most.
Under the DUA Act, data subjects now have the right to complain directly to a data controller if they believe their personal data is being processed unlawfully. Initially dealt with by the ICO, controllers now must have a formal complaints process for handling data protection concerns.
Your complaints procedure should include:
*Responses must be within 30 days of receiving the complaint.
One in five UK internet users is a child, so there’s every chance your online service may be used by an age group you never designed for. The DUAA expects you to prioritise the best interests of a child when designing and developing online services, ensuring they are protected in the digital age.
This applies to a variety of services, including apps, websites and connected toys. If you meet the existing Age Appropriate Design Code (AADC), you will have already satisfied this new requirement.
The DUAA is expected to make subject access request (SAR or DSAR) handling and response easier; therefore, your internal procedure should now provide this flexibility.
Your procedure should make clear:
Under the DUA Act, consent is no longer required where cookies or similar technologies fall within low-risk processing. These exempted purposes include:
You must assess whether your website’s analytics or functional cookies qualify for this exemption, considering whether they are strictly necessary and low risk. With this in mind, you’ll need to update cookie consent banners, policies and internal documentation to reflect the change in consent.
For charities, you will also have to implement a clear opt-out option for direct marketing sent based on the soft opt-in rule.
One way the DUAA is promoting innovation is through its new provisions (Articles 22A-22D of the UK GDPR) governing automated decision-making (ADM).
To welcome this innovation, make sure you:
You may know what to do, but how you need to do it might not be as clear. Now is the perfect time to schedule some refresher data protection training to ensure everyone is up to speed.
As a training provider, we can support your business with training tailored to your sector and processing requirements. All courses are up to date with the DUA Act, so your team will receive the latest insights on maintaining compliance.
As a GDPR consultancy, our goal is to make data protection easy to understand and easy to do. If you need expert support navigating the DUAA, please contact our team, and we’ll be in touch.
The Data (Use and Access) Bill was first introduced in October 2024 to replace its failed predecessor, the Data Protection and Digital Information (DPDI) Bill.
On June 19th, 2025, this bill became an Act of Parliament. Now known as the Data (Use and Access) Act (DUAA), this Act is one of the most significant changes to the UK data protection law since the GDPR.
In this article, we examine the key provisions in the Act that will impact the UK GDPR, DPA and PECR legislation.
Yes – the Data (Use and Access) Act (2025) makes changes to the following UK data protection laws:
The DUAA does not replace any laws; it only amends and introduces new provisions.
The Data (Use and Access) Act has made changes in the following areas:
Prior to the DUAA, Article 22 of the UK GDPR restricted automated decision-making unless it was done with the individual’s consent, permitted by UK law, or necessary for a contract between an individual and a business.
The DUAA replaces this Article with Articles 22A-22D, which allow for greater flexibility in using ADM, provided that the necessary safeguards are in place. These include:
Restrictions are only in place when using special category data (e.g., race, health, or biometric data), reinstating what was required pre-DUAA. Organisations can only use this data for ADM if they have consent, or where necessary for substantial public interest.
The DUAA now provides further transparency of a business’s obligations when handling DSARs (also known as SARs).
Previously, businesses had one month to respond to a subject access request as soon as it was received. The DUAA introduces a “stop the clock” provision, which allows organisations to pause the response time until they have enough information from the individual to clarify the request.
Once they have the relevant information, the one-month response time continues.
Previously, the law did not explicitly state that responding to DSARs had to be “reasonable and proportionate” (i.e., not requiring undue effort to complete the search). The DUAA clarifies what constitutes disproportionate effort, offering more flexibility to DPOs managing complex or voluminous requests.
Section 81 of the DUAA introduces an explicit duty of care for providers of online services accessed by children. These controllers must take into account the “children’s higher protection matters” (Article 25(1B)) when designing services for children.
When choosing the appropriate technical and organisational measures, controllers must consider:
The DUAA introduces the concept of ‘broad consent’, previously outlined in the UK GDPR recitals, into the main text of the legislation.
This measure allows researchers to rely on broad consent, whereby individuals consent to their information being used for an “area of scientific research” rather than a more specific purpose. Gaining broad consent is contingent upon meeting the ethical standards relevant to the area of research.
There is now a list of recognised legitimate interests under Article 6(1)(f) of the UK GDPR, which includes:
When data processing is based on any of these interests, no balancing test is required. This test, also known as a legitimate interests assessment, balances the controller’s interests against the individual’s rights and freedoms to ensure processing is fair.
Removing the balancing test recognises the ‘societal value of the processing in specified situations and the potential negative impacts of any delay.’
Under the DUAA, international data transfers are permitted if the receiving country has data protection standards that are similar (not materially lower) to those of the UK. This replaces the EU-style adequacy framework, making it easier to approve data transfers to a wider range of countries.
Rather than being ‘essentially equivalent’ and now ‘materially lower’, the UK has more flexibility to transfer data outside of the EU’s stricter standards.
Data subjects now have the right to complain to a data controller if they’re concerned that the way their information is processed breaches data protection law.
While individuals have always had the right to complain, the DUAA now places the burden for acting on that complaint with the controller, rather than the ICO.
In response to this, controllers must implement a clear response procedure, whereby all complaints are acknowledged within 30 days of receipt. Controllers are also required to respond without undue delay and inform the individual of the outcome.
For more insight, read our recent blog on this new complaints provision to find out how you can prepare.
Currently, all powers and responsibilities are held by one individual, the Information Commissioner. The DUAA will replace the ICO with the Information Commission, which will be led by a chair and a chief executive, with other non-executive and executive members also in place.
This significant institutional change will promote diversity in decision-making by sharing across the board, rather than a sole decision-maker.
The Information Commissioner will have additional duties to consider, which you can learn about on GOV.UK’s ICO factsheet.
The Data (Use and Access) Act now requires communication providers to report personal data breaches to the ICO ‘without undue delay’ and no later than 72 hours of becoming aware.
The PECR currently requires businesses to report breaches within 24 hours, so the new time period (72 hours) is in line with the reporting period under the UK GDPR.
The DUAA aligns the maximum fines for PECR breaches with the UK GDPR, increasing them to £17.5 million or 4% of a company’s global annual turnover, whichever is greater.
With the original fine at £500,000, this increase places significant responsibility on businesses to strengthen PECR compliance.
Charities can send marketing emails and texts to individuals who have expressed interest or offered support to the charity. This is known as the ‘soft opt-in rule’, which allows charities to send electronic marketing without needing explicit consent.
Individuals must be able to opt out at any time, whether it’s at the first instance or later down the line. This means charities can continue to send communications to an individual until they explicitly opt out.
While the PECR required consent for all but ‘strictly necessary’ cookies, the DUAA introduces new exemptions for specific ‘low-risk’ scenarios, provided that clear information and an opt-out option are offered to users.
Under the new rules, consent is no longer required for the use of cookies for the following purposes:
Changes to data protection law will come into force two to twelve months after Royal Assent (June 2025). GOV.UK will announce further details of the regulations and the exact dates when each measure will commence.
Our podcast, Data Protection Made Easy, is your go-to hub for the latest news and changes in data protection law. Recently, our team hosted two live sessions discussing the DUA Act and how businesses can prepare going forward.
Catch up and listen to:
Our award-winning podcast is available on Spotify, Amazon Music and many other podcast sites. Subscribe now to avoid missing out.
Our data protection consultancy can help you prepare for all the changes in the DUAA. Whether it’s setting up a complaints procedure or updating cookie consent, we’re here to guide you through.
Need support? Get in touch with our team today.
On Thursday, 18th July 2025, we hosted Part Two of our DUA Act discussion, with over 200 live attendees joining us for a deeper dive into the Data (Use and Access) Act 2025.
Led by Phil Brining and Caine Glancy, this session focused on answering the questions raised in Part One, exploring complex scenarios, and sharing practical advice for professionals preparing for the new regulations.
If you couldn’t attend live or want to revisit the insights, you can now listen back to the full recording and access the presentation slides shared during the event.
Click below to listen to Part Two on Spotify or search ‘Data Protection Made Easy’ on Apple Podcasts, Audible or any major platform.
Download the Slides
We’ve made the full slide deck from Part Two available to download and share:
Download Part Two Presentation Slides
By joining our free community, you’ll get:
We’re here to help you transition confidently into the new data protection landscape, making compliance clearer, simpler, and more achievable.
On Friday, 28th June 2025, we hosted our biggest podcast session ever, with 295 live attendees joining us to explore the Data (Use and Access) Act 2025.
Hosted by Phil Brining, Caine Glancy, and Catarina Santos, the session provided a clear and practical breakdown of the most significant changes to UK data protection law since the GDPR.
Whether you missed it live or want to listen again, you can catch the full episode now and download the slide deck shared during the session.
Click below to listen to the episode via Spotify or find us on Apple Podcasts, Audible and all major streaming platforms.
Download the Slides
We’ve made the full slide deck from the session available to download and share:
Download Presentation Slides
Due to overwhelming demand and brilliant questions from our community, Part Two is already confirmed. In this follow-up session, we’ll dig deeper into unanswered questions, explore real-world scenarios, and share practical next steps for compliance and governance.
Click here to visit the Part Two event page and register your place: View Part Two
By joining our free community, you’ll get:
We’re committed to supporting our community through the transition to the DUA Act and beyond, making compliance simpler, clearer, and easier to manage.
Data Protection Made Easy Podcast – Episode 214
After one of our most popular episodes to date, Data Protection Made Easy is back on Friday 13th June with Part Two of our deep dive into Subject Access Requests (SARs) from employees and ex-employees.
Our expert hosts Catarina Santos, Phil Brining and Caine Glancy return with special guest Nia Roberts to pick up where we left off, tackling some of the most challenging real-world scenarios and offering practical advice you can put into action.
Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.
Understanding What Drives SARs
We’ll begin by exploring the reasons why employees and former staff submit SARs. Understanding their motivations – whether it’s part of a grievance, a disciplinary matter, or simply curiosity – can help you take a more informed, strategic approach when responding.
When You Must Respond – And When You Don’t
We’ll clarify the legal obligations around SARs, including when you are required to respond and the circumstances under which you may lawfully refuse. We’ll cover how to apply exemptions correctly and avoid common legal missteps.
Managing Excessive or Repetitive Requests
Some SARs are straightforward, but others can be lengthy, repeated or even used tactically during disputes. We’ll discuss practical strategies for managing high-volume or difficult requests while staying compliant and maintaining control.
Balancing Transparency and Internal Protection
Sharing data is a legal requirement, but it can pose risks. We’ll explain how to balance the need for openness with the importance of protecting internal communications and third-party data, especially in sensitive workplace situations.
Lessons from Real Grievance and Disciplinary Cases
We’ll walk through real examples where SARs intersect with HR issues, highlighting the challenges and how they were overcome. These case studies bring the legislation to life and offer useful insights for handling similar requests in your own organisation.
Proactive Preparation: Getting Ahead of SARs
Being prepared can save you a lot of time and stress. We’ll share practical steps to help you get ready for future SARs, such as mapping employee records, putting redaction protocols in place, and training managers to write with potential disclosure in mind.
Avoiding Common Mistakes
From over-disclosing sensitive data to misinterpreting exemptions, there are several pitfalls to watch out for. We’ll help you spot the most common mistakes and show you how to avoid them through better planning and communication.
Handling Escalation and Risk
Sometimes SARs escalate into wider legal or reputational issues. We’ll outline how to manage those risks and what to do when a request becomes more than just a request – protecting your organisation and your people in the process.
The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.
Subscribe to our mailing list by emailing info@dataprotectionpeople.com
Join live discussions every Friday at lunchtime
Find out more about our events, training, and in-person roundtables
As always, this podcast is completely free to attend and open to everyone. Whether you’re new to SARs or navigating a particularly difficult one, this session will leave you better equipped to respond with clarity and confidence.
Know someone who would benefit? Share the podcast link and help others take the complexity out of compliance.
Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.
Data Protection Made Easy Podcast – Episode 114
Subject Access Requests (SARs) submitted by current or former employees are among the most sensitive and complex data protection challenges organisations face. In Episode 114 of the Data Protection Made Easy Podcast, we welcomed Nia Roberts from Woodgate & Clarke to share her insights alongside our regular hosts Philip Brining, Catarina Santos, and Caine Glancy.
If you’re involved in HR, legal, compliance, or data protection, this is an episode you won’t want to miss. SARs from staff can surface during contentious periods and often involve highly personal data, workplace grievances, and emotionally charged decisions.
Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.
This session dives into some of the most frequently asked questions and overlooked risks when handling SARs from employees and ex-employees. The team explored:
From employment disputes and grievances to misunderstanding of rights, we discussed the motivations behind employee SARs and how these requests are sometimes unfairly perceived as “troublemaking.”
As Catarina Santos explained, it’s essential to reframe the narrative:
“The moment an employee submits a SAR, there’s often suspicion. But they’re simply exercising a right, and organisations need to avoid viewing this as a hostile act.”
The episode opened with a reflection on how important organisational attitude is when dealing with SARs internally. Do line managers panic? Do HR teams try to limit the scope unfairly? The cultural tone of how SARs are approached sets the standard for compliance, and respect for rights.
This episode was particularly lively, with dozens of listeners sharing personal experiences in the live chat, from management asking for redaction reviews to WhatsApp messages being considered disclosable.
Philip Brining highlighted the value of the community:
“We’re not here to preach, we’re here to learn from each other. Today’s discussion proved again how much experience exists across this community.”
Are your workplace chat tools covered by SARs? Very possibly. The group discussed how platforms like Microsoft Teams, Slack, and WhatsApp are increasingly scrutinised during employee SARs especially if conversations include personal data.
SAR compliance doesn’t mean giving everything. As Caine Glancy pointed out, organisations must strike a balance between access and protection:
“It’s easy to get swept up in emotion, especially when the SAR involves current staff. But we need to remain impartial, proportional, and legally grounded.”
The team also touched on unfounded and excessive requests, case law, and the ICO’s guidance on managing SARs in the workplace — especially when IT systems and data security are involved.
What made this episode stand out was the depth of real-world experiences shared. Guest speaker Nia Roberts brought front-line insight, including how to manage expectations and collaborate across departments:
“You need strong communication between data protection and IT teams. It’s essential, especially when you’re dealing with chat logs or historic data held in messaging tools.”
The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.
Subscribe to our mailing list by emailing info@dataprotectionpeople.com
Join live discussions every Friday at lunchtime
Find out more about our events, training, and in-person roundtables
Due to overwhelming demand and an overflowing chat box, we’re exploring a Part 2 to this session, diving deeper into recurring SAR issues, including excessive requests, HR workflows, and lessons from recent case law.
Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.
This month, we’re offering free consultations on SAR handling to any organisation looking to improve their internal process.
Whether you’re struggling with redaction, document searches, or managing requests from difficult cases, speak to one of our experts for practical support.
📩 Simply email us at info@dataprotectionpeople.com with the subject line “SAR Support”, and we’ll book in a free 30-minute consultation.
We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.
View AllOur mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.
