The UK's #1 Data Protection Consultancy

Data Protection & Information Security Experts

Data Protection Made Easy.

Join our extensive list of clients who have their data privacy under control

Accelerate Your Data Protection Compliance

Save Time, Save Money and Relax: You’re In Safe Hands

Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.

SAR Support

Explore our Subject Access Request (SAR) Handling Service and understand how Data Protection People can support your organisation


GDPR Training

Data Protection People have a wide range of training services catering for every need. Whether it's general training for operational or admin staff or specific training for specialist roles, we have something for you. Watch the short video below to meet the team and find out more about our training services.


Information Management Software

DataWise is the original privacy tech platform designed to simplify GDPR compliance management. Since its inception in 2011, DataWise has continuously evolved, solidifying its reputation as the pioneering "privacy tech" solution.


Data Protection Consultancy

Unlock Compliance Excellence with Our GDPR Consultancy Services. Navigating the intricate realm of data protection laws and standards demands expert guidance.


Need Help With Cyber Security Compliance?

We Have You Covered!

At Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.

PCI DSS Compliance Services for Merchants

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.


PCI DSS Compliance Services for Service Providers

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.


External Attack Surface Management

Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.


ISO 27001

Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.


Supporting DPOs

Flexible Support When You Need It

At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.

Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.

Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.

Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.

Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.

Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.

Diverse Sector Experience

Access to a Team of Industry Experts

At Data Protection People, our expertise spans diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.

Commercial Sector

Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.

SMEs

Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimize your operations, and scale confidently with our tailored solutions that prioritize your unique business needs.

Third Sector

For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.

Multi Nationals

For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavors with resilience.

Public Sector

In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.

Why Use Our Outsourced DPO Services?

Save Time, Money and Guarantee Compliance

Navigating the intricate landscape of data protection demands more than just a DPO — it requires a dedicated team committed to excellence. Our Outsourced DPO Services extend beyond the traditional role, offering a comprehensive approach to legal compliance and pragmatic solutions.

Why Choose Outsourcing?

An outsourced DPO brings a wealth of experience, not just in the law but also in crafting workable solutions. Their impartiality is fortified by a team of privacy practitioners, ensuring that your organization benefits from a spectrum of expertise. Should the need arise, seamless coverage during absences is guaranteed, eliminating the vulnerability associated with a single in-house DPO.

Staying Headache-Free

Concerned about the disruption if your DPO moves on? With an outsourced model, transitions are smooth, and you won’t experience the sudden headache of a critical role vacancy. The continuity provided by a team ensures that your data protection responsibilities are seamlessly handled.

Compliance Tailored to You

Our Outsourced DPO Services align seamlessly with your legal obligations, whether you’re mandated to appoint a DPO or choose to do so voluntarily. We understand that compliance is not just about ticking boxes but about ensuring a robust, practical approach to data protection. Choose Data Protection People for a worry-free, compliance-driven outsourced DPO solution — because your data protection journey should be as smooth as it is secure.

“I can't recommend Data Protection People enough, they have helped me in so many different areas, no matter how complex the challenge or how large the obstacle, DPP always has the answer.

I can call the team at any time and have built an amazing relationship with them, in times of frustration they are here to calm me down and create a plan, they are a pleasure to work with.”

Mark Leete
Eastlight Community Homes

‘I found the FOI training session to be highly informative and well-structured. It covered all the key areas comprehensively and provided clear, practical guidance throughout. The content was easy to follow, and the delivery by Gary was engaging, making complex topics accessible and understandable.’

‘The training session has really helped me to understand the IG rep role a bit more and what I need to be thinking about when receiving a request for information.’

Charlene Haynes & Team
Tendring District Council

“I have worked with the Data Protection People for some time now. Their expertise has been drawn upon to assist us with our GDPR compliance gap analysis project, ROPA design and production through to conducting objective reviews and surveys. They are always available to help us out and their advice and guidance is excellent and delivered in a timely way. Special mentions to Kathy Midgley, Phil Brining, and David Hendry. A great, reliable and dependable service!”

Judy Barker
Dyslexia Action

“A great service and peace of mind. Data Protection People provides a well-rounded service to ensure customers are fully supported in their approach to GDPR compliance. My interaction has largely been with the following people: Kathy Midgley – another great asset to the organisation. Always approachable, always helpful and consistently supportive to the team and customers.”

Julie Ferguson
Veritau

“We have been working with the Data Protection People for many years now, and have found them to be insightful, helpful, and knowledgeable in all areas of Data Protection Compliance. Data Protection People have taken the time to understand our business, the regulatory environment we sit under, and the unique challenges we face in the industry. They have supported us in all areas of Information and Data Security, assisting in assessments of our policies and changes to our processes. They are always willing to go the extra mile and prioritise support where required.”

Nia Roberts
Woodgate & Clarke

Data Protection People Blogs & Podcasts

Data Privacy Learning & Guidance

Data Protection People have the UK’s #1 Data Protection Podcast, with over 150 episodes available across all audio streaming platforms. We also post regular content designed to simplify complex areas of data protection and cyber security. Check out some of the podcasts and articles below and make data protection easy today.

These 6 Mistakes Could Land Your Business with a Costly GDPR Fine

As with any form of compliance, businesses must overcome several hurdles on their path to becoming compliant with the GDPR. Through the help of our data protection consultancy, we are able to provide businesses with the insight they need to know whether they’re on the right track.

Along with simplifying compliance, our GDPR consultants are tasked with helping businesses be proactive, allowing them to mitigate risks before they unravel.

Through this work, we’ve observed six common GDPR mistakes and how to resolve them, all of which we run through in this blog.

Top 6 GDPR Violations to Watch Out for

1. You Ignored a Subject Access Request

Under the GDPR, every individual has a right to access their personal information. This right, among seven other data subject rights, must be fulfilled without undue delay.

Individuals can submit subject access requests (SARs) verbally or in writing. Since they don’t need to be addressed to a specific individual in your organisation, these requests can be sent anywhere. Without knowing what a SAR is, it’s very easy for staff to ignore one and not pass it to the relevant individual for follow-up.

Remember, you only have 30 calendar days to respond to a SAR. Make sure you supply the person with their requested information before time runs out.

2. You Keep Personal Data for Too Long

It’s too easy to let ‘just in case’ get in the way when erasing personal data after you no longer need it. After a while, this information will pile up, and then you’ll need to invest more resources in keeping it safe.

Rather than focusing on the what-ifs of deleting data, draw your attention to the reasons why you should erase it. If you come back empty-handed, erase the data. If the reason is valid, record it in a data retention policy so it is clear how you manage, store and delete specific types of data.

With less information stored, you won’t have to spend as much time on a subject access request. Just think – would you rather search through hundreds or thousands of files?

3. You’re Not Careful with Email

The ICO’s data security incidents trends dataset reveals that emailing data to the wrong person remains the most common mistake businesses make.

There are plenty of scenarios where this can happen. It may occur when you’re rushed off your feet between meetings or when you’re multitasking between two jobs.

All it takes is a little distraction, and you end up emailing someone with a similar name, but it’s an entirely different individual. Once that email comes through, they have access to the history of that entire email thread.

If you send bulk emails, always check that you’re using Blind Carbon Copy (BCC). Otherwise, everyone in your CC group can see each other’s email addresses.

If either of these errors happens to you, act quickly and try to recall the email as soon as possible. If it’s too late, contact the individual(s) and ask them to delete it.

4. You Don’t Prioritise GDPR Training

Data breaches most often occur within the organisation. Your employees may email data to the wrong people, fail to redact or use BCC or fall victim to the all-too-common phishing attack.

If you don’t provide them with data protection training, how can you expect them to learn? Human error isn’t enough of an excuse – it’s just negligence on your part.

The UK GDPR doesn’t state how much or what type of training your business should do. Something as simple as our ‘Introduction to Data Protection’ course will be enough to give your team a solid understanding of your GDPR obligations.

If you’re looking for convenience, our GDPR training can be delivered online or in person, so there’s no excuse not to learn. For larger organisations, you may be best placed with a data protection officer (DPO) who will handle your team’s best practices in-house.

5. Your Records Are Out of Date

GDPR compliance is all about demonstrating accountability. To do this, you need a clean audit trail, which you can evidence at a moment’s notice.

Businesses often struggle with the record-keeping aspect of GDPR. There’s a lot of paperwork involved, and if these records are out of date or insufficient, how will you know what happens when things go wrong?

This is why keeping your Record of Processing Activities (RoPA) is non-negotiable. It may take time at the start, but maintaining it means you can prove the work that’s been done to stay compliant.

If you don’t know what data is held, we recommend conducting a data mapping exercise to understand your processing activities. If you need more transparency, a detailed GDPR audit may be required.

6. You Approach Compliance Like Everyone Else

GDPR compliance cannot sustain a one-size-fits-all approach. A generic approach to data protection often falls short because it doesn’t consider your business’s specific nuances. This ‘one-size-fits-all’ mentality creates vulnerabilities, leaving room for costly mistakes.

A data protection by design and by default approach means your business integrates data protection into everything it does. Rather than assuming the best, this concept ensures privacy and security are built into your processes from the ground up, protecting individual rights proactively.

If you want a tailored approach, our GDPR consultants can help identify gaps in your data protection framework and recommend ways to improve compliance.

Speak to Our Team for Expert GDPR Support

Don’t let these common GDPR mistakes expose your business to costly fines. Our expert data protection consultants provide the tailored insights and measures you need to secure your data and achieve compliance.

Speak to our team today to find out how we can support you.

Are You Holding Third-Party Data Processors Accountable?

Almost every business relies on a network of suppliers to develop, deliver and maintain its products and/or services. Working with third-party processors, such as a payment processor or CRM provider, will help streamline workflows and allow you to serve customers with ease.

However, as this supply chain grows, more people outside of your organisation will have access to your customers’ personal data. As a data controller, it’s your responsibility to ensure both you and your processors take the same approach to GDPR compliance.

If not, your processor(s) will become a weak link in your supply chain, putting you at risk of a data breach. In this blog, we’ll uncover how third-party relationships work under the GDPR and the consequences of non-compliance.

What Is a Third Party under the GDPR?

The term ‘third party’ refers to a ‘natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.’ (UK GDPR, Article 4(10)).

Under this definition, a third party refers to an external company that handles personal data for a separate and distinct purpose outside the controller’s original basis for processing.

For the purposes of this blog, we are referring to third-party processors. These are data processors who work on behalf of a data controller and have their own obligations.

How Do Third-Party Relationships Work?

In our data processor vs controller guide, we discussed how compliance requirements can change depending on your level of involvement.

A third-party processor doesn’t have as much autonomy as the controller. The controller decides what information is processed and the lawful basis for doing so. As such, the controller must hold themselves and their processor accountable when fulfilling their GDPR obligations.

As outsourcing always comes with some form of risk, a controller and processor must agree a Data Processing Agreement. The contract will include details such as:

  • The subject matter and length of the processing
  • The purpose of the processing
  • The type of personal data
  • The categories of data subject
  • The controller’s responsibilities and rights

Several other clauses or terms must be included, which the ICO covers in detail.

Who Is Responsible for a Data Breach, a Controller or a Processor?

In most cases, the data processor is responsible for a data breach, either because of non-compliance or a reason outside their control. What the processor is liable for, however, will depend on the terms set out in your Data Processing Agreement.

After an investigation by the ICO, the processor may be subject to administrative fines and penalties. They may also be liable to the data controller for a breach of their contract. This is also the case if a sub-processor has caused the breach.

If you, the controller, didn’t have a contract in place, you too will be liable for non-compliance. Setting a contract is just one of your responsibilities as a controller, and failure to comply puts you at risk.

A controller-processor contract doesn’t give controllers immunity. Yes, they safeguard your business, but it’s not enough to lay the blame entirely on the processor. As a controller, your role is to hold processors accountable. What this means is that the issues leading up to the breach could’ve been avoided had the controller taken more responsibility.

Need GDPR Support? Speak to Our Data Protection Consultants

As a data protection consultancy, we can help your business simplify your compliance requirements, whether you’re a data controller or processor.

Contact our team to learn more about our data protection services today.

The Data (Use and Access) Act 2025: What You Need to Know

The Data (Use and Access) Act 2025

The Data (Use and Access) Bill has now reached Royal Assent and will soon be officially enacted as The Data (Use and Access) Act 2025. This new legislation marks a significant milestone in the UK’s data protection law, modernising how data is accessed, used and governed in a post-Brexit digital economy.

A Long Road to Reform

This Act is the result of years of political and regulatory debate. Originally introduced as the Data Protection and Digital Information (DPDI) Bill back in 2022, the Bill stalled and ultimately failed to pass before the 2024 general election.

Later that year, the new Labour government revived and revised the Bill, reintroducing it as the Data (Use and Access) Bill. While many of the original provisions remained intact, some of the more contentious elements were removed to encourage broader support across Parliament.

However, its progress was anything but smooth. The Bill faced prolonged debate between the House of Commons and the House of Lords, especially around issues like AI transparency and the use of copyrighted material in AI training. After considerable back and forth, the government agreed to publish detailed reports on these topics within nine months of the Act becoming law.

Evolution, Not Revolution

The Data (Use and Access) Act 2025 is not a radical rewrite of data protection law. Instead, it builds upon the Data Protection Act 2018 and UK GDPR, updating and refining specific areas to meet the evolving needs of UK organisations and regulators.

Key features of the Act include:

  • Clearer guidance on Legitimate Interests for data processing, particularly in areas such as direct marketing, fraud prevention and security operations

  • An expanded definition of scientific research, offering greater clarity for academic and commercial researchers

  • Revisions to the Data Subject Access Request (DSAR) process, designed to simplify and streamline requests for both individuals and organisations

  • Changes to the structure of the Information Commissioner’s Office (ICO), supporting a more strategic and agile approach to regulation

  • New powers for the Secretary of State to decide which countries offer adequate data protection, using a standard of “not materially lower” than the UK’s

These updates offer more flexibility for data controllers but also introduce new uncertainties. For example, altering how adequacy decisions are made may raise questions with the European Commission, which is scheduled to review the UK’s adequacy status later this year.

What This Means for Your Business

With the Act now confirmed, businesses must begin to prepare for the changes. However, the implementation date has not yet been set, and detailed regulatory guidance is still pending.

So, what should you do now?

Here are some recommended next steps:

  • Talk to your Data Protection Officer (DPO): Understand how the Act may impact your organisation’s data handling practices.

  • Hold off on major changes: Avoid rushing into policy updates until official guidance is published by the ICO.

  • Review your current compliance position: Pay special attention to areas like legitimate interest assessments, research practices and your DSAR handling procedures.

  • Strengthen your data governance framework: Use this to identify improvements, reduce risk and ensure your systems are fit for the future.

At Data Protection People, we help organisations navigate change with clarity and confidence. As the UK’s data protection framework evolves, our goal remains the same, to make data protection simple, practical and effective.

Stay tuned for further updates as we provide actionable insights tailored to your sector.

How Often Should GDPR Audits Occur?

You should complete a GDPR audit every year, but for some businesses, this may be more regular. Conducting regular audits will help prove your compliance, which is crucial should you be subject to an inspection by supervisory authorities.

In this blog, we outline four scenarios when you should complete a GDPR audit outside of your day-to-day compliance.

Are GDPR Audits Mandatory?

No – carrying out a data protection audit is not a legal obligation under the GDPR. The closest mention of requiring an audit is shown in Article 32(1)(d), whereby both data controllers and processors must regularly test, assess and evaluate their security measures depending on the risk of processing.

A GDPR audit is best practice. Regular reviews will help you demonstrate your accountability and address issues before they get worse. With better transparency, you will minimise the risk of a data breach and the fines that come along with it.

When Should You Do a GDPR Audit?

1. At the Start of the Year

Most businesses want to start the year off on the right foot. A GDPR audit offers the reality check you didn’t know you needed. It separates businesses that treat GDPR compliance as a tick-box exercise from those who apply it daily in their operations.

You may have everything on paper, such as the required documentation and technical controls, but if you don’t consistently implement these measures, how can you guarantee the safety of personal data?

Before you develop your business plans for the year, take a step back and assess whether your data protection requirements are being met.

2. When You’re Involved in High-Risk Processing

You are expected to complete a data protection impact assessment (DPIA) before a new processing activity begins if it is likely to result in a high risk to the rights and freedoms of an individual (GDPR, Article 35).

A DPIA is a type of risk assessment conducted based on a data mapping exercise. This process involves mapping out all the data you will collect, store and use when processing, which can help determine whether high-risk data is involved.

Data mapping and DPIAs cover key steps of a GDPR audit, such as the necessary mapping and risk assessment processes. Carrying out an audit in tandem can give you peace of mind and provide detailed insight into whether your compliance as a whole can sustain future processing activities.

3. During a Merger or Acquisition (M&A)

A 2019 study of 500+ M&A practitioners revealed that 55% of M&A transactions didn’t progress due to concerns around a company’s GDPR compliance.

If your business is planning a merger or acquisition (M&A), a data protection audit will demonstrate your compliance, which is a vital part of the due diligence process.

An audit will also give the buyer a clearer picture of the risks and liabilities involved in your processing activities. As such, it is your best chance of building confidence with potential buyers, ultimately leading to a positive outcome.

4. After Regulatory Changes

Over the years, the UK GDPR has been subject to various reforms, some of which failed, such as the Data Protection and Digital Information (DPDI) Bill, and others which have moved into their final stages of approval (the DUA Bill).

Other major compliance developments have included the EU AI Act and PCI DSS 4.0, which also extend the legal framework set out in the UK GDPR.

With so much change, a GDPR audit will help you assess whether your existing technical and organisational measures meet the requirements of legislation that is coming into effect or being changed.

Speak to Our Team for Expert GDPR Support

Whether you require an annual GDPR audit or ongoing support, our data protection consultants are here to help. Get in touch today to get started.

Managing Subject Access Requests from Employees & Ex-Employees- Part 2

Data Protection Made Easy Podcast – Episode 214

After one of our most popular episodes to date, Data Protection Made Easy is back on Friday 13th June with Part Two of our deep dive into Subject Access Requests (SARs) from employees and ex-employees.

Our expert hosts Catarina Santos, Phil Brining and Caine Glancy return with special guest Nia Roberts to pick up where we left off, tackling some of the most challenging real-world scenarios and offering practical advice you can put into action.

Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.

What We Covered

Understanding What Drives SARs

We’ll begin by exploring the reasons why employees and former staff submit SARs. Understanding their motivations – whether it’s part of a grievance, a disciplinary matter, or simply curiosity – can help you take a more informed, strategic approach when responding.

When You Must Respond – And When You Don’t

We’ll clarify the legal obligations around SARs, including when you are required to respond and the circumstances under which you may lawfully refuse. We’ll cover how to apply exemptions correctly and avoid common legal missteps.

Managing Excessive or Repetitive Requests

Some SARs are straightforward, but others can be lengthy, repeated or even used tactically during disputes. We’ll discuss practical strategies for managing high-volume or difficult requests while staying compliant and maintaining control.

Balancing Transparency and Internal Protection

Sharing data is a legal requirement, but it can pose risks. We’ll explain how to balance the need for openness with the importance of protecting internal communications and third-party data, especially in sensitive workplace situations.

Lessons from Real Grievance and Disciplinary Cases

We’ll walk through real examples where SARs intersect with HR issues, highlighting the challenges and how they were overcome. These case studies bring the legislation to life and offer useful insights for handling similar requests in your own organisation.

Proactive Preparation: Getting Ahead of SARs

Being prepared can save you a lot of time and stress. We’ll share practical steps to help you get ready for future SARs, such as mapping employee records, putting redaction protocols in place, and training managers to write with potential disclosure in mind.

Avoiding Common Mistakes

From over-disclosing sensitive data to misinterpreting exemptions, there are several pitfalls to watch out for. We’ll help you spot the most common mistakes and show you how to avoid them through better planning and communication.

Handling Escalation and Risk

Sometimes SARs escalate into wider legal or reputational issues. We’ll outline how to manage those risks and what to do when a request becomes more than just a request – protecting your organisation and your people in the process.

Want More Like This?

The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.

Subscribe to our mailing list by emailing [email protected]
Join live discussions every Friday at lunchtime
Find out more about our events, training, and in-person roundtables

Looking Ahead

As always, this podcast is completely free to attend and open to everyone. Whether you’re new to SARs or navigating a particularly difficult one, this session will leave you better equipped to respond with clarity and confidence.

Know someone who would benefit? Share the podcast link and help others take the complexity out of compliance.

Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.

Managing Employee SARs

Managing Subject Access Requests from Employees & Ex-Employees

Data Protection Made Easy Podcast – Episode 114

Subject Access Requests (SARs) submitted by current or former employees are among the most sensitive and complex data protection challenges organisations face. In Episode 114 of the Data Protection Made Easy Podcast, we welcomed Nia Roberts from Woodgate & Clarke to share her insights alongside our regular hosts Philip Brining, Catarina Santos, and Caine Glancy.

If you’re involved in HR, legal, compliance, or data protection, this is an episode you won’t want to miss. SARs from staff can surface during contentious periods and often involve highly personal data, workplace grievances, and emotionally charged decisions.

Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.

What We Covered

This session dives into some of the most frequently asked questions and overlooked risks when handling SARs from employees and ex-employees. The team explored:

🔹 Common Triggers and Misconceptions

From employment disputes and grievances to misunderstandings of rights, we discussed the motivations behind employee SARs and how these requests are sometimes unfairly perceived as “troublemaking.”

As Catarina Santos explained, it’s essential to reframe the narrative:

“The moment an employee submits a SAR, there’s often suspicion. But they’re simply exercising a right, and organisations need to avoid viewing this as a hostile act.”

🔹 SARs and Organisational Culture

The episode opened with a reflection on how important organisational attitude is when dealing with SARs internally. Do line managers panic? Do HR teams try to limit the scope unfairly? The cultural tone of how SARs are approached sets the standard for compliance and for respect for individuals’ rights.

🔹 The Community Speaks

This episode was particularly lively, with dozens of listeners sharing personal experiences in the live chat, from management asking for redaction reviews to WhatsApp messages being considered disclosable.

Philip Brining highlighted the value of the community:

“We’re not here to preach, we’re here to learn from each other. Today’s discussion proved again how much experience exists across this community.”

🔹 Tools of the Trade: Teams, WhatsApp & Chat Platforms

Are your workplace chat tools covered by SARs? Very possibly. The group discussed how platforms like Microsoft Teams, Slack, and WhatsApp are increasingly scrutinised during employee SARs, especially where conversations include personal data.

🔹 Balancing Access, Proportionality, and Security

SAR compliance doesn’t mean giving everything. As Caine Glancy pointed out, organisations must strike a balance between access and protection:

“It’s easy to get swept up in emotion, especially when the SAR involves current staff. But we need to remain impartial, proportional, and legally grounded.”

The team also touched on unfounded and excessive requests, case law, and the ICO’s guidance on managing SARs in the workplace — especially when IT systems and data security are involved.

What made this episode stand out was the depth of real-world experiences shared. Guest speaker Nia Roberts brought front-line insight, including how to manage expectations and collaborate across departments:

“You need strong communication between data protection and IT teams. It’s essential, especially when you’re dealing with chat logs or historic data held in messaging tools.”

Looking Ahead

Due to overwhelming demand and an overflowing chat box, we’re exploring a Part 2 to this session, diving deeper into recurring SAR issues, including excessive requests, HR workflows, and lessons from recent case law.

Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.

Special May Promotion: Free SAR Consultations

This month, we’re offering free consultations on SAR handling to any organisation looking to improve their internal process.

Whether you’re struggling with redaction, document searches, or managing requests from difficult cases, speak to one of our experts for practical support.

📩 Simply email us at [email protected] with the subject line SAR Support, and we’ll book in a free 30-minute consultation.

Joe Kirk’s Top 10 Tips

Joe Kirk’s Top 10 Tips: Lessons from a Career in Data Protection

In this special episode of the Data Protection Made Easy podcast, long-time host and data protection consultant Joe Kirk reflects on his journey through the world of privacy and compliance—from his early days in sales, speaking to hundreds of DPOs across the UK, to becoming a consultant himself and working with a wide range of clients across every major sector.

As this marks Joe’s final regular appearance on the podcast, we dedicated the session to the Top 10 Lessons He’s Learned over the last four years. These are practical, honest, and experience-based takeaways that he hopes will help current and aspiring DPOs make a meaningful impact in their roles.

Key Themes Discussed

  • How sales and consulting provide different but complementary perspectives on data protection
  • The common challenges DPOs face regardless of sector or organisation size
  • The importance of empathy, curiosity, and communication in building trust
  • Avoiding the “tick-box” mentality and becoming a strategic advisor
  • Keeping your knowledge current in a fast-moving legal and tech landscape
  • How to show your value to the business even when you’re not customer-facing
  • Why DPOs should be involved in decision-making at the earliest possible stage
  • Balancing legal risk with operational reality
  • Encouraging a culture of accountability, not fear
  • The importance of continuous learning – and what Joe would do differently if starting today

These tips are relevant whether you’re new to data protection, already in a DPO role, or even an employer looking to build a successful privacy function.

A Time of Transition for Data Protection Made Easy

Joe’s departure also marks the beginning of a new phase for the Data Protection Made Easy community. As we look to evolve and bring even more value to our subscribers, we’re making some important changes:

Podcast Frequency
We will now host one episode per month, instead of weekly. This allows us to:

  • Deep dive into more meaningful topics
  • Reintroduce guest speakers and expert panels
  • Focus on sector-specific challenges and use cases
  • Provide more actionable takeaways for our listeners

In-Person Events
To complement our podcast, we’ll be launching monthly in-person events, starting with a Housing Sector Roundtable in Leeds. These will be free to attend and packed with:

  • Expert guest speakers
  • Open discussion sessions
  • Networking opportunities
  • Food, drink, and sector-specific guidance

If you’re in the housing sector or work in data protection in Yorkshire, this is a great chance to connect with our team face-to-face. More info coming soon.

Monthly Newsletter
To replace our weekly GDPR Radio news episodes, we’ve launched a monthly email newsletter with:

  • Top stories from the ICO and UK government
  • Regulation changes and enforcement action recaps
  • Insights from the Data Protection People team
  • Highlights from recent podcasts and events

If you’re a subscriber, your first issue should already be in your inbox! If not, sign up here:

Subscribe to the Newsletter

What’s Next?

We’ll soon be publishing a full article on Joe’s Top 10 Tips for DPOs, expanding on the episode with real-life examples, links to useful tools, and guidance from our team. This will be available in the Resource Centre and shared with our newsletter subscribers.

We’ll also be sharing details on our 10-Year Anniversary Celebration taking place in July 2025. If you’re based in Leeds and would like to attend this free event, keep an eye out for the invitation — food, drinks, music, and privacy professionals all under one roof (plus a special guest DJ set from Joe himself!).

Keep in Touch with Joe

While Joe is stepping away from the podcast, you may still hear him pop up as a guest speaker in future episodes or events. He’s made a lasting impact on our community and we’d love for you to stay connected with him: Connect with Joe on LinkedIn

Catch Up On Demand

Listen to Episode 213 – Joe Kirk’s Top 10 Tips on Spotify

Or find us on Apple Podcasts, Amazon Music, and all major streaming platforms.

Thank you to Joe for four years of thoughtful, passionate, and incredibly valuable contributions to the Data Protection Made Easy community. We’ll miss him as a regular host, but we know this isn’t goodbye – just see you later.

GDPR Radio – Episode 212

GDPR Radio – Data Protection News of the Week

In Episode 212 of GDPR Radio, the news-focused arm of the Data Protection Made Easy podcast, our hosts Phil, Catarina, and Joe returned to unpack the latest headlines and developments in the world of data protection.

This interactive session offered an hour of engaging, thought-provoking discussion with a live audience made up of DPOs, legal professionals, cyber security experts, and privacy enthusiasts. As always, we covered what matters most to the data protection community—breaking down key cases, legislative shifts, and industry commentary in a simple, digestible way.

What We Discussed

In this episode, we explored:

  • Latest ICO enforcement actions and what they mean for organisations in regulated sectors

  • Notable data breaches from the past fortnight and the implications for incident response practices

  • The future of AI & consent – how regulators are shaping their approach to emerging technologies

  • UK data reform updates and their impact on DPO responsibilities

  • Plus, we answered live questions from our audience in real-time!

Whether you joined us live or plan to catch up later, Episode 212 was packed with valuable insights for data protection professionals at all levels.


How to Join Future Episodes

We host live podcast episodes every Friday between 12:30 and 13:30. These sessions are free to attend and open to anyone with an interest in data protection or cyber security. To receive weekly invitations straight to your inbox, simply sign up via our website:

👉 Subscribe to Podcast Invites


Earn IAPP CPE Credits

Listening to Data Protection Made Easy live or on-demand may qualify you for Continuing Professional Education (CPE) credits with the IAPP. Attendees can self-certify their participation by keeping a record of attendance or listening history.


Be Part of the Community

The Data Protection Made Easy podcast isn’t just a podcast—it’s a growing community. With over 1,500 subscribers and 200+ episodes, we’re proud to offer a space where professionals can learn, share ideas, and stay ahead of the curve. Each week, our live chat is buzzing with questions, opinions, and useful links from fellow practitioners.


Catch Up On Demand

Missed the live session? You can listen to Episode 212 and all previous episodes on Spotify, Amazon Music, Apple Podcasts, or wherever you get your podcasts.

🎧 Listen to GDPR Radio – Episode 212 on Spotify


Let us know what you thought of the episode or share a topic you’d like to see covered in a future edition of GDPR Radio!

Our Events & Webinars

Industry Leading Discussions

We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.

AI Tools & GDPR: What You Need to Know
13 June 25 12:30 - 1:30 pm

Managing Employee & Ex-Employee SARs (Part 2)
13 June 25 12:30 - 1:30 pm

Get Support With Data Protection And Cyber Security

Our mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.