Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.
Data Protection People have a wide range of training services catering for every need. Whether its general training for operational or admin staff or specific training for specialist roles, we have something for you. watch the short video below to meet the team and find out more about our training services.
Contact Us
DataWise is the original privacy tech platform designed to simplify GDPR compliance management. Since its inception in 2011, DataWise has continuously evolved, solidifying its reputation as the pioneering "privacy tech" solution.
Contact Us
Unlock Compliance Excellence with Our GDPR Consultancy Services. Navigating the intricate realm of data protection laws and standards demands expert guidance.
Contact Us
A data protection officer doesn't have to be a full time employee and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services or reach out and get in touch with us.
Contact UsAt Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.
Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.
Contact Us
Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.
Contact Us
A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.
Contact Us
Secure your organisation with Data Protection People's Cyber Security Support. Our expert team ensures cybersecurity excellence, offering tailored support for ISO27001, PCI DSS, Cyber Maturity, Cyber Essentials Plus, and more.
Contact Us
At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.
Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.
Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.
Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.
Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.
Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.
At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.
Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.
Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimize your operations, and scale confidently with our tailored solutions that prioritize your unique business needs.
For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.
For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavors with resilience.
In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.
Data Protection People have the UK’s #1 Data Protection Podcast with over 150 episodes available across all audio streaming platforms, we also post regular content designed to simplify complex areas of data protection and cyber security, check out some of the podcasts and articles below and make data protection easy today.
Subject Access Requests (SARs) are a powerful tool for individuals. This grants them the right to access their personal data held by organisations. Yet, compliance with SARs can be challenging for organisations, particularly when requests are burdensome or potentially abusive. While it’s essential to respect individual privacy rights, there are legitimate situations where an organisation can lawfully refuse a SAR. This guide delves into the question when can you refuse a subject access request (SAR)? and the circumstances under which an organisation can deny access and the considerations needed to ensure compliance with the UK GDPR and the Data Protection Act 2018.
The UK GDPR allows organisations to refuse SARs that are “manifestly unfounded or excessive,”. But what does this mean in practice? Let’s break down these terms to understand when a SAR may qualify for refusal under these conditions.
A SAR may be considered “manifestly unfounded” if it’s clear that the requester has no genuine desire to exercise their rights. This could involve situations where the SAR is filed purely to disrupt operations, harass the organisation, or attempt to exert leverage. For example:
A request is “manifestly excessive” if it’s clearly unreasonable in scope or frequency, especially when compared to the benefit or purpose of the request. Factors to weigh include:
As part of ongoing data protection reform, the UK government is considering updating the criteria for refusing SARs from “manifestly unfounded or excessive” to “vexatious or excessive.” This new standard would broaden the range of refusals and potentially offer more protection to organisations:
Although the government has not finalised these changes, understanding the current standard allows you to prepare should they take effect.
If a SAR does not meet the “manifestly unfounded or excessive” criteria, there may still be a basis for lawful refusal via exemptions. The UK Data Protection Act 2018 provides a variety of specific exemptions in Schedule 2, which can be used to withhold certain data. It’s essential to apply each exemption thoughtfully to ensure compliance and transparency.
When using exemptions, bear in mind that each data item in the SAR must be evaluated separately. If the majority of the data can be shared without issue, it should be, with any exempt information clearly redacted.
The UK GDPR and the DPA 2018 mandate that third-party data is protected when responding to SARs. This requirement is based on the principle that individuals have a right to their own data but not to the data of others unless they have appropriate consent. Here’s how to handle third-party data in a SAR:
Legal privilege is a powerful exemption that protects communications made in the context of seeking legal advice or related to ongoing or anticipated legal proceedings. SARs cannot compel the disclosure of privileged information, including:
Management information related to strategic planning, such as restructuring efforts or redundancy plans, can often be withheld under the DPA 2018 if disclosing it would compromise organisational goals.
SARs commonly target information in HR records. Confidential references, however, are typically exempt from disclosure to protect the integrity of employment references.
Another specific exemption relates to exam scripts and academic assessments. Students are entitled to their exam results and examiner comments. However, they are not automatically entitled to copies of the exam scripts themselves.
Responding to SARs, particularly when using exemptions, requires a careful and transparent approach. Here are best practices to ensure compliance and minimise risk:
Lawfully refusing a SAR can be complex. Requiring a solid understanding of GDPR, UK data protection laws, and your organisation’s data handling policies. By carefully assessing each request wisely, you can meet compliance obligations while protecting organisational resources.
Need Expert Help with SARs?. We are here to guide you through SAR responses and when to refuse a subject access request (SAR). Reach out to simplify your data protection strategy today.
Artificial intelligence (AI) and facial recognition technologies are constantly continuing to evolve. AI and facial recognition technologies are being used for a surprising range of applications, including determining a person’s age. From verifying age for restricted purchases to protecting minors online, age-detection technology has both compelling benefits and serious concerns. In this article, we’ll explore the potential of using AI and facial recognition for age estimation. Including, the key ethical, legal, and privacy implications that organisations and consumers need to consider.
AI-powered facial recognition systems analyse images of faces to estimate age by examining facial features. These features include: skin texture, and other markers that typically change over time. These systems rely on large datasets and machine learning models trained to recognise and interpret age-related patterns. Many sectors are testing or deploying this technology. This includes retail, gaming, online platforms, and social media, to verify age and restrict access to age-sensitive content and services.
AI-driven age verification offers a range of applications that could reshape how age-restricted services are delivered:
While the technology offers convenience and enhanced safety, it also comes with significant concerns around privacy, consent, and accuracy.
Using facial recognition for age estimation raises several ethical and privacy concerns that organisations must address:
The use of facial recognition to determine age is governed by data protection laws that vary by region:
For organisations interested in using AI and facial recognition for age determination, careful consideration is essential. Here are a few best practices for responsible use:
AI and facial recognition technology offer exciting possibilities for age verification. However, organisations must weigh the benefits against significant ethical, privacy, and compliance challenges. By implementing these practices, businesses can responsibly leverage age estimation technology while respecting users’ rights and building trust.
In the complex landscape of data protection, knowing whether you are a data controller, joint controller, or processor is essential. This clarity ensures that you comply effectively with UK data protection laws.
For organisations, particularly in fields like political campaigns, understanding these roles is critical, as responsibilities can vary significantly depending on the structure and purpose of data usage.
1. Controllers, Joint Controllers, and Processors Defined
Both roles are essential under UK GDPR, and the ICO can enforce penalties against both controllers and processors for non-compliance.
2. Data Controllership in Political Campaigns In political campaigns, controllership roles can vary significantly due to the diverse structures and legal arrangements among political parties, campaign groups, and elected representatives. For example:
Political candidates, campaign groups, and political parties can access the electoral register, each serving as a controller for this data. Any data sharing between elected representatives and party offices requires careful consideration to meet UK GDPR standards, ensuring compliance in all data handling activities.
3. Real-World Controllership Examples in Campaigning
For effective GDPR compliance, organisations should clearly identify who controls each data set and under what circumstances. Mapping data flows and documenting which organisations are responsible for which data can be useful steps. It’s essential to clarify whether data is processed for a shared purpose or not, as this distinction affects the type of relationship (controller vs. joint controller) and compliance obligations.
For more information on mapping and documenting controllership relationships, consider completing a Data Protection Impact Assessment (DPIA).
After determining if you are a controller, joint controller, or processor, it’s crucial to formalise each relationship according to UK GDPR standards:
For organisations in politically sensitive areas, it’s also important to remember that the public may not fully understand the nuances of these roles. Ensuring clear and accessible ways for individuals to exercise their data rights can prevent misunderstandings and enhance trust.
Under the Data Protection (Charges and Information) Regulations 2018, most controllers processing personal data are required to pay a data protection fee to the ICO. There are exceptions for elected representatives, prospective representatives, and House of Lords members. Most political parties and campaign groups, however, are required to pay this fee. Visit the ICO website for full details on payment and exemptions.
By understanding the complex relationships in data protection and documenting your role you can ensure compliance with data protection regulations. Particularly under complex arrangements like political campaigns. Following these best practices enhances accountability, transparency, and compliance with data protection laws. This helps you manage data responsibly and maintain trust with the public.
At Data Protection People, we make data protection simple. Our expert team clarifies your role and responsibilities, ensuring GDPR compliance even in complex setups like political campaigns. With tailored training, audits, and assessments, we help keep your organisation fully compliant. Get in touch today to make data protection easy.
Accountability is one of the most significant principles of the UK GDPR. It shows to your clients, key stakeholders and employees that you’re committed to protecting personal data and take data protection seriously.
But how do you show accountability in practice? Previously, we covered example ways that guide this, and now, we’ll explore each method in detail.
Under Article 5(2), the GDPR states that organisations are responsible for complying with the six following data protection principles:
This responsibility falls within the accountability principle, which goes beyond knowing your obligations to being able to prove your compliance.
You need to demonstrate the measures you’ve taken to protect data subjects’ rights and freedoms so they can feel assured their personal data is in safe hands. Meeting this principle will improve overall compliance with the UK GDPR and demonstrate your organisation respects people’s privacy.
So, how do you comply with the accountability principle? While there may be no specific way, below, we outline some of the best measures you can take:
Under the UK GDPR, you must implement data protection policies where appropriate. It’s just one part of the GDPR documentation required to help comply with your legal obligations.
What policies you may have will vary from business to business, but there are some that should be mandatory across all:
For more guidance, see our latest guide on writing a data protection policy. We outline what needs to be covered and why policies are essential for your business.
Once the policies are approved, the real work begins. Your data protection officer (DPO) or senior management must ensure your employees know these policies and what is required of them in their day-to-day roles when handling personal data.
If you engage with organisations who handle personal data on your behalf, such as a CRM, you should enter a written binding contract called a Data Processing Agreement (DPA). This agreement outlines the roles and responsibilities of both parties for the processing, holding both accountable in meeting the obligations.
The contract or legal agreement should specify that the processor must follow your documented instructions unless the law requires otherwise and ensure their staff keeps the data confidential. It should also state that the processor must help the controller manage individuals’ rights requests and agree to audits and inspections.
The ICO provides more detail on what to include in your contract. A contract will help key parties understand their obligations and demonstrate good accountability.
Assessing and recording your processing activities shows you’re doing everything in line with your accountability obligations.
Before completing a record of processing activities (RoPA), we recommend a data mapping exercise. A data map draws out what personal data you process, where it comes from and goes, and how you store it. This is the foundation of your RoPA, which documents how and why you’re processing data. Listen to part one and part two of our RoPA roundup for more insight.
Where processing is considered a high risk to data subject’s rights and freedoms, you should assess potential data protection risks alongside recording your activities. A data protection impact assessment (DPIA) helps identify and minimise these risks from the start of new projects, allowing you to address these risks before they potentially arise.
This GDPR documentation helps maintain transparency and accountability across your organisation. To maintain this, make it easily accessible so employees can keep it up-to-date and accurate.
Organisations should identify a responsible person to assist in the organisations efforts towards data protection compliance. Where applicable, organisations will hire a data protection officer (DPO) who has specific tasks they should carry out under Article 39 of the UK GDPR. There are certain criteria that is met where appointing a DPO is a legal requirement, you can Discover if you need to appoint a DPO in our blog.
You can hire your DPO in-house or outsource it, the latter being ideal for eliminating conflicts of interest. At Data Protection People, our outsourced DPOs work independently from internal affairs and act solely on behalf of the law. Should you not require one, you should ensure someone is responsible for managing your obligations.
Now that you have organised all the policies, procedures and measures, you need to implement them. Your employees should receive appropriate data protection training to ensure they are aware of their responsibilities.
Essential training may include handling subject access requests (SARs), managing personal data breaches or becoming a Data Champion. This training should be regularly refreshed to demonstrate your commitment to data protection.
Information security protects personal data from falling into the wrong hands. To demonstrate accountability, you must have the following:
Complying with the accountability principle is not a one-off task. You need to nurture a strong data protection culture in which your employees prioritise data privacy.
Our outsourced DPOs will continuously monitor your compliance, providing expert advice, managing risks and implementing best practices tailored to your business needs. Contact our team to learn more.
Welcome to Episode 189 of GDPR Radio! Last week’s live session was another fantastic discussion with over 100 community members tuning in to keep up to date with the latest news in the world of data protection. GDPR Radio is our bi-weekly series designed to provide fresh insights and cover the latest in GDPR developments, data protection trends, and regulatory updates.
Our hosts took a deep dive into the pressing issues affecting data protection this month. Each episode of GDPR Radio is carefully structured to highlight recent changes in legislation, cover high-profile data breaches, and provide updates on data privacy initiatives both in the UK and across the EU. For Episode 189, we focused on a mix of timely topics, covering both the latest legal changes and practical tips to help organisations stay compliant in today’s fast-evolving privacy landscape.
The GDPR Radio series isn’t just a podcast—it’s an interactive platform where data protection professionals, enthusiasts, and anyone curious about data privacy can connect, ask questions, and share insights. If you’re keen to join our next live session, becoming part of our community is easy. By joining, you’ll gain access to exclusive content, networking opportunities, and direct communication with industry experts. Sessions are held every other week, giving our listeners an ongoing touchpoint with all things GDPR.
Each GDPR Radio episode is packed with practical information to help organisations navigate the challenges of data compliance and stay up to date on the most important data protection news. With over 1,300 subscribers and a thriving community, it’s a trusted source for reliable, timely information on the issues shaping data privacy today. Missed an episode? No worries! You can catch up on all past episodes, including Episode 189, on Spotify, Audible, and other major streaming platforms.
Stay connected, stay compliant, and join us on GDPR Radio for expert analysis, in-depth discussions, and a look ahead at what’s next in the world of data protection.
On Friday, we hosted an engaging episode of the Data Protection Made Easy podcast on Using Artificial Intelligence In The Workplace. Joined by a live audience of over 150 data protection professionals, our hosts Jasmine Harrison, Joe Kirk, and Philip Brining brought their data protection expertise to a lively discussion on the potential risks and challenges that AI presents in today’s workplace.
While none of our hosts claim to be AI experts, they explored the practical implications of integrating AI responsibly, covering key legislation, new tools, and global standards. With a balanced perspective, they offered insights without scare tactics, engaging with an audience eager to better understand AI’s evolving role.
Before diving into AI, our hosts kicked things off with their popular “news of the week” segment, where they discussed recent developments in data protection, cybersecurity, and compliance. From regulatory updates to emerging best practices, this segment set the stage for a thought-provoking main discussion.
After covering current news, Jasmine, Joe, and Philip transitioned into the AI discussion, addressing some of the latest and most critical elements impacting AI’s role in data protection. Here’s a closer look at the three main topics they covered:
In wrapping up, our hosts emphasised that AI in the workplace presents significant potential alongside its risks. They touched on a range of data protection considerations, from safeguarding personal data to maintaining accountability when using automated tools. Rather than instilling fear, Jasmine, Joe, and Philip encouraged the audience to look at AI as an opportunity for growth—provided it’s used with a strong commitment to data protection and ethical standards.
Couldn’t make it to the live session? No problem! Listen to Episode 192 of Data Protection Made Easy on Spotify, Audible, or any major podcast platform. You’ll gain valuable insights and hear from fellow data protection enthusiasts as they share their views on AI’s impact on the workplace.
Subscribe and Join the Conversation
With AI evolving rapidly, we’re committed to keeping our audience informed. Tune into Data Protection Made Easy every Friday for the latest on data protection trends, regulatory updates, and expert discussions. Don’t miss the opportunity to be part of our thriving community of data protection professionals!
In Episode 191 of GDPR Radio, the Data Protection Made Easy Podcast takes a critical look at the latest updates and developments in the world of data protection, with a special focus on the ethics and implications of tracking and profiling technologies. Hosted by industry experts Phil Brining, Catarina Santos, and Jasmine Harrison, this episode delivers in-depth conversations around pressing topics that influence the landscape of privacy and security.
When you join the Data Protection Made Easy community, you get access to a wealth of resources, including:
Why join?
Joining our community is simple! Just click here to sign up and become part of the conversation. Whether you’re a professional or just starting in the world of data protection, our community has something for everyone.
Listen to GDPR Radio – Episode 191 A Deep Dive into Data Protection News
In this insightful episode, our hosts Phil, Joe, and Jasmine dive deep into the complex world of Digital Footprints: The Ethics and Impact of Tracking and Profiling, focusing on its ethical implications and real-world impact.
The Data Protection Made Easy Podcast is your go-to source for understanding the world of data protection, privacy laws, and ethical considerations. Each week, we delve into timely topics that matter to businesses, professionals, and individuals concerned about their digital footprint. Whether you’re a data privacy novice or a seasoned professional, our episodes are crafted to be both informative and engaging.
By becoming a part of the Data Protection Made Easy community, you gain exclusive access to insightful discussions, industry updates, and practical tips on safeguarding your data. You’ll also connect with like-minded professionals and stay ahead of key trends in data privacy.
Joining is easy and free. Simply subscribe to the Data Protection Made Easy podcast on your favourite platform, such as Spotify, or participate in our live weekly sessions on Microsoft Teams. Stay informed, expand your network, and never miss out on critical updates in data protection.
We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.
View AllOur mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.
