The UK's #1 Data Protection Consultancy

Data Protection & Information Security Experts

Data Protection Made Easy.

Join our extensive list of clients who have their data privacy under control

Accelerate Your Data Protection Compliance

Save Time, Save Money and Relax: You’re In Safe Hands

Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.

GDPR Training

Data Protection People have a wide range of training services catering for every need. Whether it's general training for operational or admin staff or specific training for specialist roles, we have something for you. Watch the short video below to meet the team and find out more about our training services.


Information Management Software

DataWise is the original privacy tech platform designed to simplify GDPR compliance management. Since its inception in 2011, DataWise has continuously evolved, solidifying its reputation as the pioneering "privacy tech" solution.


Data Protection Consultancy

Unlock Compliance Excellence with Our GDPR Consultancy Services. Navigating the intricate realm of data protection laws and standards demands expert guidance.


Outsourced DPO

A data protection officer doesn't have to be a full-time employee, and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services, or reach out and get in touch with us.


Need Help With Cyber Security Compliance?

We Have You Covered!

At Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.

PCI DSS Compliance Services for Merchants

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.


PCI DSS Compliance Services for Service Providers

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.


External Attack Surface Management

Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.


ISO 27001

Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.


Supporting DPOs

Flexible Support When You Need It

At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.

Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.

Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.

Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.

Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.

Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.

Diverse Sector Experience

Access to a Team of Industry Experts

At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.

Commercial Sector

Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.

SMEs

Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimize your operations, and scale confidently with our tailored solutions that prioritize your unique business needs.

Third Sector

For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.

Multi Nationals

For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavors with resilience.

Public Sector

In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.

Why Use Our Outsourced DPO Services?

Save Time, Money and Guarantee Compliance

Navigating the intricate landscape of data protection demands more than just a DPO — it requires a dedicated team committed to excellence. Our Outsourced DPO Services extend beyond the traditional role, offering a comprehensive approach to legal compliance and pragmatic solutions.

Why Choose Outsourcing?

An outsourced DPO brings a wealth of experience, not just in the law but also in crafting workable solutions. Their impartiality is fortified by a team of privacy practitioners, ensuring that your organization benefits from a spectrum of expertise. Should the need arise, seamless coverage during absences is guaranteed, eliminating the vulnerability associated with a single in-house DPO.

Staying Headache-Free

Concerned about the disruption if your DPO moves on? With an outsourced model, transitions are smooth, and you won’t experience the sudden headache of a critical role vacancy. The continuity provided by a team ensures that your data protection responsibilities are seamlessly handled.

Compliance Tailored to You

Our Outsourced DPO Services align seamlessly with your legal obligations, whether you’re mandated to appoint a DPO or choose to do so voluntarily. We understand that compliance is not just about ticking boxes but about ensuring a robust, practical approach to data protection. Choose Data Protection People for a worry-free, compliance-driven outsourced DPO solution — because your data protection journey should be as smooth as it is secure.

“I can't recommend Data Protection People enough, they have helped me in so many different areas, no matter how complex the challenge or how large the obstacle, DPP always has the answer.

I can call the team at any time and have built an amazing relationship with them, in times of frustration they are here to calm me down and create a plan, they are a pleasure to work with.”

Mark Leete
Eastlight Community Homes

‘I found the FOI training session to be highly informative and well-structured. It covered all the key areas comprehensively and provided clear, practical guidance throughout. The content was easy to follow, and the delivery by Gary was engaging, making complex topics accessible and understandable’. 

‘The training session has really helped me to understand the IG rep role a bit more and what I need to be thinking about when receiving a request for information’. 

Charlene Haynes & Team
Tendring District Council

“I have worked with the Data Protection People for some time now. Their expertise has been drawn upon to assist us with our GDPR compliance gap analysis project, ROPA design and production through to conducting objective reviews and surveys. They are always available to help us out and their advice and guidance is excellent and delivered in a timely way. Special mentions to Kathy Midgley, Phil Brining, and David Hendry. A great, reliable and dependable service!”

Judy Barker
Dyslexia Action
Veritau

“A great service and peace of mind. Data Protection People provides a well-rounded service to ensure customers are fully supported in their approach to GDPR compliance. My interaction has largely been with the following people: Kathy Midgley – another great asset to the organisation. Always approachable, always helpful and consistently supportive to the team and customers.”

Julie Ferguson
Veritau
Woodgate & Clark

“We have been working with the Data Protection People for many years now, and have found them to be insightful, helpful, and knowledgeable in all areas of Data Protection Compliance. Data Protection People have taken the time to understand our business, the regulatory environment we sit under, and the unique challenges we face in the industry. They have supported us in all areas of Information and Data Security, assisting in assessments of our policies and changes to our processes. They are always willing to go the extra mile and prioritise support where required.”

Nia Roberts
Woodgate & Clark

Data Protection People Blogs & Podcasts

Data Privacy Learning & Guidance

Data Protection People have the UK's #1 Data Protection Podcast, with over 150 episodes available across all audio streaming platforms. We also post regular content designed to simplify complex areas of data protection and cyber security. Check out some of the podcasts and articles below and make data protection easy today.

Unlawful Robo-Calls: ICO Fines Energy Firms Over Automated Marketing Breach


The Information Commissioner’s Office (ICO) has cracked down on two energy firms, fining them a combined £550,000 for making unlawful automated marketing calls (robo-calls).

The firms used voice-avatar software to make millions of calls that misled recipients into believing they were speaking with local UK agents. In reality, the calls originated overseas and were generated using pre-recorded scripts voiced by actors.

This case highlights the rising risks in automated marketing as businesses adopt AI-driven communication tools, especially when organisations push boundaries with limited oversight.

Why This Case Matters

As automated and AI-driven tools become more accessible, companies may see robo-calls as an efficient outreach method. But the ICO’s enforcement shows regulators are watching closely.

Also, robo-calls are not a grey area. Under the Privacy and Electronic Communications Regulations (PECR), organisations must have clear, prior consent before making any automated marketing call. The ICO’s latest fines are a reminder that:

  • Automated calls attract stricter rules than live calls
  • Innovation is no excuse for non-compliance
  • Failures carry serious consequences regarding fines and reputational harm

This action reflects a wider regulatory trend. In recent months, the ICO and Ofcom have publicly warned of increasing misuse of AI-driven telemarketing. In the US, the Federal Trade Commission (FTC) has also fined firms for voice cloning and avatar call scams. The message is clear on both sides of the Atlantic: consent and transparency are non-negotiable.

The ICO’s Findings

The ICO fined Home Improvement Marketing Ltd (HIM) in Pembrokeshire £300,000. HIM used overseas call centres to make roughly 2.4 million automated calls from May to August 2023, using avatar software that masked the origin.

The ICO also fined Green Spark Energy Ltd (GSE) £250,000 after it made 9.5 million calls. Complaints poured in: nearly 500 people contacted the ICO or the Telephone Preference Service (TPS), including elderly and vulnerable individuals.

Key findings included:

  • Lack of consent: many recipients never agreed to receive automated calls.
  • Misleading practices: voice avatars masked overseas origins.
  • Vulnerable individuals targeted: nearly 500 complaints were lodged, many from elderly people.
  • Shared leadership: both companies were linked to a common director, Mathew Terry.

The ICO executed a search warrant in March 2024, seizing phones and documents that revealed instructions for evading detection and converting the calls into insulation product sales.

As Andy Curry, ICO Head of Investigations, commented:

“Advances in technology may make detection harder, but the rules remain the same. Companies using these systems must ensure they are lawful, transparent and fair.”

Our Legal Obligations Around Robo-Calls: PECR and UK GDPR

PECR: Automated marketing calls require prior, informed, and recorded consent. Organisations must identify themselves and provide an opt-out option.

UK GDPR: Organisations must handle personal data lawfully, transparently and fairly. When automation processes personal data for marketing, businesses must ensure people can understand how their data is used, including in decision-making.

ICO Direct Marketing Code of Practice: This statutory code sets out good practice and is essential reading for any organisation engaged in marketing.

How to Spot a Robo-Call

Consumers should remain vigilant. The ICO offers practical tips to recognise robo-calls:

  • Notice small pauses before responses, as the system selects pre-recorded clips.
  • Check if replies sound generic or irrelevant.
  • Listen for identical voices across “agents.”
  • Observe overly polished calls with no background noise.
  • Notice if conversations revert to fixed marketing language regardless of replies.

Reports can be made directly to the ICO or via the Telephone Preference Service (TPS), which remains a key enforcement tool.

What Organisations Should Do Now

If your organisation uses or plans to use automated calling or avatar-based outreach, follow these steps to stay compliant:

  • Consent mechanisms: Review contact lists to ensure valid, recorded consent exists before making any automated call.
  • Maintain evidence: Document consent records with timestamps, sources, and purpose.
  • Transparency: Ensure scripts clearly identify your organisation.
  • Opt-out options: Provide a straightforward way for customers to object.
  • Quality checks: Monitor call quality and avoid misleading avatars.
  • Training: Train marketing teams on PECR and GDPR obligations.
  • Auditing: Run regular audits to identify risks early.
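The consent-mechanism, evidence and opt-out steps above can be enforced before a single automated call is placed. The following is an added example, not Data Protection People's code or any real dialler's API: a pre-dial check that only releases a number for an automated campaign when a recorded consent exists for that channel and purpose, carries a timestamp and source, has not been withdrawn, and the number is not on the organisation's own opt-out list. The contacts, consent records and field names are constructed for illustration (the 01632 960xxx range is reserved in the UK for fiction), and screening against the TPS register, which is also required, is not modelled.

```javascript
// Added example (not Data Protection People's code): pre-dial consent gate for an
// automated marketing campaign. All data below is constructed sample data.

const CAMPAIGN = { channel: "automated_call", purpose: "home_improvement_marketing" };
const NOW = new Date("2025-09-15T09:00:00Z"); // fixed "now" so the walkthrough is repeatable

// Constructed contact list (01632 960xxx is reserved for fictional use in the UK).
const CONTACTS = [
  { id: "c1", phone: "+441632960001" },
  { id: "c2", phone: "+441632960002" },
  { id: "c3", phone: "+441632960003" },
  { id: "c4", phone: "+441632960004" },
  { id: "c5", phone: "+441632960005" },
  { id: "c6", phone: "+441632960006" },
];

// Constructed consent records: each one names the channel, purpose, source and time,
// which is the evidence the "maintain evidence" step asks for.
const CONSENT_RECORDS = [
  { phone: "+441632960001", channel: "automated_call", purpose: "home_improvement_marketing", source: "web_form_2025", recordedAt: "2025-03-01T10:00:00Z", withdrawnAt: null },
  // c2 has no record at all
  { phone: "+441632960003", channel: "live_call", purpose: "home_improvement_marketing", source: "web_form_2025", recordedAt: "2025-03-02T10:00:00Z", withdrawnAt: null },
  { phone: "+441632960004", channel: "automated_call", purpose: "home_improvement_marketing", source: "web_form_2025", recordedAt: "2025-03-03T10:00:00Z", withdrawnAt: "2025-06-01T12:00:00Z" },
  { phone: "+441632960005", channel: "automated_call", purpose: "home_improvement_marketing", source: "web_form_2025", recordedAt: "2025-03-04T10:00:00Z", withdrawnAt: null },
  { phone: "+441632960006", channel: "automated_call", purpose: "home_improvement_marketing", source: "", recordedAt: "2025-03-05T10:00:00Z", withdrawnAt: null },
];

// The organisation's own objection list. An objection overrides any earlier consent.
const OPT_OUTS = new Set(["+441632960005"]);

// Returns null when the record is valid evidence for this campaign, else the reason it is not.
function consentIsValid(record, campaign, now) {
  if (record.channel !== campaign.channel) return "consent does not cover automated calls";
  if (record.purpose !== campaign.purpose) return "consent given for a different purpose";
  if (!record.source) return "consent record lacks a source";
  const recordedAt = new Date(record.recordedAt);
  if (Number.isNaN(recordedAt.getTime()) || recordedAt > now) return "consent record lacks a usable timestamp";
  if (record.withdrawnAt) return "consent withdrawn";
  return null;
}

// Decide for one contact. Opt-outs are checked first; then any one valid consent record suffices.
function checkContact(contact, consents, optOuts, campaign, now) {
  if (optOuts.has(contact.phone)) {
    return { id: contact.id, eligible: false, reason: "number is on the opt-out list" };
  }
  const records = consents.filter((r) => r.phone === contact.phone);
  if (records.length === 0) {
    return { id: contact.id, eligible: false, reason: "no recorded consent" };
  }
  const failures = [];
  for (const record of records) {
    const failure = consentIsValid(record, campaign, now);
    if (failure === null) return { id: contact.id, eligible: true, reason: null };
    failures.push(failure);
  }
  return { id: contact.id, eligible: false, reason: failures[0] };
}

// Build the dial list and an exclusion log; the log is what an audit can review later.
function buildDialList(contacts, consents, optOuts, campaign, now) {
  const results = contacts.map((c) => checkContact(c, consents, optOuts, campaign, now));
  return {
    dial: results.filter((r) => r.eligible).map((r) => r.id),
    excluded: results.filter((r) => !r.eligible).map((r) => ({ id: r.id, reason: r.reason })),
  };
}

console.log(JSON.stringify(buildDialList(CONTACTS, CONSENT_RECORDS, OPT_OUTS, CAMPAIGN, NOW), null, 2));
```

With the constructed data only c1 is released for dialling; every other contact is excluded with a stated reason (no record, live-call consent only, consent withdrawn, opt-out, missing source), which is the evidence trail an auditor would expect to see alongside the consent records themselves.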

We recommend running a Direct Marketing Audit as part of your data protection governance. You can integrate this into a broader GDPR Audit. Technology should support compliance, not bypass it.

Our View

At Data Protection People, we see this case as a clear signal from the ICO: using advanced technologies like avatar software and automated script systems does not exempt organisations from compliance. If anything, it heightens risk.

Compliance is not a barrier to innovation; it is a framework for deploying new technologies responsibly. Organisations that invest in consent, transparency, and accountability will not only stay on the right side of the law but also build lasting trust with customers.

FAQs

Are all robo-calls illegal?

No. Some automated calls are lawful, for example, where individuals have given prior, informed consent. Without consent, they breach PECR.

Do I need consent for avatar-style calls?

Yes. Whether calls use avatar software or a live agent, you must have explicit consent to make automated marketing outreach.

What type of consent qualifies?

Consent must be freely given, specific and informed. Keep detailed records showing the consent method, time and purpose.

What should I do if customers report robo-calls?

Investigate immediately, suspend suspect activities, review consent records, and cooperate with the ICO. Use our Data Protection Support if necessary. Consider SAR Support if the call involved personal data.

Contact Us

If your business engages in automated marketing, we can help. Contact us today to make sure your automated marketing complies with the law.

References:  

https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/09/warning-over-robo-calls-as-energy-firms-fined-half-a-million-pounds-for-unlawful-marketing-calls/

https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/direct-marketing-guidance/ 

https://www.ofcom.org.uk/phones-and-broadband/unwanted-calls-and-messages/recorded-message-marketing-calls

Cookie Compliance Revolution: How DUAA 2025 Changes Everything


Jenny runs a small bakery in Manchester. When GDPR first came into force, she panicked and copied a cookie banner from a template website. Two years later, she discovered that her innocent-looking banner was breaking the law in several ways. Her family bakery website had unknowingly drifted out of cookie compliance and risked fines of up to £17 million. What began as a simple online presence had turned into a potential compliance nightmare.

Jenny’s story is far from unique. Many UK businesses, large and small, have faced confusion over cookie compliance. In January 2025, the Information Commissioner’s Office (ICO) assessed the top 200 UK websites and found that 134 of them failed to meet cookie compliance standards. These findings formed part of the ICO’s wider strategy to ensure users have meaningful control over how their personal information is tracked and used online. The regulator has since expanded its review to the top 1,000 websites, highlighting just how widespread the problem remains.

Against this backdrop, the introduction of the Data Use and Access Act (DUAA) 2025 marks a major turning point. This legislation reshapes cookie compliance and introduces new rules that will affect almost every UK business with an online presence.

The Cookie Compliance Crisis Explained

Cookies are small files that websites place on a user’s device. Some are essential, like those that keep you logged in, remember your shopping basket, or provide security settings. Others, such as tracking cookies, follow your behaviour across the internet and build detailed profiles, often sold to data brokers. The distinction matters because under UK GDPR and PECR, organisations must treat different categories of cookies differently.

Common cookie compliance failures include:

  • Making it harder to reject cookies than to accept them
  • Using pre-ticked boxes for non-essential cookies
  • Giving vague or misleading explanations about cookie purposes
  • Denying website access if users refuse tracking cookies

These issues have already triggered significant enforcement. LinkedIn received a €310 million fine from the Irish Data Protection Commission for unlawful data processing and transparency failures. WhatsApp was fined €5.5 million for forcing users to consent through its terms of service. Both cases underline how regulators treat cookie compliance as central to data protection law.

DUAA 2025: The Cookie Compliance Game Changer

The Data Use and Access Act 2025 rewrites cookie rules and expands exemptions for cookies that no longer require consent. Section 112 and Schedule 12 of DUAA insert a new Schedule A1 into PECR, creating broader categories of “strictly necessary” cookies. For businesses, this means some analytics and optimisation cookies may now operate without explicit consent — provided strict conditions are met.

Expanded Cookie Exemptions

Under DUAA 2025, consent is no longer needed for cookies used in the following scenarios:

1. Traditional Strictly Necessary Functions: security protection, fraud detection, technical fault prevention, user authentication, and maintaining website selections.

2. Analytics and Website Optimisation: statistical data collection, performance monitoring, and user behaviour analysis for service improvement.

3. User Experience Enhancement: adapting websites to user preferences, optimising functions across devices, and improving interface elements.

4. Emergency Assistance: geolocation data for emergency services and facilitating critical communications.

The Conditions for Cookie Compliance

The DUAA exemptions do not create a free-for-all. Paragraph 5 of Schedule A1 sets out strict conditions. To qualify, analytics and optimisation cookies must serve only statistical or improvement purposes. They cannot be shared with third parties other than technical service providers. Organisations must also provide clear and comprehensive explanations of cookie use and give users a free, simple objection mechanism. In practice, this means exempt cookies may operate by default, but only until a user objects.

What This Means for Businesses

The DUAA 2025 introduces a new middle ground between essential cookies and invasive tracking cookies. Businesses gain flexibility but must adopt higher transparency standards. Compliance now requires action on several fronts:

  • Audit existing cookies against the new exemption categories
  • Update privacy policies with clear, specific language about cookie purposes
  • Introduce simple objection mechanisms for exempted cookies
  • Document compliance processes for potential ICO review
  • Separate exempt cookies from non-exempt ones in technical design
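The last two points above (objection mechanisms for exempt cookies and keeping exempt and non-exempt cookies apart in the technical design) are easiest to get right when the categories are enforced in code rather than left to a banner template. The following is an added example, not Data Protection People's code and not tied to any real consent-management product: a small consent gate over a cookie register that sets strictly necessary cookies unconditionally, runs exempt analytics cookies by default until the visitor objects, and holds non-exempt tracking cookies back until explicit consent. The category names, cookie names, purposes and the `sharedBeyondProcessors` flag are constructed for illustration.

```javascript
// Added example (not Data Protection People's code): a consent gate that keeps
// strictly necessary, exempt analytics and tracking cookies apart.

const CATEGORIES = {
  // Always set; no consent needed and no objection mechanism required.
  necessary: { consentRequired: false, objectable: false },
  // Exempt analytics: on by default, but the visitor must be able to object, and
  // the data may not be shared beyond technical service providers.
  exemptAnalytics: { consentRequired: false, objectable: true },
  // Non-exempt tracking: off until the visitor gives explicit consent.
  tracking: { consentRequired: true, objectable: true },
};

// Constructed cookie register. Recording category, purpose and sharing per cookie is
// what lets the privacy notice be specific and gives the audit something to review.
const COOKIE_REGISTER = [
  { name: "session_id", category: "necessary", purpose: "Keeps the user signed in", sharedBeyondProcessors: false },
  { name: "csrf_token", category: "necessary", purpose: "Protects forms against cross-site request forgery", sharedBeyondProcessors: false },
  { name: "site_stats", category: "exemptAnalytics", purpose: "Aggregated page-view statistics used to improve the service", sharedBeyondProcessors: false },
  { name: "ad_profile", category: "tracking", purpose: "Cross-site advertising profile", sharedBeyondProcessors: true },
];

// Check the register against the exemption conditions. An empty list means every
// entry is consistent with the category it claims.
function validateRegister(register) {
  const problems = [];
  for (const cookie of register) {
    if (!(cookie.category in CATEGORIES)) {
      problems.push(`${cookie.name}: unknown category "${cookie.category}"`);
      continue;
    }
    if (!cookie.purpose || cookie.purpose.trim() === "") {
      problems.push(`${cookie.name}: no stated purpose`);
    }
    // An "exempt" cookie whose data leaves the organisation fails the exemption
    // condition and belongs in the consent-required category instead.
    if (cookie.category === "exemptAnalytics" && cookie.sharedBeyondProcessors) {
      problems.push(`${cookie.name}: exempt analytics cookie shared with third parties`);
    }
  }
  return problems;
}

// A first-time visitor: nothing consented to, nothing objected to.
function defaultPreferences() {
  return { consented: new Set(), objected: new Set() };
}

// Record an objection. Objections to non-objectable (strictly necessary) categories are
// ignored; objecting to a category also withdraws any earlier consent to it.
function objectTo(prefs, category) {
  if (!CATEGORIES[category] || !CATEGORIES[category].objectable) return prefs;
  const objected = new Set(prefs.objected);
  objected.add(category);
  const consented = new Set(prefs.consented);
  consented.delete(category);
  return { consented, objected };
}

// Record explicit consent, clearing any earlier objection to the same category.
function consentTo(prefs, category) {
  if (!CATEGORIES[category]) return prefs;
  const consented = new Set(prefs.consented);
  consented.add(category);
  const objected = new Set(prefs.objected);
  objected.delete(category);
  return { consented, objected };
}

// Decide which cookies may be set for this visitor.
function allowedCookies(register, prefs) {
  return register
    .filter((cookie) => {
      const rules = CATEGORIES[cookie.category];
      if (!rules) return false;
      if (rules.objectable && prefs.objected.has(cookie.category)) return false;
      if (rules.consentRequired) return prefs.consented.has(cookie.category);
      return true;
    })
    .map((cookie) => cookie.name);
}

// Plain-language notice generated from the register, so the explanation given to
// visitors cannot drift out of step with what the site actually sets.
function cookieNotice(register) {
  return register.map((c) => `${c.name} (${c.category}): ${c.purpose}`).join("\n");
}

// Walk through one visitor's choices.
let prefs = defaultPreferences();
console.log("Register problems:", validateRegister(COOKIE_REGISTER));
console.log("First visit:", allowedCookies(COOKIE_REGISTER, prefs));
prefs = objectTo(prefs, "exemptAnalytics");
console.log("After objecting to analytics:", allowedCookies(COOKIE_REGISTER, prefs));
prefs = consentTo(prefs, "tracking");
console.log("After consenting to tracking:", allowedCookies(COOKIE_REGISTER, prefs));
console.log(cookieNotice(COOKIE_REGISTER));
```

The design point is that the default state differs per category: the tracking cookie is absent until consent is recorded, while the analytics cookie is present until an objection is recorded, and the strictly necessary cookies cannot be switched off at all. Keeping that logic in one place, driven by a register that also feeds the privacy notice, is what makes the "separate exempt from non-exempt" step auditable.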

Achieving cookie compliance costs far less than regulatory fines. ICO penalties under PECR and GDPR can range from £10,000 to £500,000, not including reputational damage. Compliance is not optional; it's the smarter business decision.

The Impact on Users

For users, DUAA 2025 reduces banner fatigue while strengthening transparency. People should expect clearer explanations of cookie functions, simple objection rights, and better website performance from legitimate optimisation. But vigilance remains important. The line between analytics and tracking is thin, and some organisations may attempt to misuse exemptions. Users must continue exercising their rights to object.

The New Enforcement Focus

Regulators will adapt their focus in the DUAA 2025 era. They will check whether exempt cookies genuinely serve their stated purposes, whether transparency is truly clear, whether objection mechanisms work, and whether data remains in-house. Cookie compliance enforcement will target organisations that attempt to stretch exemptions or obscure practices. In other words, businesses cannot use DUAA as cover for old habits.

Looking Forward: The Future of Cookie Compliance

DUAA 2025 represents a pragmatic shift in cookie regulation. It recognises that not all data collection undermines privacy. Some analytics genuinely improve websites for users. But businesses must meet stricter transparency obligations to stay compliant. For many, this will mean investing in clearer communication and more robust governance.

At Data Protection People, we believe cookie compliance in 2025 will separate organisations that embrace transparency from those that cling to outdated practices. Businesses that adopt open, user-focused cookie strategies often see stronger loyalty and better conversion rates than those that rely on manipulation.

For users, rights remain strong. People can still object to cookies they don't want, and regulators will hold businesses accountable for misuse. The cookie chaos of the past is giving way to a more balanced, transparent model, but only if organisations play by the rules.


Contact Us

If you’re unsure whether your website meets the new cookie compliance standards, contact us for a GDPR Audit. Our experts can help you review cookies, update policies, and implement objection mechanisms. We also offer Data Protection Support and Training to keep your team ahead of regulatory changes. Don’t wait for an ICO review, take action now and secure your compliance.

Bristol City Council Faces Enforcement over SAR Failures


The Information Commissioner’s Office (ICO) has issued a formal enforcement notice to Bristol City Council after uncovering serious, ongoing failures in how the Council manages Subject Access Requests (SARs). This action follows years of complaints and evidence of systemic delays. The message from the ICO is clear: organisations that fail to take SAR compliance seriously will face enforcement.

SAR Failures at Bristol City Council

The ICO’s investigation revealed that Bristol City Council has struggled with a growing backlog of SARs since 2020. A Subject Access Request gives individuals the right to ask for a copy of their personal data and to understand how that data is used. Failing to respond in time undermines public trust and breaches data protection law.

Between April 2023 and January 2025, the ICO received 63 complaints from individuals waiting too long for responses. Many reported that the delays caused them harm and distress, leaving them unable to resolve personal matters or defend their rights. The ICO found that the Council had made limited progress despite repeated engagement and guidance. As a result, enforcement became the only option.

Why SARs Matter

SARs are not a formality. They are a cornerstone of data protection rights under the UK GDPR and Data Protection Act 2018. By making a SAR, an individual can see exactly what information an organisation holds about them, why it holds that data, and who it is shared with. For some, this is about transparency and reassurance. For others, especially vulnerable individuals, a SAR can directly affect access to housing, social services, or justice.

When organisations delay or ignore SARs, people lose trust and may face real-world consequences. The ICO has repeatedly emphasised that SAR compliance is fundamental. Sally-Anne Poole, Head of Investigations at the ICO, summarised the issue:

“Subject access requests are a fundamental right that allows people to know what information organisations hold about them and how it is being used. Despite our repeated engagement with Bristol City Council over a sustained period of time, limited progress has been made to clear a backlog of requests. Our investigation has found that the Council’s approach towards compliance demonstrates a poor organisational attitude towards data rights and compliance with the law.”

What the Council Must Do

The enforcement notice issued to Bristol City Council sets out a strict list of actions. These include:

  • Contacting all individuals with overdue SARs to explain the delays and confirm when they can expect a response.
  • Clearing the backlog by specific deadlines, ensuring that the oldest SARs (dating back to 2022) are completed within 30 days.
  • Providing the ICO with weekly progress updates until the backlog is fully resolved.
  • Publishing an action plan within 90 days that clearly sets out responsibilities, priorities and timelines.
  • Making lasting organisational changes within 12 months to prevent SAR delays in future. This may require hiring more staff, investing in resources, and delivering staff training.

The ICO’s demands highlight that responding to SARs is not simply an administrative task. Councils and public bodies must show they can manage the process consistently, transparently, and within the one-month statutory deadline.

Lessons for Other Organisations

Bristol City Council’s enforcement notice should serve as a warning for all public authorities and organisations. The ICO expects SARs to be treated as a legal obligation, not an afterthought. Failing to respond on time risks enforcement, reputational damage, and potential fines.

Every organisation should ask itself some key questions:

  • Do we have a clear process for managing SARs from start to finish?
  • Do we have enough staff, technology and resources to respond within the legal timeframe?
  • Are we training employees so they understand SAR rights and know how to respond appropriately?
  • Can we evidence our compliance if the ICO asks?

If the answer to any of these questions is “no,” then urgent action is needed. The ICO has shown that it will not hesitate to escalate matters where organisations repeatedly fail to meet their obligations.

The Wider Context of SAR Compliance

SAR backlogs are not unique to Bristol. Many councils, charities, and businesses struggle with the volume and complexity of requests. However, the law is clear: SARs must be answered within one month unless an extension is justified. Even then, organisations must explain the reasons for any delay to the individual making the request.

Technology can help reduce SAR risks. Case management systems, redaction tools, and specialist support can speed up responses and reduce errors. But technology alone is not enough. Organisations also need strong governance, clear policies, and a culture that treats data rights as a priority. Without these, the risk of enforcement grows.

Our View

At Data Protection People, we believe the Bristol City Council case highlights two critical points. First, SARs are central to data protection compliance and public trust. Second, enforcement action is not limited to fines; the ICO will impose detailed corrective measures when organisations fail repeatedly. Councils, businesses, and charities should take this case as a clear sign that SAR processes must be robust, well-staffed, and monitored closely.

We recommend that organisations run regular compliance checks, train staff to handle SARs effectively, and seek support where needed. By doing so, you protect both your organisation and the people whose data you process.

Contact Us

If your organisation is struggling with Subject Access Requests, we can help. Our SAR Support service provides expert assistance to manage requests on time and in line with the law. We also offer GDPR Audits to identify gaps, ongoing compliance support, and staff training to build confidence in handling SARs. Contact us today to protect your organisation and deliver on data rights.

AI Minister: How Albania Is Using Artificial Intelligence to Fight Corruption

Albania has made global headlines by appointing the first ever AI Minister, a digital cabinet member named Diella. Her job? Oversee public procurement and cut out corruption. Prime Minister Edi Rama says Diella will speed up public tenders, make them fully transparent and ensure they stay free from human bias or influence. While her appointment is symbolic rather than constitutional, it shows how governments can use AI to transform decision-making.

Why This Matters Now

Governments around the world are experimenting with artificial intelligence, but Albania has gone a step further by putting AI in a leadership role. Rama says the AI Minister will help make procurement “100% free of corruption,” remove human interference, and improve accountability. This matters for businesses too. Public contracts could soon be awarded using automated, data-driven processes. That means organisations must ensure their bids are accurate, fair and ready for AI review.

What’s New: An AI in the Cabinet

Diella is not just a chatbot. She has already guided over a million citizens through Albania’s e-government platform. Now she will monitor procurement systems, check bids, and flag anything that looks suspicious. Rama says this will make public tenders faster and more efficient. By removing manual steps, Albania aims to “leapfrog” countries still stuck with paper-based processes. This is one of the first examples of a government putting AI front and centre in a core public function.

Why It Matters for Data Protection

AI-driven procurement uses large amounts of personal and organisational data. Under UK GDPR and EU GDPR, that processing must remain lawful, transparent and fair. Organisations must explain how data feeds into automated decisions. They must also allow individuals to challenge unfair outcomes. Data protection teams need to consider how AI systems store data, who can access it, and how to evidence compliance. If Diella flags a bid as non-compliant, businesses will expect a clear explanation of why and they have the right to request that information.

What Organisations Should Do Now

Track developments in AI regulation and public procurement. If you take part in tenders, prepare for AI systems to review your bids. Map what personal data you use in submissions and check that you have a lawful basis to process it. Our GDPR Audits can help you benchmark your compliance.

Train your team to understand automated decision-making and data protection obligations. Our Data Protection Training gives practical guidance on AI and GDPR. Strengthen your process for Subject Access Requests so you can respond quickly if bidders, staff or suppliers ask to see data used in automated systems.

Finally, review your governance and risk assessments. Document how you check fairness and accuracy in your data before it goes into any AI system. If you plan to adopt similar technology, carry out a Data Protection Impact Assessment (DPIA) to show accountability.

Our View

Albania’s AI Minister is more than a publicity stunt; it is a signal of how governments might modernise. AI can make procurement more efficient and less prone to corruption, but only if it is transparent and well-governed. We expect more governments to follow Albania’s lead. Organisations that prepare now will avoid disruption later and gain an advantage when AI-driven procurement becomes the norm.

FAQs

What is an AI Minister?

An AI Minister is a government role filled by artificial intelligence. In Albania, Diella has been tasked with monitoring public procurement and fighting corruption.

Could AI replace human ministers?

No, Albania’s constitution still requires human ministers. The AI Minister is a symbolic appointment designed to show the power of AI in governance.

How does this affect data protection?

AI systems process personal data, so they must comply with GDPR. Organisations must be transparent and give individuals a way to challenge automated decisions.

How can we prepare?

Review data governance, train staff on AI and GDPR, and document processes. Run audits to check compliance before AI systems review your data.

Contact Us

AI is coming to public procurement. Is your organisation ready? Contact us today to discuss GDPR Audits, Training for your team, and SAR Support to help you prepare for automated decision-making and data transparency.

10 Years of Data Protection People

Celebrating 10 Years of Data Protection People & 5 Years of the Data Protection Made Easy Podcast

Last week we marked not one, but two major milestones, 10 years of Data Protection People and the 5th birthday of the Data Protection Made Easy Podcast. To celebrate, we hosted a special live session with Philip Brining, Caine Glancy, Catarina Santos, and returning host Joe Kirk. Together, we looked back at the Top 10 Most Streamed Episodes from the past five years, revisiting the conversations that have shaped our community.

Key Themes from the Session

  • Subject Access Requests (SARs) – still one of the most complex and frequently discussed areas of data protection.
  • Data Protection Impact Assessments (DPIAs) – exploring challenges around risk, practicality, and when a DPIA is truly needed.
  • Legislative Changes – including Brexit, the Data Protection and Digital Information Bill, and the new DUA Act.

The team also reflected on why topics like ROPA and audits don’t always feature as highly among listeners, and why broad themes resonate more strongly than sector-specific discussions.

Insights from Our Community

Our special guest Joe Kirk shared valuable insights from moving into an in-house DPO role, including the importance of tackling cookie compliance and ensuring correct ICO registration. The panel also discussed the ICO’s new guidance on complaints handling and recognised legitimate interests, highlighting the practical steps organisations should take ahead of expected implementation in June 2026.

The Return of Weekly Podcasts

To celebrate our 10-year anniversary and the continued growth of our community, we are excited to announce that the Data Protection Made Easy Podcast is returning to a weekly schedule. Every Friday at lunchtime, we’ll be live with fresh discussions, community insights, and practical guidance for data protection professionals.

You can sign up on our Events Page to join future live sessions, or contact us here to subscribe and become part of the UK’s biggest data protection community.

Listen Back to the Anniversary Episode

If you missed it live, you can catch up now on Spotify using the player below:

Here’s to 10 years of making data protection easier, and 5 years of building a community where professionals can learn, share, and grow together. Thank you to everyone who has been part of the journey so far.

Caught in the Act: The UK’s New Age Verification Law

Online Safety Act, age checks, and real-world risks: highlights from Episode 218

Recorded on Friday 29 August 2025, this live episode of Data Protection Made Easy brings together Catarina Santos, Caine Glancy and Philip Brining to explain what the latest Online Safety Act changes mean in practice. The team walk through how age verification works, why VPN downloads have surged in the UK, and the real impact on privacy, user experience and compliance.

Episode: 218, Data Protection Made Easy
Recorded: late August, Leeds and online
Hosts: Philip Brining, Catarina Santos, Caine Glancy

We are Data Protection People, a consultancy and a community. More than 1,500 practitioners join our live sessions for practical help and straight talking advice. We keep things human, current, and useful.

What we covered

  • Online Safety Act, where it fits with the Children’s Code, why it goes further on content and safety.
  • Age assurance, facial estimation, ID checks, open banking, and the privacy trade offs behind each approach.
  • Supply chain risk, real incidents in education and vetting, why processor controls and backups still fail.
  • Education, why literacy and resilience matter as much as technical gates.
  • Community update, weekly sessions return in September, likely in focused 30 minute formats.

Highlights and opinions

Scope and categories. Ofcom guidance gives the most usable overview. Scale drives duties, category one providers face the heaviest lift. Smaller services still need proportionate controls.

“The Act is about content, the Children’s Code is about design, together they set expectations for what people actually see and share.” — Philip

Age checks in practice. Facial estimation and ID checks can help, they are not perfect. People will try VPNs and workarounds, so policy and education must sit alongside technology.

“There is no magic potion for age checks, the solution cannot be technology alone.” — Catarina

“If suppliers rush controls without thinking about retention and purpose limitation, we move risk rather than reduce it.” — Caine

Supply chain failures. Contracts need clear migration and deletion steps, restore tests must be real, controller oversight must be active, not paper based.

“Where is the weak link: backups, migration steps, subprocessors, or the missing instructions in the DPA?” — Philip

Freedom of expression and harm. Public concern is real. The intent is to reduce harm to children, not silence debate. Practical application will need careful balancing.

Practical takeaways for organisations

  • Write a content risk assessment if your service can be accessed by children, update it on a schedule, record decisions.
  • Map processors and subprocessors, include precise steps for transfers and deletion, test restores, not only backups.
  • Choose proportionate age assurance, record lawful basis, retention, and vendor due diligence, avoid copying IDs unless necessary.
  • Blend controls with education, publish clear user guidance, support parents and teachers, avoid dark patterns.

About the community

Data Protection Made Easy is the live podcast and discussion space run by Data Protection People. More than 1,500 members join to share cases, templates, and practical steps. We will return to weekly sessions in September, short and focused, with time for questions.

Contribute to a future episode

We are always looking for contributors and topics, case studies, SAR puzzles, transfer questions, or views on the Online Safety Act. Get support or advice, or pitch a slot for an upcoming episode.

Explore more in our Resource Centre, including recent episodes and guides.

DUA Act – Part Two

The Data (Use and Access) Act 2025 – Podcast Part Two

On Thursday, 18th July 2025, we hosted Part Two of our DUA Act discussion, with over 200 live attendees joining us for a deeper dive into the Data (Use and Access) Act 2025.

Led by Phil Brining and Caine Glancy, this session focused on answering the questions raised in Part One, exploring complex scenarios, and sharing practical advice for professionals preparing for the new regulations.

If you couldn’t attend live or want to revisit the insights, you can now listen back to the full recording and access the presentation slides shared during the event.

Listen on Spotify

Click below to listen to Part Two on Spotify or search ‘Data Protection Made Easy’ on Apple Podcasts, Audible or any major platform.

Download the Slides

We’ve made the full slide deck from Part Two available to download and share:
Download Part Two Presentation Slides

What We Covered

  • Real-life scenarios and case study examples based on DUA Act principles
  • Detailed Q&A on legitimate interest balancing tests, soft opt-in rules, and data subject rights
  • Compliance challenges and how to overcome them using good governance frameworks
  • The DUA Act’s expected impact on privacy management programmes and internal policies
  • Preparing your teams, clients, and data flows for the changes ahead

Join the Data Protection Made Easy Community

By joining our free community, you’ll get:

  • Early access to upcoming podcast sessions and event invites
  • Weekly insights into legislation like the DUA Act and GDPR
  • Exclusive downloads including templates, tools, and guides
  • Invitations to in-person events across the UK
  • Access to session recordings and slides
  • A place to ask questions, share experiences, and stay ahead

We’re here to help you transition confidently into the new data protection landscape, making compliance clearer, simpler, and more achievable.

The Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 – Podcast Part One Recap

On Friday, 28th June 2025, we hosted our biggest podcast session ever, with 295 live attendees joining us to explore the Data (Use and Access) Act 2025.

Hosted by Phil Brining, Caine Glancy, and Catarina Santos, the session provided a clear and practical breakdown of the most significant changes to UK data protection law since the GDPR.

Whether you missed it live or want to listen again, you can catch the full episode now and download the slide deck shared during the session.

Listen back on Spotify

Click below to listen to the episode via Spotify or find us on Apple Podcasts, Audible and all major streaming platforms.

Download the Slides

We’ve made the full slide deck from the session available to download and share:
Download Presentation Slides

What We Covered

  • What the DUA Act is and how it evolved from the DPDI Bill
  • Key changes to Subject Access Requests, Legitimate Interests, and the role of the ICO
  • Updates to PECR enforcement powers and cookie consent exemptions
  • The Act’s impact on data sharing, organisational accountability, and regulatory expectations
  • What public and private sector organisations need to prepare for

Part Two – Live on Thursday 18th July

Due to overwhelming demand and brilliant questions from our community, Part Two is already confirmed. In this follow-up session, we’ll dig deeper into unanswered questions, explore real-world scenarios, and share practical next steps for compliance and governance.

Click here to visit the Part Two event page and register your place: View Part Two

Join the Data Protection Made Easy Community

By joining our free community, you’ll get:

  • Early access to future podcast sessions
  • Weekly email updates with analysis and guidance on the DUA Act
  • Exclusive content including white papers, practical templates, and checklists
  • Invites to free in-person events across the UK
  • Recordings and slides from every live session
  • A chance to ask questions and share challenges with other professionals

We’re committed to supporting our community through the transition to the DUA Act and beyond, making compliance simpler, clearer, and easier to manage.

Our Events & Webinars

Industry Leading Discussions

We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.

UK Cookie Compliance What You Need to Know
03 October 25 12:30 - 1:00 pm

UK Cookie Compliance in 2025

GDPR Radio - Episode 220 Data Protection News
19 September 25 12:30 - 1:00 pm

GDPR Radio Returns

Get Support With Data Protection And Cyber Security

Our mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.