The UK's #1 Data Protection Consultancy

Data Protection & Information Security Experts

Data Protection Made Easy.

Join our extensive list of clients who have their data privacy under control

Accelerate Your Data Protection Compliance

Save Time, Save Money and Relax: You’re In Safe Hands

Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.

Outsourced DPO

A data protection officer doesn't have to be a full-time employee, and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services or reach out and get in touch with us.


Data Protection Support

Data Protection People's world-class GDPR Support Desk. If you're navigating the complex landscape of data protection, PCI DSS, and cybersecurity, our support desk is your reliable compass.


GDPR Audits

A range of high-level reviews, detailed audits and mid-range assessments to test compliance with data protection laws and standards.


SAR Support

Explore our Subject Access Request (SAR) Handling Service and understand how Data Protection People can support your organisation


Need Help With Cyber Security Compliance?

We Have You Covered!

At Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.

PCI DSS Compliance Services for Merchants

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.


PCI DSS Compliance Services for Service Providers

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.


External Attack Surface Management

Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.


ISO 27001

Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.


Supporting DPOs

Flexible Support When You Need It

At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.

Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.

Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.

Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.

Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.

Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.

Diverse Sector Experience

Access to a Team of Industry Experts

At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.

Commercial Sector

Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.

SMEs

Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimize your operations, and scale confidently with our tailored solutions that prioritize your unique business needs.

Third Sector

For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.

Multi Nationals

For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavors with resilience.

Public Sector

In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.

Why Use Our Outsourced DPO Services?

Save Time, Money and Guarantee Compliance

Navigating the intricate landscape of data protection demands more than just a DPO — it requires a dedicated team committed to excellence. Our Outsourced DPO Services extend beyond the traditional role, offering a comprehensive approach to legal compliance and pragmatic solutions.

Why Choose Outsourcing?

An outsourced DPO brings a wealth of experience, not just in the law but also in crafting workable solutions. Their impartiality is fortified by a team of privacy practitioners, ensuring that your organization benefits from a spectrum of expertise. Should the need arise, seamless coverage during absences is guaranteed, eliminating the vulnerability associated with a single in-house DPO.

Staying Headache-Free

Concerned about the disruption if your DPO moves on? With an outsourced model, transitions are smooth, and you won’t experience the sudden headache of a critical role vacancy. The continuity provided by a team ensures that your data protection responsibilities are seamlessly handled.

Compliance Tailored to You

Our Outsourced DPO Services align seamlessly with your legal obligations, whether you’re mandated to appoint a DPO or choose to do so voluntarily. We understand that compliance is not just about ticking boxes but about ensuring a robust, practical approach to data protection. Choose Data Protection People for a worry-free, compliance-driven outsourced DPO solution — because your data protection journey should be as smooth as it is secure.

“I can’t recommend Data Protection People enough, they have helped me in so many different areas, no matter how complex the challenge or how large the obstacle, DPP always has the answer.

I can call the team at any time and have built an amazing relationship with them, in times of frustration they are here to calm me down and create a plan, they are a pleasure to work with.”

Mark Leete
Eastlight Community Homes

Data Protection People Blogs & Podcasts

Data Privacy Learning & Guidance

Data Protection People have the UK’s #1 Data Protection Podcast, with over 150 episodes available across all audio streaming platforms. We also post regular content designed to simplify complex areas of data protection and cyber security. Check out some of the podcasts and articles below and make data protection easy today.

Business Development Executive Job

Join Our Team as a Business Development Executive

Location: Leeds (Hybrid – 4 days in office)
Department: Sales & Marketing
Contract Type: Full-Time, Permanent
Salary: £28,000–£35,000 + Uncapped Commission (DOE)
Start Date: Immediate

Are You Ready to Grow With a Business That’s Going Places?

We’re hiring a Business Development Executive at a pivotal moment for Data Protection People. With a new Sales & Marketing Director onboard and a full-scale transformation underway, this is your chance to join a team on the rise.

You’ll take ownership of lead generation, build meaningful B2B relationships, and support our mission to simplify data protection and cyber security. If you’re target-driven, motivated by growth, and ready to shape your sales career, we want to hear from you.

What Will You Be Doing?

  • Generate new business leads through outbound activity and referrals
  • Follow up on warm prospects and re-engage past clients
  • Manage your pipeline using Salesforce and keep the CRM up to date
  • Book and attend meetings (in-person or virtual) to understand client needs
  • Support product demonstrations and help close deals
  • Achieve monthly KPIs and contribute to revenue targets
  • Cross-sell new services to existing clients
  • Attend industry events to represent the business and generate leads
  • Work closely with delivery teams to ensure smooth handovers

Who We’re Looking For

Essential:

  • Proven B2B sales or business development experience
  • Excellent communication, negotiation, and relationship-building skills
  • Confident using CRM systems and Microsoft Office
  • Motivated, self-driven, and ready to hit the ground running

Desirable:

  • Experience with Salesforce CRM
  • Sales background in consultancy, tech, or professional services

What You’ll Get

  • £28k–£35k base salary + commission (depending on experience)
  • Hybrid working – 3 days per week in our Leeds office
  • Free onsite parking at The Tannery
  • Up to 30 days holiday + bank holidays
  • Access to expert mentoring and career development support
  • Regular team socials, charity events, and wellness perks

About Our Location

You’ll work from our vibrant office at The Tannery, 91 Kirkstall Road, LS3 1HS. We’re just a 10-minute walk from Leeds train station, with excellent public transport links and free parking available.

Ready to Apply?

If you’re excited by the opportunity to grow your sales career with a forward-thinking, purpose-led organisation, apply today. Email [email protected]. Submit your CV and tell us why you’re the right fit for the team.

 

Subject Access Requests and Internal Conflicts of Interest

Subject Access Requests and Internal Conflicts of Interest: Navigating the Grey Areas

When it comes to Subject Access Requests (SARs), few are more complex, or more sensitive, than those submitted by employees and ex-employees. Unlike customer SARs, which are often straightforward, staff-related requests are frequently wrapped up in wider disputes, grievances, or pending legal claims. At Data Protection People, we see it time and again: an employee leaves under difficult circumstances, then shortly afterwards, a SAR lands in HR or Legal’s inbox. It’s no coincidence. These types of requests are often tactical, designed to uncover evidence, test procedural fairness, or support an employment tribunal claim. That’s perfectly within the rights of the data subject, but it raises real challenges for employers, especially when conflicts of interest are involved. This blog is about Subject Access Requests and Internal Conflicts of Interest.

Why Internal SARs Are So Tricky

Employee SARs don’t just trigger administrative effort — they often force organisations to walk a tightrope between transparency and risk. You’re being asked to hand over information that may include:

  • Emails between managers

  • Notes from disciplinary meetings

  • Internal chats or instant messages

  • Performance reviews

  • Legal advice (potentially exempt)

All of this might involve opinions, judgements, or allegations made by other staff members — sometimes senior managers, sometimes HR personnel. And when the very people handling the SAR are involved in the subject matter, conflicts of interest can quietly undermine the integrity of the process.

What Is a Conflict of Interest in SAR Handling?

A conflict of interest occurs when someone involved in responding to a SAR has a personal stake, consciously or not, in the outcome. This could be the HR officer who issued the warning the requester is contesting. Or the manager whose conduct is under scrutiny. Or even an internal investigator who has exchanged emails about the subject.

When these individuals are responsible for locating, reviewing, or redacting data, impartiality is compromised. There’s a risk of information being withheld, over-redacted, or delayed, not necessarily out of malice, but due to unconscious bias or protective instincts.

And that’s a problem. Because if the data subject suspects foul play or receives an incomplete response, they can escalate to the ICO, lodge a complaint, or use it to strengthen their legal case.

Practical Steps to Manage Subject Access Requests and Internal Conflicts of Interest

Organisations should assume that internal SARs will be scrutinised more heavily and act accordingly. Here are practical steps to manage them with confidence and compliance:


1. Separate the People from the Process

Ensure that anyone directly involved in the dispute does not participate in locating, reviewing, or approving the SAR response. Where possible, assign SAR handling to someone independent, ideally within your data protection or legal team.

2. Document Everything

Keep a clear record of:

  • Who handled the request

  • What searches were conducted

  • What redactions were applied and why

  • What exemptions were used

This is your audit trail, invaluable if the decision is challenged or reviewed by the ICO.

3. Be Transparent About Exemptions

If you’re withholding data under an exemption (e.g., legal privilege or management planning), be upfront about it in your response. You’re not required to give full detail, but clarity fosters trust.

4. Use a SAR Triage Approach

Have a process in place to flag SARs that involve:

  • Internal disputes or grievances

  • Legal proceedings or tribunal claims

  • High volumes of emails involving senior staff

These should be prioritised and escalated to senior data protection personnel, not left to junior HR or admin staff.

5. Treat SARs as More Than Admin

A SAR isn’t just a compliance exercise; it’s an insight into how your organisation handles people, transparency, and power. Even when there’s legal protection to withhold certain content, always consider the human context and reputational risk.


The Legal Landscape: Don’t Cut Corners

There’s a temptation in contentious SARs to protect the organisation first. But the law is clear: SARs are a right, not a favour. Employers cannot ignore, delay, or heavily redact responses purely to protect internal politics.

Yes, exemptions under the Data Protection Act 2018 may apply, such as:

  • Legal advice and privilege

  • Confidential references

  • Management forecasting or planning

But these must be applied fairly and justifiably. Misuse of exemptions can lead to enforcement action or reputational damage.


Final Thoughts: Integrity is Everything

When a SAR becomes part of a wider conflict, the stakes are higher, for both the data subject and the organisation. Mishandling the process, whether intentionally or through poorly managed conflicts of interest, risks turning a manageable issue into a major liability.

At Data Protection People, we support organisations with complex and high-risk SARs, especially those involving internal dynamics. From independent reviews to redaction support and strategic advice, our goal is to help you handle even the toughest SARs with clarity, consistency, and compliance. To find out more about Subject Access Requests and Internal Conflicts of Interest, listen to our podcast episode here.


Need help with a sensitive SAR?
Get in touch with Data Protection People, the UK’s leading data protection consultancy. Our experts are on hand to help you manage requests professionally, fairly, and legally.

The UK Data Bill

More Delays, More Questions – What’s Really Happening with the UK Data Bill?

In a significant turn of events for the UK’s data governance landscape, the House of Lords has delivered a powerful rebuke to the government’s ongoing attempts to relax rules for artificial intelligence companies. Peers backed an amendment to the Data Use and Access Bill (DUA Bill) that would require AI developers to disclose which copyright-protected materials they have used to train their models. 

This legislative pushback is not only a victory for creators and rights holders, but also a necessary check against opaque AI development practices that clash with the fundamental transparency and accountability principles enshrined in UK GDPR. 

While this debate may appear niche, it’s about far more than copyright. It’s about direction, principle, and pace. The government finds itself caught between wanting to move fast on digital reform and the growing public and professional concern that it’s leaving too many critical rights and safeguards behind. 

The UK Data Bill – More than a technicality 

This is the second time peers have tried to build stronger protections into the UK data bill, and the concern is clear: that certain sectors, in this case the UK’s creative industries, are being asked to sacrifice their intellectual property without proper consultation, clarity, or compensation.

The amendment, passed in the House of Lords on 12 May 2025 and led by Baroness Beeban Kidron, requires AI developers to declare which copyrighted content has been used during the training of their large language models (LLMs) or generative AI systems.  

For AI providers, this requirement introduces several new burdens: 

  • Model provenance tracking – AI companies will now be expected to identify and document source materials with precision. 
  • Copyright rights-holder mapping – The relationship between copyright and personal data may overlap, requiring hybrid legal assessments. 
  • Further legislative delays – The amendment sends the bill back to the Commons and sets up a likely back-and-forth (“ping-pong”) between chambers. 

Tightening the Definition of Scientific Research: Why Amendment 43B Matters 

Another key flashpoint in the Lords’ debate was the definition of “scientific research”. Critics have feared that overly vague language could allow companies to justify data processing under the loose guise of research, blurring the line between genuine science and commercial experimentation. 

To address this, Amendment 43B, tabled by Viscount Colville, proposes a more structured approach. It defines scientific research using the internationally recognised OECD Frascati Manual and requires that such activity adhere to appropriate ethical, legal, and professional frameworks. 

Supporters say this brings much-needed clarity and protects public trust, particularly in sensitive areas like health and AI. But others warn it could impose unnecessary red tape. Critics, including the government, argue that most researchers already work under existing ethical standards, and that formalising these requirements in legislation could add bureaucratic burdens without clear benefits. 

As the Minister put it, this might risk “chilling basic and curiosity-driven research”, especially in universities and early-stage innovation. The question is whether this safeguard enhances public interest, or simply slows scientific progress without fixing a clearly defined problem. 

Meanwhile, the clock is ticking 

There’s another reason this matters. The current data adequacy agreement with the European Union, the legal basis that allows personal data to flow freely from the EU to the UK, expires at the end of 2025. It may seem far away, but in regulatory terms, that’s the blink of an eye. 

If the EU concludes that the UK’s new data regime no longer offers “essential equivalence” to GDPR, there’s a real risk the adequacy decision won’t be renewed. This would be a major headache for businesses that operate across borders, especially SMEs that don’t have the resources to manage complex legal workarounds. 

The EU has made clear that it’s watching UK reforms closely. Every amendment, every concession, every consultation outcome will be weighed against the EU’s high bar for data protection. And right now, it’s not entirely clear where the UK will land. 

So where does that leave us? 

For now, the UK data bill returns to the Commons. The government can either accept the Lords’ changes or try to remove them, which would trigger another confrontation in the upper house. That back-and-forth could mean more delays, and more uncertainty for businesses trying to plan ahead. 

It’s a frustrating situation. The UK does need a modern, responsive data regime. But reform without clarity, trust, and proper engagement will only slow things down further. 

At this point, we urge organisations not to wait on the sidelines. Review your data flows, understand where your EU connections lie, and keep a close eye on how the adequacy conversation develops over the next 6–12 months. The decisions made in Parliament today could have serious operational and legal implications tomorrow. 

As ever, our team is here to help clients navigate this shifting landscape. Check out our podcast on the DUA Bill here.

 

Exploring Signatures as Biometrics

When Your “John Hancock” Becomes Sensitive Data: Exploring Signatures as Biometrics

Ever looked at your signature and thought, “It’s just a fancy way I write my name”? Think again. In our increasingly digital world, that casual scribble at the bottom of forms is gaining new significance, particularly in places like Jamaica, where the Jamaican Data Protection Act (JDPA) now classifies signatures as sensitive biometric data, putting them in the same category as fingerprints and DNA.

This classification isn’t just fancy legal talk, it’s recognising that your signature has unique behavioural patterns that only you make.

What Makes Your Signature Biometric Data?

Under Jamaica’s Data Protection Act, biometric data is defined as “any information relating to the physical, physiological or behavioural characteristics of an individual, which allows for the unique identification of the individual.” But what exactly makes a signature biometric?

Consider what happens when you sign your name:

  • Your hand moves in patterns nobody else can perfectly replicate
  • You apply distinctive pressure with your pen
  • Your personal hand-eye coordination manifests in each stroke
  • Your signature even reveals subtle hints about your personality and current mood

The way you make loops in your letters, the special touches you add, and how fast you move the pen on the paper: these things are just as unique to you as your face or fingerprints.

In today’s digital landscape, e-signatures take this biometric data collection even further:

  • They capture exactly how quickly you move the stylus
  • They note when you pause (even for milliseconds)
  • They measure precisely how much pressure you’re applying
  • They record the exact timing between each stroke

The Dual Nature of Signatures

Signatures occupy a unique position in the spectrum of biometric identifiers:

  1. A traditional form of verification – Signatures have been used for centuries as a means of authentication, predating modern digital identification methods.
  2. A behavioural biometric – Each signature contains distinctive characteristics including pressure points, speed, stroke order, and style that can be analysed to verify identity.

This duality creates an interesting challenge. People easily give signatures without concern, unlike fingerprints or facial scans, which raise privacy worries. However, the JDPA classifies signatures as “sensitive personal data,” meaning they need extra protection.

Take a moment to count how many times you’ve signed something in the last month alone:

  • Credit card receipts
  • Package delivery confirmations
  • Work documents
  • Medical intake forms

Each instance represents you handing over sensitive personal data without giving it a second thought!

Implications for Organisations

The classification of signatures as biometric data has several significant implications:

  1. Data Protection Officer Requirement: Organisations regularly collecting signatures may need to appoint a dedicated officer to oversee data protection compliance.
  2. Enhanced Security Measures: Signatures require stronger security measures than ordinary personal data, including appropriate technical and organisational safeguards.
  3. Explicit Consent Requirements: Organisations collecting signatures need proper consent mechanisms that specifically address the biometric nature of signature data.
  4. Records Management Challenges: Both physical and digital signatures must be properly stored, retained, and eventually disposed of with appropriate security measures.

Practical Steps Forward

Organisations processing signatures should consider taking these steps:

  1. Audit current signature collection practices
  2. Assess whether a Data Protection Officer appointment is necessary
  3. Review consent mechanisms to ensure they address the sensitive nature of signature data
  4. Implement appropriate security measures for both physical and digital signature storage
  5. Develop retention policies that limit unnecessary storage of signature data

Conclusion

Your signature is more than just a name. It is a piece of YOU. It is biological data that reveals how your brain and body work together. It contains patterns as unique as a fingerprint. Yet, we share it freely without much thought. By classifying signatures as “sensitive personal data,” the JDPA highlights their role as unique personal identifiers. This recognition ensures they receive the protection they deserve.

Next time someone casually asks you to “sign here,” remember you’re not just confirming something, you’re handing over biometric data (a form of sensitive personal data) that’s increasingly protected by law around the world.

As businesses adjust to new regulations, they need to balance their practical needs with stronger data protection, keeping signatures both secure and easy to use.

With growing concerns about data privacy, it’s time we give our “John Hancock” the protection it truly deserves.

 

Managing Employee SARs

Managing Subject Access Requests from Employees & Ex-Employees

Data Protection Made Easy Podcast – Episode 114

Subject Access Requests (SARs) submitted by current or former employees are among the most sensitive and complex data protection challenges organisations face. In Episode 114 of the Data Protection Made Easy Podcast, we welcomed Nia Roberts from Woodgate & Clarke to share her insights alongside our regular hosts Philip Brining, Catarina Santos, and Caine Glancy.

If you’re involved in HR, legal, compliance, or data protection, this is an episode you won’t want to miss. SARs from staff can surface during contentious periods and often involve highly personal data, workplace grievances, and emotionally charged decisions.

Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.

What We Covered

This session dives into some of the most frequently asked questions and overlooked risks when handling SARs from employees and ex-employees. The team explored:

🔹 Common Triggers and Misconceptions

From employment disputes and grievances to misunderstanding of rights, we discussed the motivations behind employee SARs and how these requests are sometimes unfairly perceived as “troublemaking.”

As Catarina Santos explained, it’s essential to reframe the narrative:

“The moment an employee submits a SAR, there’s often suspicion. But they’re simply exercising a right, and organisations need to avoid viewing this as a hostile act.”

🔹 SARs and Organisational Culture

The episode opened with a reflection on how important organisational attitude is when dealing with SARs internally. Do line managers panic? Do HR teams try to limit the scope unfairly? The cultural tone of how SARs are approached sets the standard for compliance, and respect for rights.

🔹 The Community Speaks

This episode was particularly lively, with dozens of listeners sharing personal experiences in the live chat, from management asking for redaction reviews to WhatsApp messages being considered disclosable.

Philip Brining highlighted the value of the community:

“We’re not here to preach, we’re here to learn from each other. Today’s discussion proved again how much experience exists across this community.”

🔹 Tools of the Trade: Teams, WhatsApp & Chat Platforms

Are your workplace chat tools covered by SARs? Very possibly. The group discussed how platforms like Microsoft Teams, Slack, and WhatsApp are increasingly scrutinised during employee SARs, especially if conversations include personal data.

🔹 Balancing Access, Proportionality, and Security

SAR compliance doesn’t mean giving everything. As Caine Glancy pointed out, organisations must strike a balance between access and protection:

“It’s easy to get swept up in emotion, especially when the SAR involves current staff. But we need to remain impartial, proportional, and legally grounded.”

The team also touched on unfounded and excessive requests, case law, and the ICO’s guidance on managing SARs in the workplace — especially when IT systems and data security are involved.

What made this episode stand out was the depth of real-world experiences shared. Guest speaker Nia Roberts brought front-line insight, including how to manage expectations and collaborate across departments:

“You need strong communication between data protection and IT teams. It’s essential, especially when you’re dealing with chat logs or historic data held in messaging tools.”

Want More Like This?

The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.

  • Subscribe to our mailing list by emailing [email protected]
  • Join live discussions every Friday at lunchtime
  • Find out more about our events, training, and in-person roundtables

Looking Ahead

Due to overwhelming demand and an overflowing chat box, we’re exploring a Part 2 to this session, diving deeper into recurring SAR issues, including excessive requests, HR workflows, and lessons from recent case law.

Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.

Special May Promotion: Free SAR Consultations

This month, we’re offering free consultations on SAR handling to any organisation looking to improve their internal process.

Whether you’re struggling with redaction, document searches, or managing requests from difficult cases, speak to one of our experts for practical support.

📩 Simply email us at [email protected] with the subject line SAR Support, and we’ll book in a free 30-minute consultation.

Joe Kirk’s Top 10 Tips

Joe Kirk’s Top 10 Tips: Lessons from a Career in Data Protection

In this special episode of the Data Protection Made Easy podcast, long-time host and data protection consultant Joe Kirk reflects on his journey through the world of privacy and compliance—from his early days in sales, speaking to hundreds of DPOs across the UK, to becoming a consultant himself and working with a wide range of clients across every major sector.

As this marks Joe’s final regular appearance on the podcast, we dedicated the session to the Top 10 Lessons He’s Learned over the last four years. These are practical, honest, and experience-based takeaways that he hopes will help current and aspiring DPOs make a meaningful impact in their roles.

Key Themes Discussed

  • How sales and consulting provide different but complementary perspectives on data protection
  • The common challenges DPOs face regardless of sector or organisation size
  • The importance of empathy, curiosity, and communication in building trust
  • Avoiding the “tick-box” mentality and becoming a strategic advisor
  • Keeping your knowledge current in a fast-moving legal and tech landscape
  • How to show your value to the business even when you’re not customer-facing
  • Why DPOs should be involved in decision-making at the earliest possible stage
  • Balancing legal risk with operational reality
  • Encouraging a culture of accountability, not fear
  • The importance of continuous learning – and what Joe would do differently if starting today

These tips are relevant whether you’re new to data protection, already in a DPO role, or even an employer looking to build a successful privacy function.

A Time of Transition for Data Protection Made Easy

Joe’s departure also marks the beginning of a new phase for the Data Protection Made Easy community. As we look to evolve and bring even more value to our subscribers, we’re making some important changes:

Podcast Frequency
We will now host one episode per month, instead of weekly. This allows us to:

  • Deep dive into more meaningful topics
  • Reintroduce guest speakers and expert panels
  • Focus on sector-specific challenges and use cases
  • Provide more actionable takeaways for our listeners

In-Person Events
To complement our podcast, we’ll be launching monthly in-person events, starting with a Housing Sector Roundtable in Leeds. These will be free to attend and packed with:

  • Expert guest speakers
  • Open discussion sessions
  • Networking opportunities
  • Food, drink, and sector-specific guidance

If you’re in the housing sector or work in data protection in Yorkshire, this is a great chance to connect with our team face-to-face. More info coming soon.

Monthly Newsletter
To replace our weekly GDPR Radio news episodes, we’ve launched a monthly email newsletter with:

  • Top stories from the ICO and UK government
  • Regulation changes and enforcement action recaps
  • Insights from the Data Protection People team
  • Highlights from recent podcasts and events

If you’re a subscriber, your first issue should already be in your inbox! If not, sign up here:

Subscribe to the Newsletter

What’s Next?

We’ll soon be publishing a full article on Joe’s Top 10 Tips for DPOs, expanding on the episode with real-life examples, links to useful tools, and guidance from our team. This will be available in the Resource Centre and shared with our newsletter subscribers.

We’ll also be sharing details on our 10-Year Anniversary Celebration taking place in July 2025. If you’re based in Leeds and would like to attend this free event, keep an eye out for the invitation — food, drinks, music, and privacy professionals all under one roof (plus a special guest DJ set from Joe himself!).

Keep in Touch with Joe

While Joe is stepping away from the podcast, you may still hear him pop up as a guest speaker in future episodes or events. He’s made a lasting impact on our community and we’d love for you to stay connected with him: Connect with Joe on LinkedIn

Catch Up On Demand

Listen to Episode 213 – Joe Kirk’s Top 10 Tips on Spotify

Or find us on Apple Podcasts, Amazon Music, and all major streaming platforms.

Thank you to Joe for four years of thoughtful, passionate, and incredibly valuable contributions to the Data Protection Made Easy community. We’ll miss him as a regular host, but we know this isn’t goodbye – just see you later.

GDPR Radio – Episode 212

GDPR Radio – Data Protection News of the Week

In Episode 212 of GDPR Radio, the news-focused arm of the Data Protection Made Easy podcast, our hosts Phil, Catarina, and Joe returned to unpack the latest headlines and developments in the world of data protection.

This interactive session offered an hour of engaging, thought-provoking discussion with a live audience made up of DPOs, legal professionals, cyber security experts, and privacy enthusiasts. As always, we covered what matters most to the data protection community—breaking down key cases, legislative shifts, and industry commentary in a simple, digestible way.

What We Discussed

In this episode, we explored:

  • Latest ICO enforcement actions and what they mean for organisations in regulated sectors
  • Notable data breaches from the past fortnight and the implications for incident response practices
  • The future of AI & consent – how regulators are shaping their approach to emerging technologies
  • UK data reform updates and their impact on DPO responsibilities
  • Plus, we answered live questions from our audience in real-time!

Whether you joined us live or plan to catch up later, Episode 212 was packed with valuable insights for data protection professionals at all levels.


How to Join Future Episodes

We host live podcast episodes every Friday between 12:30 and 13:30. These sessions are free to attend and open to anyone with an interest in data protection or cyber security. To receive weekly invitations straight to your inbox, simply sign up via our website:

👉 Subscribe to Podcast Invites


Earn IAPP CPE Credits

Listening to Data Protection Made Easy live or on-demand may qualify you for Continuing Professional Education (CPE) credits with the IAPP. Attendees can self-certify their participation by keeping a record of attendance or listening history.


Be Part of the Community

The Data Protection Made Easy podcast isn’t just a podcast—it’s a growing community. With over 1,500 subscribers and 200+ episodes, we’re proud to offer a space where professionals can learn, share ideas, and stay ahead of the curve. Each week, our live chat is buzzing with questions, opinions, and useful links from fellow practitioners.


Catch Up On Demand

Missed the live session? You can listen to Episode 212 and all previous episodes on Spotify, Amazon Music, Apple Podcasts, or wherever you get your podcasts.

🎧 Listen to GDPR Radio – Episode 212 on Spotify


Let us know what you thought of the episode or share a topic you’d like to see covered in a future edition of GDPR Radio!

How to Stand Out as a DPO

How to Stand Out as a DPO – Episode 211 of the Data Protection Made Easy Podcast

In this week’s episode of the Data Protection Made Easy podcast, our expert hosts Joe Kirk, Catarina Santos, and Phil Brining came together to explore one of the most popular and debated topics in the data protection space: what it takes to stand out as a Data Protection Officer (DPO) in today’s fast-evolving landscape.

With over 200 episodes under our belt, Data Protection Made Easy has always been about honest, accessible conversations—and this one was no different. Episode 211 sparked lively discussion, professional debate, and some healthy disagreements between our hosts, all of which reflect the complexity and diversity of views in our field.

We tackled the key ingredients that make a truly exceptional DPO:

  • What skills separate a great DPO from a good one?
  • How much do certification and formal training matter?
  • Is legal knowledge more important than technical awareness?
  • How do you build influence within an organisation as a DPO?
  • What are hiring managers really looking for in a data protection lead?

One of the biggest takeaways from this episode is that there is no single “correct” route to becoming a successful DPO. Some of our speakers emphasised strong legal backgrounds, while others focused on communication, pragmatism, and an understanding of real-world implementation. It’s this range of perspectives—and the opportunity for our community to challenge and expand on them—that makes our podcast so valuable.

Whether you’re:

  • An aspiring DPO looking to break into the industry,
  • A practising DPO interested in sharpening your approach,
  • Or an employer or recruiter trying to understand what makes an impactful DPO,

this episode is packed with practical advice, reflection, and a few strong opinions that will get you thinking.


Want to Join the Conversation?

Our sessions are completely free to join and happen live every Friday from 12:30 – 13:30 (UK time) via Microsoft Teams. When you attend live, you’ll be part of our interactive chat, gain access to shared resources, and have the opportunity to ask questions or share your perspective.

If you can’t make it live, don’t worry—every episode is available on Spotify and all major streaming platforms so you can catch up any time.

👉 Subscribe to join future episodes
🎧 Listen back on Spotify
📩 Or sign up to receive weekly invites straight to your inbox.


Up Next: Episode 212 – GDPR Radio

Join us next Friday for GDPR Radio, our fortnightly roundup of data protection news, enforcement actions, and thought-provoking discussions. If you want to stay ahead of regulatory developments and understand what’s shaping our industry in real time, this is the place to be.

Thank you for being part of the Data Protection Made Easy community—see you next week!

Our Events & Webinars

Industry Leading Discussions

We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.

AI Tools & GDPR: What You Need to Know
13 June 25 12:30 - 1:30 pm

Housing Sector SARs: Rising Risks, Real Solutions
29 May 25 10:00 - 2:00 pm

Get Support With Data Protection And Cyber Security

Our mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.