The UK's #1 Data Protection Consultancy

Data Protection & Information Security Experts

Data Protection Made Easy.

Join our extensive list of clients who have their data privacy under control

Accelerate Your Data Protection Compliance

Save Time, Save Money and Relax: You’re In Safe Hands

Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.

Outsourced DPO

A data protection officer doesn't have to be a full-time employee, and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services, or get in touch with us.


Data Protection Support

Data Protection People runs a GDPR Support Desk for organisations navigating data protection, PCI DSS and cyber security compliance. If you need a quick answer to a practical question, or a second opinion before you act, the support desk is your reliable compass.


GDPR Audits

A range of high-level reviews, detailed audits and mid-range assessments to test compliance with data protection laws and standards.


SAR Support

Explore our Subject Access Request (SAR) Handling Service and understand how Data Protection People can support your organisation.


Need Help With Cyber Security Compliance?

We Have You Covered!

At Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.

PCI DSS Compliance Services for Merchants

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a security standard that applies to merchants who accept, process, store or transmit payment card data. Depending on a merchant's level (set by the card brands on transaction volume), validation is by a Self-Assessment Questionnaire (SAQ) or by a Report on Compliance (ROC) produced by a Qualified Security Assessor (QSA).


PCI DSS Compliance Services for Service Providers

PCI DSS also applies to service providers: organisations that store, process or transmit cardholder data on behalf of merchants or other entities, or whose services could affect the security of that data (for example hosting, payment gateway and managed security providers). Service providers validate against their own reporting forms (SAQ D for Service Providers or a Report on Compliance), and merchants are expected to keep track of which of their providers hold current validation.


External Attack Surface Management

Our experts can support you with external attack surface management and dark web monitoring, helping you find exposed services and leaked credentials before an attacker does. Data Protection People offer a free dark web scan for your organisation.


ISO 27001

Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.


Supporting DPOs

Flexible Support When You Need It

At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.

Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.

Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.

Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.

Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.

Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.

Diverse Sector Experience

Access to a Team of Industry Experts

At Data Protection People, our expertise spans diverse sectors, ensuring that businesses of all sizes and types receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.

Commercial Sector

Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.

SMEs

Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimise your operations, and scale confidently with our tailored solutions that prioritise your unique business needs.

Third Sector

For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.

Multi Nationals

For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavours with resilience.

Public Sector

In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.

Why Use Our Outsourced DPO Services?

Save Time, Money and Guarantee Compliance

Navigating the intricate landscape of data protection demands more than just a DPO — it requires a dedicated team committed to excellence. Our Outsourced DPO Services extend beyond the traditional role, offering a comprehensive approach to legal compliance and pragmatic solutions.

Why Choose Outsourcing?

An outsourced DPO brings a wealth of experience, not just in the law but also in crafting workable solutions. Their impartiality is fortified by a team of privacy practitioners, ensuring that your organisation benefits from a spectrum of expertise. Should the need arise, seamless coverage during absences is guaranteed, eliminating the vulnerability associated with a single in-house DPO.

Staying Headache-Free

Concerned about the disruption if your DPO moves on? With an outsourced model, transitions are smooth, and you won’t experience the sudden headache of a critical role vacancy. The continuity provided by a team ensures that your data protection responsibilities are seamlessly handled.

Compliance Tailored to You

Our Outsourced DPO Services align seamlessly with your legal obligations, whether you’re mandated to appoint a DPO or choose to do so voluntarily. We understand that compliance is not just about ticking boxes but about ensuring a robust, practical approach to data protection. Choose Data Protection People for a worry-free, compliance-driven outsourced DPO solution — because your data protection journey should be as smooth as it is secure.

“I can't recommend Data Protection People enough, they have helped me in so many different areas, no matter how complex the challenge or how large the obstacle, DPP always has the answer.

I can call the team at any time and have built an amazing relationship with them, in times of frustration they are here to calm me down and create a plan, they are a pleasure to work with.”

Mark Leete
Eastlight Community Homes

‘I found the FOI training session to be highly informative and well-structured. It covered all the key areas comprehensively and provided clear, practical guidance throughout. The content was easy to follow, and the delivery by Gary was engaging, making complex topics accessible and understandable’. 

‘The training session has really helped me to understand the IG rep role a bit more and what I need to be thinking about when receiving a request for information’. 

Charlene Haynes & Team
Tendring District Council

“I have worked with the Data Protection People for some time now. Their expertise has been drawn upon to assist us with our GDPR compliance gap analysis project, ROPA design and production through to conducting objective reviews and surveys. They are always available to help us out and their advice and guidance is excellent and delivered in a timely way. Special mentions to Kathy Midgley, Phil Brining, and David Hendry. A great, reliable and dependable service!”

Judy Barker
Dyslexia Action

“A great service and peace of mind. Data Protection People provides a well-rounded service to ensure customers are fully supported in their approach to GDPR compliance. My interaction has largely been with the following people: Kathy Midgley – another great asset to the organisation. Always approachable, always helpful and consistently supportive to the team and customers.”

Julie Ferguson
Veritau

“We have been working with the Data Protection People for many years now, and have found them to be insightful, helpful, and knowledgeable in all areas of Data Protection Compliance. Data Protection People have taken the time to understand our business, the regulatory environment we sit under, and the unique challenges we face in the industry. They have supported us in all areas of Information and Data Security, assisting in assessments of our policies and changes to our processes. They are always willing to go the extra mile and prioritise support where required.”

Nia Roberts
Woodgate & Clarke

Data Protection People Blogs & Podcasts

Data Privacy Learning & Guidance

Data Protection People have the UK’s #1 Data Protection Podcast, with over 150 episodes available across all audio streaming platforms. We also post regular content designed to simplify complex areas of data protection and cyber security. Check out some of the podcasts and articles below and make data protection easy today.

The Data (Use and Access) Act 2025: What You Need to Know

The Data (Use and Access) Act 2025

The Data (Use and Access) Bill received Royal Assent on 19 June 2025 and is now the Data (Use and Access) Act 2025. Royal Assent is the point at which a Bill becomes law; most of the Act's provisions will be brought into force in stages by commencement regulations. This new legislation marks a significant milestone in the UK’s data protection law, modernising how data is accessed, used and governed in a post-Brexit digital economy.

A Long Road to Reform

This Act is the result of years of political and regulatory debate. Originally introduced as the Data Protection and Digital Information (DPDI) Bill back in 2022, the Bill stalled and ultimately failed to pass before the 2024 general election.

Later that year, the new Labour government revived and revised the Bill, reintroducing it as the Data (Use and Access) Bill. While many of the original provisions remained intact, some of the more contentious elements were removed to encourage broader support across Parliament.

However, its progress was anything but smooth. The Bill faced prolonged debate between the House of Commons and the House of Lords, especially around issues like AI transparency and the use of copyrighted material in AI training. After considerable back and forth, the government agreed to publish detailed reports on these topics within nine months of the Act becoming law.

Evolution, Not Revolution

The Data (Use and Access) Act 2025 is not a radical rewrite of data protection law. Instead, it builds upon the Data Protection Act 2018 and UK GDPR, updating and refining specific areas to meet the evolving needs of UK organisations and regulators.

Key features of the Act include:

  • A new lawful basis of “recognised legitimate interests” (covering activities such as crime prevention and detection, safeguarding vulnerable individuals, national security and emergency response) that does not require a balancing test, alongside a non-exhaustive list of examples of ordinary legitimate interests, such as direct marketing, intra-group administration and network and information security, for which the balancing test still applies

  • An expanded definition of scientific research, offering greater clarity for academic and commercial researchers

  • Revisions to the Data Subject Access Request (DSAR) process, designed to simplify and streamline requests for both individuals and organisations

  • Changes to the structure of the Information Commissioner’s Office (ICO), supporting a more strategic and agile approach to regulation

  • New powers for the Secretary of State to decide which countries offer adequate data protection, using a standard of “not materially lower” than the UK’s

These updates offer more flexibility for data controllers but also introduce new uncertainties. For example, altering how adequacy decisions are made may raise questions with the European Commission, which is scheduled to review the UK’s adequacy status later this year.

What This Means for Your Business

With the Act now confirmed, businesses must begin to prepare for the changes. However, the commencement dates for most provisions have not yet been set, and detailed regulatory guidance is still pending.

So, what should you do now?

Here are some recommended next steps:

  • Talk to your Data Protection Officer (DPO): Understand how the Act may impact your organisation’s data handling practices.

  • Hold off on major changes: Avoid rushing into policy updates until official guidance is published by the ICO.

  • Review your current compliance position: Pay special attention to areas like legitimate interest assessments, research practices and your DSAR handling procedures.

  • Strengthen your data governance framework: Use this to identify improvements, reduce risk and ensure your systems are fit for the future.

At Data Protection People, we help organisations navigate change with clarity and confidence. As the UK’s data protection framework evolves, our goal remains the same, to make data protection simple, practical and effective.

Stay tuned for further updates as we provide actionable insights tailored to your sector.

How Often Should GDPR Audits Occur?

You should complete a GDPR audit at least every year, and for some businesses more frequently. Regular audits produce the evidence you need to demonstrate compliance, which is crucial should you be subject to an inspection by supervisory authorities.

In this blog, we outline four scenarios when you should complete a GDPR audit outside of your day-to-day compliance.

Are GDPR Audits Mandatory?

No – carrying out a data protection audit is not, in itself, a legal obligation under the GDPR. The closest requirement is Article 32(1)(d), under which both controllers and processors must have a process for regularly testing, assessing and evaluating the effectiveness of their security measures in proportion to the risk of the processing. Audits also appear indirectly: Article 28(3)(h) requires processor contracts to allow for audits by the controller, Article 39(1)(b) lists monitoring compliance (including audits) among the DPO's tasks, and the accountability principle in Article 5(2) requires you to be able to demonstrate compliance.

A GDPR audit is best practice. Regular reviews help you demonstrate accountability and address issues before they get worse. By finding weaknesses early, you reduce the likelihood of a data breach and of the enforcement action that can follow one.

When Should You Do a GDPR Audit?

1. At the Start of the Year

Most businesses want to start the year off on the right foot. A GDPR audit offers the reality check you didn’t know you needed. It separates businesses that treat GDPR compliance as a tick-box exercise from those who apply it daily in their operations.

You may have everything on paper, such as the required documentation and technical controls, but if you don’t consistently implement these measures, how can you guarantee the safety of personal data?

Before you develop your business plans for the year, take a step back and assess whether your data protection requirements are being met.

2. When You’re Involved in High-Risk Processing

You are expected to complete a data protection impact assessment (DPIA) before a new processing activity begins if it is likely to result in a high risk to the rights and freedoms of individuals (GDPR, Article 35).

A DPIA is a structured risk assessment that usually starts from a data mapping exercise: documenting what personal data you will collect, where it is stored, who can access it and how it flows. That picture shows whether high-risk processing is involved, for example large-scale use of special category data or systematic monitoring.

Data mapping and DPIAs cover key steps of a GDPR audit, such as the necessary mapping and risk assessment processes. Carrying out an audit in tandem can give you peace of mind and provide detailed insight into whether your compliance as a whole can sustain future processing activities.

3. During a Merger or Acquisition (M&A)

A 2019 survey of more than 500 M&A practitioners found that 55% had worked on a transaction that did not progress because of concerns about the target company's GDPR compliance.

If your business is planning a merger or acquisition (M&A), a data protection audit will demonstrate your compliance, which is a vital part of the due diligence process.

An audit will also give the buyer a clearer picture of the risks and liabilities involved in your processing activities. As such, it is your best chance of building confidence with potential buyers, ultimately leading to a positive outcome.

4. After Regulatory Changes

Over the years, the UK GDPR has been the subject of various proposed reforms, some of which failed, such as the Data Protection and Digital Information (DPDI) Bill, and others which have reached the final stages of approval (the DUA Bill).

Other major compliance developments, such as the EU AI Act and PCI DSS v4.0, sit alongside the UK GDPR and often apply to the same processing. Note that PCI DSS is a contractual industry standard enforced through your acquiring bank and the card brands, not legislation, so a GDPR audit does not by itself validate PCI DSS compliance.

With so much change, a GDPR audit will help you assess whether your existing technical and organisational measures meet the requirements of legislation that is coming into effect or being changed.

Speak to Our Team for Expert GDPR Support

Whether you require an annual GDPR audit or ongoing support, our data protection consultants are here to help. Get in touch today to get started.

The DUA Bill: What It Means for UK Businesses


The Data (Use and Access) Bill (DUA Bill) is the UK government’s latest step in reforming data protection law. Replacing the shelved DPDI Bill, the DUA Bill is expected to become law in 2025 and will bring targeted updates to the UK GDPR and PECR, without replacing the current framework.

Its aim is to simplify compliance, support innovation, and ensure personal data remains protected. Here’s what businesses need to know.

Key Changes Introduced by the DUA Bill

Legitimate Interests

A new lawful basis of “recognised legitimate interests” covers activities such as safeguarding vulnerable individuals, preventing or detecting crime, national security and responding to emergencies, with no balancing test required. Separately, the Bill lists direct marketing, intra-group transfers for internal administration, and network and information security as examples of activities that may be legitimate interests; these still need the usual legitimate interests assessment.

Automated Decision-Making & AI

The existing ban on solely automated decision-making producing legal or similarly significant effects is relaxed under the Bill for non-sensitive personal data. Organisations may use AI tools to make such decisions, provided individuals are:

  • informed that an automated process is being used, and
  • given the opportunity to request human intervention or challenge the outcome.

Additional safeguards remain in place for decisions involving special category (sensitive) data or those with significant legal impact.

Subject Access Requests (SARs)

Controllers can pause the response clock while awaiting clarification and are only required to carry out reasonable and proportionate searches. Refusals must still meet the ‘manifestly unfounded or excessive’ threshold.

Cookies & PECR Reform

No consent needed for low-risk cookies like analytics and personalisation. Marketing cookies still require opt-in. Fines for PECR breaches will rise to GDPR levels.

Internal Complaints Process

All organisations must implement a formal process to handle data complaints. Acknowledgment must be issued within 30 days before an issue can be escalated to the ICO.

ICO Restructure

The ICO will become a multi-member Commission with stronger enforcement powers, including mandatory interviews and the ability to demand compliance reports.

Smart Data Schemes

Expect sector-specific rules that allow consumers to securely share data between providers, starting with regulated sectors like energy and finance.

Digital Identity Services

A framework for certified digital ID providers will be introduced, with a new government trustmark to improve adoption and public confidence.

What You Should Do Now

  • Review Your Legal Bases: Check if your data use fits a recognised legitimate interest. Update your privacy notices and documentation accordingly.
  • Simplify Cookie Consent: Prepare to drop the consent step for analytics and similar low-risk cookies, but keep clear information about them and a working opt-out, and update your cookie policy accordingly. Note that this change is to UK PECR only: if your site also serves visitors in the EU, their consent requirements are unchanged.
  • Update SAR Handling: Ensure your team understands the new rules around response deadlines and proportionate searches. Explore SAR Support.
  • Set Up a Complaints Process: Build a clear internal pathway for privacy complaints and train staff on how to escalate them.
  • Review Use of AI and Automation: Add transparency statements and human review options where decisions affect individuals significantly.
  • Refresh Training: Brief your team on what’s changing. Focus on marketing, data requests, cookie practices and AI tools. Book Training.
  • Stay Informed: The DUA Bill is likely to become law this year. Subscribe to ICO updates and be ready to act when commencement dates are confirmed.

Frequently Asked Questions (FAQs) about the DUA Bill

What is the DUA Bill?

The DUA Bill is a UK data reform law updating parts of UK GDPR and PECR to support innovation while maintaining privacy protections.

How does the DUA Bill affect businesses?

It reduces admin burdens (e.g. SAR handling, cookie consent) while introducing new duties like internal complaints processes and stronger ICO powers.

Will GDPR be replaced?

No. The DUA Bill updates the existing framework. UK GDPR and the Data Protection Act 2018 remain in place.

Do I still need consent for analytics cookies?

No, consent won’t be required for low-risk cookies under the DUA Bill. You must still inform users and allow opt-outs.

Do I still need a DPO?

Yes, if your organisation already requires one under UK GDPR, the DPO requirement remains. Read more about our DPO Services.

When will the DUA Bill take effect?

It is expected to pass into law in 2025. Provisions will come into force gradually, so businesses should begin preparations now.

Need help preparing for the DUA Bill?

Our team at Data Protection People supports organisations across all sectors. Whether you need help updating your policies, reviewing your SAR process, or preparing your staff, we’re here to guide you through the changes.

Business Development Executive Job

Join Our Team as a Business Development Executive

Location: Leeds (Hybrid – 4 days in office)
Department: Sales & Marketing
Contract Type: Full-Time, Permanent
Salary: £28,000–£35,000 + Uncapped Commission (DOE)
Start Date: Immediate

Are You Ready to Grow With a Business That’s Going Places?

We’re hiring a Business Development Executive at a pivotal moment for Data Protection People. With a new Sales & Marketing Director onboard and a full-scale transformation underway, this is your chance to join a team on the rise.

You’ll take ownership of lead generation, build meaningful B2B relationships, and support our mission to simplify data protection and cyber security. If you’re target-driven, motivated by growth, and ready to shape your sales career, we want to hear from you.

What Will You Be Doing?

  • Generate new business leads through outbound activity and referrals
  • Follow up on warm prospects and re-engage past clients
  • Manage your pipeline using Salesforce and keep the CRM up to date
  • Book and attend meetings (in-person or virtual) to understand client needs
  • Support product demonstrations and help close deals
  • Achieve monthly KPIs and contribute to revenue targets
  • Cross-sell new services to existing clients
  • Attend industry events to represent the business and generate leads
  • Work closely with delivery teams to ensure smooth handovers

Who We’re Looking For

Essential:

  • Proven B2B sales or business development experience
  • Excellent communication, negotiation, and relationship-building skills
  • Confident using CRM systems and Microsoft Office
  • Motivated, self-driven, and ready to hit the ground running

Desirable:

  • Experience with Salesforce CRM
  • Sales background in consultancy, tech, or professional services

What You’ll Get

  • £28k–£35k base salary + commission (depending on experience)
  • Hybrid working – 3 days per week in our Leeds office
  • Free onsite parking at The Tannery
  • Up to 30 days holiday + bank holidays
  • Access to expert mentoring and career development support
  • Regular team socials, charity events, and wellness perks

About Our Location

You’ll work from our vibrant office at The Tannery, 91 Kirkstall Road, LS3 1HS. We’re just a 10-minute walk from Leeds train station, with excellent public transport links and free parking available.

Ready to Apply?

If you’re excited by the opportunity to grow your sales career with a forward-thinking, purpose-led organisation, apply today. Email [email protected] with your CV and tell us why you’re the right fit for the team.


Managing Subject Access Requests from Employees & Ex-Employees- Part 2


Data Protection Made Easy Podcast – Episode 214

After one of our most popular episodes to date, Data Protection Made Easy is back on Friday 13th June with Part Two of our deep dive into Subject Access Requests (SARs) from employees and ex-employees.

Our expert hosts Catarina Santos, Phil Brining and Caine Glancy return with special guest Nia Roberts to pick up where we left off, tackling some of the most challenging real-world scenarios and offering practical advice you can put into action.

Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.

What We Covered

Understanding What Drives SARs

We’ll begin by exploring the reasons why employees and former staff submit SARs. Understanding their motivations – whether it’s part of a grievance, a disciplinary matter, or simply curiosity – can help you take a more informed, strategic approach when responding.

When You Must Respond – And When You Don’t

We’ll clarify the legal obligations around SARs, including when you are required to respond and the circumstances under which you may lawfully refuse. We’ll cover how to apply exemptions correctly and avoid common legal missteps.

Managing Excessive or Repetitive Requests

Some SARs are straightforward, but others can be lengthy, repeated or even used tactically during disputes. We’ll discuss practical strategies for managing high-volume or difficult requests while staying compliant and maintaining control.

Balancing Transparency and Internal Protection

Sharing data is a legal requirement, but it can pose risks. We’ll explain how to balance the need for openness with the importance of protecting internal communications and third-party data, especially in sensitive workplace situations.

Lessons from Real Grievance and Disciplinary Cases

We’ll walk through real examples where SARs intersect with HR issues, highlighting the challenges and how they were overcome. These case studies bring the legislation to life and offer useful insights for handling similar requests in your own organisation.

Proactive Preparation: Getting Ahead of SARs

Being prepared can save you a lot of time and stress. We’ll share practical steps to help you get ready for future SARs, such as mapping employee records, putting redaction protocols in place, and training managers to write with potential disclosure in mind.

Avoiding Common Mistakes

From over-disclosing sensitive data to misinterpreting exemptions, there are several pitfalls to watch out for. We’ll help you spot the most common mistakes and show you how to avoid them through better planning and communication.

Handling Escalation and Risk

Sometimes SARs escalate into wider legal or reputational issues. We’ll outline how to manage those risks and what to do when a request becomes more than just a request – protecting your organisation and your people in the process.

Want More Like This?

The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.

Subscribe to our mailing list by emailing [email protected]
Join live discussions every Friday at lunchtime
Find out more about our events, training, and in-person roundtables

Looking Ahead

As always, this podcast is completely free to attend and open to everyone. Whether you’re new to SARs or navigating a particularly difficult one, this session will leave you better equipped to respond with clarity and confidence.

Know someone who would benefit? Share the podcast link and help others take the complexity out of compliance.

Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.

Managing Employee SARs

Managing Subject Access Requests from Employees & Ex-Employees

Data Protection Made Easy Podcast – Episode 114

Subject Access Requests (SARs) submitted by current or former employees are among the most sensitive and complex data protection challenges organisations face. In Episode 114 of the Data Protection Made Easy Podcast, we welcomed Nia Roberts from Woodgate & Clarke to share her insights alongside our regular hosts Philip Brining, Catarina Santos, and Caine Glancy.

If you’re involved in HR, legal, compliance, or data protection, this is an episode you won’t want to miss. SARs from staff can surface during contentious periods and often involve highly personal data, workplace grievances, and emotionally charged decisions.

Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.

What We Covered

This session dives into some of the most frequently asked questions and overlooked risks when handling SARs from employees and ex-employees. The team explored:

🔹 Common Triggers and Misconceptions

From employment disputes and grievances to misunderstanding of rights, we discussed the motivations behind employee SARs and how these requests are sometimes unfairly perceived as “troublemaking.”

As Catarina Santos explained, it’s essential to reframe the narrative:

“The moment an employee submits a SAR, there’s often suspicion. But they’re simply exercising a right, and organisations need to avoid viewing this as a hostile act.”

🔹 SARs and Organisational Culture

The episode opened with a reflection on how much organisational attitude matters when SARs are handled internally. Do line managers panic? Do HR teams try to limit the scope unfairly? The cultural tone of how SARs are approached sets the standard both for compliance and for respect of individuals' rights.

🔹 The Community Speaks

This episode was particularly lively, with dozens of listeners sharing personal experiences in the live chat, from management asking for redaction reviews to WhatsApp messages being considered disclosable.

Philip Brining highlighted the value of the community:

“We’re not here to preach, we’re here to learn from each other. Today’s discussion proved again how much experience exists across this community.”

🔹 Tools of the Trade: Teams, WhatsApp & Chat Platforms

Are your workplace chat tools covered by SARs? Very possibly. The group discussed how platforms like Microsoft Teams, Slack, and WhatsApp are increasingly scrutinised during employee SARs, especially when conversations include personal data.

🔹 Balancing Access, Proportionality, and Security

SAR compliance doesn’t mean giving everything. As Caine Glancy pointed out, organisations must strike a balance between access and protection:

“It’s easy to get swept up in emotion, especially when the SAR involves current staff. But we need to remain impartial, proportional, and legally grounded.”

The team also touched on unfounded and excessive requests, case law, and the ICO’s guidance on managing SARs in the workplace — especially when IT systems and data security are involved.

What made this episode stand out was the depth of real-world experiences shared. Guest speaker Nia Roberts brought front-line insight, including how to manage expectations and collaborate across departments:

“You need strong communication between data protection and IT teams. It’s essential, especially when you’re dealing with chat logs or historic data held in messaging tools.”

Want More Like This?

The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.

Subscribe to our mailing list by emailing [email protected]
Join live discussions every Friday at lunchtime
Find out more about our events, training, and in-person roundtables

Meet the Panel

Looking Ahead

Due to overwhelming demand and an overflowing chat box, we’re exploring a Part 2 to this session, diving deeper into recurring SAR issues, including excessive requests, HR workflows, and lessons from recent case law.

Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.

Special May Promotion: Free SAR Consultations

This month, we’re offering free consultations on SAR handling to any organisation looking to improve their internal process.

Whether you’re struggling with redaction, document searches, or managing requests from difficult cases, speak to one of our experts for practical support.

📩 Simply email us at [email protected] with the subject line “SAR Support”, and we’ll book in a free 30-minute consultation.


Joe Kirk’s Top 10 Tips

Joe Kirk’s Top 10 Tips: Lessons from a Career in Data Protection

In this special episode of the Data Protection Made Easy podcast, long-time host and data protection consultant Joe Kirk reflects on his journey through the world of privacy and compliance—from his early days in sales, speaking to hundreds of DPOs across the UK, to becoming a consultant himself and working with a wide range of clients across every major sector.

As this marks Joe’s final regular appearance on the podcast, we dedicated the session to the Top 10 Lessons He’s Learned over the last four years. These are practical, honest, and experience-based takeaways that he hopes will help current and aspiring DPOs make a meaningful impact in their roles.

Key Themes Discussed

  • How sales and consulting provide different but complementary perspectives on data protection
  • The common challenges DPOs face regardless of sector or organisation size
  • The importance of empathy, curiosity, and communication in building trust
  • Avoiding the “tick-box” mentality and becoming a strategic advisor
  • Keeping your knowledge current in a fast-moving legal and tech landscape
  • How to show your value to the business even when you’re not customer-facing
  • Why DPOs should be involved in decision-making at the earliest possible stage
  • Balancing legal risk with operational reality
  • Encouraging a culture of accountability, not fear
  • The importance of continuous learning – and what Joe would do differently if starting today

These tips are relevant whether you’re new to data protection, already in a DPO role, or even an employer looking to build a successful privacy function.

A Time of Transition for Data Protection Made Easy

Joe’s departure also marks the beginning of a new phase for the Data Protection Made Easy community. As we look to evolve and bring even more value to our subscribers, we’re making some important changes:

Podcast Frequency
We will now host one episode per month, instead of weekly. This allows us to:

  • Deep dive into more meaningful topics
  • Reintroduce guest speakers and expert panels
  • Focus on sector-specific challenges and use cases
  • Provide more actionable takeaways for our listeners

In-Person Events
To complement our podcast, we’ll be launching monthly in-person events, starting with a Housing Sector Roundtable in Leeds. These will be free to attend and packed with:

  • Expert guest speakers
  • Open discussion sessions
  • Networking opportunities
  • Food, drink, and sector-specific guidance

If you’re in the housing sector or work in data protection in Yorkshire, this is a great chance to connect with our team face-to-face. More info coming soon.

Monthly Newsletter
To replace our weekly GDPR Radio news episodes, we’ve launched a monthly email newsletter with:

  • Top stories from the ICO and UK government
  • Regulation changes and enforcement action recaps
  • Insights from the Data Protection People team
  • Highlights from recent podcasts and events

If you’re a subscriber, your first issue should already be in your inbox! If not, sign up here:

Subscribe to the Newsletter

What’s Next?

We’ll soon be publishing a full article on Joe’s Top 10 Tips for DPOs, expanding on the episode with real-life examples, links to useful tools, and guidance from our team. This will be available in the Resource Centre and shared with our newsletter subscribers.

We’ll also be sharing details on our 10-Year Anniversary Celebration taking place in July 2025. If you’re based in Leeds and would like to attend this free event, keep an eye out for the invitation — food, drinks, music, and privacy professionals all under one roof (plus a special guest DJ set from Joe himself!).

Keep in Touch with Joe

While Joe is stepping away from the podcast, you may still hear him pop up as a guest speaker in future episodes or events. He’s made a lasting impact on our community and we’d love for you to stay connected with him: Connect with Joe on LinkedIn

Catch Up On Demand

Listen to Episode 213 – Joe Kirk’s Top 10 Tips on Spotify

Or find us on Apple Podcasts, Amazon Music, and all major streaming platforms.

Thank you to Joe for four years of thoughtful, passionate, and incredibly valuable contributions to the Data Protection Made Easy community. We’ll miss him as a regular host, but we know this isn’t goodbye – just see you later.

GDPR Radio – Episode 212

GDPR Radio – Data Protection News of the Week

In Episode 212 of GDPR Radio, the news-focused arm of the Data Protection Made Easy podcast, our hosts Phil, Catarina, and Joe returned to unpack the latest headlines and developments in the world of data protection.

This interactive session offered an hour of engaging, thought-provoking discussion with a live audience made up of DPOs, legal professionals, cyber security experts, and privacy enthusiasts. As always, we covered what matters most to the data protection community—breaking down key cases, legislative shifts, and industry commentary in a simple, digestible way.

What We Discussed

In this episode, we explored:

  • Latest ICO enforcement actions and what they mean for organisations in regulated sectors
  • Notable data breaches from the past fortnight and the implications for incident response practices
  • The future of AI & consent – how regulators are shaping their approach to emerging technologies
  • UK data reform updates and their impact on DPO responsibilities
  • Plus, we answered live questions from our audience in real time!

Whether you joined us live or plan to catch up later, Episode 212 was packed with valuable insights for data protection professionals at all levels.
How to Join Future Episodes

We host live podcast episodes every Friday between 12:30 and 13:30. These sessions are free to attend and open to anyone with an interest in data protection or cyber security. To receive weekly invitations straight to your inbox, simply sign up via our website:

👉 Subscribe to Podcast Invites
Earn IAPP CPE Credits

Listening to Data Protection Made Easy live or on-demand may qualify you for Continuing Professional Education (CPE) credits with the IAPP. Attendees can self-certify their participation by keeping a record of attendance or listening history.
Be Part of the Community

The Data Protection Made Easy podcast isn’t just a podcast—it’s a growing community. With over 1,500 subscribers and 200+ episodes, we’re proud to offer a space where professionals can learn, share ideas, and stay ahead of the curve. Each week, our live chat is buzzing with questions, opinions, and useful links from fellow practitioners.
Catch Up On Demand

Missed the live session? You can listen to Episode 212 and all previous episodes on Spotify, Amazon Music, Apple Podcasts, or wherever you get your podcasts.

🎧 Listen to GDPR Radio – Episode 212 on Spotify
Let us know what you thought of the episode or share a topic you’d like to see covered in a future edition of GDPR Radio!

Our Events & Webinars

Industry Leading Discussions

We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.

View All

AI Tools & GDPR: What You Need to Know
13 June 25 12:30 - 1:30 pm

Managing Employee & Ex-Employee SARs (Part 2)
13 June 25 12:30 - 1:30 pm

Get Support With Data Protection And Cyber Security

Our mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.