The UK's #1 Data Protection Consultancy

Data Protection & Information Security Experts

Data Protection Made Easy.

GDPR Support Cyber Security Support
Join our extensive list of clients who have their data privacy under control

Accelerate Your Data Protection Compliance

Save Time, Save Money and Relax: You’re In Safe Hands

Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.

GDPR Training

Data Protection People have a wide range of training services catering for every need. Whether it's general training for operational or admin staff or specific training for specialist roles, we have something for you. Watch the short video below to meet the team and find out more about our training services.


Information Management Software

DataWise is the original privacy tech platform designed to simplify GDPR compliance management. Since its inception in 2011, DataWise has continuously evolved, solidifying its reputation as the pioneering "privacy tech" solution.


Data Protection Consultancy

Unlock Compliance Excellence with Our GDPR Consultancy Services. Navigating the intricate realm of data protection laws and standards demands expert guidance.


Outsourced DPO

A data protection officer doesn't have to be a full-time employee, and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services, or reach out and get in touch with us.


Need Help With Cyber Security Compliance?

We Have You Covered!

At Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.

PCI DSS Compliance Services for Merchants

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.


PCI DSS Compliance Services for Service Providers

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.


External Attack Surface Management

Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.


ISO 27001

Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.


Supporting DPOs

Flexible Support When You Need It

At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.

Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.

Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.

Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.

Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.

Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.

Diverse Sector Experience

Access to a Team of Industry Experts

At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.

Commercial Sector

Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.

SMEs

Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimize your operations, and scale confidently with our tailored solutions that prioritize your unique business needs.

Third Sector


For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.

Multi Nationals

For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavors with resilience.

Public Sector

In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.

Why Use Our Outsourced DPO Services?

Save Time, Money and Guarantee Compliance

Navigating the intricate landscape of data protection demands more than just a DPO — it requires a dedicated team committed to excellence. Our Outsourced DPO Services extend beyond the traditional role, offering a comprehensive approach to legal compliance and pragmatic solutions.

Why Choose Outsourcing?

An outsourced DPO brings a wealth of experience, not just in the law but also in crafting workable solutions. Their impartiality is fortified by a team of privacy practitioners, ensuring that your organization benefits from a spectrum of expertise. Should the need arise, seamless coverage during absences is guaranteed, eliminating the vulnerability associated with a single in-house DPO.

Staying Headache-Free

Concerned about the disruption if your DPO moves on? With an outsourced model, transitions are smooth, and you won’t experience the sudden headache of a critical role vacancy. The continuity provided by a team ensures that your data protection responsibilities are seamlessly handled.

Compliance Tailored to You

Our Outsourced DPO Services align seamlessly with your legal obligations, whether you’re mandated to appoint a DPO or choose to do so voluntarily. We understand that compliance is not just about ticking boxes but about ensuring a robust, practical approach to data protection. Choose Data Protection People for a worry-free, compliance-driven outsourced DPO solution — because your data protection journey should be as smooth as it is secure.

“I can't recommend Data Protection People enough, they have helped me in so many different areas, no matter how complex the challenge or how large the obstacle, DPP always has the answer.

I can call the team at any time and have built an amazing relationship with them, in times of frustration they are here to calm me down and create a plan, they are a pleasure to work with.”

Mark Leete
Eastlight Community Homes

‘I found the FOI training session to be highly informative and well-structured. It covered all the key areas comprehensively and provided clear, practical guidance throughout. The content was easy to follow, and the delivery by Gary was engaging, making complex topics accessible and understandable.’

‘The training session has really helped me to understand the IG rep role a bit more and what I need to be thinking about when receiving a request for information.’

Charlene Haynes & Team
Tendring District Council

“I have worked with the Data Protection People for some time now. Their expertise has been drawn upon to assist us with our GDPR compliance gap analysis project, ROPA design and production through to conducting objective reviews and surveys. They are always available to help us out and their advice and guidance is excellent and delivered in a timely way. Special mentions to Kathy Midgley, Phil Brining, and David Hendry. A great, reliable and dependable service!”

Judy Barker
Dyslexia Action

“A great service and peace of mind. Data Protection People provides a well-rounded service to ensure customers are fully supported in their approach to GDPR compliance. My interaction has largely been with the following people: Kathy Midgley – another great asset to the organisation. Always approachable, always helpful and consistently supportive to the team and customers.”

Julie Ferguson
Veritau

“We have been working with the Data Protection People for many years now, and have found them to be insightful, helpful, and knowledgeable in all areas of Data Protection Compliance. Data Protection People have taken the time to understand our business, the regulatory environment we sit under, and the unique challenges we face in the industry. They have supported us in all areas of Information and Data Security, assisting in assessments of our policies and changes to our processes. They are always willing to go the extra mile and prioritise support where required.”

Nia Roberts
Woodgate & Clarke

Data Protection People Blogs & Podcasts

Data Privacy Learning & Guidance

Data Protection People have the UK's #1 Data Protection Podcast, with over 150 episodes available across all audio streaming platforms. We also post regular content designed to simplify complex areas of data protection and cyber security. Check out some of the podcasts and articles below and make data protection easy today.

When Does a Business Legally Need a DPO?

A business is legally required to appoint a Data Protection Officer (DPO) when its activities meet specific UK GDPR criteria. This includes large-scale monitoring, processing special category data or operating as a public body.

TL;DR

  • Businesses need a DPO when their data activities reach a certain level of scale or sensitivity.
  • Public authorities must appoint a DPO.
  • DPO as a Service offers external expertise without the cost of hiring internally.
  • Choosing the right provider depends on experience, industry knowledge and service levels.

Who Needs to Appoint a Data Protection Officer?

Certain types of organisations, and organisations carrying out specific activities, are required to appoint a DPO under GDPR.

Organisations that require a DPO, whether a controller or a processor, typically include:

  • Public authorities and government bodies
  • Businesses carrying out regular and systematic monitoring of individuals at scale
  • Organisations processing large amounts of special category data, such as:
    • Health records
    • Criminal offence records
    • Biometric information

For instance, healthcare providers, insurance companies and large HR platforms will usually need to appoint a data protection officer.

If you’re not legally required to appoint a DPO, but choose to appoint one voluntarily, the position still has the same responsibilities and tasks as a mandatory appointment.

When Does Having a DPO Become a Legal Requirement?

A DPO becomes legally required when your organisation’s data activities create higher compliance responsibilities – not necessarily company size.

GDPR doesn’t define the numbers around ‘large-scale processing’, but it considers:

  • Volume of records
  • Number of individuals affected
  • Geographic scope
  • Duration of monitoring

We would recommend consulting with a data protection expert if you’re unsure.

Activity                                | DPO required? | Example
Small business storing customer emails  | Usually no    | Local gift shop
Large-scale health data processing      | Yes           | Private clinic
Employee CCTV monitoring across sites   | Potentially   | National employer

How Do I Choose the Right DPO Service Provider?

The right DPO service provider combines GDPR expertise, independence and practical business support.

What to look for:

  • Check their sector experience. Have they worked with similar businesses to yours? Ask if they have references from their clients.
  • Confirm their independence and impartiality. They should be able to advise and oversee compliance without being influenced by any of your internal decision-makers.
  • Review what services are included for the cost. For instance, if you require a high level of practical support, make sure that the support they offer meets your requirements.
  • What level of support are they offering? Do they offer support during incidents or regulatory enquiries?

How Does DPO as a Service Differ From Hiring an In-House DPO?

Using an outsourced DPO service gives you access to broader expertise, guaranteed independence and better scalability. It is also usually more cost-effective to outsource to an external DPO than it is to hire one in-house.

However, an in-house DPO may be more readily available and have a deeper understanding of your company’s internal processes from the get-go.

Get Your Expert DPO with Data Protection People

At Data Protection People, we offer a range of DPO services designed to suit your needs. Our expert Data Protection Officers will provide you with everything you need to get GDPR compliant. Get in touch today.


FAQs

What happens if a business needs a DPO but doesn’t appoint one?

If a business fails to appoint a DPO when it’s legally required to do so, the organisation could face regulatory scrutiny, compliance issues and potential fines.

Can small businesses benefit from having an outsourced DPO?

Yes. Small organisations may not legally require one, but they can still use outsourced DPO services to reduce risk, and having the service in place sets them up well if the business grows.

Is DPO as a service suitable for growing businesses?

Yes. It works well for scaling operations or increasing sensitive data processing.

World Cup Surveillance And How it Matters For Your Organisation


The World Cup started on 11 June, and for the next five weeks it will be almost impossible to avoid. What may be easier to miss, among the football, is the amount of watching going on: not just of players on the pitch, but of fans walking through the gates and, closer to home, staff turning up tired after a late kick-off. 

Two things are happening this summer that every organisation should pay attention to. One is in the stadiums. The other is in the office. 

In the Stadium 

Mark has a ticket to a group game. He gets to the gate and there is nothing to scan: no paper ticket, no phone, no barcode. He simply looks at a camera, it recognises his face, and he is through. Brilliant, thinks Mark. The future. 

Face-based entry is already in use across major US sports venues, and biometric screening is widely expected to be one of the defining features of the 2026 World Cup, with the United States, Canada and Mexico hosting millions of fans across 16 cities. Typically, it works much as it does for Mark: fans register through an app, a selfie is converted into a digital token linked to their ticket, and they walk straight through. To a fan, it feels like a glimpse of how every stadium may work one day. To anyone responsible for data protection, it raises a serious question, because facial recognition is not ordinary data processing. 

When a system uses someone’s face to identify them, it is processing biometric data. Under UK GDPR, biometric data used for identification is special category data. You cannot process it simply because it is convenient, or because people seem happy enough to accept its use. 

Doing it lawfully takes two things: a lawful basis under Article 6 UK GDPR, and a separate condition under Article 9. Consent may look like the obvious route, but it has to be freely given and comply with the rest of the rules for consent under the UK GDPR. It will also have to be “explicitly” provided in order to collect special category data. That is hard to argue when the alternative is being turned away from a match someone has already paid for.  

That last point is where organisations often come unstuck. Earlier this year, the Spanish data protection authority fined Barcelona €500,000, not simply for using biometric data, but for failing to carry out a proper Data Protection Impact Assessment before collecting facial and voice data from members during a digital sign-up process involving around 143,000 people. The club had produced a risk assessment; the regulator decided it was not, in substance, a proper DPIA at all. Members had complained that the biometric option felt compulsory and that the ordinary alternative was unclear. 

UK clubs are watching the World Cup closely, and some will be tempted to bring this technology home. Before they do, they need to understand that what looks like an upgrade to the fan experience is, in data protection terms, one of the highest-risk things they can do. 

In the Office 

Rachel runs HR, and she has started to notice a pattern. Two people are off sick on the same morning, the day after a late England game. A couple of others log in late and look as though they would rather be anywhere else. A run of “working from home” requests all seem to land on match days. She is tempted to keep a closer eye on a few people for the next month or so. 

She is not alone. Because the tournament is being played across North America, many matches fall in the UK evening or late at night, with kick-offs at 7pm, 10pm and well past midnight. The predictable result is a workforce running on less sleep, and managers tempted to check who is logging in late, review activity logs, and cross-check absences against the fixture list. 

Monitoring staff is not unlawful. But it is regulated, and the same principles that govern facial recognition apply here too. There has to be a lawful basis. In the workplace, consent rarely works because the imbalance between employer and employee means it cannot usually be freely given. Most employers rely instead on legitimate interests, which means carrying out a Legitimate Interests Assessment rather than simply deciding that the monitoring feels reasonable. 

It also has to be proportionate. Wanting to catch a few people who stayed up too late is not, by itself, a good enough reason to monitor an entire workforce. An employer has to ask whether there is a less intrusive way to achieve the same thing, and whether what is being collected is limited to what is genuinely needed. 

It also has to be transparent. Monitoring people without telling them is only lawful in genuinely exceptional cases, such as investigating suspected criminal activity. A football match does not come close. If Rachel’s organisation is going to monitor staff, it has to tell them what is being monitored, why, on what basis, and for how long. That should be set out clearly in a policy and privacy notice. Where the monitoring is systematic, it also needs a Data Protection Impact Assessment: the very same tool a football club needs before installing facial recognition.

The Same Lesson, Twice 

Mark and Rachel could not be in more different situations. One is a fan being watched at a match; the other is a manager thinking about doing the watching. But the underlying questions are the same. What is your lawful basis? Do you really need to do this? Is it proportionate? Have you told people? Have you carried out an Impact Assessment? 

The World Cup will be over by late July. The technology it showcases will not be. Facial recognition at the turnstile and monitoring software on the work laptop are both becoming more normal, and more tempting, every year. Too often, organisations reach for the technology first and consider the law later. 

Watching people is not automatically unlawful. It is not automatically acceptable either. The technology does not remove the need to ask the difficult questions; it makes asking them more important than ever. 

What Your Organisation Should Do 

If you are considering biometric or facial recognition technology, treat it as high-risk from the outset. Carry out the Impact Assessment first, identify both your Article 6 lawful basis and your Article 9 condition, and think carefully about whether consent can truly be freely given. If you monitor staff, or are tempted to do so over the coming weeks, make sure you have a documented lawful basis, that the monitoring is proportionate, that staff are properly informed, and that an Impact Assessment sits behind anything systematic. 

Enjoy the football. Just make sure your organisation is not the one caught offside.

Need Help Getting Surveillance and Monitoring Right? 

If your organisation is considering biometric technology, facial recognition, or employee monitoring, now is the time to get the data protection position right. Our team can help you understand the risks, complete robust DPIAs, identify the correct lawful basis, and put clear policies and safeguards in place before issues arise. Through our Data Protection Audits, Outsourced DPO services, and ongoing Data Protection Support, we work with football clubs and organisations across every sector to keep projects compliant and proportionate and make data protection easy for you and your teams.  


Political Data Protection: Lessons from a Former Labour Party DPO

Inside Political Data Protection: Lessons from Former Labour Party DPO James Robson

Data protection professionals are often tasked with balancing regulatory compliance and organisational objectives. Whilst this challenge exists across every sector, the stakes can become significantly higher when personal data sits at the centre of political campaigning, public scrutiny, and national attention.

In a recent episode of the Data Protection Made Easy podcast, host Caine Glancy was joined by James Robson, former Data Protection Officer (DPO) for The Labour Party, to discuss his experiences managing privacy and compliance within one of the UK’s most visible political parties.

The conversation provided a fascinating insight into the realities of data protection within politics, whilst also highlighting lessons that are relevant to organisations far beyond Westminster.

When Data Protection Becomes a Priority Too Late

One of the most striking aspects of the discussion was James’ description of the environment he inherited when joining The Labour Party.

The organisation had spent a significant period without a dedicated DPO and was continuing to deal with the fallout from a major data breach. Alongside this were unresolved data subject access requests, deletion requests, open complaints, regulatory scrutiny, and thousands of privacy-related enquiries awaiting review.

James explained that, upon joining, he discovered open ICO complaints, significant DSAR backlogs, and even a privacy mailbox containing more than 10,000 unopened emails.

Whilst the scale of these challenges was unusual, the underlying lesson is one many organisations will recognise. Data protection issues rarely emerge overnight. More often, they develop gradually through a combination of competing priorities, limited resources, and a lack of ongoing oversight.

Allowing data protection responsibilities to accumulate without a dedicated resource, whether an internal DPO or an outsourced DPO service, creates compounding risk. The longer a backlog grows, the more difficult and costly it becomes to resolve.

The Importance of Relationships in Effective Data Protection

Throughout the episode, James repeatedly returned to the importance of building relationships across an organisation.

Rather than approaching departments as a compliance function looking to identify faults, James described spending time understanding how teams operated, what challenges they faced, and how data protection could support organisational objectives.

This approach, rooted in collaboration rather than enforcement, is one of the most consistently cited factors in effective data protection leadership. Compliance culture cannot be mandated; it must be grown through trust, communication, and mutual understanding.

Building Constructive Relationships with Regulators

Faced with ongoing scrutiny from the Information Commissioner’s Office (ICO), James described how he took a different approach to regulatory engagement than had previously been adopted.

Rather than attempting to keep the regulator at a distance, he advocated for greater transparency and closer collaboration. He explained that rebuilding trust with the ICO became a key priority and that establishing an open dialogue helped create a more constructive relationship moving forward.

This is a valuable reminder that the ICO, whilst a regulatory body, is not an adversary. Organisations that engage proactively, particularly when addressing legacy issues, are often in a stronger position than those that disengage or become defensive.

The Unique Challenges of Political Data

Political opinions are classified as special category data under UK GDPR, meaning additional protections and requirements apply to their processing.

James explained how political parties lawfully access and use electoral register data, the role of democratic engagement provisions, and the complexities involved in distinguishing between democratic engagement and political marketing.

Under Article 9 of the UK GDPR, political opinions are special category data. Processing them requires a lawful basis under Article 6 and a separate condition under Article 9, such as explicit consent or a specific exemption applying to political parties and democratic engagement activities.

These distinctions matter enormously in practice. The line between lawful outreach under democratic engagement provisions and unlawful direct marketing is not always clear, and political parties face heightened public and regulatory attention when that line is crossed.

Community and Collaboration Within the Profession

Another interesting insight from the episode was James’ decision to bring together data protection professionals from different political parties to discuss common challenges and share experiences.

Regardless of political affiliation, DPOs operating within parties face structurally similar challenges: managing large volumes of supporter data, navigating democratic engagement provisions, and operating under significant public scrutiny.

James found that creating space for cross-party professional dialogue was genuinely useful, and it speaks to a broader principle: the data protection profession benefits enormously from peer learning and shared experience.

Key Takeaways

  • Data protection issues develop gradually. Proactive governance and a dedicated DPO resource can prevent backlogs from compounding into a crisis.
  • Building relationships across an organisation is just as important as technical compliance knowledge. Effective DPOs embed themselves into the business rather than acting solely as an audit function.
  • Transparency with the ICO builds trust. Engaging proactively with regulators, particularly when addressing legacy issues, often leads to more constructive outcomes than avoidance.
  • Political opinions are special category data under UK GDPR and require additional justification for processing. The distinction between democratic engagement and political marketing is complex and must be carefully managed.
  • Compliance must be embedded into organisational culture. Accountability and transparency are not simply regulatory obligations; they are foundations of effective data protection leadership.
  • Peer learning matters. Data protection professionals benefit from sharing experiences across sectors and, where appropriate, even across organisations that might otherwise be considered competitors.

About James Robson

James Robson is the former Data Protection Officer for The Labour Party. He joined the organisation during a period of significant regulatory scrutiny and was responsible for rebuilding compliance infrastructure, clearing substantial backlogs of DSARs and ICO complaints, and re-establishing constructive engagement with the Information Commissioner’s Office.

Need Expert Data Protection Support?

Whether you are managing a backlog of DSARs, navigating ICO scrutiny, or looking to strengthen your compliance culture, Data Protection People can help.

Our team supports organisations across the UK with outsourced DPO services, compliance programmes, training, audits, and practical advice designed to make data protection easy to understand and easy to do.

5 Signs Your Organisation is Not Ready for a Weaponised SAR

A weaponised Subject Access Request (SAR) can have a huge impact if your organisation is ill-prepared. When data is difficult to find, responsibilities are unclear and processes rely on humans rather than automation, a well-timed, weaponised SAR can cause disruption, expose weaknesses and increase risk of non-compliance.

TL;DR

  • Weaponised SARs are data requests that are submitted with a strategic motive, not just for access to personal data.
  • Poor governance and disconnected systems slow investigations.
  • Preparation and external support can reduce the impact of weaponised SARs.

What Is a Weaponised SAR and Why Are They Difficult to Manage?

While ‘weaponised SAR’ is not a regulatory term used by the ICO, it is commonly used to describe requests perceived as tactical or linked to disputes, rather than solely for transparency purposes.

Common scenarios include:

  • Employee grievances
  • Tribunal preparation
  • Whistle-blowing concerns
  • Settlement disputes
  • Internal investigations

Not every SAR is weaponised, and intent is not always obvious.

Weaponised – and complex – SARs can be difficult to manage because they increase risk, expose weaknesses and take advantage of pressure to respond.

Here are five signs that your organisation is not ready for a weaponised SAR:

1. Your Organisation Doesn’t Know Where Personal Data Lives

Weaponised SARs often involve broad searches across multiple systems, like email archives, shared drives, instant messages, HR systems and more.

If your team can’t identify every system that contains employee data within one working day, you could be in trouble.

2. HR, Legal and Compliance Teams Work in Silos

Similarly, weaponised SARs rarely affect one department alone. When your HR, Legal and Compliance teams work separately, confusion over ownership will slow down your response and put your business at risk of non-compliance.

3. Employee SARs Trigger Panic

Tactical SARs will often appear during periods of conflict, and anxiety around them often indicates missing processes.

Even before GDPR entered the public consciousness, lawyers advising employees involved in tribunals or conflicts would recommend filing a SAR. Sometimes this meant finding evidence; other times it was used tactically to cause disruption.

Responding to a SAR often exposes other areas that are lacking, leaving employees feeling panicked and stressed.

4. You Rely on Manual Searches and Inbox Reviews

Likewise, a weaponised SAR will test the process as much as it will test data availability. If you’re still relying on manual searches and inbox reviews, then any SAR, weaponised or not, can cause confusion, slow responses and missed information.

Make sure you have:

  • A search methodology
  • Documented exclusions
  • A redaction process
  • An audit trail
  • An exemption process

5. You’ve Never Stress-Tested a High-Risk SAR Scenario

Most organisations never think to stress-test a high-risk SAR, so often they only discover their weaknesses after the countdown to a deadline begins.

Running an exercise to find the holes in your system will mean that weaponised SARs will have less of an impact.

We recommend:

  • Mapping the systems that hold personal data
  • Defining SAR ownership
  • Creating escalation processes
  • Documenting search procedures
  • Creating a feedback loop

Combat Weaponised SARs With Data Protection People

Our SAR Support Service is comprehensive, offering everything from discovery tools to help you find relevant information to redaction services and end-to-end SAR handling. If you’re worried about weaponised SARs, we can help put your mind at ease.

Get in touch to talk to our SAR specialists today.


FAQs

Can a SAR be refused?

Not automatically. Organisations must be ‘motive-blind’ to SARs and treat them the same from the outset. You can refuse a SAR if it is manifestly unfounded or manifestly excessive.

Can a subject access request be vexatious?

Yes. If you can prove this, then you can exclude or limit the data subject’s right of access or charge a fee towards the costs of responding.

Are Employee SARs usually weaponised?

No. Many are legitimate rights requests, though some arise during disputes.

S2 Ep22: GDPR Radio - Data Protection News Of The Week

AI-Generated SARs, ICO Complaints and Social Media Bans: What This Means for Organisations

The data protection landscape rarely stands still, but recent developments suggest organisations may be facing new challenges from multiple directions.

In a recent episode of GDPR Radio, Caine Glancy and Catarina Pereira dos Santos explored several of the biggest stories currently impacting the profession, including the growing number of AI-generated Subject Access Requests (SARs), criticism of the ICO’s complaints handling processes, the resignation of Information Commissioner John Edwards, and the UK’s proposed social media restrictions for under-16s.

Whilst these issues may appear unrelated, they all raise important questions about accountability, regulation and how organisations can prepare for an increasingly complex compliance environment.

Organisations Are Seeing More Subject Access Requests

One of the first topics discussed was the significant increase in Subject Access Requests being experienced by some organisations, particularly within the housing sector.

Catarina explained that several clients have reported substantial increases in SAR volumes compared to the same period last year, with some organisations managing dozens of requests simultaneously.

Whilst organisations often look for common causes such as complaints or service issues, the discussion highlighted another potential factor: the growing use of artificial intelligence.

Is AI Driving The Rise In SARs?

The conversation explored how AI tools such as ChatGPT are making it easier than ever for individuals to draft and submit Subject Access Requests.

Catarina described conducting her own test using ChatGPT and discovering that many of the requests being received by one client closely mirrored the wording generated by the AI platform.

“Twenty-eight of them are literally coming from ChatGPT because it was a copy and paste of the one that I have seen in front of me.”

The discussion highlighted both the opportunities and challenges this creates. On one hand, AI can help individuals better understand and exercise their rights. On the other, organisations may find themselves dealing with increasing volumes of requests that are generated quickly and submitted with little effort.

When AI Creates A Compliance Challenge

The discussion also highlighted a less obvious issue.

According to Caine, organisations are increasingly finding themselves engaged in lengthy back-and-forth exchanges where AI-generated responses repeatedly challenge the organisation’s position.

Rather than helping resolve requests, AI can sometimes create what Caine described as a “hamster wheel” of ongoing correspondence. Organisations respond, AI generates a counterargument, and the cycle continues.

This creates an important challenge for organisations. Knowing when a SAR has been answered appropriately and when communication can reasonably come to an end is becoming increasingly important.

Questions Continue To Be Raised About ICO Complaint Handling

The conversation then turned to the Information Commissioner’s Office and recent criticism of its complaints framework.

The hosts discussed concerns raised by campaign groups regarding the ICO’s approach to lower-risk complaints and whether sufficient action is being taken when individuals exercise their data protection rights.

The discussion explored the difficult balance regulators face between prioritising resources and maintaining public confidence.

Catarina questioned whether data subject rights risk becoming theoretical if complaints are routinely stored for information purposes without further action.

“The regulators should be there to protect the rights and freedoms… but then they complain and they are used for informational purposes rather than actually helping the data subjects.”

What John Edwards’ Resignation Could Mean

The resignation of Information Commissioner John Edwards was another major topic.

Whilst the hosts acknowledged that the full circumstances remain a matter of public record, the discussion focused on what the change could mean for the future direction of the ICO.

Catarina suggested that the timing may provide an opportunity for the regulator to review its processes and priorities.

The broader question raised throughout the discussion was whether the ICO’s current approach remains fit for purpose in an environment where data protection concerns continue to grow in both volume and complexity.

The Social Media Ban Debate

The final major topic centred around the UK’s proposed social media restrictions for under-16s.

The proposal has been positioned as a measure to improve online safety and reduce the risks children face online. Catarina acknowledged the positive intentions behind the proposal, particularly given the ongoing concerns around children’s privacy, harmful content and the misuse of personal data.

However, the discussion also raised several practical concerns.

Is Responsibility Being Placed On The Right People?

A recurring theme throughout the discussion was accountability.

Rather than focusing solely on restricting access for younger users, both hosts questioned whether greater responsibility should be placed on the platforms themselves.

As Catarina explained, the conversation appears to focus heavily on controlling users whilst paying less attention to the role social media companies play in creating and maintaining online environments.

The discussion also raised questions around age verification, enforcement and whether restrictions alone can address the root causes of online harm.

The Challenge Of Balancing Safety And Freedom

The conversation concluded by recognising that online safety is rarely a straightforward issue.

Whilst protecting children remains an important objective, both hosts questioned whether blanket restrictions alone can solve the wider challenges associated with social media, harmful content and digital wellbeing.

As Caine noted, the underlying issue may not simply be access to social media, but the platforms themselves and the environments they create.

Looking Ahead

The episode highlighted several developments that organisations should continue monitoring closely.

The rise of AI-generated SARs is already creating operational challenges for some organisations. Questions around ICO enforcement and complaints handling continue to attract attention. Meanwhile, proposals around online safety and social media restrictions are likely to generate ongoing debate.

Whilst the outcomes remain uncertain, one thing is clear. Data protection professionals will need to remain adaptable as technology, regulation and public expectations continue to evolve.

Frequently Asked Questions

Are AI-generated Subject Access Requests valid?

Yes. A Subject Access Request can still be valid even if it has been created using an AI tool. Organisations should assess the request in the same way they would any other SAR.

Why are organisations seeing more SARs?

Increased awareness of data protection rights, the use of AI tools and wider public discussion around privacy may all be contributing to higher SAR volumes.

How should organisations deal with repeated AI-generated responses?

Organisations should follow their internal SAR procedure, document their decisions and ensure they have responded appropriately. Once a request has been handled properly, it is important to know when further correspondence is no longer necessary.

Does the ICO investigate every data protection complaint?

The ICO uses a risk-based approach when reviewing complaints. This means some complaints may be prioritised depending on factors such as risk, harm and wider public interest.

Why is the proposed social media ban for under-16s controversial?

Although the proposal aims to protect children online, concerns remain around age verification, enforcement, privacy and whether enough responsibility is being placed on social media platforms themselves.

How can organisations prepare for increasing SAR volumes?

Organisations can prepare by having clear SAR procedures, training staff, maintaining good records and seeking specialist data protection support where needed.

Need Support Managing Subject Access Requests?

Managing Subject Access Requests, responding to regulatory challenges and keeping up with changing data protection expectations can be difficult, particularly when organisations are facing increasing workloads and limited internal resource.

Our Data Protection Support Service, Outsourced DPO Service and Training and Awareness Services help organisations navigate complex compliance challenges with confidence.

Whether you need support managing SARs, reviewing governance processes or improving staff awareness, our team can help you make data protection easier to understand and easier to manage.

The First 72 Hours After a Breach

The First 72 Hours After a Breach: What Organisations Should Do Next

When a personal data breach occurs, the first few hours are often the most important.

The decisions made immediately after an incident can significantly influence the outcome, affecting regulatory obligations, reputational damage, customer trust and the overall response effort.

In a recent episode of the Data Protection Made Easy podcast, Caine Glancy and Catarina Pereira dos Santos discussed the practical actions organisations should take during the first 72 hours following a personal data breach.

The discussion explored breach containment, risk assessments, notifications, lessons learned and the common mistakes organisations make when responding to incidents.

Whilst every breach is different, the session reinforced a simple message: organisations that respond quickly, assess risk properly and learn from incidents are often far better positioned to reduce harm and prevent future issues.

Containment should always come first

One of the most important points raised during the discussion was the need to contain an incident as quickly as possible.

Before organisations start thinking about reporting obligations, notifications or regulatory engagement, they need to understand what has happened and stop any ongoing unauthorised access, disclosure or loss of personal data.

As Catarina explained: “We need to contain it immediately.”

Containment actions will vary depending on the nature of the breach. This may involve recalling emails, disabling accounts, restricting access to systems, recovering documents or preventing further disclosure.

The key objective is to stop the incident from escalating whilst gathering enough information to understand what has happened.

Understanding the facts before assessing risk

Once the immediate situation has been contained, organisations need to establish the facts.

The discussion highlighted how many organisations rush straight to questions about whether a breach should be reported to the ICO without first understanding what has actually happened.

Before any meaningful risk assessment can take place, organisations need to identify what information was involved, who was affected, how the breach occurred, whether the information has been accessed and what mitigating actions have already been taken.

This information forms the foundation of any subsequent decision-making process.

Without context, it is almost impossible to determine whether a breach presents a risk to individuals or whether reporting obligations apply.

Not every breach is reportable

The session also addressed a common misconception: not every personal data breach needs to be reported to the ICO.

Many organisations automatically assume that any breach involving personal data must be reported, whilst others incorrectly assume that low-risk incidents are not breaches at all.

In reality, every incident should be assessed on its own merits.

A misdirected email, accidental disclosure or inappropriate access may still constitute a personal data breach even if the risk to individuals is ultimately low.

The discussion reinforced the importance of assessing the specific circumstances rather than relying on assumptions.

As Caine explained, context is critical when evaluating risk and determining the appropriate response.

Why context matters when assessing risk

A recurring theme throughout the discussion was the importance of context.

Organisations often want a straightforward answer to whether a breach is reportable or whether affected individuals should be notified. However, data protection rarely works in absolutes.

Caine highlighted how difficult it can be to assess risk without understanding the full circumstances surrounding an incident.

A simple statement such as “an email was sent to the wrong person” does not provide enough information to determine the level of risk involved. Organisations need to understand the contents of the email, the sensitivity of the information, who received it and whether any mitigating actions have already been taken.

As Caine explained: “The key is always in the likely.”

Risk assessments should focus on what is realistically likely to happen as a result of the breach, rather than becoming overly focused on highly unlikely scenarios.

This is why context remains one of the most important elements of effective breach management.

When should organisations notify the ICO?

One of the most common questions raised following a breach is whether the incident needs to be reported to the Information Commissioner’s Office.

The discussion highlighted that organisations should avoid treating ICO reporting as an automatic response.

Instead, reporting decisions should be based on the outcome of a documented risk assessment and the likelihood of risk to individuals.

Where a breach is likely to result in a risk to the rights and freedoms of individuals, organisations are generally required to notify the ICO within 72 hours of becoming aware of the incident.

However, the hosts also acknowledged that many organisations struggle with this decision-making process, particularly when dealing with complex incidents or limited information.

For smaller organisations without dedicated privacy teams, understanding reporting thresholds can be one of the most challenging aspects of breach management.

Should affected individuals always be informed?

The session also explored another area that frequently causes uncertainty: notifying affected individuals.

Many organisations assume that if a breach has occurred, the individuals involved must automatically be informed. However, this is not always the case.

Whilst transparency remains a fundamental principle of data protection, notifications should have a clear purpose.

As Catarina explained, the purpose of notifying individuals is not simply to tell them that a breach has happened. It is to allow them to take action where there is an active risk to them.

If a breach creates a high risk to an individual’s rights and freedoms, notifying them may allow them to protect themselves from fraud, identity theft, financial loss or other harms.

Where there is no ongoing risk, organisations may decide that notification is unnecessary.

The discussion highlighted the importance of carefully balancing transparency, risk and potential distress when making these decisions.

The risks of over-notification

Whilst organisations are often concerned about under-reporting breaches, the discussion highlighted that over-notification can also create problems.

Informing individuals about every low-risk incident may cause unnecessary concern, particularly where no meaningful action is required on their part.

Some individuals may understandably assume the worst when they hear the phrase “data breach”, regardless of the actual level of risk involved.

In certain circumstances, notifying individuals about low-risk incidents may create confusion, anxiety and additional complaints without providing any practical benefit.

This is why notification decisions should always be proportionate and based on a thorough assessment of the circumstances.

As the discussion demonstrated, there is rarely a one-size-fits-all approach.

Caine reinforced this point by explaining: “Nothing in data protection is a one size fits all kind of thing.”

Every breach is an opportunity to learn

One of the strongest messages from the session was that organisations should view breaches as learning opportunities.

Even low-risk incidents can reveal weaknesses in processes, training, systems or controls.

Rather than simply recording an incident and moving on, organisations should take the time to identify trends and recurring issues.

As Caine explained: “The main thing really is treating it as lessons learned always.”

If multiple incidents occur for similar reasons, such as misdirected emails, access errors or process failures, this may indicate a wider issue that requires attention.

Reviewing breach data collectively often provides valuable insight into where improvements can be made.

The discussion highlighted how organisations can use incidents to strengthen controls, improve staff awareness and reduce the likelihood of future breaches.

Getting value from incidents

Closely linked to the lessons learned approach was the idea of extracting value from incidents wherever possible.

Breaches are rarely desirable, but they can provide useful information about organisational weaknesses and areas for improvement.

As Caine commented: “You’ve got to try and claim some benefit back from it where you can.”

This might involve updating procedures, improving training, introducing additional technical controls or reviewing existing risk assessments.

By treating breaches as opportunities for continuous improvement, organisations can often strengthen their overall data protection framework.

What organisations should do after a breach

Once the immediate response has been completed, the discussion highlighted the importance of reviewing the incident in full.

This should include documenting what happened, assessing the effectiveness of the response, identifying any improvements and updating relevant policies or procedures where necessary.

Organisations should also consider whether additional staff training, awareness campaigns or technical measures may help prevent similar incidents in the future.

The first 72 hours are important, but the actions taken afterwards are often what determine whether an organisation genuinely learns from an incident.

A practical approach to breach management

The session reinforced a practical and proportionate approach to managing personal data breaches.

Contain the incident, establish the facts, assess the risk, determine whether reporting obligations apply and identify opportunities for improvement.

Whilst every breach is different, organisations that follow these principles are often better positioned to respond effectively, reduce harm and strengthen compliance over time.

Most importantly, the discussion highlighted that effective breach management is not just about regulatory compliance. It is about protecting individuals, maintaining trust and continuously improving organisational practices.
Need support managing personal data breaches?

Managing a personal data breach can be challenging, particularly when organisations are under pressure to assess risk, make reporting decisions and communicate effectively with regulators and affected individuals.

Our Data Protection Support Service, Outsourced DPO Service and Training and Awareness Services help organisations build effective breach management processes, improve governance and strengthen compliance.

Whether you’re responding to an incident, reviewing your breach procedures or looking to improve organisational awareness, our team can help you manage data protection with confidence.
Frequently Asked Questions About Personal Data Breaches

What should organisations do immediately after discovering a data breach?

The first priority should be containing the incident to prevent any further unauthorised access, disclosure, loss or destruction of personal data. Once contained, organisations should establish the facts and begin assessing risk.

Does every personal data breach need to be reported to the ICO?

No. Organisations should assess whether the breach is likely to result in a risk to the rights and freedoms of individuals. Not all breaches meet the threshold for ICO notification.

How quickly must a breach be reported to the ICO?

Where a breach is reportable, organisations are generally required to notify the ICO within 72 hours of becoming aware of the incident.

Do organisations always need to notify affected individuals?

No. Individuals generally need to be informed where the breach is likely to result in a high risk to their rights and freedoms. Notification decisions should be based on a documented risk assessment.

Why is a risk assessment important following a breach?

A risk assessment helps organisations understand the potential impact on affected individuals and determine whether reporting or notification obligations apply.

What can organisations learn from data breaches?

Even low-risk incidents can reveal weaknesses in processes, systems, training or controls. Reviewing breaches helps organisations identify trends, strengthen governance and reduce future risk.

Data Protection in the Next Election: Lessons from Former Labour Party DPO James Robson

Data Protection in the Next Election: Insights from Former Labour Party DPO James Robson

Political parties process vast amounts of personal data, from electoral registers and supporter databases to campaign communications, fundraising activities and voter engagement initiatives. Yet despite the scale of this processing, many people have little visibility into the data protection challenges operating behind the scenes.

In a special episode of the Data Protection Made Easy podcast, Caine Glancy was joined by James Robson, former Data Protection Officer for The Labour Party, to discuss what data protection looks like inside one of the UK’s most scrutinised organisations.

The discussion explored regulatory investigations, Subject Access Requests, electoral data, political campaigning, public trust, governance and the future of data protection in democratic processes.

Drawing on his unique experience, James shared practical insight into the realities of managing compliance in a highly political, highly visible and constantly evolving environment.

If your organisation is navigating complex data protection challenges, our Data Protection Support Service, Outsourced DPO Service and Training and Awareness Services help organisations strengthen governance, improve compliance and build trust.

Walking into a compliance crisis

One of the most striking moments from the discussion came when James described his first experience of joining The Labour Party.

Rather than inheriting a mature compliance programme, he found a significant backlog of privacy requests, open regulatory investigations and unresolved compliance issues.

Reflecting on the experience, James explained: “I walked into a burning building not realising it was a burning building.”

He described discovering unanswered Subject Access Requests, deletion requests and ongoing ICO engagement linked to historic compliance challenges.

At the time, there were numerous open complaints, significant operational issues and substantial work required to restore confidence in the organisation’s compliance framework.

The discussion highlighted how quickly data protection risks can escalate when governance arrangements are not maintained and why organisations should avoid viewing compliance as something that can simply be paused or deprioritised.

Why governance matters

The conversation reinforced a reality many data protection professionals will recognise. When governance processes are not maintained, problems rarely remain isolated.

Unanswered requests become complaints. Complaints become regulatory attention. Regulatory attention creates pressure, scrutiny and operational disruption.

Good governance is often most visible when things go wrong. Effective processes, documented decision-making, clear accountability and regular oversight can help organisations identify issues early and reduce the likelihood of problems escalating.

For many organisations, this serves as a reminder that compliance is not simply about policies and procedures. It requires ongoing attention, ownership and investment.

Building a relationship with the ICO

Another key theme was the role of transparency when dealing with regulators.

Rather than treating the ICO as an adversary, James explained how he worked to build a more collaborative relationship focused on openness and improvement.

He commented: “We needed to change the feeling that the ICO had about Labour.”

Part of that strategy involved increasing transparency and involving the regulator more closely in ongoing remediation efforts.

As James explained: “We need to bring the ICO as close to us as possible and be transparent about all working processes.”

Whilst many organisations naturally feel nervous about engaging with regulators, the discussion highlighted how openness can often help demonstrate accountability and commitment to improvement.

Transparency does not remove regulatory obligations, but it can help build trust and create a more constructive working relationship when challenges arise.

The importance of stakeholder relationships

A recurring theme throughout the episode was the importance of relationships.

James explained how understanding data processing activities required close collaboration with teams across the organisation.

Rather than approaching compliance from a purely legal perspective, he focused on understanding business objectives and identifying practical solutions that balanced organisational goals with privacy requirements.

This is a challenge many Data Protection Officers face. Effective compliance rarely comes from saying no. It comes from understanding what an organisation is trying to achieve and helping it achieve those objectives in a compliant way.

Successful privacy programmes are often built on trust, communication and collaboration rather than policy documents alone.

Balancing privacy and organisational objectives

Political parties exist to campaign, engage with voters and ultimately win elections. Data protection obligations do not remove those objectives, but they do influence how they can be achieved.

The discussion explored the challenge of balancing privacy risks with organisational priorities.

As Caine highlighted during the episode, effective Data Protection Officers need to understand both the risks to individuals and the wider risks facing the organisation.

This balancing act applies far beyond politics. Whether working in housing, healthcare, education, local government or the private sector, privacy professionals are often required to navigate competing priorities whilst ensuring compliance remains effective and proportionate.

Political campaigning and personal data

The episode also provided valuable insight into one of the most misunderstood areas of political data protection: campaign communications and voter information.

James explained that political parties operate within a unique legal framework that combines electoral legislation, UK GDPR, PECR and wider democratic engagement provisions.

This creates challenges that many organisations never encounter.

The discussion explored how political parties can lawfully access electoral register information, the distinction between democratic engagement and political marketing, and the complexities surrounding voter communications.

It also highlighted why public understanding of these processes is often limited, leading to frequent questions and complaints about how political parties obtain and use personal information.

Political opinions are classified as special category data under UK GDPR, making compliance particularly important when handling voter information and political preferences.

The impact of elections on data protection teams

Election periods create unique pressures for privacy professionals.

James described how political events can trigger substantial increases in Subject Access Requests, complaints and regulatory attention.

One example discussed during the episode involved a coordinated campaign encouraging individuals to submit Subject Access Requests to political parties during a general election period.

The volume of requests created significant operational pressure at a time when political parties were already operating under intense scrutiny.

These spikes can place substantial strain on compliance teams whilst simultaneously increasing public and regulatory attention on data protection practices.

The discussion highlighted the importance of having robust procedures, clear governance and sufficient resources in place before periods of heightened activity begin.

For organisations in any sector, this serves as a useful reminder that compliance planning should account for periods of increased demand and unexpected operational pressures.

Why community matters in data protection

Another important takeaway from the discussion was the value of professional networks.

James explained how he worked with Data Protection Officers from other political parties to discuss common challenges and share experiences.

Despite political differences, many of the data protection issues faced by parties were remarkably similar.

The group provided an opportunity to exchange ideas, discuss regulatory developments and learn from one another’s experiences.

This reinforces a broader point that applies across every sector. Data protection can often feel isolating, particularly for individuals working in-house.

Building relationships with peers, sharing experiences and learning from others can be invaluable when dealing with complex challenges.

The Data Protection Made Easy community was created with this exact purpose in mind, bringing professionals together to discuss challenges, share knowledge and support one another.

Public trust and democratic engagement

The discussion also explored the relationship between public trust and data protection.

Political parties process significant volumes of personal information and must balance democratic engagement with individual privacy rights.

Public understanding of how electoral data is used is often limited, creating concerns around political profiling, campaign communications and voter engagement.

James highlighted the importance of transparency and helping individuals understand how and why their information is being processed.

This challenge is not unique to politics. Organisations across every sector face increasing expectations around transparency, accountability and responsible data use.

Building trust requires more than simply meeting legal requirements. It requires organisations to demonstrate that they are handling information responsibly and in ways that align with people’s expectations.

Data protection and the future of AI

Towards the end of the discussion, the conversation shifted towards the future of data protection.

Artificial intelligence, advanced analytics, digital identity solutions and large-scale data sharing initiatives are creating new opportunities and new risks.

James argued that data protection professionals will play a critical role in helping organisations navigate these developments responsibly.

Reflecting on the future of the profession, he stated: “The importance of what we do will grow to a level of significance I don’t think we even understand properly yet.”

As organisations increasingly rely on data-driven technologies, privacy professionals will be required to balance innovation with governance, accountability and individual rights.

The conversation highlighted how the role of the Data Protection Officer continues to evolve beyond compliance alone, becoming increasingly connected to strategy, trust and organisational decision-making.

Giving individuals greater control over their data

Another theme explored during the discussion was the future of individual control over personal information.

As digital services become more connected, expectations around transparency and user control are likely to increase.

James explained: “People will have more power over their data and have more agency over it.”

This vision reflects a broader shift towards empowering individuals to understand, manage and control how their personal information is used.

Whether through enhanced transparency, digital identity initiatives or improved governance frameworks, organisations are likely to face increasing expectations around giving people greater visibility and control over their information.

What organisations can learn from political data protection

Whilst few organisations operate under the same level of scrutiny as a national political party, many of the lessons discussed throughout this episode apply across every sector.

Strong governance, effective stakeholder relationships, transparent regulatory engagement, practical compliance processes and a clear understanding of risk remain fundamental regardless of industry.

The discussion provided a fascinating insight into one of the most unique data protection environments in the UK whilst reinforcing principles that every organisation can learn from.

Whether managing Subject Access Requests, engaging with regulators, implementing new technologies or building trust with stakeholders, the core principles of good data protection remain the same.

For organisations looking to strengthen governance and improve compliance, our Data Protection Support Service, Outsourced DPO Service and Training and Awareness Services can help build a stronger and more resilient approach to data protection.


Frequently Asked Questions About Political Data Protection

Can political parties access electoral register data?

Yes. Political parties can access electoral register information under specific legal provisions designed to support democratic engagement and electoral processes.

Are political opinions special category data?

Yes. Political opinions are classified as special category data under UK GDPR and require additional protections when processed.

Do political parties need consent to send political communications?

The requirements depend on the type of communication, the recipient and the legal basis being relied upon. Political communications can involve a complex interaction between UK GDPR, PECR and electoral legislation.

Why do political parties process personal data?

Political parties process personal data to support campaigning activities, democratic engagement, membership management, constituency casework and voter communications.

What role does the ICO play in political data protection?

The ICO regulates compliance with UK data protection legislation and can investigate complaints, issue enforcement action and provide guidance to political organisations.

Why is data protection important during elections?

Elections often involve large-scale processing of personal information, increased public scrutiny and heightened regulatory attention. Strong governance helps ensure information is handled lawfully, fairly and transparently.

Training That Actually Changes Behaviour

Training That Actually Changes Behaviour: Why Effective Data Protection Training Goes Beyond Compliance

Data protection training is often treated as a compliance exercise, something that must be completed, recorded and repeated each year. However, as discussed during a recent episode of the Data Protection Made Easy podcast, training only delivers real value when it changes behaviour.

Hosted by Caine Glancy and Catarina Pereira dos Santos, the session explored why traditional training approaches often fail to influence day-to-day decision-making and what organisations can do to create lasting behavioural change.

Whilst completion rates and quiz scores may demonstrate that training has taken place, they do not always show whether employees understand how to apply data protection principles in real situations. The discussion highlighted the importance of moving beyond tick-box compliance and creating training that is practical, engaging and relevant to the people receiving it.

If your organisation is looking to strengthen its data protection culture, our Data Protection Training and Awareness Services, Data Protection Support Service and Outsourced DPO Service can help build awareness, confidence and compliance across your organisation.

Why most data protection training fails

One of the key themes from the discussion was the difference between providing information and creating behavioural change.

Whilst it is relatively straightforward to explain the requirements of the UK GDPR, helping people understand how those requirements apply to their daily responsibilities is often far more challenging.

Catarina explained that effective training cannot simply focus on theory and legal requirements alone, stating: “It needs to be practical. It needs to be a thing that’s practical and achievable for everyone.”

Employees deal with personal data every day through emails, customer interactions, records management, Subject Access Requests and information sharing. If training does not connect directly to these activities, it is unlikely to influence behaviour when it matters most.

Why behavioural change matters

Successful training should not be measured solely by attendance records or assessment results.

The real objective is to help staff recognise risks, make informed decisions and apply data protection requirements confidently in practice.

As discussed during the episode, organisations should consider whether employees are able to identify personal data breaches, understand when a Subject Access Request has been received and make appropriate decisions when handling personal data.

Catarina highlighted the challenge many organisations face when measuring success, commenting: “On the measuring of the training side of things, actually I’m a superstar. I’ve passed it, I’ve done it on a regular basis.”

Without these practical outcomes, even the highest completion rates may provide a false sense of confidence.

Moving beyond tick-box compliance

Training records may show that staff have attended sessions, completed e-learning modules and passed assessments, but this does not necessarily mean that knowledge has translated into action.

An employee may achieve a strong quiz score yet continue to make avoidable mistakes, such as sending information to the wrong recipient, failing to recognise a personal data breach or misunderstanding their responsibilities under data protection legislation.

This is why effective training must focus on practical understanding rather than simply demonstrating attendance.

As Catarina explained: “What actually changes the behaviour is not just the records.”

Organisations should aim to create learning experiences that help employees understand the risks most relevant to their role and provide them with the confidence to respond appropriately when those situations arise.

Practical training creates lasting change

Throughout the discussion, both hosts emphasised the value of practical learning.

Interactive workshops, scenario-based exercises and practical demonstrations often deliver stronger outcomes than traditional presentation-led training alone.

Catarina highlighted the importance of hands-on learning, explaining: “There is nothing else as doing it in practical.”

Subject Access Requests provide a useful example. Rather than simply explaining the legislation, participants can work through realistic requests, identify relevant personal data, consider exemptions and discuss how they would respond.

People may not remember every slide from a training session, but they often remember the situations they worked through themselves.

Caine reinforced this point, stating: “The best training is when you can get people talking and you can get them thinking about it afterwards.”

Why one-size-fits-all training rarely works

Another important topic covered during the episode was the need to tailor training to different audiences.

Different teams interact with personal data in different ways, which means their risks and responsibilities are often very different.

The information required by Human Resources teams may differ significantly from the needs of Marketing, IT, Customer Service or Senior Leadership teams.

Caine explained: “You’ve got to know who you’re talking to.”

He went on to emphasise the importance of role-specific training, adding: “What they need to know is what’s going to relate to their role.”

Employees are more likely to engage when they can clearly see how the content relates to their day-to-day responsibilities. Using department-specific examples and practical scenarios helps make training more relevant and memorable.

The role of the trainer

The conversation also explored an often-overlooked factor in successful learning: the trainer themselves.

Even well-designed training programmes can struggle to engage learners if they are delivered without energy, enthusiasm or practical insight.

Caine explained: “Training is only really as good as the person who is delivering it.”

Effective trainers help participants understand why data protection matters, encourage discussion and create an environment where people feel comfortable asking questions.

Importantly, successful delivery is not about personality alone. It is about demonstrating genuine passion for the topic and helping learners understand how the subject applies to their own experiences and challenges.

As Caine highlighted: “You have to bring energy and you have to bring excitement to the topic to make them care about it.”

Training alone is not enough

One of the most important takeaways from the episode was that training should not be viewed as a one-off event.

Catarina stressed this point, explaining: “The training is not just a one time thing.”

People forget information, processes change and new risks emerge. Organisations that rely solely on annual refresher training often find that important messages fade long before the next session takes place.

Regular communications, awareness campaigns, newsletters, posters, team discussions and practical reminders help keep data protection visible and relevant.

Catarina explained: “You should be expecting to have awareness campaigns, posters, sending emails, newsletters in a constant way.”

A strong data protection culture is built through continuous reinforcement rather than a single annual training session.

Leadership sets the tone

The episode also highlighted the importance of leadership involvement.

When senior leaders actively support data protection initiatives, attend training sessions and reinforce key messages, employees are more likely to recognise the importance of compliance and good information governance.

Caine explained the value of leadership engagement, stating: “If you can get the buy-in from them, it will always trickle down.”

Managers also play an important role in embedding learning after training has taken place. They are often best placed to reinforce expectations, answer questions and identify areas where additional support may be needed.

Creating meaningful behavioural change requires commitment from every level of the organisation.

Measuring training success differently

Many organisations continue to measure training success through attendance figures, completion rates and assessment scores.

Whilst these metrics provide useful information, they only tell part of the story.

The more important question is whether behaviour has changed. Are staff reporting incidents more quickly? Are fewer emails being sent to the wrong recipients? Are Subject Access Requests being identified earlier? Are teams considering privacy risks at the start of projects rather than after problems occur?

These indicators often provide a much clearer picture of whether training is having a meaningful impact.

As Catarina highlighted throughout the discussion, meaningful success is demonstrated through practical outcomes rather than training records alone.

Creating training that delivers real results

The discussion reinforced a simple but important message. Effective data protection training is not about achieving compliance for compliance’s sake. It is about helping people understand their responsibilities and giving them the confidence to make better decisions when handling personal data.

Caine summarised one of the key principles discussed during the session, stating: “Training can never be one size fits all.”

Organisations that focus on practical learning, ongoing awareness, tailored content and strong leadership support are far more likely to create lasting behavioural change.

For organisations looking to strengthen their approach, our Data Protection Training and Awareness Services, Data Protection Support Service and Outsourced DPO Service can help create effective training programmes that move beyond compliance and support a stronger data protection culture.


Frequently Asked Questions About Data Protection Training

Why is data protection training important?

Data protection training helps employees understand how to handle personal data correctly, recognise risks, identify potential breaches and comply with data protection legislation.

How often should staff receive data protection training?

Most organisations provide annual refresher training, but ongoing awareness activities throughout the year are equally important to reinforce learning and maintain good practices.

What makes data protection training effective?

Effective training is practical, relevant to the audience, interactive and supported by ongoing awareness activities that reinforce key messages.

Should different teams receive different training?

Yes. Different departments face different risks and responsibilities. Tailoring training to specific roles often improves engagement and learning outcomes.

How can organisations measure whether training is working?

Rather than focusing solely on attendance and completion rates, organisations should look for behavioural indicators such as improved incident reporting, reduced errors and stronger awareness of data protection responsibilities.

Can training alone create a strong data protection culture?

No. Training is only one part of the solution. Ongoing awareness, leadership support and regular reinforcement are all essential for creating a strong and sustainable data protection culture.

Our Events & Webinars

Industry Leading Discussions

We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.


Get Support With Data Protection And Cyber Security

Our mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.