Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.
A data protection officer doesn't have to be a full time employee and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services or reach out and get in touch with us.
Contact Us
Data Protection People's world-class GDPR Support Desk. If you're navigating the complex landscape of data protection, PCI DSS, and cybersecurity, our support desk is your reliable compass.
Contact Us
A range of high level reviews, detailed audits and mid-range assessments to test compliance with data protection laws and standards
Contact Us
Explore our Subject Access Request (SAR) Handling Service and understand how Data Protection People can support your organisation
Contact UsAt Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.
A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.
Contact Us
A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.
Contact Us
Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.
Contact Us
Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.
Contact Us
At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.
Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.
Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.
Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.
Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.
Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.
At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.
Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.
Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimize your operations, and scale confidently with our tailored solutions that prioritize your unique business needs.
For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.
For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavors with resilience.
In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.
Data Protection People have the UK’s #1 Data Protection Podcast with over 150 episodes available across all audio streaming platforms, we also post regular content designed to simplify complex areas of data protection and cyber security, check out some of the podcasts and articles below and make data protection easy today.
The Data (Use and Access) Bill has now reached Royal Assent and will soon be officially enacted as The Data (Use and Access) Act 2025. This new legislation marks a significant milestone in the UK’s data protection law, modernising how data is accessed, used and governed in a post-Brexit digital economy.
This Act is the result of years of political and regulatory debate. Originally introduced as the Data Protection and Digital Information (DPDI) Bill back in 2022, the Bill stalled and ultimately failed to pass before the 2024 general election.
Later that year, the new Labour government revived and revised the Bill, reintroducing it as the Data (Use and Access) Bill. While many of the original provisions remained intact, some of the more contentious elements were removed to encourage broader support across Parliament.
However, its progress was anything but smooth. The Bill faced prolonged debate between the House of Commons and the House of Lords, especially around issues like AI transparency and the use of copyrighted material in AI training. After considerable back and forth, the government agreed to publish detailed reports on these topics within nine months of the Act becoming law.
The Data (Use and Access) Act 2025 is not a radical rewrite of data protection law. Instead, it builds upon the Data Protection Act 2018 and UK GDPR, updating and refining specific areas to meet the evolving needs of UK organisations and regulators.
Key features of the Act include:
Clearer guidance on Legitimate Interests for data processing, particularly in areas such as direct marketing, fraud prevention and security operations
An expanded definition of scientific research, offering greater clarity for academic and commercial researchers
Revisions to the Data Subject Access Request (DSAR) process, designed to simplify and streamline requests for both individuals and organisations
Changes to the structure of the Information Commissioner’s Office (ICO), supporting a more strategic and agile approach to regulation
New powers for the Secretary of State to decide which countries offer adequate data protection, using a standard of “not materially lower” than the UK’s
These updates offer more flexibility for data controllers but also introduce new uncertainties. For example, altering how adequacy decisions are made may raise questions with the European Commission, which is scheduled to review the UK’s adequacy status later this year.
With the Act now confirmed, businesses must begin to prepare for the changes. However, the implementation date has not yet been set, and detailed regulatory guidance is still pending.
So, what should you do now?
Here are some recommended next steps:
Talk to your Data Protection Officer (DPO): Understand how the Act may impact your organisation’s data handling practices.
Hold off on major changes: Avoid rushing into policy updates until official guidance is published by the ICO.
Review your current compliance position: Pay special attention to areas like legitimate interest assessments, research practices and your DSAR handling procedures.
Strengthen your data governance framework: Use this to identify improvements, reduce risk and ensure your systems are fit for the future.
At Data Protection People, we help organisations navigate change with clarity and confidence. As the UK’s data protection framework evolves, our goal remains the same, to make data protection simple, practical and effective.
Stay tuned for further updates as provide actionable insights tailored to your sector.
You should complete a GDPR audit every year, but for some businesses, this may be more regular. Conducting regular audits will help prove your compliance, which is crucial should you be subject to an inspection by supervisory authorities.
In this blog, we outline four scenarios when you should complete a GDPR audit outside of your day-to-day compliance.
No – carrying out a data protection audit is not a legal obligation under the GDPR. The closest mention of requiring an audit is shown in Article 32 (1) (d), whereby both data controllers and processors must regularly test, assess and evaluate their security measures depending on the risk of processing.
A GDPR audit is best practice. Regular reviews will help you demonstrate your accountability and address issues before they get worse. With better transparency, you will minimise the risk of a data breach and the fines that come along with it.
Most businesses want to start the year off on the right foot. A GDPR audit offers the reality check you didn’t know you needed. It separates businesses that treat GDPR compliance as a tick-box exercise from those who apply it daily in their operations.
You may have everything on paper, such as the required documentation and technical controls, but if you don’t consistently implement these measures, how can you guarantee the safety of personal data?
Before you develop your business plans for the year, take a step back and assess whether your data protection requirements are being met.
You are expected to complete a data protection impact assessment (DPIA) before a new processing activity begins if it is likely to result in a high risk to the rights and freedoms of an individual (GDPR, Article 35)
A DPIA is a type of risk assessment conducted based on a data mapping exercise. This process involves mapping out all the data you will collect, store and use when processing, which can help determine whether high-risk data is involved.
Data mapping and DPIAs cover key steps of a GDPR audit, such as the necessary mapping and risk assessment processes. Carrying out an audit in tandem can give you peace of mind and provide detailed insight into whether your compliance as a whole can sustain future processing activities.
A 2019 study of 500+ M&A practitioners revealed that 55% of M&A transactions didn’t progress due to concerns around a company’s GDPR compliance.
If your business is planning a merger or acquisition (M&A), a data protection audit will demonstrate your compliance, which is a vital part of the due diligence process.
An audit will also give the buyer a clearer picture of the risks and liabilities involved in your processing activities. As such, it is your best chance of building confidence with potential buyers, ultimately leading to a positive outcome.
Over the years, the UK GDPR has been subject to various reforms, some of which failed, such as the Data Protection and Digital Information (DPDI) Bill, and others which have moved within their final stages of approval (the DUA Bill).
Other major compliance developments have included the EU AI Act and PCI DSS 4.0, which also extend the legal framework set out in the UK GDPR.
With so much change, a GDPR audit will help you assess whether your existing technical and organisational measures meet the requirements of legislation that is coming into effect or being changed.
Whether you require an annual GDPR audit or ongoing support, our data protection consultants are here to help. Get in touch today to get started.
The Data (Use and Access) Bill (DUA Bill) is the UK government’s latest step in reforming data protection law. Replacing the shelved DPDI Bill, the DUA Bill is expected to become law in 2025 and will bring targeted updates to the UK GDPR and PECR, without replacing the current framework.
Its aim is to simplify compliance, support innovation, and ensure personal data remains protected. Here’s what businesses need to know.
Recognised categories like safeguarding, fraud prevention, and system security will no longer need a balancing test. Common activities such as direct marketing and internal admin are also clarified as legitimate interests.
The existing ban on solely automated decision-making producing legal or similarly significant effects is relaxed under the Bill for non-sensitive personal data. Organisations may use AI tools to make such decisions, provided individuals are:
Additional safeguards remain in place for decisions involving special category (sensitive) data or those with significant legal impact.
Controllers can pause the response clock while awaiting clarification and are only required to carry out reasonable and proportionate searches. Refusals must still meet the ‘manifestly unfounded or excessive’ threshold.
No consent needed for low-risk cookies like analytics and personalisation. Marketing cookies still require opt-in. Fines for PECR breaches will rise to GDPR levels.
All organisations must implement a formal process to handle data complaints. Acknowledgment must be issued within 30 days before an issue can be escalated to the ICO.
The ICO will become a multi-member Commission with stronger enforcement powers, including mandatory interviews and the ability to demand compliance reports.
Expect sector-specific rules that allow consumers to securely share data between providers, starting with regulated sectors like energy and finance.
A framework for certified digital ID providers will be introduced, with a new government trustmark to improve adoption and public confidence.
The DUA Bill is a UK data reform law updating parts of UK GDPR and PECR to support innovation while maintaining privacy protections.
It reduces admin burdens (e.g. SAR handling, cookie consent) while introducing new duties like internal complaints processes and stronger ICO powers.
No. The DUA Bill updates the existing framework. UK GDPR and the Data Protection Act 2018 remain in place.
No, consent won’t be required for low-risk cookies under the DUA Bill. You must still inform users and allow opt-outs.
Yes, if your organisation already requires one under UK GDPR, the DPO requirement remains. Read more about our DPO Services.
It is expected to pass into law in 2025. Provisions will come into force gradually, so businesses should begin preparations now.
Our team at Data Protection People supports organisations across all sectors. Whether you need help updating your policies, reviewing your SAR process, or preparing your staff, we’re here to guide you through the changes.
Location: Leeds (Hybrid – 4 days in office)
Department: Sales & Marketing
Contract Type: Full-Time, Permanent
Salary: £28,000–£35,000 + Uncapped Commission (DOE)
Start Date: Immediate
We’re hiring a Business Development Executive at a pivotal moment for Data Protection People. With a new Sales & Marketing Director onboard and a full-scale transformation underway, this is your chance to join a team on the rise.
You’ll take ownership of lead generation, build meaningful B2B relationships, and support our mission to simplify data protection and cyber security. If you’re target-driven, motivated by growth, and ready to shape your sales career, we want to hear from you.
You’ll work from our vibrant office at The Tannery, 91 Kirkstall Road, LS3 1HS. We’re just a 10-minute walk from Leeds train station, with excellent public transport links and free parking available.
If you’re excited by the opportunity to grow your sales career with a forward-thinking, purpose-led organisation—apply today. Email [email protected] Submit your CV and tell us why you’re the right fit for the team.
Data Protection Made Easy Podcast – Episode 214
After one of our most popular episodes to date, Data Protection Made Easy is back on Friday 13th June with Part Two of our deep dive into Subject Access Requests (SARs) from employees and ex-employees.
Our expert hosts Catarina Santos, Phil Brining and Caine Glancy return with special guest Nia Roberts to pick up where we left off, tackling some of the most challenging real-world scenarios and offering practical advice you can put into action.
Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.
Understanding What Drives SARs
We’ll begin by exploring the reasons why employees and former staff submit SARs. Understanding their motivations – whether it’s part of a grievance, a disciplinary matter, or simply curiosity – can help you take a more informed, strategic approach when responding.
When You Must Respond – And When You Don’t
We’ll clarify the legal obligations around SARs, including when you are required to respond and the circumstances under which you may lawfully refuse. We’ll cover how to apply exemptions correctly and avoid common legal missteps.
Managing Excessive or Repetitive Requests
Some SARs are straightforward, but others can be lengthy, repeated or even used tactically during disputes. We’ll discuss practical strategies for managing high-volume or difficult requests while staying compliant and maintaining control.
Balancing Transparency and Internal Protection
Sharing data is a legal requirement, but it can pose risks. We’ll explain how to balance the need for openness with the importance of protecting internal communications and third-party data, especially in sensitive workplace situations.
Lessons from Real Grievance and Disciplinary Cases
We’ll walk through real examples where SARs intersect with HR issues, highlighting the challenges and how they were overcome. These case studies bring the legislation to life and offer useful insights for handling similar requests in your own organisation.
Proactive Preparation: Getting Ahead of SARs
Being prepared can save you a lot of time and stress. We’ll share practical steps to help you get ready for future SARs, such as mapping employee records, putting redaction protocols in place, and training managers to write with potential disclosure in mind.
Avoiding Common Mistakes
From over-disclosing sensitive data to misinterpreting exemptions, there are several pitfalls to watch out for. We’ll help you spot the most common mistakes and show you how to avoid them through better planning and communication.
Handling Escalation and Risk
Sometimes SARs escalate into wider legal or reputational issues. We’ll outline how to manage those risks and what to do when a request becomes more than just a request – protecting your organisation and your people in the process.
The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.
Subscribe to our mailing list by emailing [email protected]
Join live discussions every Friday at lunchtime
Find out more about our events, training, and in-person roundtables
As always, this podcast is completely free to attend and open to everyone. Whether you’re new to SARs or navigating a particularly difficult one, this session will leave you better equipped to respond with clarity and confidence.
Know someone who would benefit? Share the podcast link and help others take the complexity out of compliance.
Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.
Data Protection Made Easy Podcast – Episode 114
Subject Access Requests (SARs) submitted by current or former employees are among the most sensitive and complex data protection challenges organisations face. In Episode 114 of the Data Protection Made Easy Podcast, we welcomed Nia Roberts from Woodgate & Clarke to share her insights alongside our regular hosts Philip Brining, Catarina Santos, and Caine Glancy.
If you’re involved in HR, legal, compliance, or data protection, this is an episode you won’t want to miss. SARs from staff can surface during contentious periods and often involve highly personal data, workplace grievances, and emotionally charged decisions.
Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.
This session dives into some of the most frequently asked questions and overlooked risks when handling SARs from employees and ex-employees. The team explored:
From employment disputes and grievances to misunderstanding of rights, we discussed the motivations behind employee SARs and how these requests are sometimes unfairly perceived as “troublemaking.”
As Catarina Santos explained, it’s essential to reframe the narrative:
“The moment an employee submits a SAR, there’s often suspicion. But they’re simply exercising a right, and organisations need to avoid viewing this as a hostile act.”
The episode opened with a reflection on how important organisational attitude is when dealing with SARs internally. Do line managers panic? Do HR teams try to limit the scope unfairly? The cultural tone of how SARs are approached sets the standard for compliance, and respect for rights.
This episode was particularly lively, with dozens of listeners sharing personal experiences in the live chat, from management asking for redaction reviews to WhatsApp messages being considered disclosable.
Philip Brining highlighted the value of the community:
“We’re not here to preach, we’re here to learn from each other. Today’s discussion proved again how much experience exists across this community.”
Are your workplace chat tools covered by SARs? Very possibly. The group discussed how platforms like Microsoft Teams, Slack, and WhatsApp are increasingly scrutinised during employee SARs especially if conversations include personal data.
SAR compliance doesn’t mean giving everything. As Caine Glancy pointed out, organisations must strike a balance between access and protection:
“It’s easy to get swept up in emotion, especially when the SAR involves current staff. But we need to remain impartial, proportional, and legally grounded.”
The team also touched on unfounded and excessive requests, case law, and the ICO’s guidance on managing SARs in the workplace — especially when IT systems and data security are involved.
What made this episode stand out was the depth of real-world experiences shared. Guest speaker Nia Roberts brought front-line insight, including how to manage expectations and collaborate across departments:
“You need strong communication between data protection and IT teams. It’s essential, especially when you’re dealing with chat logs or historic data held in messaging tools.”
The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.
Subscribe to our mailing list by emailing [email protected]
Join live discussions every Friday at lunchtime
Find out more about our events, training, and in-person roundtables
Due to overwhelming demand and an overflowing chat box, we’re exploring a Part 2 to this session, diving deeper into recurring SAR issues, including excessive requests, HR workflows, and lessons from recent case law.
Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.
This month, we’re offering free consultations on SAR handling to any organisation looking to improve their internal process.
Whether you’re struggling with redaction, document searches, or managing requests from difficult cases, speak to one of our experts for practical support.
📩 Simply email us at [email protected] with the subject line “SAR Support”, and we’ll book in a free 30-minute consultation.
In this special episode of the Data Protection Made Easy podcast, long-time host and data protection consultant Joe Kirk reflects on his journey through the world of privacy and compliance—from his early days in sales, speaking to hundreds of DPOs across the UK, to becoming a consultant himself and working with a wide range of clients across every major sector.
As this marks Joe’s final regular appearance on the podcast, we dedicated the session to the Top 10 Lessons He’s Learned over the last four years. These are practical, honest, and experience-based takeaways that he hopes will help current and aspiring DPOs make a meaningful impact in their roles.
These tips are relevant whether you’re new to data protection, already in a DPO role, or even an employer looking to build a successful privacy function.
Joe’s departure also marks the beginning of a new phase for the Data Protection Made Easy community. As we look to evolve and bring even more value to our subscribers, we’re making some important changes:
Podcast Frequency
We will now host one episode per month, instead of weekly. This allows us to:
In-Person Events
To complement our podcast, we’ll be launching monthly in-person events, starting with a Housing Sector Roundtable in Leeds. These will be free to attend and packed with:
If you’re in the housing sector or work in data protection in Yorkshire, this is a great chance to connect with our team face-to-face. More info coming soon.
Monthly Newsletter
To replace our weekly GDPR Radio news episodes, we’ve launched a monthly email newsletter with:
If you’re a subscriber, your first issue should already be in your inbox! If not, sign up here:
We’ll soon be publishing a full article on Joe’s Top 10 Tips for DPOs, expanding on the episode with real-life examples, links to useful tools, and guidance from our team. This will be available in the Resource Centre and shared with our newsletter subscribers.
We’ll also be sharing details on our 10-Year Anniversary Celebration taking place in July 2025. If you’re based in Leeds and would like to attend this free event, keep an eye out for the invitation — food, drinks, music, and privacy professionals all under one roof (plus a special guest DJ set from Joe himself!).
While Joe is stepping away from the podcast, you may still hear him pop up as a guest speaker in future episodes or events. He’s made a lasting impact on our community and we’d love for you to stay connected with him: Connect with Joe on LinkedIn
Listen to Episode 213 – Joe Kirk’s Top 10 Tips on Spotify
Or find us on Apple Podcasts, Amazon Music, and all major streaming platforms.
Thank you to Joe for four years of thoughtful, passionate, and incredibly valuable contributions to the Data Protection Made Easy community. We’ll miss him as a regular host, but we know this isn’t goodbye – just see you later.
In Episode 212 of GDPR Radio, the news-focused arm of the Data Protection Made Easy podcast, our hosts Phil, Catarina, and Joe returned to unpack the latest headlines and developments in the world of data protection.
This interactive session offered an hour of engaging, thought-provoking discussion with a live audience made up of DPOs, legal professionals, cyber security experts, and privacy enthusiasts. As always, we covered what matters most to the data protection community—breaking down key cases, legislative shifts, and industry commentary in a simple, digestible way.
In this episode, we explored:
Latest ICO enforcement actions and what they mean for organisations in regulated sectors
Notable data breaches from the past fortnight and the implications for incident response practices
The future of AI & consent – how regulators are shaping their approach to emerging technologies
UK data reform updates and their impact on DPO responsibilities
Plus, we answered live questions from our audience in real-time!
Whether you joined us live or plan to catch up later, Episode 212 was packed with valuable insights for data protection professionals at all levels.
We host live podcast episodes every Friday between 12:30 and 13:30. These sessions are free to attend and open to anyone with an interest in data protection or cyber security. To receive weekly invitations straight to your inbox, simply sign up via our website:
👉 Subscribe to Podcast Invites
Listening to Data Protection Made Easy live or on-demand may qualify you for Continuing Professional Education (CPE) credits with the IAPP. Attendees can self-certify their participation by keeping a record of attendance or listening history.
The Data Protection Made Easy podcast isn’t just a podcast—it’s a growing community. With over 1,500 subscribers and 200+ episodes, we’re proud to offer a space where professionals can learn, share ideas, and stay ahead of the curve. Each week, our live chat is buzzing with questions, opinions, and useful links from fellow practitioners.
Missed the live session? You can listen to Episode 212 and all previous episodes on Spotify, Amazon Music, Apple Podcasts, or wherever you get your podcasts.
🎧 Listen to GDPR Radio – Episode 212 on Spotify
Let us know what you thought of the episode or share a topic you’d like to see covered in a future edition of GDPR Radio!
We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.
View AllOur mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.
