The UK's #1 Data Protection Consultancy

Data Protection & Information Security Experts

Data Protection Made Easy.

Join our extensive list of clients who have their data privacy under control

Accelerate Your Data Protection Compliance

Save Time, Save Money and Relax: You’re In Safe Hands

Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.

GDPR Training

Data Protection People have a wide range of training services catering for every need. Whether it's general training for operational or admin staff or specific training for specialist roles, we have something for you. Watch the short video below to meet the team and find out more about our training services.


Information Management Software

DataWise is the original privacy tech platform designed to simplify GDPR compliance management. Since its inception in 2011, DataWise has continuously evolved, solidifying its reputation as the pioneering "privacy tech" solution.


Data Protection Consultancy

Unlock Compliance Excellence with Our GDPR Consultancy Services. Navigating the intricate realm of data protection laws and standards demands expert guidance.


Outsourced DPO

A data protection officer doesn't have to be a full time employee and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services or reach out and get in touch with us.


Need Help With Cyber Security Compliance?

We Have You Covered!

At Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.

PCI DSS Compliance Services for Merchants

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.


PCI DSS Compliance Services for Service Providers

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS). The standard applies not only to merchants but also to service providers that store, process or transmit cardholder data on their behalf.


External Attack Surface Management

Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.


ISO 27001

Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.


Supporting DPOs

Flexible Support When You Need It

At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.

Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.

Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.

Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.

Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.

Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.

Diverse Sector Experience

Access to a Team of Industry Experts

At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.

Commercial Sector

Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.

SMEs

Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimize your operations, and scale confidently with our tailored solutions that prioritize your unique business needs.

Third Sector

For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.

Multi Nationals

For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavors with resilience.

Public Sector

In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.

Why Use Our Outsourced DPO Services?

Save Time, Money and Guarantee Compliance

Navigating the intricate landscape of data protection demands more than just a DPO — it requires a dedicated team committed to excellence. Our Outsourced DPO Services extend beyond the traditional role, offering a comprehensive approach to legal compliance and pragmatic solutions.

Why Choose Outsourcing?

An outsourced DPO brings a wealth of experience, not just in the law but also in crafting workable solutions. Their impartiality is fortified by a team of privacy practitioners, ensuring that your organization benefits from a spectrum of expertise. Should the need arise, seamless coverage during absences is guaranteed, eliminating the vulnerability associated with a single in-house DPO.

Staying Headache-Free

Concerned about the disruption if your DPO moves on? With an outsourced model, transitions are smooth, and you won’t experience the sudden headache of a critical role vacancy. The continuity provided by a team ensures that your data protection responsibilities are seamlessly handled.

Compliance Tailored to You

Our Outsourced DPO Services align seamlessly with your legal obligations, whether you’re mandated to appoint a DPO or choose to do so voluntarily. We understand that compliance is not just about ticking boxes but about ensuring a robust, practical approach to data protection. Choose Data Protection People for a worry-free, compliance-driven outsourced DPO solution — because your data protection journey should be as smooth as it is secure.

“I can't recommend Data Protection People enough; they have helped me in so many different areas. No matter how complex the challenge or how large the obstacle, DPP always has the answer.

I can call the team at any time and have built an amazing relationship with them; in times of frustration they are here to calm me down and create a plan. They are a pleasure to work with.”

Mark Leete
Eastlight Community Homes

‘I found the FOI training session to be highly informative and well-structured. It covered all the key areas comprehensively and provided clear, practical guidance throughout. The content was easy to follow, and the delivery by Gary was engaging, making complex topics accessible and understandable’. 

‘The training session has really helped me to understand the IG rep role a bit more and what I need to be thinking about when receiving a request for information’. 

Charlene Haynes & Team
Tendring District Council

“I have worked with the Data Protection People for some time now. Their expertise has been drawn upon to assist us with our GDPR compliance gap analysis project, ROPA design and production through to conducting objective reviews and surveys. They are always available to help us out and their advice and guidance is excellent and delivered in a timely way. Special mentions to Kathy Midgley, Phil Brining, and David Hendry. A great, reliable and dependable service!”

Judy Barker
Dyslexia Action

“A great service and peace of mind. Data Protection People provides a well-rounded service to ensure customers are fully supported in their approach to GDPR compliance. My interaction has largely been with the following people: Kathy Midgley – another great asset to the organisation. Always approachable, always helpful and consistently supportive to the team and customers.”

Julie Ferguson
Veritau

“We have been working with the Data Protection People for many years now, and have found them to be insightful, helpful, and knowledgeable in all areas of Data Protection Compliance. Data Protection People have taken the time to understand our business, the regulatory environment we sit under, and the unique challenges we face in the industry. They have supported us in all areas of Information and Data Security, assisting in assessments of our policies and changes to our processes. They are always willing to go the extra mile and prioritise support where required.”

Nia Roberts
Woodgate & Clark

Data Protection People Blogs & Podcasts

Data Privacy Learning & Guidance

Data Protection People have the UK’s #1 Data Protection Podcast, with over 150 episodes available across all audio streaming platforms. We also post regular content designed to simplify complex areas of data protection and cyber security. Check out some of the podcasts and articles below and make data protection easy today.

Ransomware Strikes London Nurseries

Ransomware Strikes London Nurseries – A Wake-Up Call for Child Data Security

What Happened?

In early October 2025, the Met Police announced the arrest of two 17-year-olds in Bishop’s Stortford on suspicion of computer misuse and blackmail, after a ransomware attack on Kido International, a London nursery group. The attackers, calling themselves “Radiant”, stole personal data on roughly 8,000 children (names, photographs, addresses and parent contacts) from the nurseries’ cloud system.

They then threatened to publish more records unless Kido paid about £600,000 in Bitcoin. A small sample of 10 children’s profiles was posted on a dark-web site to pressure the company, and the group even began phoning parents directly. (After public outcry the hackers later blurred and claimed to delete the images.) Kido says the breach came via its nursery software provider Famly, although Famly insists its own infrastructure was not compromised. Regardless, the data loss forced Kido to notify authorities (via Action Fraud) and affected families.

Metropolitan Police Head of Economic and Cybercrime Will Lyne urged calm but vigilance, noting that specialist investigators have been working “at pace” on the case. He acknowledged that such reports “can cause considerable concern” for families, but reassured the public that the matter is being “taken extremely seriously”. These arrests, though welcome, are only a “significant step” in the ongoing investigation to bring the perpetrators to justice. The police continue to gather intelligence and warn that the inquiry is far from over.

Why Children’s Data Is So Valuable

Children’s personal data is a prized commodity for fraudsters. In the U.S., for example, child identity fraud has long been a hidden epidemic, costing victims nearly $1 billion per year. Because children have clean credit histories (and typically don’t monitor their credit until adulthood), their stolen data can be used to open accounts or commit financial fraud undetected. As one report notes, an infant’s information essentially provides a “clean credit history” for criminals, since child identity theft often goes unnoticed for years. Criminals prize children’s records for the same reason: they are fresh, untarnished by previous misuse, and can fuel years of fraudulent activity. In short, any breach of nursery or school data exposes families to the risk of long-term identity theft and financial loss.

Education and childcare organisations have become major ransomware targets. Early years settings handle highly sensitive personal information and even payments, making them “appealing target[s] for cybercriminals due to the sensitive information they hold,” according to the UK’s National Cyber Security Centre (NCSC). The risk is acute: schools and nurseries often hold medical records, safeguarding notes, and other sensitive data on each child, plus contact details for parents. Like healthcare, the education sector has very low tolerance for downtime; attackers know institutions may pay to restore operations quickly. Indeed, the ICO has reported that student attackers themselves are behind many school data breaches. 57% of insider breaches in UK schools (2022–24) were caused by pupils exploiting weak passwords or misconfigured systems. Whether the threat comes from external gangs or curious teens, regulators say the findings are “worrying” and urge education settings to step up cybersecurity immediately.

Recommendations for Nurseries and Education Providers

To protect children’s data and comply with UK GDPR and the Data Protection Act, nurseries should implement strong security and incident-preparation measures. Key steps include:

Risk Assessment and DPIAs

Treat any system holding children’s records as high risk. Conduct a Data Protection Impact Assessment that explicitly considers children’s rights, as required under the ICO’s Age-Appropriate Design Code. Classify large databases and any children’s personal data as requiring enhanced security.

Technical Controls

Follow NCSC ransomware mitigations and the ICO’s guidance on data security. This means patching devices promptly, using firewalls and anti-malware tools, and enforcing strong access controls (unique accounts, least privilege, multi-factor authentication) on all systems containing pupil or staff data. Where possible, encrypt sensitive files and emails, so that stolen data remains unreadable.

Backup and Recovery

Maintain up-to-date, offline or air-gapped backups of all critical systems and data. Test your disaster recovery plan regularly. If systems are encrypted by ransomware, you must have a way to restore operations from backups without paying the ransom.

Staff Training and Policies

Provide staff with regular cybersecurity awareness training (phishing simulations, password hygiene, device security). Train reception and finance teams especially, since attackers often use phone calls or fake invoices to breach schools. Remind all employees that data protection is not “just an IT problem”; even leaving a tablet unlocked or sending information to personal email can cause reportable breaches. Refresh UK GDPR and security training at least annually, as recommended by the ICO. You can learn more about our Data Protection Training programmes here.

Third-Party Oversight

Vet any outsourced providers (like cloud software or payroll firms). For example, Kido’s incident involved a nursery-management app. Make sure contracts require prompt breach notification by vendors, and verify their compliance with GDPR. If a supplier reports a security issue, treat it as a potential breach of your own data.

Incident Response Plan

Prepare and practise an incident response plan (use the NCSC’s “Exercise in a Box” tool). Define roles and notification procedures in advance. Know the legal requirements: under UK GDPR, report any personal data breach that poses a risk to individuals to the ICO within 72 hours, and inform affected families without undue delay. The ICO’s ransomware guidance emphasises having an IR plan with clear thresholds for ICO and data-subject notification. Remember that loss of availability (ransomware lockout) is itself a notifiable personal data breach.

Cyber Essentials and Audits

Consider certification under Cyber Essentials (basic cybersecurity standard for UK organisations) and perform regular security audits or penetration tests. Keep logs of access and reviews of user accounts, and rectify any dormant or excessive privileges. Learn more about our Data Protection Support services to help with audit readiness.
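The account review that the “Technical Controls” step (unique accounts, least privilege, multi-factor authentication) and the audit step above (rectify dormant or excessive privileges) both call for, written out as an added Python example. It is not Data Protection People’s code or any product’s: it runs over a constructed account export and flags shared accounts, missing MFA, dormant or never-used accounts, and admin privilege that is not on an approved list. The account records, the review date, the 90-day dormancy threshold, the shared-account markers and the approved-admin list are all assumptions chosen for illustration.

```python
"""Periodic access review over a constructed account export.

Added example, not the page's or any vendor's code. All policy values and
sample records below are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    display_name: str
    roles: List[str]              # e.g. ["staff"] or ["staff", "admin"]
    last_login: Optional[date]    # None means the account has never been used
    mfa_enrolled: bool


# Constructed sample export, as a nursery-management or MIS system might provide it.
ACCOUNTS = [
    Account("jsmith", "Jane Smith", ["staff"], date(2025, 9, 28), True),
    Account("reception", "Front Desk (shared)", ["staff"], date(2025, 10, 1), False),
    Account("pbrown", "Paul Brown", ["staff", "admin"], date(2025, 3, 2), True),
    Account("ahughes", "Amy Hughes", ["staff", "admin"], date(2025, 9, 30), True),
    Account("tmp-contractor", "Temp Contractor", ["staff"], None, False),
]

# Assumed policy values (hypothetical): who may hold admin, how long before an
# account counts as dormant, and name fragments that suggest a shared login.
APPROVED_ADMINS = {"ahughes"}
DORMANT_AFTER = timedelta(days=90)
SHARED_MARKERS = ("reception", "shared", "office", "admin@")
REVIEW_DATE = date(2025, 10, 10)   # constructed "today" for the review


def review_accounts(accounts: List[Account], today: date,
                    approved_admins=APPROVED_ADMINS,
                    dormant_after=DORMANT_AFTER) -> Dict[str, List[str]]:
    """Return {username: [findings]} for every account that needs attention."""
    findings: Dict[str, List[str]] = {}
    for acc in accounts:
        issues = []
        label = f"{acc.username} {acc.display_name}".lower()
        # Unique accounts: a login shared by a team cannot be tied to a person.
        if any(marker in label for marker in SHARED_MARKERS):
            issues.append("shared or generic account: issue unique accounts")
        # MFA on every account holding pupil or staff data.
        if not acc.mfa_enrolled:
            issues.append("MFA not enrolled")
        # Dormant and never-used accounts are standing risk; disable or remove.
        if acc.last_login is None:
            issues.append("never logged in: remove or disable")
        elif today - acc.last_login > dormant_after:
            idle = (today - acc.last_login).days
            issues.append(f"dormant: no login for {idle} days")
        # Least privilege: admin only where explicitly approved.
        if "admin" in acc.roles and acc.username not in approved_admins:
            issues.append("admin role not on approved list: reduce privilege")
        if issues:
            findings[acc.username] = issues
    return findings


def run_review() -> Dict[str, List[str]]:
    """Run the review over the constructed export at the constructed review date."""
    return review_accounts(ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, issues in run_review().items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Accounts with no findings are omitted from the result, so an empty dictionary means the export is clean. Keeping the output of each run alongside the access logs gives the auditable record of reviews that the Cyber Essentials and audit step asks for.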

Guidance for Parents

Parents and carers play a key role in mitigating risk. The Kido attack shows that no data is 100% safe once breached, but families can take precautions:

Verify Communications

Ignore unsolicited calls, texts or emails demanding payment or personal information. In this case, parents were directly threatened by the attackers; if your child’s nursery contacts you, expect it to be through official channels (direct lines or named staff). If in doubt, hang up and call the nursery’s main office or law enforcement.

Protect Personal Data

Limit how much of your child’s identifying information you share online. Avoid posting school ID numbers, addresses, or birthdays alongside photos on social media. Even innocent sharing can give fraudsters clues. Teach older children not to divulge personal details to strangers or on public forums.

Monitor for Identity Theft

Consider checking or freezing your child’s credit files. In the UK, parents can request a report for their child (or freeze it) with major credit agencies once the child is old enough to have a credit file. If you suspect your child’s identity has been misused, report it to Action Fraud and the relevant financial institutions immediately. The long-term impact of child ID theft can linger (as in a noted case where a teen only discovered years later that her infant data was used to open accounts).

Follow Official Guidance

Stay informed via reputable sources. The NCSC and ICO both stress the importance of baseline security for families, such as using strong unique passwords and up-to-date software on home devices. The NCSC has published specific advice for early years settings and for individuals worried about breaches. Resources like GetSafeOnline.org and the ICO’s breach recovery guides can help you and your child respond to any suspicious activity.

Conclusion

This incident is a stark reminder that even trusted institutions can be breached, and that children’s data is uniquely valuable to cybercriminals. While law enforcement works to hold the culprits to account, nurseries and parents must both shore up defences and remain vigilant. Following official guidance from the ICO and NCSC is key. By combining strong technical controls, clear policies and open communication with parents, early years providers can better protect the children in their care. Likewise, parents should use the tools and advice available to safeguard their family’s digital identity.

Sources

National Cyber Security Centre
ICO: Insider Threats in Schools
BBC News
National Crime Agency

ISO 27001 at 20

ISO 27001 at 20: Reflecting on Two Decades of Information Security Excellence

This year marks the 20th anniversary of ISO 27001, the world’s leading information security management standard. Over two decades, ISO 27001 has become a global benchmark for protecting data, reducing cyber risk, and embedding security culture. As we approach the transition deadline for the 2022 update, now is the perfect time for organisations to take stock of their compliance journey.

What’s Changed: From BS 7799 to ISO 27001:2022

Before ISO 27001 became a global standard, its origins lay in the UK’s own BS 7799, first published in the 1990s. This framework evolved into ISO 27001 in 2005 and quickly gained international recognition for setting out what an effective Information Security Management System (ISMS) should look like.

The most recent version, ISO 27001:2022, modernises the standard for today’s digital landscape. While the management clauses remain largely familiar, the control set has been restructured to reflect new risks, technologies, and ways of working.

Main updates in ISO 27001:2022

  • The number of controls has reduced from 114 to 93.
  • Controls are grouped into four new categories: organisational, people, physical, and technological.
  • New controls have been introduced to address modern risks such as cloud services, threat intelligence, and remote working.
  • Each control now includes attributes that describe its purpose, making the standard more flexible and user-friendly.

These changes bring ISO 27001 in line with other management system standards through the Annex SL structure, which simplifies integration with frameworks like ISO 9001 (Quality Management) and ISO 22301 (Business Continuity).

Why It Matters for UK Organisations

ISO 27001 remains the gold standard for demonstrating information security maturity, and the 2022 update represents a significant evolution. For UK businesses, this update isn’t optional: it’s a mandatory transition with a clear deadline.

  • Transition deadline: All ISO 27001:2013 certifications will expire on 1 November 2025. After this date, organisations must be certified to ISO 27001:2022.
  • Improved alignment: The new structure makes it easier to integrate with other ISO standards, streamlining management processes.
  • Modern security relevance: Updated controls address emerging threats such as cloud computing, supply chain security, and hybrid working environments.
  • Enhanced business credibility: Certification to the latest version signals strong governance and builds trust with clients, partners, and regulators.

What You Should Be Doing Now

With less than a year until the transition deadline, organisations certified under ISO 27001:2013 should be well underway with their upgrade plans. Here’s how to get started:

  • Confirm your certification status: Check which version of ISO 27001 your organisation is currently certified against and when your next audit is due.
  • Conduct a gap analysis: Compare your existing ISMS against the 2022 control set. Identify any new, merged, or removed controls that affect your environment.
  • Update policies and documentation: Ensure your ISMS documentation reflects new control terminology, roles, and risk management processes.
  • Train your team: Make sure everyone involved in your ISMS, from IT to HR, understands the new structure and control requirements.
  • Engage your certification body: Confirm they are accredited for ISO 27001:2022 and schedule your transition audit well before the November 2025 deadline.
  • Seek expert support: If resources are stretched, external consultants can provide transition planning, control mapping, or pre-audit support to make the process smoother.

Our View / Final Thoughts

Twenty years on, ISO 27001 continues to be the cornerstone of information security best practice. Its evolution shows how adaptable the framework is, maintaining timeless governance principles while responding to modern threats such as AI, remote work, and data sovereignty challenges.

At Data Protection People, we see ISO 27001:2022 not just as a compliance exercise, but as a strategic opportunity. Transitioning effectively strengthens resilience, improves stakeholder trust, and demonstrates that your organisation takes information security seriously.

If your certification is still under the 2013 version, now is the time to act. Our experts can support your transition with ISO audits, staff training, and ongoing compliance support.

FAQs

When do we need to transition to ISO 27001:2022?

All certifications under ISO 27001:2013 will expire on 1 November 2025. Transition audits should be completed before that date to avoid a lapse in certification.

What are the biggest changes in ISO 27001:2022?

The most significant updates are the streamlined control set (from 114 to 93), new control categories, and the addition of modern topics such as cloud security and threat intelligence.

Do all organisations need to adopt the new controls?

Every organisation must review all 93 controls, but not every control will apply. Applicability depends on your ISMS scope and risk assessment.

What happens if we don’t transition in time?

Your ISO 27001:2013 certification will become invalid after November 2025, and you may need to restart the full audit process, which is more costly and time-consuming than a transition audit.

Can DPP help with our ISO 27001 transition?

Yes. Our consultants can guide you through the transition process, from gap analysis and policy updates to training and audit preparation. Get in touch to learn more.

Keeping Your Data Safe: A Practical Guide for UK Businesses

Data breaches and GDPR compliance can feel overwhelming for UK businesses. The cost of getting it wrong is significant: fines, reputational damage and the potential for massive business disruption.

Protecting your company’s data is both a legal and operational necessity, but it doesn’t have to be complicated. In this guide, we will look at how regular audits, strong internal controls and even a dedicated role within your organisation can make data protection straightforward.

Understand Your Data Landscape

The first step to protecting your company’s data is simply understanding what you’re working with. The questions you need to answer are:

  • What kind of personal data does your company hold?
  • Where is it stored? 
  • Who has access?

If you can’t answer these questions confidently, undertaking a data mapping project will help you identify and understand the data that you collect, hold and store. 

Carry Out Regular GDPR Audits

A GDPR audit is a review of your organisation’s data handling practices to assess whether they are compliant with the UK General Data Protection Regulation (UK GDPR). It’s essential to ensure that your business meets its legal obligations, mitigates any risks of data breaches and implements necessary improvements.

Appoint a Data Protection Officer (DPO)

If your business carries out large-scale processing activities or is a public authority or body, then you need to hire a Data Protection Officer or outsource one. 

A DPO monitors GDPR compliance, leads audits and acts as liaison with the ICO. They also provide guidance to management and employees who handle data.

If you’re a small or medium-sized business, then outsourcing a DPO might be more cost-effective, more impartial and more expert-led than hiring one in-house.

Strengthen Access Controls and Staff Training

One of the key measures you can take to keep your company’s data safe is implementing user access control. This means granting access to systems and data only to those who require it for their role. It also includes things like two-factor authentication and password control.

Regular training on data handling for all staff is also important, even if it’s just the basics, such as reporting incidents, phishing awareness and device locking. 

Have a Breach Response Plan

Do you know what to do if you’ve suffered a data breach? If you don’t, you could inadvertently be making the situation worse. Quick detection and response can not only potentially reduce the scale of the breach, but it can also reduce ICO penalties and reputational damage. 

Your DPO will help you manage any data breaches by assessing their severity, coordinating the response and notifying relevant authorities. 

Stay Up-to-Date with Regulation and Technology

GDPR and data protection law are always changing, especially after Brexit, so it’s important to keep up to date with the latest legislative changes.

Technology can help you stay on the cutting edge of data protection, particularly in areas such as encryption, anonymisation and secure backups.

Your ongoing GDPR audits, along with your DPO’s responsibilities to monitor changes, should keep you informed.

Keep Your Data Safe with Data Protection People

Data protection is an ongoing business activity. With regular audits, internal controls and a knowledgeable DPO, you can keep your customers and your reputation safe. 

We offer a range of services to help you keep your company’s data protected from cyber criminals and accidental data breaches, from an outsourced DPO to GDPR audits. Get in touch with us today.

Location Data for Sale: A Wake-Up Call for UK Organisations

A recent RTÉ Prime Time investigation exposed how the real-time movement of tens of thousands of smartphones was being sold on the open market. The story, though focused on Ireland, is a stark warning for UK organisations that process or share location data. If location data can be traced back to individuals, it is personal data under UK GDPR. Misusing it could lead to serious enforcement action and loss of public trust.

What Happened

Undercover journalists posed as a data analytics company and purchased location data showing two weeks of movement for around 64,000 mobile phones. The dataset revealed daily routines, routes and even visits to sensitive sites like government buildings and prisons. Despite claims of “anonymisation”, investigators easily re-identified users by tracing data to home addresses and workplaces.

In response, Ireland’s Data Protection Commission launched an investigation into the data broker’s practices. The case mirrors ongoing global concerns about the misuse of mobile location data, issues that are equally relevant under UK GDPR and PECR.

Location Data as Personal Data

UK GDPR explicitly treats location information as personal data. In its definition of personal data, the UK GDPR lists “location data” alongside names and online identifiers. In practice, this means a person’s physical movements, whether by GPS, Wi-Fi or cell towers, identify them and are protected. GDPR examples of “private and subjective” data include location data on the same list as religion or political views. In other words, even though raw GPS coordinates aren’t a “special category”, location trails can quickly become as revealing as declared sensitive information.

  • Location data comes with high responsibility: organisations must treat it carefully under UK GDPR’s principles (lawfulness, purpose limitation, data minimisation, etc.). They should be transparent, provide clear privacy notices, and obtain valid consent or establish another lawful basis before tracking.

Location Data Can Reveal Sensitive Details

Long-term tracking of movement patterns can expose highly personal traits. For example, ICO guidance emphasises that a 24/7 log of someone’s whereabouts is “highly intrusive”, as it “is likely to reveal a lot of information about them, including the potential to infer sensitive information such as their religion, sexuality, or health status.”

FTC regulators in the US have made similar points. In a complaint against a location-broker, the FTC noted that “Location data can expose sensitive information such as medical conditions, sexual orientation, political activities, and religious beliefs.”

In practice, detailed location logs can be cross-referenced with public data to infer private traits. For example, regular attendance at a particular church or mosque can reveal faith, frequent visits to a clinic or mental-health centre can imply medical issues, and patterns of travel to political rallies or social venues can hint at ideologies or sexuality.

  • Examples of sensitive inferences: A person’s home, work, places of worship, or health clinics are obvious “sensitive” sites. Data brokers have sold segments like “pregnant women” or “people going to abortion clinics” by detecting patterns in GPS data.
  • Risk of profiling and ads: Online ad networks also use location to profile users. Under UK law, using tracking data for targeted advertising requires strict consent. In reality, however, many apps leak precise location to marketing firms. Investigations found that even innocuous apps (games, fitness or prayer apps) have been co-opted to harvest location data for sale. This means a user may see ads not only for local restaurants, but also for sensitive services, such as medical treatments, based on an inferred profile.

Re-identifying “Anonymous” Location Trails

Simply stripping names off GPS data is not enough to make it safe. Mobility records are notoriously unique. The European Data Protection Board (EDPB) warns that supposedly “anonymised” location traces “are known to be notoriously difficult to anonymise.” It cites research showing that even a few points of a person’s movement make them re-identifiable.

In one landmark study, only four random spatio-temporal points (latitude/longitude plus time) were enough to uniquely identify 95% of individuals in a large mobility dataset. Even coarse data (such as cell-tower regions and hours rather than exact GPS minutes) proved only marginally safer: most people remained unique with just a handful of points. In short, an “anonymised” location database can often be re-linked to individuals by matching it with outside information, such as known home or work addresses or social media check-ins.

User Consent Issues

Beyond official cases, everyday privacy concerns arise with location tracking:

  • Mobile App Permissions: Many smartphone apps request location permission (for “better experience” or ads) and users often grant it without realising. Studies show thousands of popular apps, even games or utility apps, leak location via ad networks. In many cases users are unaware their movements are shared with marketing brokers.
  • Behavioural Advertising: Companies build profiles from location info. Under UK law, using tracking cookies or device signals for targeted advertising requires clear consent. However, some websites push “cookie walls” or confusing consent banners (a form of “dark pattern”) to force acceptance. ICO guidance warns that mandatory “take-it-or-leave-it” consent (no free choice) is usually invalid.
  • Surveillance Advertising: Location-based surveillance advertising, showing ads based on precise location behaviour, poses GDPR challenges. For instance, an ad network could infer health or beliefs (e.g. showing ads for political causes to someone who visited a rally). ICO guidance is clear that any profiling of user attitudes or preferences, which location-based targeting does, requires transparency and consent.

What You Should Be Doing Now

Principles for Responsible Processing

  • Necessity and Justification: Only collect location if essential for the service. As the ICO puts it, tracking people’s movements “requires a strong justification”. Consider less intrusive alternatives first.
  • Consent and Notice: Be clear with users why you need location data, how you use it, and get valid consent when profiling or advertising. Avoid dark patterns in consent requests.
  • Data Minimisation and Retention: Store the minimum location detail needed, for example use coarse location if possible, and retain it only as long as required. Given the risk of re-identification, controllers should destroy or truly anonymise logs when no longer needed.
  • Security and Access Controls: Because location data is sensitive, it must be well secured, with encryption and strict access controls. Log who accesses location information, and have a robust breach response plan.
  • Right to Object: Remember that data subjects have the right to object to profiling. Companies should provide easy ways for users to opt out of location-based tracking or data sharing.
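The re-identification point above (a handful of spatio-temporal points singles a person out, and coarse cells and hour buckets help only marginally) and the data-minimisation advice to prefer coarse location can both be checked on a dataset before it is shared. The following Python script is an added example for this page, not code from Data Protection People, RTÉ or the study cited; it builds five constructed one-day trails (home, work, lunch) with made-up coordinates and measures how many users are unique given their first k points, first on raw GPS with exact minutes and then after coarsening to roughly 1 km grid cells and one-hour buckets. The choice of “first k points” stands in for the random sampling the published research used; the metric is the same.

```python
"""Re-identification risk check for a location dataset (constructed example).

Five synthetic one-day trails, each a list of (latitude, longitude, minute of
day). None of the coordinates or people are real. The check reports the share
of users who are *unique* given k of their own points, on the raw trail and
after coarsening, which is the question an anonymisation review has to answer
before calling a dataset "anonymous".
"""
from typing import Callable, Dict, List, Optional, Tuple

Point = Tuple[float, float, int]   # (lat, lon, minute of day)
Cell = Tuple[int, int, int]        # coarsened (grid row, grid column, hour bucket)
Trails = Dict[str, List[Point]]

# Constructed sample: user -> [home ~08:00, work ~09:00, lunch ~13:00].
# A and B live on the same street and commute to the same office; C shares
# A's neighbourhood but works elsewhere; D shares A's office but lives
# elsewhere; E overlaps with nobody.
SAMPLE_TRAILS: Trails = {
    "A": [(53.8012, -1.5487, 485), (53.7923, -1.5412, 542), (53.7932, -1.5513, 790)],
    "B": [(53.8018, -1.5493, 487), (53.7927, -1.5418, 545), (53.7938, -1.5517, 792)],
    "C": [(53.8021, -1.5482, 490), (53.8113, -1.5308, 550), (53.8117, -1.5312, 800)],
    "D": [(53.7712, -1.6012, 480), (53.7921, -1.5423, 540), (53.7929, -1.5521, 795)],
    "E": [(53.8312, -1.5008, 500), (53.8318, -1.5013, 560), (53.8322, -1.5018, 810)],
}


def coarsen_point(p: Point, cell_deg: float = 0.01, bucket_min: int = 60) -> Cell:
    """Reduce a point to a grid cell and a time bucket (data minimisation).

    0.01 degree is roughly 1.1 km north-south; 60-minute buckets hide the exact
    time. Integer keys avoid float-equality surprises when comparing cells.
    """
    lat, lon, minute = p
    return (round(lat / cell_deg), round(lon / cell_deg), minute // bucket_min)


def _keyed(trails: Trails, coarsen: Optional[Callable[[Point], Cell]]) -> Dict[str, set]:
    """Return user -> set of observed (optionally coarsened) points."""
    if coarsen is None:
        return {u: set(pts) for u, pts in trails.items()}
    return {u: {coarsen(p) for p in pts} for u, pts in trails.items()}


def matching_users(trails: Trails, known: List[Point],
                   coarsen: Optional[Callable[[Point], Cell]] = None) -> List[str]:
    """Users whose trail contains every one of the known points.

    A result of length 1 means those points single out one person: the dataset
    offers that person no anonymity, whatever the column headers say.
    """
    keyed = _keyed(trails, coarsen)
    wanted = set(known) if coarsen is None else {coarsen(p) for p in known}
    return sorted(u for u, pts in keyed.items() if wanted <= pts)


def fraction_unique(trails: Trails, k: int,
                    coarsen: Optional[Callable[[Point], Cell]] = None) -> float:
    """Share of users singled out by their own first k points.

    Assumption for this example: the k points an outsider knows are the first k
    in each trail (home, then work, then lunch).
    """
    unique = sum(1 for u, pts in trails.items()
                 if matching_users(trails, pts[:k], coarsen) == [u])
    return unique / len(trails)


def min_class_size(trails: Trails, k: int,
                   coarsen: Optional[Callable[[Point], Cell]] = None) -> int:
    """Smallest group sharing any user's first k points (a k-anonymity floor).

    1 means at least one person in the dataset is fully identifiable.
    """
    return min(len(matching_users(trails, pts[:k], coarsen)) for pts in trails.values())


if __name__ == "__main__":
    for label, fn in (("raw GPS + exact minute", None), ("1 km cell + hour", coarsen_point)):
        for k in (1, 2, 3):
            print(f"{label:24s} k={k}: unique={fraction_unique(SAMPLE_TRAILS, k, fn):.0%} "
                  f"smallest group={min_class_size(SAMPLE_TRAILS, k, fn)}")
```

On the raw trails a single point identifies everyone, because no two people ever stand at the same spot at the same minute. Coarsening to 1 km cells and hours removes uniqueness only for the three neighbours at k=1 (A, B and C share a home cell); with two points, C becomes unique again and only the two users with the same commute remain indistinguishable, while D and E are unique from their first point alone. That is the “marginally safer” outcome the study reported, and it is why the ICO’s anonymisation guidance asks for the risk to be measured rather than assumed.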

By following these principles and keeping abreast of ICO and EDPB guidance, organisations can handle location data more responsibly. The Home Office case shows regulators will scrutinise any 24/7 monitoring. With “always-on” location services on our phones and devices, businesses and governments alike must respect that location trails reveal the contours of people’s private lives.

Practical Steps

  • Audit your data flows – Map out all sources and uses of location or behavioural data, including mobile apps, analytics tools and advertising platforms.
  • Review contracts and suppliers – If you use data brokers or adtech partners, ensure they comply with UK GDPR and do not sell or re-use data unlawfully.
  • Strengthen anonymisation practices – Follow the ICO’s Anonymisation and Pseudonymisation Guidance to assess and document re-identification risks.
  • Refresh consent and transparency notices – Make sure privacy notices clearly explain any sharing or selling of location data, including the lawful basis for doing so.
  • Carry out a DPIA – Conduct a Data Protection Impact Assessment for any project involving tracking or profiling users through location or behavioural data.
  • Train staff and developers – Everyone involved in collecting or processing location data should understand their obligations and the potential risks.

At Data Protection People, we help organisations conduct DPIAs, assess anonymisation standards, and audit third-party data flows. If your organisation collects or shares location data, now is the time to act before regulators come knocking.

Our View / Final Thoughts

The RTÉ revelations underscore a growing issue: location data is among the most valuable, but also the most dangerous, forms of personal data. For UK businesses, this means tightening internal controls, demanding transparency from suppliers, and taking accountability seriously. “Anonymous” data is not always anonymous, and claiming so will not protect you from enforcement.

The ICO has already signalled a tougher stance on data brokers, consent mechanisms, and dark patterns. Organisations that proactively embed privacy-by-design and transparency will not only avoid penalties, but also strengthen customer trust in an era of growing data awareness.

FAQs

Does UK GDPR treat location data as personal data?

Yes. Location data can directly or indirectly identify an individual, which makes it personal data under Article 4 of the UK GDPR.

Is selling anonymised data allowed in the UK?

Only if it is genuinely anonymous and cannot be re-identified. If there is any realistic possibility of re-identification, it remains subject to UK GDPR.

What if our organisation uses third-party analytics tools?

You remain responsible for compliance. Review contracts, verify privacy practices, and complete DPIAs where tracking or profiling occurs.

Has the ICO fined organisations for data misuse before?

Yes. Examples include Experian’s enforcement notice (2023) and Clearview AI’s £7.5 million fine (2022) for unlawful data scraping. Location data misuse could attract similar penalties.

What support is available?

If you’re unsure about your obligations, Data Protection People’s support services can help with audits, DPIAs and policy reviews.

If you process, share or purchase location data, take action now. Our team at DPP can help ensure your practices are compliant, ethical and defensible.


UK Cookies in 2025

Data Protection Made Easy Podcast: Cookies in 2025, What Changes and What To Do Now

Host: Catarina Santos, with guests Oluwagbenga Onojobi (Gbenga) and Holly Miller, and a brief cameo from Phil Brining.

Episode overview

In this 30-minute session we explain what cookies are, how the main types work, and what the 2025 UK reforms mean in practice. We look at PECR and UK GDPR, rising enforcement in Europe, consent-or-pay models, fingerprinting, Google Topics API, and the differences between the UK and EU approaches. The goal is simple: give you clear next steps that reduce risk without killing conversions.

Listen now

Also available on all major platforms, Spotify, Apple Podcasts, Audible, and popular Android apps. Many DPOs tell us they listen back on walks, in the gym, or while cooking, so feel free to enjoy this one at your leisure.

What we cover

  • Cookies 101, first party, third party, strictly necessary, functionality, performance, and tracking.
  • Hot topics, Google Topics API, cookieless advertising, fingerprinting, consent-or-pay models.
  • Rules that matter, PECR and UK GDPR basics, lawful consent, transparency, and user choice.
  • 2025 UK changes, low risk cookie exemptions, higher fine levels, and the ICO consultation.
  • UK vs EU, where approaches differ, how to handle cross border users, and common pitfalls.

Practical takeaways

  • Give “Reject all” equal prominence to “Accept all”, avoid pre-ticked boxes, explain purposes in plain English.
  • Keep a cookie register, map scripts to purposes, owners, and retention.
  • Update your cookie policy and link it clearly in the footer, keep a separate document from the privacy notice.
  • Record consent events, banner version, time, and preferences, and honour withdrawal with no detriment.
  • If you operate in the EU, follow the stricter position where needed, and use geolocation logic carefully.

Stay connected

You can always get in touch via our website or on LinkedIn. If you enjoy the podcast, share it with a colleague who looks after cookies, consent, or analytics.

Data Protection Made Easy is one of the UK’s largest data protection communities, over 1,500 subscribers, with more than 200 episodes available on major audio platforms.

10 Years of Data Protection People

Celebrating 10 Years of Data Protection People & 5 Years of the Data Protection Made Easy Podcast

Last week we marked not one, but two major milestones, 10 years of Data Protection People and the 5th birthday of the Data Protection Made Easy Podcast. To celebrate, we hosted a special live session with Philip Brining, Caine Glancy, Catarina Santos, and returning host Joe Kirk. Together, we looked back at the Top 10 Most Streamed Episodes from the past five years, revisiting the conversations that have shaped our community.

Key Themes from the Session

  • Subject Access Requests (SARs) – still one of the most complex and frequently discussed areas of data protection.
  • Data Protection Impact Assessments (DPIAs) – exploring challenges around risk, practicality, and when a DPIA is truly needed.
  • Legislative Changes – including Brexit, the Data Protection and Digital Information Bill, and the new DUA Act.

The team also reflected on why topics like ROPA and audits don’t always feature as highly among listeners, and why broad themes resonate more strongly than sector-specific discussions.

Insights from Our Community

Our special guest Joe Kirk shared valuable insights from moving into an in-house DPO role, including the importance of tackling cookie compliance and ensuring correct ICO registration. The panel also discussed the ICO’s new guidance on complaints handling and recognised legitimate interests, highlighting the practical steps organisations should take ahead of expected implementation in June 2026.

The Return of Weekly Podcasts

To celebrate our 10-year anniversary and the continued growth of our community, we are excited to announce that the Data Protection Made Easy Podcast is returning to a weekly schedule. Every Friday at lunchtime, we’ll be live with fresh discussions, community insights, and practical guidance for data protection professionals.

You can sign up on our Events Page to join future live sessions, or contact us here to subscribe and become part of the UK’s biggest data protection community.

Listen Back to the Anniversary Episode

If you missed it live, you can catch up now on Spotify using the player below:

Here’s to 10 years of making data protection easier, and 5 years of building a community where professionals can learn, share, and grow together. Thank you to everyone who has been part of the journey so far.

Caught in the Act: The UK’s New Age Verification Law

Online Safety Act, age checks, and real world risks, highlights from Episode 218

Recorded on Friday 29 August 2025, this live episode of Data Protection Made Easy brings together Catarina Santos, Caine Glancy and Philip Brining to explain what the latest Online Safety Act changes mean in practice. The team walk through how age verification works, why VPN downloads have surged in the UK, and the real impact on privacy, user experience and compliance.

Episode: 218, Data Protection Made Easy
Recorded: late August, Leeds and online
Hosts: Philip Brining, Catarina Santos, Caine Glancy

We are Data Protection People, a consultancy and a community. More than 1,500 practitioners join our live sessions for practical help and straight talking advice. We keep things human, current, and useful.


What we covered

  • Online Safety Act, where it fits with the Children’s Code, why it goes further on content and safety.
  • Age assurance, facial estimation, ID checks, open banking, and the privacy trade offs behind each approach.
  • Supply chain risk, real incidents in education and vetting, why processor controls and backups still fail.
  • Education, why literacy and resilience matter as much as technical gates.
  • Community update, weekly sessions return in September, likely in focused 30 minute formats.

Highlights and opinions

Scope and categories. Ofcom guidance gives the most usable overview. Scale drives duties: category one providers face the heaviest lift, but smaller services still need proportionate controls.

“The Act is about content, the Children’s Code is about design, together they set expectations for what people actually see and share.” — Philip

Age checks in practice. Facial estimation and ID checks can help, but they are not perfect. People will try VPNs and workarounds, so policy and education must sit alongside technology.

“There is no magic potion for age checks, the solution cannot be technology alone.” — Catarina

“If suppliers rush controls without thinking about retention and purpose limitation, we move risk rather than reduce it.” — Caine

Supply chain failures. Contracts need clear migration and deletion steps, restore tests must be real, and controller oversight must be active rather than paper-based.

“Where is the weak link: backups, migration steps, subprocessors, or the missing instructions in the DPA?” — Philip

Freedom of expression and harm. Public concern is real. The intent is to reduce harm to children, not silence debate. Practical application will need careful balancing.

Practical takeaways for organisations

  • Write a content risk assessment if your service can be accessed by children, update it on a schedule, record decisions.
  • Map processors and subprocessors, include precise steps for transfers and deletion, test restores, not only backups.
  • Choose proportionate age assurance, record lawful basis, retention, and vendor due diligence, avoid copying IDs unless necessary.
  • Blend controls with education, publish clear user guidance, support parents and teachers, avoid dark patterns.

About the community

Data Protection Made Easy is the live podcast and discussion space run by Data Protection People. More than 1,500 members join to share cases, templates, and practical steps. We will return to weekly sessions in September, short and focused, with time for questions.

Contribute to a future episode

We are always looking for contributors and topics: case studies, SAR puzzles, transfer questions, or views on the Online Safety Act. Get support or advice, or pitch a slot for an upcoming episode.

Explore more in our Resource Centre, including recent episodes and guides.

DUA Act – Part Two

The Data (Use and Access) Act 2025 – Podcast Part Two

On Thursday, 18th July 2025, we hosted Part Two of our DUA Act discussion, with over 200 live attendees joining us for a deeper dive into the Data (Use and Access) Act 2025.

Led by Phil Brining and Caine Glancy, this session focused on answering the questions raised in Part One, exploring complex scenarios, and sharing practical advice for professionals preparing for the new regulations.

If you couldn’t attend live or want to revisit the insights, you can now listen back to the full recording and access the presentation slides shared during the event.

Listen on Spotify

Click below to listen to Part Two on Spotify or search ‘Data Protection Made Easy’ on Apple Podcasts, Audible or any major platform.

Download the Slides

We’ve made the full slide deck from Part Two available to download and share:
Download Part Two Presentation Slides

What We Covered

  • Real-life scenarios and case study examples based on DUA Act principles
  • Detailed Q&A on legitimate interest balancing tests, soft opt-in rules, and data subject rights
  • Compliance challenges and how to overcome them using good governance frameworks
  • The DUA Act’s expected impact on privacy management programmes and internal policies
  • Preparing your teams, clients, and data flows for the changes ahead

Join the Data Protection Made Easy Community

By joining our free community, you’ll get:

  • Early access to upcoming podcast sessions and event invites
  • Weekly insights into legislation like the DUA Act and GDPR
  • Exclusive downloads including templates, tools, and guides
  • Invitations to in-person events across the UK
  • Access to session recordings and slides
  • A place to ask questions, share experiences, and stay ahead

We’re here to help you transition confidently into the new data protection landscape, making compliance clearer, simpler, and more achievable.

Our Events & Webinars

Industry Leading Discussions

We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.

Upcoming events:

  • Digital ID Under the Spotlight – 10 October 25, 12:30 - 1:00 pm
  • UK Cookie Compliance in 2025: What You Need to Know – 03 October 25, 12:30 - 1:00 pm

Get Support With Data Protection And Cyber Security

Our mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.