The UK’s #1 Data Protection Consultancy

Data Protection & Information Security Experts

Data Protection Made Easy.

Join our extensive list of clients who have their data privacy under control

Accelerate Your Data Protection Compliance

Save Time, Save Money and Relax: You’re In Safe Hands

Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.

GDPR Training

Data Protection People have a wide range of training services catering for every need. Whether it’s general training for operational or admin staff or specific training for specialist roles, we have something for you. Watch the short video below to meet the team and find out more about our training services.

Information Management Software

DataWise is the original privacy tech platform designed to simplify GDPR compliance management. Since its inception in 2011, DataWise has continuously evolved, solidifying its reputation as the pioneering "privacy tech" solution.

Data Protection Consultancy

Unlock Compliance Excellence with Our GDPR Consultancy Services. Navigating the intricate realm of data protection laws and standards demands expert guidance.

Outsourced DPO

A data protection officer doesn't have to be a full time employee and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services or reach out and get in touch with us.

Need Help With Cyber Security Compliance?

We Have You Covered!

At Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.

External Attack Surface Management

Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.

ISO 27001

Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.

PCI DSS

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.

Cyber Security Support

Secure your organisation with Data Protection People's Cyber Security Support. Our expert team ensures cybersecurity excellence, offering tailored support for ISO27001, PCI DSS, Cyber Maturity, Cyber Essentials Plus, and more.

Supporting DPOs

Flexible Support When You Need It

At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.

Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.

Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.

Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.

Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.

Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.

Diverse Sector Experience

Access to a Team of Industry Experts

At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.

Commercial Sector

Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.

SMEs

Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimize your operations, and scale confidently with our tailored solutions that prioritize your unique business needs.

Third Sector

For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.

Multi Nationals

For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavors with resilience.

Public Sector

In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.

Why Use Our Outsourced DPO Services?

Save Time, Money and Guarantee Compliance

Navigating the intricate landscape of data protection demands more than just a DPO — it requires a dedicated team committed to excellence. Our Outsourced DPO Services extend beyond the traditional role, offering a comprehensive approach to legal compliance and pragmatic solutions.

Why Choose Outsourcing?

An outsourced DPO brings a wealth of experience, not just in the law but also in crafting workable solutions. Their impartiality is fortified by a team of privacy practitioners, ensuring that your organization benefits from a spectrum of expertise. Should the need arise, seamless coverage during absences is guaranteed, eliminating the vulnerability associated with a single in-house DPO.

Staying Headache-Free

Concerned about the disruption if your DPO moves on? With an outsourced model, transitions are smooth, and you won’t experience the sudden headache of a critical role vacancy. The continuity provided by a team ensures that your data protection responsibilities are seamlessly handled.

Compliance Tailored to You

Our Outsourced DPO Services align seamlessly with your legal obligations, whether you’re mandated to appoint a DPO or choose to do so voluntarily. We understand that compliance is not just about ticking boxes but about ensuring a robust, practical approach to data protection. Choose Data Protection People for a worry-free, compliance-driven outsourced DPO solution — because your data protection journey should be as smooth as it is secure.

“I can’t recommend Data Protection People enough, they have helped me in so many different areas, no matter how complex the challenge or how large the obstacle, DPP always has the answer.

I can call the team at any time and have built an amazing relationship with them, in times of frustration they are here to calm me down and create a plan, they are a pleasure to work with.”

Mark Leete
Eastlight Community Homes

Data Protection People Blogs & Podcasts

Data Privacy Learning & Guidance

Data Protection People have the UK’s #1 Data Protection Podcast, with over 150 episodes available across all audio streaming platforms. We also post regular content designed to simplify complex areas of data protection and cyber security. Check out some of the podcasts and articles below and make data protection easy today.

What Should You Do After a Data Breach? A Guide for Businesses

Have you had a data breach? Your first thought may be to panic and worry about what to do next. But as long as you act on the breach quickly, you’ll prevent further damage down the line. 

In this guide, we’ll touch on the immediate steps to take after a breach and ways to prevent them from happening again. 

What Constitutes a Data Breach?

Data breaches happen all the time—in fact, 30 million people were affected in the UK just last year. So what actions cause one? Whether unlawfully or accidentally, a data breach results from loss, destruction, alterations, unauthorised access or disclosure of personal data processed. 

Examples include your employees falling for a phishing attack, failure to use Blind Carbon Copy (BCC) on a group email, or someone stealing a company laptop with confidential files. 

Human error is the root cause of most data breaches. While data protection is everyone’s responsibility, your senior team is responsible for minimising this negligence with data protection training.

Want to learn more about data breaches? Listen to the Data Protection Made Easy podcast for more insight.

How Long Do You Have to Report a Data Breach?

You have 72 hours to report a data breach to the ICO unless it is unlikely to result in a risk to an individual’s rights and freedoms. If a risk is unlikely, you don’t need to notify the ICO. However, it is crucial to record and justify why the breach was not reported, in case a complaint arises from the personal data breach.

Depending on the data you process, a data breach can have serious implications, including financial loss, discrimination and loss of confidentiality. In serious cases, affected individuals, such as witnesses in high-profile cases, may be at higher risk of harm. 

How Should a DPO Respond to a Data Breach?

1. Find Out What’s Happened

You should first investigate what data was compromised, how the breach happened and how many people were involved. You need to know the source of the data, who the recipient of the data was, who the impacted data subjects are and whether there is any relationship between the parties involved. 

Data mapping will help identify who’s been affected and give insight into whether the data is high-risk or not.  

2. Contain the Breach

Once you know the source of the breach, start implementing security measures to prevent further damage from happening. Here are some immediate actions to take depending on the cause:

  • Cyber incident – If your employees are victims of malware or phishing attacks, everyone should update their passwords and enable security protocols like two-factor authentication (2FA). 
  • Human error – If personal data has been sent to someone by mistake, contact them immediately to delete it (if by email) or send it back securely. 
  • Stolen company devices – If you offer hybrid working, your team may work in public spaces that are subject to burglary. Should this happen, your IT department should be able to wipe the device remotely so data doesn’t fall into the wrong hands. 
  • Lost files – If you can’t locate confidential files, notebooks or other paperwork, search where you were last and ask others to help find it. 

3. Assess the Risk

Whether a breach is reportable or not depends on the risk it poses to others. At this point, you must conduct a risk assessment of the harm that may result from the breach. This assessment is different from a DPIA, which is conducted before processing activities begin.  

First, you need to identify the personal data that has been breached (again, data mapping is essential here). The risk to individuals will increase if the data is sensitive or high-risk. For example, a breach of financial information may lead to identity theft, which is detrimental to the individual. 

You also need to assess:

  • Who may have the data – Was it breached internally or externally?
  • How many people have been affected – Was it your customers, staff or shareholders – and how many have been affected? 
  • How harmful will the breach be – Will the loss or unauthorised access to data lead to an unsafe situation, impact people’s well-being, or cause them to risk losing their jobs or homes? 

A risk assessment will determine the impact on individuals and identify ways to prevent this from happening again. 

4. Contact the Affected Individuals

In a recent statement, the ICO commented on organisations’ responsibility to protect individuals and show empathy when communicating after a data breach. 

Contacting the affected individuals is necessary if the data breach is high risk. When you acknowledge this incident, be empathic in your response and reassure them it won’t happen again. You may want to tell them what steps you’re taking and guide them on what they can do to stay safe during this time.

Even when not legally required to do so, organisations may opt to inform the data subjects affected in an attempt to maintain a reputation and to try to retain confidence between the data controller and the data subjects.

5. Send Your Report to the ICO (If Needed)

Once you’ve completed these steps, you may need to report your breach to the ICO. Remember, this has to be done within 72 hours of becoming aware of the breach, so don’t delay anything before doing it. 

Data Protection People Is Here to Help

While these steps seem daunting, you don’t need to go through them alone. Data Protection People are skilled in handling data breaches for businesses of all sizes and sectors.

Our data protection support team will be with you throughout the process, from assessing the breach to preventing future risks with GDPR audits and training.

Need urgent help? Contact our team today

How Serious Are Personal Data Breaches?

55% of adults have experienced a data breach—that’s around 30 million people in the UK alone. Losing or stealing personal data is more common than we think, and the consequences can be life-altering. 

Personal data isn’t just numbers seen on a screen. It’s bank details, addresses and medical information – the type of data you don’t share without a real purpose to do so. A personal data breach exposes this information, allowing anyone to access it. Many believe the pain starts and stops there. But the real harm has only just begun.

In this blog, we’ll uncover the aftermath of a data breach from an individual and organisational perspective. 

Assessing the Risks of a Personal Data Breach

A personal data breach will need to be reported to the Information Commissioner’s Office unless it is unlikely to result in a risk to the individual’s rights and freedoms. The type of personal data matters, especially if you handle special category data. However, context is also key: it is important to establish all of the facts as quickly as you can to help you judge whether there is any risk to the affected data subjects.

A breach of sensitive or high-risk data can seriously affect someone’s health and well-being, put them in harm’s way or risk losing money or their job. A data protection impact assessment (DPIA) will identify and minimise the risks involved in processing personal data. This is a preventative measure, though, and it is not something done after. 

In this case, you should follow our steps to respond to a data breach.  

How Do Data Breaches Impact Organisations?

Financial Damage

Organisations could experience considerable financial loss from the clean-up of a data breach. You may need to compensate affected individuals, invest in better cyber security measures, pay legal fees and outsource a data protection consultant to help get you back on your feet.

A personal data breach is also a fineable offence from the ICO, which could cost up to £17.5 million or 4% of your total annual turnover (whichever is higher). 

Reputational Loss 

When you lose the trust of your customers, stakeholders and staff, reputational damage comes as no surprise. News travels fast. Customers will turn to social media or the press to share their frustrations, driving prospects away from doing business with you.  

Reputational damage is long-lasting and will affect your chances to conduct new business in the future. 

Downtime 

Depending on the size of the breach, you may have to shut down your operations until all investigations have been conducted. Your data champion or data protection officer (DPO) will need to assess the severity of the breach, implement safeguards and address the ICO’s questions. This may take days or even weeks. 

Legal Implications 

Whether a data breach resulted intentionally or not, individuals have the right to seek legal compensation. This will contribute to your financial losses and potentially lead to more serious actions taken by the ICO. 

How Do Data Breaches Impact Data Subjects?

A data breach, if not addressed quickly, can have serious effects on individuals, which include:

  • Financial loss: Individuals may lose money to identity theft or fraud. Those with confidential addresses, such as survivors of abuse, may have to relocate, resulting in considerable expenses.  
  • Identity theft or fraud: If financial data gets into the wrong hands, hackers can steal a person’s identity and commit fraud. Not only will this victim lose money, but also struggle to get loans, credit cards or mortgages. 
  • Loss of confidentiality: Medical information, religious or political beliefs and other special category data are confidential for a reason. When this security is broken down, an individual may face severe distress, discrimination, stigma or even physical danger.  
  • Emotional distress: 30% of victims experience emotional distress, including anxiety, depression and physical illness. This is often a secondary effect of the impacts above.  

The ICO Warns Organisations: “You Must Do Better”

In a recent article, the ICO expressed concerns about organisations’ empathy and actions towards data breaches. These businesses must look beyond the operational damage and consider the “far-reaching ripple effect that disrupts [individuals’]  lives in ways that some may not fully appreciate.” 

If you ever go through a data breach, consider its impact on others. Take responsibility for what you’ve done, and as the ICO says, “step up, […] do better, and […] recognise the critical importance of data protection in safeguarding people’s lives.”

Listen to episode 193 of The Data Protection Made Easy podcast to learn more about ripple effects

Start the Year Compliant with a GDPR Audit 

With a GDPR audit, you can gain peace of mind knowing that your business is meeting the law’s requirements. Our expert team will assess your data-handling processes, identify weaknesses and implement a plan for continuous improvement to remain compliant year-round. Contact our team to learn more.

Had a data breach? Get urgent support now

The Latest Data Protection & Cyber Security News – December 2024

As we close out 2024, our Data Protection Made Easy hosts reflect on the year’s highlights and share the latest insights to help you overcome the challenges of the holiday season.

From practical tips to pressing data protection news, our episodes are packed with practical advice to keep your business secure during the festive break. Find out what you missed below. 

Data Protection Made Easy: December’s Recap 

Episode 197: GDPR Radio – News of the Week

We began December with our regular GDPR Radio coverage, which delves into recent news in data protection. Our hosts, Joe and Phil, invited Catarina Santos, a data protection consultant, back to discuss recent regulatory changes, industry trends and data breaches in the UK and EU. 

In our live discussion, we answered questions from listeners, providing practical advice they can take into their roles. Over 1,400 subscribers tune in monthly to hear from our experts, so if you want to stay up-to-date with the latest, subscribe to our podcast and find out what’s new. 

Need to catch up with GDPR Radio? Listen to episode 197 now. 

Episode 197: GDPR Radio – Data Protection Tips for the Festive Season

While you may have already settled down, now is not the time to let your data protection and cyber security measures take a back seat. The festive season often sees businesses letting their guard down, making them more susceptible to data security incidents as employees shift into ‘holiday mode’ and resources become stretched.

Amidst the festive cheer and goodwill, even seemingly harmless actions can pose security threats. Caine Glancy, our GDPR support desk consultant, joined us to discuss the risks of sending and receiving Christmas greetings, which are often used in phishing attacks to hook victims in. 

Always double-check your emails and sender address before opening an attachment or link. Otherwise, the only gift you’ll get is a data breach from a cyber criminal! 

If you plan to send your customers Christmas wishes, don’t forget to use blind carbon copy (BCC) to avoid exposing email addresses in bulk emails. You must also consider the Privacy and Electronic Communications Regulations (PECR) if your email includes promotional material. The PECR requires you to have explicit, informed consent from your customers, so don’t press send until you’re sure.

For more guidance, head to our blog to learn how to avoid data protection incidents this Christmas. Prefer to hear straight from us? Catch up with episode 198 on Spotify.   

Episode 199: Final Episode of 2024

We end 2024 with our 199th episode of Data Protection Made Easy. In this episode, we reflect on the most popular episodes of 2024, which include:

We also have a heartfelt send-off for our long-standing host, Jasmine Harrison, who is leaving to travel the world. Jasmine has been an essential part of our team, and we wish her the best time travelling! 

Listen to the last episode of 2024 here

Looking for a New Podcast for 2025? 

Data Protection Made Easy is an award-winning GDPR and cyber security podcast with a community of over 1,400 subscribers. By subscribing, you can participate in live sessions with industry experts, catch up on the latest news and network with our growing community.

To start the new year off right, subscribe to Data Protection Made Easy on Spotify, YouTube and Amazon Music.

The Data (Use and Access) (DUA) Bill: What Changes Are Proposed to the UK GDPR?

When the Labour Party won the general election in July 2024, the previous government’s Data Protection and Digital Information (DPDI) Bill went out the window. 

The years the DPDI Bill progressed in parliament raised much commentary, with several discussions from our hosts at Data Protection People. With Labour in power, a new Bill has arrived – the Data (Use and Access) (DUA) Bill. 

Many have welcomed the changes proposed in the DUA, but how do they impact the existing data protection framework? Discover the key reforms set out in the DUA Bill in our guide.

What Is the DUA Bill? 

The Data (Use and Access) Bill aims to “unlock the secure and effective use of data for the public interest” while driving economic growth and improving people’s lives. The DUA Bill was published on 24 October 2024 to replace the previous government’s failed Data Protection and Digital Information (DPDI) Bill.

This Bill carries over similar provisions set out in the DPDI Bill, including Smart Data schemes and digital ID. Some significant reforms have been dropped, such as changes to DPIAs and RoPAs. The controversial plan to remove the requirement for Data Protection Officers (DPOs) under certain criteria has been removed. 

For a complete list of its predecessor’s changes, read our summary on the DPDI Bill here.

What Areas Are Subject to Change Under the Data Bill?

1. Data Subject Access Requests (DSARs)

The DUA Bill introduces a new article (12A) into the UK GDPR, setting clearer boundaries for managing subject access requests (SARs). Some notes include: 

  • Organisations (controllers) can ask data subjects for more information in connection with a DSAR and have their time period for responding to the request paused until they receive the information. 
  • A reasonable case for requesting further information is ‘where the controller processes a large amount of information concerning the data subject’. This can extend the applicable time period by two months.
  • The personal data and other information provided in response to a SAR must be a ‘reasonable and proportionate search’ (clause 78). This gives controllers a legal basis for defining their search limits beyond relying on regulatory guidance. 

This provision varies from the DPDI Bill, in which data controllers no longer have the right to refuse SARs based on it being ‘vexatious or excessive’. The DUA Bill maintains the UK GDPR’s grounds for refusal if the SAR is ‘manifestly unfounded or excessive’. 

2. Legitimate Interests

The Bill proposes that controllers will be exempt from conducting a Legitimate Interests Assessment (LIA) if ‘recognised legitimate interests’ apply. These circumstances include processing necessary for national security, safeguarding vulnerable individuals or emergency response. (See Annex 1 in Schedule 4 of the Bill for all legitimate interests.) 

The DUA Bill also includes examples that may qualify as necessary for legitimate interests, including: 

  • Direct marketing
  • Processing to ensure the security of network and information systems
  • Intra-group sharing of personal data for internal administrative purposes 

These examples are lifted from the EU GDPR (Recitals 47-49). Previously, organisations were uncertain whether these Recitals carried the same weight as the main text. By formalising these examples, the Bill delivers much-needed certainty for controllers about when they can rely on legitimate interests as a lawful basis.

3. Automated Decision-making

Significant provisions surround automated decision-making. The DUA Bill intends to replace Article 22 with new Articles 22A to 22D. The existing, stricter regime (Article 22) provides data subjects with the right not to be subject to a decision based solely on automated decision-making unless certain conditions apply, such as where the processing is:

  • necessary for entering into, or performance of, a contract between the data subject and a data controller.
  • required or authorised by domestic law which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests.
  • based on the data subject’s explicit consent.

Reducing this scope threatens individuals’ rights regarding automated decisions. Article 22C, however, sets out safeguards for protecting the individual’s rights, freedoms and legitimate interests. Measures include providing information about the decisions taken regarding the data subject and enabling them to contest such decisions.  

4. International Data Transfers

Like the DPDI Bill, the DUA Bill looks to amend the rules for international data transfers set out in Chapter V of the UK GDPR. Small changes include adapting the rules to a UK context, but most importantly, a ‘data protection test’ is introduced. 

The Secretary of State will assess whether a recipient country’s data protections provided to an individual are ‘not materially lower’ than UK standards rather than an exact likeness. This approach gives flexibility when conducting data transfers but requires organisations to be aware of the differing standards set internationally.  

5. Privacy Notices

The DUA Bill proposes that organisations are not required to provide privacy information under Articles 13 and 14 (e.g., via a privacy notice) if doing so is deemed ‘impossible or would involve a disproportionate effort’. 

This means controllers aren’t required to inform individuals about processing if the data is ‘de-identified’ or the notification would be impractical or unjustifiably costly. Watering down these transparency rules causes some concern, as it puts individuals’ rights at risk. 

Along with these five areas, the Data Bill proposes several other changes that impact data processing for research purposes, as well as an increase in PECR fines. 

What Are the Next Steps for the DUA Bill? 

The DUA Bill is still in its initial stages, meaning everything is subject to change as it passes parliament. As a close revision of the DPDI Bill, we expect it to progress quicker than its predecessor. 

Subscribe to the Data Protection Made Easy podcast for regular updates on the progression of the DUA Bill and expert commentary on industry events. 

Looking for Data Protection Support?

Our expert data protection services keep organisations compliant and their customers’ personal data safe. With years of sector experience, our GDPR consultants stay ahead of the latest regulatory changes, providing tailored advice to meet your compliance needs. 

Contact our team to find out how we can help you. 

Key Data Protection Trends and Challenges for 2025 – Data Protection Made Easy Podcast

As we kick off 2025, it’s crucial to stay ahead of the curve in the ever-changing world of data protection and cybersecurity. In this episode of Data Protection Made Easy, our hosts Catarina Santos, Phil Brining, and Joe Kirk dive into the key data protection trends and challenges we can expect to face in 2025. Whether you’re a data protection officer, cybersecurity professional, or business owner, understanding the upcoming shifts in legislation, technology, and industry practices is essential for staying compliant and secure.

In This Episode, You’ll Discover:

  1. Key Data Protection Trends for 2025
    The data protection landscape is continuously evolving, and staying informed about the latest trends is critical to safeguarding your organisation’s data. We discuss emerging technologies such as AI and machine learning, which are increasingly being integrated into data protection practices. Additionally, we explore the growing emphasis on privacy by design and default, as well as the use of encryption and secure data storage methods. These trends are expected to reshape how organisations approach data security in the coming year.
  2. Upcoming Legislative Changes in Data Protection
    Changes to data protection laws are on the horizon, and it’s important to understand how these updates will affect your organisation’s compliance efforts. This year, we anticipate significant updates to the Privacy and Electronic Communications Regulations (PECR), as well as evolving cookie laws that will impact how organisations handle online tracking and consent. Our experts provide insights into the legislative changes that are expected to shape the privacy and cybersecurity landscape in 2025, helping you prepare for the changes ahead.
  3. Cybersecurity Challenges and Solutions
    As cyber threats continue to grow more sophisticated, data protection and cybersecurity are becoming inseparable. We discuss the latest cybersecurity challenges organisations will face in 2025, including the rise of ransomware attacks, phishing scams, and the increasing risks posed by third-party vendors. With these threats in mind, we also cover the solutions and strategies that will help protect your organisation from potential breaches, from advanced threat detection systems to employee training initiatives.
  4. How Data Protection Will Evolve in 2025
    As we look ahead to 2025, it’s clear that data protection will continue to evolve, not only in terms of legal compliance but also in how organisations integrate privacy into their broader business strategies. The concept of data minimisation is gaining traction, as businesses strive to collect only the data they need, reducing the potential risks involved in data processing. We discuss how this shift will impact your data governance practices and what steps you can take to stay ahead of the curve.
  5. Predictions for the Privacy Landscape in 2025
    What will the privacy landscape look like in 2025? From the increasing importance of digital rights management to growing public awareness of data privacy issues, we explore the trends and predictions that will define the privacy space this year. Our experts provide practical insights on how organisations can adapt to these changes and future-proof their data protection strategies.

Why You Should Listen to This Episode

As data protection professionals, staying informed about industry trends and legislative changes is crucial to maintaining compliance and safeguarding your organisation’s data. This episode equips you with the knowledge you need to navigate the data protection challenges of 2025, helping you build a robust strategy for the year ahead. Whether you’re looking to anticipate legal shifts or prepare for emerging threats, this episode has the insights you need to stay ahead in the fast-moving world of data protection and cybersecurity.


Listen Now to Get Ready for 2025

Tune in to hear Catarina, Phil, and Joe’s expert analysis on what to expect in the world of data protection in 2025. With a focus on the trends, challenges, and legislative changes that will shape the year ahead, this episode is essential listening for anyone looking to strengthen their data protection strategy.

Click below to listen to the full episode, or visit Spotify and listen back to all 200 episodes.

Final Episode of 2024

Data Protection Made Easy Podcast – Final Episode of 2024: A Farewell to Jasmine Harrison

As we close out 2024, we celebrate the remarkable journey of the Data Protection Made Easy Podcast with a special episode dedicated to reflecting on the year gone by and bidding a heartfelt farewell to our esteemed co-host, Jasmine Harrison.

In this final episode, we take a trip down memory lane to revisit some of the top episodes and most memorable moments of the year. From insightful discussions on data protection challenges to deep dives into the latest cybersecurity trends, 2024 has been a year filled with engaging content and expert insights. But today, we also pause to celebrate Jasmine’s incredible contributions to the podcast, her dedication to the data protection community, and the impact she’s made over the years.

What to Expect in This Episode:

  • A look back at the top episodes of 2024 that resonated with our audience and sparked important conversations.
  • Highlights from Jasmine’s most memorable moments on the podcast.
  • Reflections on how the podcast has evolved over the years and the milestones we’ve achieved as a community.
  • A special farewell message to Jasmine and her future endeavours.

While we’ll miss Jasmine’s insight and energy on the podcast, we’re excited to continue delivering top-tier data protection and cybersecurity content in 2025. Stay tuned for more exciting episodes, new guest speakers, and fresh perspectives in the year ahead.

Thank You, Jasmine

Jasmine, your contributions have been invaluable, and we wish you nothing but the best in your future pursuits. Thank you for being a key part of our journey!

Listen to the final episode of 2024 and join us in celebrating Jasmine’s legacy on the podcast. You can listen back via the player below or you can tune in on Spotify and listen back on demand.

Top Tips for the Holiday Season

Festive Data Protection: Top Tips for the Holiday Season

The festive period is a time of celebration and reflection, but for organisations, it’s also a time when data protection risks can reach their peak. In episode 198 of the Data Protection Made Easy podcast, hosted by Caine Glancy, Phil Brining, and Susanne Reid, we explored the unique challenges businesses face during the holidays and shared actionable tips to keep your organisation’s data secure.

Why Are Data Protection Risks Higher During the Festive Season?

For many organisations, the festive period brings:

  • Reduced Staff Coverage: With employees taking holidays, fewer team members are available to monitor systems, increasing the risk of breaches and delays in addressing incidents.
  • Increased Cyber Threats: Cybercriminals take advantage of the holiday season, knowing that security protocols may not be as tightly monitored.
  • Heightened Operational Pressure: Retailers, logistics companies, and other sectors face significant demand spikes, which can lead to oversights in data handling and security.
  • Festive Marketing Campaigns: Increased use of personal data for marketing initiatives can expose organisations to compliance risks if not handled properly.

Identifying and Combating Festive Risks

In this insightful session, our hosts discussed the critical areas organisations should focus on during the holiday period:

  1. Staff Awareness: Ensure all employees are trained to spot phishing emails, suspicious links, and other social engineering tactics.
  2. Secure Remote Working: With many teams operating remotely or on reduced hours, it’s essential to reinforce secure access protocols and ensure all remote connections are encrypted.
  3. Reviewing Permissions: Before the holidays, review and restrict access to sensitive data for staff who don’t need it during this period.
  4. Incident Response Plans: Ensure your incident response team is on standby and that all employees know how to report data breaches or security issues.
  5. Third-Party Risks: Monitor the activities of any third-party processors handling your data, especially if you rely on them during peak times.

Key Insights Shared by Our Hosts

  • Caine Glancy provided practical advice for maintaining strong security protocols during periods of reduced staffing.
  • Phil Brining highlighted real-world examples of holiday breaches and how organisations could have prevented them.
  • Susanne Reid, making her debut on the podcast, shared valuable insights into compliance risks associated with festive marketing and data sharing.

Why Listen to This Episode?

Whether you’re a data protection officer, a business owner, or a professional tasked with managing compliance, this episode offers essential tips to navigate the unique challenges of the holiday season. From safeguarding sensitive data to ensuring smooth operations, our hosts provide a roadmap for staying compliant and secure.

Tune In for the Full Details

For the complete discussion, tune in to episode 198 of the Data Protection Made Easy podcast. Hear real-world examples, actionable advice, and expert insights tailored to help your organisation mitigate risks and thrive during the festive period.


With over 1,400 subscribers, the Data Protection Made Easy podcast is your trusted source for staying ahead in data protection. Subscribe on Spotify, Amazon Music, or your favourite platform to ensure you never miss an episode.

Prepare your organisation for the challenges and opportunities of the festive season with the expert guidance shared in this episode.

GDPR Radio: December’s News Highlights


At Data Protection People, our GDPR Radio episodes have become a cornerstone of the Data Protection Made Easy podcast, offering a dynamic platform to explore the latest trends, regulatory updates, and challenges in data protection. In our December episode, hosted on 1st December 2024, we delved into some of the most significant topics in the world of GDPR and data protection, keeping our listeners informed and ahead of the curve.

What is GDPR Radio?

GDPR Radio is more than just a podcast—it’s a community-driven conversation designed to keep businesses, data protection professionals, and enthusiasts informed about the rapidly evolving data protection landscape. Each episode, our expert hosts break down the latest news, provide actionable insights, and tackle pressing questions from our live audience.

This episode featured Philip Brining, Joe Kirk, and Catarina Santos, who brought their unique expertise to the table, ensuring a comprehensive discussion. From regulatory updates to practical compliance advice, this session offered invaluable insights for organisations of all sizes.

What Was Discussed?

During this episode of GDPR Radio, our hosts unpacked:

  • Regulatory Developments: Key changes and updates to data protection laws in the UK and EU, helping businesses stay informed and compliant.
  • Recent Data Breaches: Analysis of high-profile breaches and the lessons organisations can learn to strengthen their data security measures.
  • Industry Trends: Insights into emerging trends in data protection, including how technology and evolving regulations are shaping compliance requirements.
  • Interactive Discussions: Listeners joined the conversation, posing their own questions and sharing experiences, fostering a collaborative environment where real-world challenges were addressed.

The Value of Community

At the heart of GDPR Radio is its thriving Data Protection Made Easy community, comprising over 1,400 subscribers from diverse industries. Joining our sessions isn’t just about listening—it’s about engaging with like-minded professionals, sharing insights, and staying connected with the latest in data protection.

As a subscriber, you gain access to:

  • Live Episodes: Participate in our live sessions, ask questions, and network with industry professionals.
  • On-Demand Access: Catch up on past episodes via Spotify, Amazon Music, or our website resource centre.
  • Exclusive Resources: Access templates, tools, and expert guides designed to make data protection simpler and more effective for your organisation.

How to Join the Conversation

Becoming a part of the Data Protection Made Easy community is simple:

  1. Visit our website’s events page to explore upcoming topics and register for free.
  2. Subscribe to our podcast on your favourite streaming platform to never miss an episode.
  3. Engage with us on social media, where we regularly share insights, updates, and resources.

Listen Back to the Episode

If you missed this episode of GDPR Radio, don’t worry! You can listen back to the discussion and catch every detail by clicking the Spotify widget below.

Our Events & Webinars

Industry Leading Discussions

We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.

GDPR Radio - Episode 201 Data Protection News & Views
17 January 25 12:30 - 1:30 pm


Final Data Protection Made Easy Podcast of 2024
20 December 24 12:30 - 1:30 pm


Get Support With Data Protection And Cyber Security

Our mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.
