The UK's #1 Data Protection Consultancy

Data Protection & Information Security Experts

Data Protection Made Easy.

Join our extensive list of clients who have their data privacy under control

Accelerate Your Data Protection Compliance

Save Time, Save Money and Relax: You’re In Safe Hands

Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.

Information Management Software

DataWise is the original privacy tech platform designed to simplify GDPR compliance management. Since its inception in 2011, DataWise has continuously evolved, solidifying its reputation as the pioneering "privacy tech" solution.

Contact Us

Data Protection Consultancy

Unlock Compliance Excellence with Our GDPR Consultancy Services. Navigating the intricate realm of data protection laws and standards demands expert guidance.


Outsourced DPO

A data protection officer doesn't have to be a full-time employee, and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services, or reach out and get in touch with us.


Data Protection Support

Data Protection People's world-class GDPR Support Desk. If you're navigating the complex landscape of data protection, PCI DSS, and cybersecurity, our support desk is your reliable compass.


Need Help With Cyber Security Compliance?

We Have You Covered!

At Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.

PCI DSS Compliance Services for Merchants

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.


PCI DSS Compliance Services for Service Providers

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.


External Attack Surface Management

Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.


ISO 27001

Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.


Supporting DPOs

Flexible Support When You Need It

At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.

Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.

Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.

Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.

Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.

Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.

Diverse Sector Experience

Access to a Team of Industry Experts

At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.

Commercial Sector

Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.

SMEs

Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimize your operations, and scale confidently with our tailored solutions that prioritize your unique business needs.

Third Sector

For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.

Multi Nationals

For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavors with resilience.

Public Sector

In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.

Why Use Our Outsourced DPO Services?

Save Time, Money and Guarantee Compliance

Navigating the intricate landscape of data protection demands more than just a DPO — it requires a dedicated team committed to excellence. Our Outsourced DPO Services extend beyond the traditional role, offering a comprehensive approach to legal compliance and pragmatic solutions.

Why Choose Outsourcing?

An outsourced DPO brings a wealth of experience, not just in the law but also in crafting workable solutions. Their impartiality is fortified by a team of privacy practitioners, ensuring that your organization benefits from a spectrum of expertise. Should the need arise, seamless coverage during absences is guaranteed, eliminating the vulnerability associated with a single in-house DPO.

Staying Headache-Free

Concerned about the disruption if your DPO moves on? With an outsourced model, transitions are smooth, and you won’t experience the sudden headache of a critical role vacancy. The continuity provided by a team ensures that your data protection responsibilities are seamlessly handled.

Compliance Tailored to You

Our Outsourced DPO Services align seamlessly with your legal obligations, whether you’re mandated to appoint a DPO or choose to do so voluntarily. We understand that compliance is not just about ticking boxes but about ensuring a robust, practical approach to data protection. Choose Data Protection People for a worry-free, compliance-driven outsourced DPO solution — because your data protection journey should be as smooth as it is secure.

“I can't recommend Data Protection People enough, they have helped me in so many different areas, no matter how complex the challenge or how large the obstacle, DPP always has the answer.

I can call the team at any time and have built an amazing relationship with them, in times of frustration they are here to calm me down and create a plan, they are a pleasure to work with.”

Mark Leete
Eastlight Community Homes

‘I found the FOI training session to be highly informative and well-structured. It covered all the key areas comprehensively and provided clear, practical guidance throughout. The content was easy to follow, and the delivery by Gary was engaging, making complex topics accessible and understandable’. 

‘The training session has really helped me to understand the IG rep role a bit more and what I need to be thinking about when receiving a request for information’. 

Charlene Haynes & Team
Tendring District Council

“I have worked with the Data Protection People for some time now. Their expertise has been drawn upon to assist us with our GDPR compliance gap analysis project, ROPA design and production through to conducting objective reviews and surveys. They are always available to help us out and their advice and guidance is excellent and delivered in a timely way. Special mentions to Kathy Midgley, Phil Brining, and David Hendry. A great, reliable and dependable service!”

Judy Barker
Dyslexia Action

“A great service and peace of mind. Data Protection People provides a well-rounded service to ensure customers are fully supported in their approach to GDPR compliance. My interaction has largely been with the following people: Kathy Midgley – another great asset to the organisation. Always approachable, always helpful and consistently supportive to the team and customers.”

Julie Ferguson
Veritau

“We have been working with the Data Protection People for many years now, and have found them to be insightful, helpful, and knowledgeable in all areas of Data Protection Compliance. Data Protection People have taken the time to understand our business, the regulatory environment we sit under, and the unique challenges we face in the industry. They have supported us in all areas of Information and Data Security, assisting in assessments of our policies and changes to our processes. They are always willing to go the extra mile and prioritise support where required.”

Nia Roberts
Woodgate & Clarke

Data Protection People Blogs & Podcasts

Data Privacy Learning & Guidance

Data Protection People have the UK’s #1 Data Protection Podcast, with over 150 episodes available across all audio streaming platforms. We also post regular content designed to simplify complex areas of data protection and cyber security. Check out some of the podcasts and articles below and make data protection easy today.

UK Age Verification for 18+ Content

What Does Age Verification for 18+ Content Mean for Data Protection in the UK? 

The UK is introducing mandatory age verification for accessing 18+ online content, including pornography, gambling and other age-restricted services. This change is designed to protect children, but it raises important questions for the data protection community. Are these measures safeguarding users or creating new risks? And how do organisations strike a balance between compliance and privacy? 

What Is Age Verification and Why Is It Being Introduced? 

Age verification is the process of confirming that a user is over a certain age threshold, usually 18, before granting access to restricted online content. The UK Government has committed to rolling this out in response to long-standing concerns about children accessing harmful material online. 

Under the Online Safety Act 2023, platforms hosting 18+ content are now required to introduce robust age checks. This could involve ID scans, credit card verification, or even biometric facial recognition technology. 

Is This a Win for Online Safety or a Risk to Privacy? 

The move aims to protect vulnerable users, particularly children. But to verify age, websites must process more personal data and often very sensitive data. This creates tension between protection and privacy. 

Positive Intentions

  • Protecting Children: Preventing underage users from accessing harmful content is widely supported by parents, educators and regulators. 
  • Holding Platforms Accountable: The burden is shifting to providers, encouraging better content moderation and accountability. 
  • Legal Clarity: New obligations provide a clearer legal framework for platforms, including pornographic and gambling websites. 

Potential Risks

  • Data Minimisation Concerns: Does proving someone is 18 really require full identity data, or could a tokenised, privacy-preserving method be used? 
  • Scope Creep: Once age data is collected, what stops platforms from storing or using it for other purposes? 
  • Increased Attack Surface: The more sensitive data stored, the higher the risk of breaches. Facial recognition and ID scans are high-value targets. 
  • Lack of Transparency: Users may not understand how their ID or biometric data is used, stored, or shared. 

What Technologies Are Being Used? 

Age verification is no longer just about ticking a box. Technology providers are introducing advanced tools to meet the UK’s requirements, including: 

  • Biometric Facial Estimation: AI determines your likely age based on a selfie 
  • Document Verification: Scanning a passport or driver’s licence 
  • Credit Card Verification: Confirming age based on payment card data 
  • Third-Party Age Assurance Providers: Trusted intermediaries that verify age without sharing the full identity 

All of these involve processing personal data. Some even involve special category data, which demands greater safeguards under UK GDPR. 

Data Protection Considerations for Organisations 

If your organisation is involved in publishing or enabling access to age-restricted content, there are immediate steps to take. 

1. Conduct a Data Protection Impact Assessment (DPIA)
Any use of biometric or ID verification requires a DPIA. These technologies pose high risks to individual rights and freedoms and are likely to trigger Article 35 obligations under the UK GDPR. 

2. Follow the Principles of Data Minimisation
Collect only what is necessary. If proof of age can be confirmed without identity, that’s preferable. Avoid systems that retain ID data longer than needed. 

3. Use Trusted Verification Providers
Work with accredited Age Check Certification Scheme (ACCS) providers or other UK-recognised vendors who are independently audited and transparent. 

4. Be Transparent with Users
Make it clear what data is being collected, how it is processed, and whether it is shared. This includes publishing clear privacy notices and cookie policies. 

FAQs: Age Verification & Data Protection 

Is age verification required by law in the UK?
Yes. The Online Safety Act 2023 requires platforms hosting 18+ content to implement proportionate and effective age checks. 

Do age verification systems fall under UK GDPR?
Yes. Any system that processes personal data—including biometric data or ID scans—must comply with UK GDPR requirements. 

What’s the safest way to verify age?
Using third-party age assurance providers that issue verification tokens without exposing full identity data is currently considered best practice. 

Can users opt out?
If access to the content is restricted by law, users cannot opt out of the age verification process. However, transparency and consent in how data is processed still apply. 

Who enforces this?
Ofcom is the lead regulator under the Online Safety Act. The ICO oversees compliance with data protection laws related to these technologies. 

The Balance Between Safety and Privacy 

For many, this change is a positive step towards safeguarding young people online. But it also signals a broader shift: privacy and safety are no longer separate priorities, they must coexist. 

The risk is that platforms, in their rush to comply, adopt intrusive systems without fully understanding the data protection consequences. Age verification should not become identity verification by default. 

The challenge now is to build trust through transparency, minimise data wherever possible, and ensure that age checks are done securely, proportionately, and fairly. 

What Should Data Protection Officers Be Doing Now? 

  • Monitor developments and Ofcom guidance under the Online Safety Act 
  • Review any services or platforms your organisation operates that may fall under age-restriction obligations 
  • Speak to IT and procurement teams to vet any third-party age verification providers 
  • Consider providing staff training on biometric data, DPIAs and user transparency 

Our View at Data Protection People 

We believe data protection and child safety can go hand in hand, but only if implemented carefully. Mandating age verification should not open the door to excessive data harvesting or surveillance. 

At Data Protection People, we support clients through this changing landscape, helping them stay compliant without compromising their users’ privacy. Our consultants can help you assess risks, write DPIAs, review third-party tools and update privacy documentation. 

If your organisation is implementing or reviewing age verification systems, we’re here to support you. 

Need Help Navigating Age Verification Compliance? 

We offer consultancy and audits that help organisations align with both the Online Safety Act and UK GDPR. 

 

GDPR Audit Services

What Is a Data Protection Audit and Why Does Your Organisation Need One?

A data protection audit is an independent, expert-led review of your organisation’s compliance with UK data protection laws, including the UK GDPR, DUAA, DPA18 and PECR. At Data Protection People, audits are one of our top priorities. They are the foundation of how we help organisations identify risks, benchmark performance and improve accountability. Whether you’re a small business or a public sector body, a regular audit ensures your systems and practices are working as intended, helping you stay compliant and build trust with your stakeholders.

Why Regular GDPR Audits Are Essential

A Comprehensive Compliance Assessment

A GDPR audit evaluates how your organisation handles personal data. It checks whether your policies, procedures and technical controls meet the requirements of the UK GDPR and other relevant laws. It’s not just about ticking boxes; it’s about building confidence that your organisation is doing the right things the right way.

Identifying Gaps and Weaknesses

Even small gaps in your data protection practices can lead to big problems. A GDPR audit helps you uncover those gaps early. Whether it’s missing documentation, unclear lawful bases or ineffective SAR processes, identifying these weaknesses gives you the chance to put things right before they escalate.

Streamlining Internal Governance

Do your policies reflect what actually happens in practice? Are staff following the right procedures? Audits bring these questions to the surface. We don’t just assess paperwork, we evaluate real-world processes and behaviours to ensure your organisation is genuinely living up to its policies.

Building Stakeholder Trust

Showing that you’ve independently assessed your data protection compliance builds credibility. Whether it’s for the board, customers or regulators, being able to point to an audit from a trusted provider like Data Protection People helps demonstrate accountability.

Our Range of Data Protection and GDPR Audits

We offer a wide range of audits to suit different needs, budgets and levels of maturity. Whether you need a light-touch review or a deep-dive audit, we have a solution.

GDPR Discovery Day
A high-level review that assesses how your organisation is currently managing data protection compliance. Ideal for organisations that want a snapshot of where they stand.
Who it’s for: Any organisation seeking quick insight and wanting to identify quick compliance wins
Time commitment: 1 day
Output: Executive summary of strengths, weaknesses and next steps

Gap Analysis
A detailed report that compares your practices against a robust compliance framework. You’ll get a visual benchmark and actionable insights to help close any gaps.
Who it’s for: Organisations preparing for audits or external scrutiny
Time commitment: 3 days
Output: Full benchmarking report with RAG-rated findings

Full GDPR Audit
A comprehensive audit covering all aspects of your data protection framework, including records of processing, risk assessments, policy controls, and compliance culture.
Who it’s for: Organisations seeking detailed assurance
Time commitment: 5 days
Output: Full audit report with evidence, recommendations, and improvement roadmap

PECR Audit
A focused review of how you manage electronic communications, cookies, and marketing consent under the Privacy and Electronic Communications Regulations (PECR).
Who it’s for: Organisations conducting digital marketing
Time commitment: 1–2 days
Output: Compliance report with recommendations

Tailored Audit Framework
We can design bespoke audit frameworks that align with your internal structures or specific sector requirements. These can be based on our established methodology or built from scratch.
Who it’s for: Regulated sectors or organisations with unique risks
Time commitment: Varies
Output: Custom framework, audit delivery, and repeatable toolkit

Common Questions About GDPR Audits

What is the purpose of a data protection audit?
A data protection audit helps you assess whether your organisation is complying with relevant laws and best practices. It identifies areas of risk, provides reassurance to stakeholders, and supports continuous improvement.

How often should we carry out an audit?
We recommend a full audit at least every 12–18 months. However, audits may be needed more frequently for high-risk sectors, major system changes or after a data breach.

Can we audit ourselves?
Internal reviews are useful but can lack objectivity. An external audit ensures independence and brings in specialist knowledge.

Do audits include subject access requests?
Yes, our audits assess how your organisation handles individuals’ rights including SARs, erasure, rectification and objection.

What laws and standards do you audit against?
We audit against the UK GDPR, PECR, ICO guidance, and where appropriate, international frameworks like NIST or ISO standards.

Why Clients Choose Data Protection People

Expertise You Can Rely On
Our audit team includes certified professionals such as Catarina Santos, who bring years of real-world experience across sectors. We understand the law, the risks and the operational challenges.

Structured and Actionable
We don’t leave you with a vague report. Every audit concludes with clear, prioritised recommendations that you can act on. If needed, we can also support the implementation process.

Tailored to Your Organisation
We don’t believe in one-size-fits-all. Whether you’re a housing association, a retailer, or a healthcare provider, we tailor the audit to your data flows, systems, and risks.

Flexible, Repeatable Frameworks
Want to embed auditing into your governance processes? We can create reusable frameworks that allow you to conduct regular internal audits or annual reviews.

Get Support With Your Next Audit

At Data Protection People, our mission is to make data protection easy to understand and easy to do. Our audit services are designed to help you benchmark, improve and maintain your compliance posture.

 

Is Your Business Ready for a GDPR Audit? Here’s What You Need to Know

Are You Ready for a GDPR Audit?

Most organisations believe their data protection practices are solid, until they take a closer look. A GDPR audit gives you the chance to step back and properly assess how your organisation handles personal data. It’s not just about compliance. It’s about building confidence that your systems, policies and people are doing the right things.

Whether you’re preparing for an inspection, responding to concerns, or just want to get ahead, a GDPR audit is the best place to start.

What Is a GDPR Audit?

A GDPR audit is a structured, independent review of your organisation’s data protection arrangements. It looks at how you collect, store, use and share personal data across your operations.

At Data Protection People, our audits are clear, thorough and tailored to your needs. Some clients ask us for a simple high-level review to check the basics. Others need a full, in-depth audit that explores every part of their data protection strategy.

We also offer audits focused on specific areas like electronic communications or internal governance. Each audit is built to match the risks, size and structure of your organisation. We don’t use generic templates. We listen, understand and provide advice that fits your environment.

Why a GDPR Audit Is Worth Doing

Data protection can easily fall down the priority list, especially when teams are busy. But that’s exactly when risks can creep in. A GDPR audit gives you an honest picture of where you stand and helps you address issues before they grow into problems.

It can also give your leadership team the confidence to make informed decisions. When data protection is done well, it protects more than just information—it protects your reputation, your customers and your future.

We also find that audits are a great way to bring teams together around a shared goal. The process highlights what’s working well and where improvements are needed, without placing blame or creating pressure.

When Should You Consider a GDPR Audit?

A GDPR audit is useful for any organisation that handles personal data, regardless of size or sector. If you’ve never had one before, it’s worth scheduling an audit to create a baseline and check that your foundations are in place.

Organisations often reach out to us after a period of growth or change. If you’ve launched new services, moved systems, or experienced staff turnover, it’s a good time to review your compliance. We also work with clients who’ve had a breach or a near miss and want to understand what went wrong.

If you’re preparing for an ICO inspection or contract review, an audit can help you feel more confident and prepared. It’s not about ticking boxes. It’s about showing you’re serious about data protection and taking the right steps to get it right.

What’s Involved in the Audit?

Our process is designed to make things easy for you. First, we start by understanding your organisation, how it operates, and where the data flows. We’ll talk through your systems, services and how personal data moves across your business.

Next, we review your key documents. That includes your policies, privacy notices, contracts, and staff training records. These documents give us a view of your governance and how you meet your legal obligations.

We may speak with relevant staff to understand how things work day to day. These conversations help us check that policies are being followed in practice, not just written on paper.

We then carry out a structured assessment, comparing your setup against GDPR requirements and sector best practices. Once complete, we provide a clear report. It explains what you’re doing well and where improvements are needed. Most importantly, we include a detailed action plan that helps you prioritise and take control of your compliance.

Why Choose Data Protection People?

We’ve been helping organisations with data protection for over 15 years. Our consultants are experienced, practical and know how to explain things clearly. We understand the challenges businesses face when trying to stay compliant, and we’re here to make it easier.

Our audits are designed to work around you. We don’t disrupt your day-to-day operations or expect your team to speak legal jargon. We take the time to understand your business and provide advice that’s realistic, achievable and tailored to your situation.

Clients tell us they feel more confident after an audit with us. They know where they stand and what to do next. That’s what we aim for: clarity, confidence and practical solutions.

What Happens After the Audit?

Once you receive your report, you’ll have a clear list of actions and priorities. You can choose to handle these internally, or we can help you implement the changes. Some clients ask us to support policy updates, deliver staff training or even take on the role of outsourced DPO.

Whether you need a little help or full support, we’re flexible and here to make compliance easier. Our goal is to help you build a strong, practical approach to data protection that grows with your organisation.

Final Thoughts

A GDPR audit isn’t something to put off or fear. It’s an opportunity to take stock, reduce risk and build better processes. By investing in a proper review, you protect more than just data, you protect your customers, your reputation and your business.

If you’ve been unsure where to start, or worried about what you might find, we’re here to help. Our team will guide you through the process step by step. You’ll come away with a clearer understanding of your responsibilities and a plan you can trust.

Ready to find out more?
Speak to our team today about booking a GDPR audit. We’ll help you understand what’s involved and how it can benefit your organisation.

Summer SAR Support

SAR Support During the Summer Holidays: Why Organisations Struggle and How to Stay Compliant

Every year, as summer arrives and schools break up for the six-week holiday, many organisations begin to feel the pressure. But it’s not just the heat or the juggling of annual leave rotas that causes challenges. For data protection teams across the UK, summer has become known as SAR season, a time when Subject Access Requests (SARs) increase and internal resources are stretched thin.

At Data Protection People, we’ve supported hundreds of clients through this exact scenario. We’ve seen the same patterns emerge year after year: reduced staffing levels, mounting deadlines, and complex SARs that simply cannot wait. Understanding why this happens and how to prepare can make all the difference.

Why Do SARs Increase During the Summer?

There isn’t one single reason, but rather a combination of factors that converge during July and August. First, many internal data protection and HR teams are operating with skeleton staff due to holidays. This makes it harder to keep up with SARs, especially those that are more involved, such as requests from current or former employees.

At the same time, there can be a rise in employee-related SARs during the summer break. Disagreements over flexible working, disputes linked to holiday entitlements, or even longer-standing grievances can lead to individuals submitting SARs as part of broader HR issues. In the education sector, we also see a rise in parent and student SARs being submitted just before the academic year begins, adding more pressure at an already busy time.

Add to this the fact that organisations have only one calendar month to respond to a SAR, with no extension allowed unless the request is particularly complex, and the situation quickly becomes challenging.

The Risk of Delayed or Incomplete SAR Responses

Failure to meet SAR deadlines doesn’t just inconvenience the individual making the request. It can trigger complaints to the Information Commissioner’s Office (ICO), damage your organisation’s reputation, and even result in financial penalties. In some cases, particularly involving employees or sensitive personal data, delays can lead to legal disputes or grievances that might otherwise have been avoided with a well-handled and timely response.

It’s also important to remember that a SAR isn’t just about handing over data. You need to ensure that third-party information is carefully redacted, privileged or confidential material is properly assessed, and that the response is complete and clearly structured. This is not something that can be rushed, especially when your internal teams are already overstretched.

Why Organisations Choose Data Protection People for SAR Support

We are proud to be recognised as the leading provider of SAR support in the UK, and we currently rank #1 on Google for SAR and DSAR support services. Our experience spans all sectors, including housing, education, healthcare, charity, and private organisations of all sizes. Whether you’re facing a one-off customer request or handling an employee SAR covering 15+ years of service, our team is equipped to help.

We have a dedicated team of 25 professional redactors who work solely on SARs. This means you’ll be supported by experts who understand not just the legal obligations, but the operational and reputational risks associated with each request. Our advanced SAR processing software allows us to de-duplicate documents, carry out high-precision redactions, and manage the full review process securely and efficiently.

Our clients value our ability to step in quickly, assess their needs, and deliver a professional, compliant response, often under tight time constraints. We’re more than just a redaction service. We work alongside your internal team to manage the SAR from start to finish, offering full visibility, clear communication, and high-quality results.

We’re Here When You Need Us Most

The summer holiday period can be a perfect storm for SAR compliance issues: fewer people in the office, growing backlogs, and no let-up in legal obligations. That’s why many organisations turn to external support during this time of year.

By working with us, you can reduce the stress on your internal team, ensure deadlines are met, and protect your organisation from unnecessary risk. We also offer ongoing SAR management support, policy reviews, and tailored training to help you build resilience and improve processes moving forward.

If you’ve received a complex SAR and are unsure where to start, or if you’re already facing time pressure due to annual leave cover, get in touch. We’ll help you regain control, stay compliant, and respond with confidence.

Need Support with a SAR or DSAR?

Our team is ready to help. Whether you need end-to-end SAR handling, software to streamline your internal response process, or simply some expert guidance, we’re here to support you. Contact us today or visit our SAR Support page for more information.

Stay Ahead of the Curve with Data Protection Made Easy

If you’d like to stay up to date with news, updates and practical advice on SARs and other data protection topics, join the Data Protection Made Easy community:

We break down complex topics, provide practical solutions, and help professionals at all levels feel more confident and in control.

DUA Act – Part Two

The Data (Use and Access) Act 2025 – Podcast Part Two

On Thursday, 18th July 2025, we hosted Part Two of our DUA Act discussion, with over 200 live attendees joining us for a deeper dive into the Data (Use and Access) Act 2025.

Led by Phil Brining and Caine Glancy, this session focused on answering the questions raised in Part One, exploring complex scenarios, and sharing practical advice for professionals preparing for the new regulations.

If you couldn’t attend live or want to revisit the insights, you can now listen back to the full recording and access the presentation slides shared during the event.

Listen on Spotify

Click below to listen to Part Two on Spotify or search ‘Data Protection Made Easy’ on Apple Podcasts, Audible or any major platform.

Download the Slides

We’ve made the full slide deck from Part Two available to download and share:
Download Part Two Presentation Slides

What We Covered

  • Real-life scenarios and case study examples based on DUA Act principles
  • Detailed Q&A on legitimate interest balancing tests, soft opt-in rules, and data subject rights
  • Compliance challenges and how to overcome them using good governance frameworks
  • The DUA Act’s expected impact on privacy management programmes and internal policies
  • Preparing your teams, clients, and data flows for the changes ahead

Join the Data Protection Made Easy Community

By joining our free community, you’ll get:

  • Early access to upcoming podcast sessions and event invites
  • Weekly insights into legislation like the DUA Act and GDPR
  • Exclusive downloads including templates, tools, and guides
  • Invitations to in-person events across the UK
  • Access to session recordings and slides
  • A place to ask questions, share experiences, and stay ahead

We’re here to help you transition confidently into the new data protection landscape, making compliance clearer, simpler, and more achievable.

The Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 – Podcast Part One Recap

On Friday, 28th June 2025, we hosted our biggest podcast session ever, with 295 live attendees joining us to explore the Data (Use and Access) Act 2025.

Hosted by Phil Brining, Caine Glancy, and Catarina Santos, the session provided a clear and practical breakdown of the most significant changes to UK data protection law since the GDPR.

Whether you missed it live or want to listen again, you can catch the full episode now and download the slide deck shared during the session.

Listen back on Spotify

Click below to listen to the episode via Spotify or find us on Apple Podcasts, Audible and all major streaming platforms.

Download the Slides

We’ve made the full slide deck from the session available to download and share:
Download Presentation Slides

What We Covered

  • What the DUA Act is and how it evolved from the DPDI Bill
  • Key changes to Subject Access Requests, Legitimate Interests, and the role of the ICO
  • Updates to PECR enforcement powers and cookie consent exemptions
  • The Act’s impact on data sharing, organisational accountability, and regulatory expectations
  • What public and private sector organisations need to prepare for

Part Two – Live on Thursday 18th July

Due to overwhelming demand and brilliant questions from our community, Part Two is already confirmed. In this follow-up session, we’ll dig deeper into unanswered questions, explore real-world scenarios, and share practical next steps for compliance and governance.

Click here to visit the Part Two event page and register your place: View Part Two

Join the Data Protection Made Easy Community

By joining our free community, you’ll get:

  • Early access to future podcast sessions
  • Weekly email updates with analysis and guidance on the DUA Act
  • Exclusive content including white papers, practical templates, and checklists
  • Invites to free in-person events across the UK
  • Recordings and slides from every live session
  • A chance to ask questions and share challenges with other professionals

We’re committed to supporting our community through the transition to the DUA Act and beyond, making compliance simpler, clearer, and easier to manage.

Managing Subject Access Requests from Employees & Ex-Employees – Part 2

Data Protection Made Easy Podcast – Episode 214

After one of our most popular episodes to date, Data Protection Made Easy is back on Friday 13th June with Part Two of our deep dive into Subject Access Requests (SARs) from employees and ex-employees.

Our expert hosts Catarina Santos, Phil Brining and Caine Glancy return with special guest Nia Roberts to pick up where we left off, tackling some of the most challenging real-world scenarios and offering practical advice you can put into action.

Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.

What We Covered

Understanding What Drives SARs

We’ll begin by exploring the reasons why employees and former staff submit SARs. Understanding their motivations – whether it’s part of a grievance, a disciplinary matter, or simply curiosity – can help you take a more informed, strategic approach when responding.

When You Must Respond – And When You Don’t

We’ll clarify the legal obligations around SARs, including when you are required to respond and the circumstances under which you may lawfully refuse. We’ll cover how to apply exemptions correctly and avoid common legal missteps.

Managing Excessive or Repetitive Requests

Some SARs are straightforward, but others can be lengthy, repeated or even used tactically during disputes. We’ll discuss practical strategies for managing high-volume or difficult requests while staying compliant and maintaining control.

Balancing Transparency and Internal Protection

Sharing data is a legal requirement, but it can pose risks. We’ll explain how to balance the need for openness with the importance of protecting internal communications and third-party data, especially in sensitive workplace situations.

Lessons from Real Grievance and Disciplinary Cases

We’ll walk through real examples where SARs intersect with HR issues, highlighting the challenges and how they were overcome. These case studies bring the legislation to life and offer useful insights for handling similar requests in your own organisation.

Proactive Preparation: Getting Ahead of SARs

Being prepared can save you a lot of time and stress. We’ll share practical steps to help you get ready for future SARs, such as mapping employee records, putting redaction protocols in place, and training managers to write with potential disclosure in mind.

Avoiding Common Mistakes

From over-disclosing sensitive data to misinterpreting exemptions, there are several pitfalls to watch out for. We’ll help you spot the most common mistakes and show you how to avoid them through better planning and communication.

Handling Escalation and Risk

Sometimes SARs escalate into wider legal or reputational issues. We’ll outline how to manage those risks and what to do when a request becomes more than just a request – protecting your organisation and your people in the process.

Want More Like This?

The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.

Subscribe to our mailing list by emailing [email protected]
Join live discussions every Friday at lunchtime
Find out more about our events, training, and in-person roundtables

Looking Ahead

As always, this podcast is completely free to attend and open to everyone. Whether you’re new to SARs or navigating a particularly difficult one, this session will leave you better equipped to respond with clarity and confidence.

Know someone who would benefit? Share the podcast link and help others take the complexity out of compliance.

Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.

Managing Employee SARs

Managing Subject Access Requests from Employees & Ex-Employees

Data Protection Made Easy Podcast – Episode 114

Subject Access Requests (SARs) submitted by current or former employees are among the most sensitive and complex data protection challenges organisations face. In Episode 114 of the Data Protection Made Easy Podcast, we welcomed Nia Roberts from Woodgate & Clarke to share her insights alongside our regular hosts Philip Brining, Catarina Santos, and Caine Glancy.

If you’re involved in HR, legal, compliance, or data protection, this is an episode you won’t want to miss. SARs from staff can surface during contentious periods and often involve highly personal data, workplace grievances, and emotionally charged decisions.

Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.

What We Covered

This session dives into some of the most frequently asked questions and overlooked risks when handling SARs from employees and ex-employees. The team explored:

🔹 Common Triggers and Misconceptions

From employment disputes and grievances to misunderstanding of rights, we discussed the motivations behind employee SARs and how these requests are sometimes unfairly perceived as “troublemaking.”

As Catarina Santos explained, it’s essential to reframe the narrative:

“The moment an employee submits a SAR, there’s often suspicion. But they’re simply exercising a right, and organisations need to avoid viewing this as a hostile act.”

🔹 SARs and Organisational Culture

The episode opened with a reflection on how important organisational attitude is when dealing with SARs internally. Do line managers panic? Do HR teams try to limit the scope unfairly? The cultural tone in which SARs are approached sets the standard for compliance and respect for rights.

🔹 The Community Speaks

This episode was particularly lively, with dozens of listeners sharing personal experiences in the live chat, from management asking for redaction reviews to WhatsApp messages being considered disclosable.

Philip Brining highlighted the value of the community:

“We’re not here to preach, we’re here to learn from each other. Today’s discussion proved again how much experience exists across this community.”

🔹 Tools of the Trade: Teams, WhatsApp & Chat Platforms

Are your workplace chat tools covered by SARs? Very possibly. The group discussed how platforms like Microsoft Teams, Slack, and WhatsApp are increasingly scrutinised during employee SARs, especially if conversations include personal data.

🔹 Balancing Access, Proportionality, and Security

SAR compliance doesn’t mean giving everything. As Caine Glancy pointed out, organisations must strike a balance between access and protection:

“It’s easy to get swept up in emotion, especially when the SAR involves current staff. But we need to remain impartial, proportional, and legally grounded.”

The team also touched on unfounded and excessive requests, case law, and the ICO’s guidance on managing SARs in the workplace — especially when IT systems and data security are involved.

What made this episode stand out was the depth of real-world experiences shared. Guest speaker Nia Roberts brought front-line insight, including how to manage expectations and collaborate across departments:

“You need strong communication between data protection and IT teams. It’s essential, especially when you’re dealing with chat logs or historic data held in messaging tools.”

Want More Like This?

The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.

Subscribe to our mailing list by emailing [email protected]
Join live discussions every Friday at lunchtime
Find out more about our events, training, and in-person roundtables

Looking Ahead

Due to overwhelming demand and an overflowing chat box, we’re exploring a Part 2 to this session, diving deeper into recurring SAR issues, including excessive requests, HR workflows, and lessons from recent case law.

Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.

Special May Promotion: Free SAR Consultations

This month, we’re offering free consultations on SAR handling to any organisation looking to improve their internal process.

Whether you’re struggling with redaction, document searches, or managing requests from difficult cases, speak to one of our experts for practical support.

📩 Simply email us at [email protected] with the subject line SAR Support, and we’ll book in a free 30-minute consultation.

Our Events & Webinars

Industry Leading Discussions

We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.

Caught in the Act: The UK’s New Age Verification Law
29 August 25 12:30 - 1:30 pm

Caught in the Act

The Data (Use and Access) Act – Part Two
18 July 25 12:30 - 1:30 pm

The DUA Act (Part 2)

Get Support With Data Protection And Cyber Security

Our mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.