The UK's #1 Data Protection Consultancy

Data Protection & Information Security Experts

Data Protection Made Easy.

Join our extensive list of clients who have their data privacy under control

Accelerate Your Data Protection Compliance

Save Time, Save Money and Relax: You’re In Safe Hands

Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.

GDPR Training

Data Protection People have a wide range of training services catering for every need. Whether it's general training for operational or admin staff or specific training for specialist roles, we have something for you. Watch the short video below to meet the team and find out more about our training services.


Information Management Software

DataWise is the original privacy tech platform designed to simplify GDPR compliance management. Since its inception in 2011, DataWise has continuously evolved, solidifying its reputation as the pioneering "privacy tech" solution.


Data Protection Consultancy

Unlock Compliance Excellence with Our GDPR Consultancy Services. Navigating the intricate realm of data protection laws and standards demands expert guidance.


Outsourced DPO

A data protection officer doesn't have to be a full time employee and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services or reach out and get in touch with us.


Need Help With Cyber Security Compliance?

We Have You Covered!

At Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.

PCI DSS Compliance Services for Merchants

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.


PCI DSS Compliance Services for Service Providers

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.


External Attack Surface Management

Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.


ISO 27001

Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.


Supporting DPOs

Flexible Support When You Need It

At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.

Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.

Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.

Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.

Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.

Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.

Diverse Sector Experience

Access to a Team of Industry Experts

At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.

Commercial Sector

Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.

SMEs

Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimise your operations, and scale confidently with our tailored solutions that prioritise your unique business needs.

Third Sector

For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.

Multi Nationals

For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavours with resilience.

Public Sector

In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.

Why Use Our Outsourced DPO Services?

Save Time, Money and Guarantee Compliance

Navigating the intricate landscape of data protection demands more than just a DPO — it requires a dedicated team committed to excellence. Our Outsourced DPO Services extend beyond the traditional role, offering a comprehensive approach to legal compliance and pragmatic solutions.

Why Choose Outsourcing?

An outsourced DPO brings a wealth of experience, not just in the law but also in crafting workable solutions. Their impartiality is fortified by a team of privacy practitioners, ensuring that your organisation benefits from a spectrum of expertise. Should the need arise, seamless coverage during absences is guaranteed, eliminating the vulnerability associated with a single in-house DPO.

Staying Headache-Free

Concerned about the disruption if your DPO moves on? With an outsourced model, transitions are smooth, and you won’t experience the sudden headache of a critical role vacancy. The continuity provided by a team ensures that your data protection responsibilities are seamlessly handled.

Compliance Tailored to You

Our Outsourced DPO Services align seamlessly with your legal obligations, whether you’re mandated to appoint a DPO or choose to do so voluntarily. We understand that compliance is not just about ticking boxes but about ensuring a robust, practical approach to data protection. Choose Data Protection People for a worry-free, compliance-driven outsourced DPO solution — because your data protection journey should be as smooth as it is secure.

“I can't recommend Data Protection People enough, they have helped me in so many different areas, no matter how complex the challenge or how large the obstacle, DPP always has the answer.

I can call the team at any time and have built an amazing relationship with them, in times of frustration they are here to calm me down and create a plan, they are a pleasure to work with.”

Mark Leete
Eastlight Community Homes

‘I found the FOI training session to be highly informative and well-structured. It covered all the key areas comprehensively and provided clear, practical guidance throughout. The content was easy to follow, and the delivery by Gary was engaging, making complex topics accessible and understandable.’

‘The training session has really helped me to understand the IG rep role a bit more and what I need to be thinking about when receiving a request for information.’

Charlene Haynes & Team
Tendring District Council

“I have worked with the Data Protection People for some time now. Their expertise has been drawn upon to assist us with our GDPR compliance gap analysis project, ROPA design and production through to conducting objective reviews and surveys. They are always available to help us out and their advice and guidance is excellent and delivered in a timely way. Special mentions to Kathy Midgley, Phil Brining, and David Hendry. A great, reliable and dependable service!”

Judy Barker
Dyslexia Action

“A great service and peace of mind. Data Protection People provides a well-rounded service to ensure customers are fully supported in their approach to GDPR compliance. My interaction has largely been with the following people: Kathy Midgley – another great asset to the organisation. Always approachable, always helpful and consistently supportive to the team and customers.”

Julie Ferguson
Veritau

“We have been working with the Data Protection People for many years now, and have found them to be insightful, helpful, and knowledgeable in all areas of Data Protection Compliance. Data Protection People have taken the time to understand our business, the regulatory environment we sit under, and the unique challenges we face in the industry. They have supported us in all areas of Information and Data Security, assisting in assessments of our policies and changes to our processes. They are always willing to go the extra mile and prioritise support where required.”

Nia Roberts
Woodgate & Clarke

Data Protection People Blogs & Podcasts

Data Privacy Learning & Guidance

Data Protection People have the UK’s #1 Data Protection Podcast, with over 150 episodes available across all audio streaming platforms. We also post regular content designed to simplify complex areas of data protection and cyber security. Check out some of the podcasts and articles below and make data protection easy today.

Political Data Protection: Lessons from a Former Labour Party DPO

Inside Political Data Protection: Lessons from Former Labour Party DPO James Robson

Data protection professionals are often tasked with balancing regulatory compliance and organisational objectives. Whilst this challenge exists across every sector, the stakes can become significantly higher when personal data sits at the centre of political campaigning, public scrutiny, and national attention.

In a recent episode of the Data Protection Made Easy podcast, host Caine Glancy was joined by James Robson, former Data Protection Officer (DPO) for The Labour Party, to discuss his experiences managing privacy and compliance within one of the UK’s most visible political parties.

The conversation provided a fascinating insight into the realities of data protection within politics, whilst also highlighting lessons that are relevant to organisations far beyond Westminster.

When Data Protection Becomes a Priority Too Late

One of the most striking aspects of the discussion was James’ description of the environment he inherited when joining The Labour Party.

The organisation had spent a significant period without a dedicated DPO and was continuing to deal with the fallout from a major data breach. Alongside this were unresolved data subject access requests, deletion requests, open complaints, regulatory scrutiny, and thousands of privacy-related enquiries awaiting review.

James explained that, upon joining, he discovered open ICO complaints, significant DSAR backlogs, and even a privacy mailbox containing more than 10,000 unopened emails.

Whilst the scale of these challenges was unusual, the underlying lesson is one many organisations will recognise. Data protection issues rarely emerge overnight. More often, they develop gradually through a combination of competing priorities, limited resources, and a lack of ongoing oversight.

Allowing data protection responsibilities to accumulate without a dedicated resource, whether an internal DPO or an outsourced DPO service, creates compounding risk. The longer a backlog grows, the more difficult and costly it becomes to resolve.

The Importance of Relationships in Effective Data Protection

Throughout the episode, James repeatedly returned to the importance of building relationships across an organisation.

Rather than approaching departments as a compliance function looking to identify faults, James described spending time understanding how teams operated, what challenges they faced, and how data protection could support organisational objectives.

This approach, rooted in collaboration rather than enforcement, is one of the most consistently cited factors in effective data protection leadership. Compliance culture cannot be mandated; it must be grown through trust, communication, and mutual understanding.

Building Constructive Relationships with Regulators

Faced with ongoing scrutiny from the Information Commissioner’s Office (ICO), James described how he took a different approach to regulatory engagement than had previously been adopted.

Rather than attempting to keep the regulator at a distance, he advocated for greater transparency and closer collaboration. He explained that rebuilding trust with the ICO became a key priority and that establishing an open dialogue helped create a more constructive relationship moving forward.

This is a valuable reminder that the ICO, whilst a regulatory body, is not an adversary. Organisations that engage proactively, particularly when addressing legacy issues, are often in a stronger position than those that disengage or become defensive.

The Unique Challenges of Political Data

Political opinions are classified as special category data under UK GDPR, meaning additional protections and requirements apply to their processing.

James explained how political parties lawfully access and use electoral register data, the role of democratic engagement provisions, and the complexities involved in distinguishing between democratic engagement and political marketing.

Under Article 9 of the UK GDPR, political opinions are special category data. Processing them requires a lawful basis under Article 6 and a separate condition under Article 9, such as explicit consent or a specific exemption applying to political parties and democratic engagement activities.

These distinctions matter enormously in practice. The line between lawful outreach under democratic engagement provisions and unlawful direct marketing is not always clear, and political parties face heightened public and regulatory attention when that line is crossed.

Community and Collaboration Within the Profession

Another interesting insight from the episode was James’ decision to bring together data protection professionals from different political parties to discuss common challenges and share experiences.

Regardless of political affiliation, DPOs operating within parties face structurally similar challenges, managing large volumes of supporter data, navigating democratic engagement provisions, and operating under significant public scrutiny.

James found that creating space for cross-party professional dialogue was genuinely useful, and it speaks to a broader principle: the data protection profession benefits enormously from peer learning and shared experience.

Key Takeaways

  • Data protection issues develop gradually. Proactive governance and a dedicated DPO resource can prevent backlogs from compounding into a crisis.
  • Building relationships across an organisation is just as important as technical compliance knowledge. Effective DPOs embed themselves into the business rather than acting solely as an audit function.
  • Transparency with the ICO builds trust. Engaging proactively with regulators, particularly when addressing legacy issues, often leads to more constructive outcomes than avoidance.
  • Political opinions are special category data under UK GDPR and require additional justification for processing. The distinction between democratic engagement and political marketing is complex and must be carefully managed.
  • Compliance must be embedded into organisational culture. Accountability and transparency are not simply regulatory obligations; they are foundations of effective data protection leadership.
  • Peer learning matters. Data protection professionals benefit from sharing experiences across sectors and, where appropriate, even across organisations that might otherwise be considered competitors.

About James Robson

James Robson is the former Data Protection Officer for The Labour Party. He joined the organisation during a period of significant regulatory scrutiny and was responsible for rebuilding compliance infrastructure, clearing substantial backlogs of DSARs and ICO complaints, and re-establishing constructive engagement with the Information Commissioner’s Office.

Need Expert Data Protection Support?

Whether you are managing a backlog of DSARs, navigating ICO scrutiny, or looking to strengthen your compliance culture, Data Protection People can help.

Our team supports organisations across the UK with outsourced DPO services, compliance programmes, training, audits, and practical advice designed to make data protection easy to understand and easy to do.

Celebrating 250 Episodes

Celebrating 250 Episodes of the Data Protection Made Easy Podcast

250 Episodes Later, We’re Just Getting Started

This week marks a huge milestone for everyone involved in the Data Protection Made Easy community as we celebrate our 250th podcast episode.

What started as a simple idea has grown into the UK’s number one data protection podcast, bringing together thousands of professionals from across the public, private and third sectors to discuss the latest developments in data protection, privacy, information governance and cyber security.

Today, the community has grown to more than 1,700 subscribers, attracts over 100 live attendees every single week, and has generated more than 20,000 streams on Spotify alone. What makes us most proud, however, is not the numbers. It is the community that has formed around them.

For 250 episodes, our goal has remained exactly the same: to make data protection easier to understand, more accessible, and more practical for organisations of all sizes.

Why We Started the Podcast

Back when the podcast first launched, there were very few places where data protection professionals could come together regularly to discuss real-world challenges.

Most of the information available was either highly technical, heavily legalistic, or difficult for busy professionals to digest.

At Data Protection People, we recognised a gap.

We wanted to create a space where professionals could learn from one another, ask questions, share experiences and discuss the practical realities of managing data protection within organisations.

Rather than lengthy presentations or sales pitches, we wanted conversations.

Conversations about the issues that organisations are genuinely facing every day.

Conversations about legislation, regulatory changes, subject access requests, international data transfers, cyber security incidents, artificial intelligence, children’s data, marketing compliance, Freedom of Information requests and everything in between.

Most importantly, we wanted those conversations to be accessible to everyone, regardless of whether they were a seasoned Data Protection Officer or completely new to the profession.

More Than a Podcast, A Community

Over the years, something remarkable happened.

The podcast stopped being just a podcast.

It became a community.

Every Friday at lunchtime, professionals from across the UK and beyond join us live to discuss current issues, share experiences and learn from one another.

Many attendees have been joining us for years. New faces arrive every week. Friendships have formed. Professional networks have grown. Career opportunities have been created.

The Data Protection Made Easy community has become a place where people can ask questions without judgement, share challenges openly and gain insights from others facing similar situations.

This collaborative approach is what makes the community special.

No one person has all the answers in data protection. The best outcomes often come from sharing perspectives and learning from the experiences of others.

What We Cover

Across 250 episodes, we have covered virtually every area of data protection and information governance.

Topics have included:

  • UK GDPR compliance
  • Data Protection Act 2018
  • Subject Access Requests
  • Personal Data Breaches
  • International Data Transfers
  • Data Protection Impact Assessments
  • Artificial Intelligence
  • Cookies and PECR
  • Freedom of Information
  • Children’s Data
  • Law Enforcement Processing
  • Direct Marketing
  • Data Retention
  • Employee Monitoring
  • Cyber Security
  • PCI DSS
  • ISO 27001
  • Emerging regulatory developments
  • ICO guidance and enforcement action

Our aim has always been to provide practical takeaways that attendees can apply within their organisations immediately.

The Impact So Far

The numbers tell part of the story:

  • 250 episodes delivered
  • 1,700+ community subscribers
  • 100+ live attendees every week
  • 20,000+ Spotify streams
  • Hundreds of hours of free educational content
  • Thousands of professionals reached across the UK

But the real impact lies in the feedback we receive.

We regularly hear from practitioners who have used insights from the podcast to improve compliance programmes, handle complex requests, respond to breaches, influence senior leadership teams and develop their own careers.

Many attendees tell us the podcast has become a key part of their professional development.

That is exactly why we continue to invest in it.

Bringing Data Protection Professionals Together

One of the most exciting developments over recent years has been taking the community beyond the virtual world.

The relationships built through the podcast have led to in-person events, workshops, roundtable discussions and networking opportunities.

These events allow community members to meet face-to-face, share experiences and continue conversations that started during our weekly sessions.

The success of these events has reinforced something we have always believed:

Data protection is ultimately about people.

The strongest compliance programmes are built through collaboration, shared learning and open discussion.

Looking Ahead to the Next 250 Episodes

While reaching 250 episodes is a fantastic achievement, we see it as just the beginning.

The world of privacy, data protection and cyber security is changing faster than ever before.

Artificial intelligence continues to reshape how organisations process personal data.

The Data (Use and Access) Act is bringing significant changes to the UK regulatory landscape.

New technologies, evolving threats and increasing public awareness mean organisations face fresh challenges every year.

Our commitment is to continue helping professionals navigate those challenges.

Over the coming years, attendees can expect:

  • More expert guest speakers
  • More practical workshops
  • More community-driven discussions
  • More in-person networking events
  • More training opportunities
  • Greater coverage of AI and emerging technologies
  • Expanded cyber security content
  • Continued analysis of UK and international developments

Most importantly, we will continue providing a free platform where professionals can learn, network and stay informed.

How to Join the Community

Joining the Data Protection Made Easy community is completely free.

Every Friday at lunchtime, we host a live session where attendees can watch discussions, ask questions, network with peers and participate in conversations about the latest developments in data protection, privacy and cyber security.

You can also catch up on previous episodes through Spotify, Apple Podcasts and other major podcast platforms, with more than 250 episodes now available on demand.

Whether you are a Data Protection Officer, Information Governance professional, compliance specialist, cyber security practitioner, senior leader, or simply someone with an interest in privacy and data protection, there is a place for you within the community.

To join the community, subscribe to the Data Protection Made Easy podcast and register for our free weekly live sessions via the Data Protection People website.

Thank You

Reaching 250 episodes would not have been possible without the incredible support of our speakers, guests, contributors and community members.

Thank you to everyone who has joined a live session, listened to an episode, asked a question, shared an insight, attended an event or recommended the podcast to a colleague.

You are the reason this community exists.

Here’s to the next 250 episodes.

Join the Data Protection Made Easy Community Today

  • Live every Friday at lunchtime
  • 250+ episodes available on demand
  • 1,700+ subscribers
  • 100+ live attendees every week
  • 20,000+ Spotify streams
  • Free to join

Because data protection should be made easy.

Training That Actually Changes Behaviour

Data protection training is often treated as a compliance requirement, something that must be completed, recorded, and repeated each year. But if training does not change how people behave in practice, has it really worked?

Data Protection Made Easy Podcast. Episode: Training That Actually Changes Behaviour. Hosted by: Caine Glancy & Catarina Pereira dos Santos.

In a recent episode of the Data Protection Made Easy podcast, Caine Glancy and Catarina Pereira dos Santos discussed what makes data protection training effective, why so much training fails to influence day-to-day behaviour, and how organisations can move beyond tick-box learning.

The discussion focused on a key point that many organisations will recognise: completing a training module is not the same as understanding how to apply data protection in real situations. Attendance, quiz scores, and completion rates may show that training has taken place, but they do not always show whether staff know what to do when they handle personal data at work.

Why most data protection training fails

One of the central themes of the episode was the difference between training that informs people and training that changes behaviour. It is relatively easy to explain what the UK GDPR says. It is much harder to help staff understand what that means for their own role, their own systems, and the real decisions they make every day.

Caine explained that training cannot simply be a case of telling people what the law says and expecting them to translate that into practical action. Different people learn in different ways, and the best trainers are able to make complex information understandable to a wide range of audiences.

Effective training should leave people knowing what they have learned, why it matters, and how to apply it in practice.

This is particularly important in data protection because staff are not usually dealing with abstract legal principles. They are responding to emails, handling subject access requests, sharing information, using systems, speaking to customers, managing records, and making judgement calls. If training does not connect directly to those situations, it is unlikely to influence behaviour when it matters most.

Why this matters for your organisation

Training should not be measured by completion alone. Organisations need to consider whether staff can recognise risks, make better decisions, and apply data protection requirements confidently in their daily work.

Moving beyond tick-box compliance

Catarina highlighted a common issue with traditional training: organisations often focus on whether someone attended the session, clicked through the slides, or passed the quiz. Whilst these records have value, they do not necessarily prove that training has been understood or applied.

For example, a member of staff may complete annual training and achieve a strong quiz score, but still repeatedly send emails to the wrong recipient, fail to recognise a personal data breach, or misunderstand when a data subject access request has been received. In that situation, the training record may look positive, but the behaviour has not changed.

This is why effective data protection training must be practical, relevant, and supported by ongoing awareness. It should help people understand the risks they are most likely to face and give them the confidence to act appropriately when those risks arise.

Practical training creates lasting change

Throughout the discussion, both hosts emphasised the importance of making training practical. Whilst understanding the legal framework is important, real learning happens when people can apply that knowledge to realistic situations.

This is why interactive exercises, real-world scenarios, workshops, and practical demonstrations are often far more effective than simply presenting information. When individuals actively participate in training, they are more likely to remember it, discuss it with colleagues, and apply it when similar situations arise in the workplace.

Subject access requests provide a good example. Rather than simply explaining the legislation, trainers can ask participants to review a request, identify relevant information, apply exemptions, and consider how they would respond. By working through realistic examples, staff gain confidence and develop practical skills that can be used immediately.

People rarely remember every slide from a training session, but they often remember the scenarios they worked through themselves.

Practical learning also creates opportunities for discussion. Staff can ask questions, challenge assumptions, and relate the topic directly to their own role. This often reveals misunderstandings that may otherwise go unnoticed until an incident occurs.

Why one-size-fits-all training rarely works

Another key theme from the episode was the need to tailor training to the audience. Different teams interact with personal data in different ways, which means their risks, responsibilities, and training needs are often very different.

The information that an HR team requires may be very different from what a marketing team, IT department, customer service team, or senior leadership group needs to understand. Delivering exactly the same training to every employee may be efficient, but it is not always effective.

Staff are far more likely to engage when they can clearly see how the content applies to their day-to-day responsibilities. Relevant examples, department-specific risks, and practical guidance make it easier for individuals to understand why the training matters to them personally.

Good practice

Consider whether different teams within your organisation would benefit from tailored examples, role-specific guidance, or dedicated workshops rather than relying solely on generic annual refresher training.

The role of the trainer

The conversation also explored an often-overlooked factor in successful learning: the trainer themselves.

Even the best training materials can fall flat if they are delivered without enthusiasm, engagement, or practical insight. Effective trainers bring energy to the subject, encourage participation, and help learners understand why the topic matters.

Importantly, this does not mean every trainer needs to have the same personality. Some are naturally more outgoing than others. What matters is demonstrating genuine passion for the topic and creating an environment where people feel comfortable asking questions and sharing experiences.

People are far more likely to engage with training when they can see that the trainer understands the challenges they face and is focused on helping them succeed rather than simply delivering information.

Training alone is not enough

One of the most important points raised during the discussion was that training should never be viewed as a one-off activity. Completing an induction session or annual refresher course is only one part of developing a strong data protection culture.

People forget information over time. New risks emerge. Processes change. Staff move into new roles. Organisations that rely solely on annual training sessions often find that important lessons are forgotten long before the next refresher arrives.

This is where awareness activities become critical. Regular communications, team discussions, newsletters, posters, brief reminders, and ongoing conversations all help reinforce key messages and keep data protection visible throughout the year.

A strong data protection culture is built through continuous reinforcement, not a single annual training session.

Awareness should also be relevant. Rather than simply distributing generic messages, organisations should use real examples, common mistakes, recent incidents, and practical guidance that staff can immediately relate to. This helps create an environment where data protection becomes part of everyday decision-making rather than something people only think about during training.

Leadership sets the tone

Creating meaningful behavioural change requires more than just good trainers and engaging content. Leadership support plays a significant role in determining whether training succeeds or fails.

When senior leaders actively support data protection initiatives, attend training, discuss compliance openly, and reinforce expectations, employees are more likely to recognise the importance of the topic. Conversely, if leadership treats training as a box-ticking exercise, staff are likely to adopt the same attitude.

Managers also have an important role to play after training has been delivered. They are often best placed to reinforce learning, answer questions, identify areas where additional support may be required, and encourage good practices within their teams.

Leadership tip

Data protection culture is far easier to establish when managers and senior leaders actively participate in awareness activities and demonstrate that compliance is a shared organisational responsibility.

Measuring success differently

Many organisations measure training success using attendance figures, completion rates, or assessment scores. Whilst these metrics can provide useful information, they only tell part of the story.

The real question is whether behaviour has changed. Are staff reporting incidents more quickly? Are fewer emails being sent to incorrect recipients? Are teams identifying subject access requests sooner? Are managers asking better questions about privacy risks before projects begin?

These behavioural indicators often provide a far more accurate picture of whether training is having a meaningful impact. They demonstrate whether learning has moved beyond theory and become embedded in day-to-day operations.

Organisations that focus solely on completion statistics risk missing the bigger picture. Successful training programmes should ultimately be judged by the decisions people make, not simply the certificates they receive.

Key takeaways

  • Training should focus on changing behaviour, not simply achieving completion rates or passing quiz scores.
  • Practical exercises, real-world scenarios, and interactive discussions are often more effective than purely theoretical learning.
  • One-size-fits-all training rarely delivers the best results. Different teams have different risks, responsibilities, and learning needs.
  • Training should be supported by ongoing awareness activities that keep data protection visible throughout the year.
  • Leadership engagement plays a crucial role in building a positive data protection culture and encouraging accountability.
  • Success should be measured by behavioural improvements and reduced risk, not solely by attendance records and certificates.

Frequently asked questions

What makes data protection training effective?
Effective data protection training is practical, relevant, engaging, and tailored to the audience. It helps individuals understand not only what the law requires, but also how those requirements apply to their day-to-day responsibilities.
How often should organisations provide data protection training?
Most organisations provide induction training for new starters and refresher training on a regular basis. However, training should be supported by ongoing awareness activities throughout the year to reinforce key messages and address emerging risks.
Why doesn’t annual training always improve compliance?
People naturally forget information over time. If training is delivered once a year without ongoing reinforcement, employees may struggle to remember important concepts when they encounter them in practice. Behavioural change requires continuous engagement and support.
How can organisations measure whether training is working?
Beyond attendance and quiz results, organisations should look at behavioural indicators such as incident reporting, data breach trends, subject access request handling, staff confidence levels, and the quality of data protection decision-making across the organisation.
Do different departments need different data protection training?
In many cases, yes. Whilst core data protection principles apply to everyone, different departments face different risks. Tailored training helps ensure employees receive guidance that is relevant to the information they handle and the decisions they make.


Caine Glancy & Catarina Pereira dos Santos

As experienced data protection practitioners, Caine and Catarina regularly deliver training and awareness programmes to organisations across a wide range of sectors. Their focus is on helping organisations move beyond compliance exercises and develop practical data protection cultures that support long-term behavioural change.

Looking to improve your organisation’s training and awareness programme?

Whether you need GDPR awareness training, role-specific workshops, leadership sessions, or ongoing support to strengthen your compliance culture, our consultants can help.

Speak to an expert →

Exploring Partnerships at Data Protection People

Jasmine Harrison joins Data Protection People as Partnership Manager, bringing years of hands-on data protection experience to help organisations explore and build meaningful partnerships.

Team Announcement

Jasmine Harrison

Partnership Manager · Data Protection People


We are absolutely thrilled to announce that Jasmine Harrison has been appointed as Partnership Manager here at Data Protection People. Jasmine expressed a strong personal interest in stepping into this new role, and it is easy to see why. The position draws on every dimension of her journey with us, from her very first days as a support consultant right through to her most recent work as a DPP consultant.

“This role encompasses everything I’ve absorbed over the years at DPP, and I’m excited to bring that experience to our growing network of partners.”

— Jasmine Harrison, Partnership Manager


Jasmine’s journey with DPP

Jasmine first joined Data Protection People in 2020 as a Data Protection Support Consultant. From there she went on to manage client accounts before taking time out to travel. She returned to DPP as a consultant, and now moves into this newly created Partnership Manager role, a natural next step that brings together everything she has built over the years.

2020

Data Protection Support Consultant

Jasmine joined DPP and quickly established herself as a knowledgeable and reliable support consultant, helping clients navigate their data protection obligations.

Account Management

Accounts Manager

Moving into account management, Jasmine developed strong, lasting relationships with clients and gained a clear commercial understanding of how DPP partnerships work in practice.

Time Out

Travelling

Jasmine took time out to travel, returning to DPP with fresh perspective and renewed energy for the work ahead.

Consultant

DPP Consultant

Back at DPP, Jasmine worked as a consultant, drawing on her support and account management background to deliver high-quality, practical advice to clients.

Now

Partnership Manager

Jasmine steps into her new role as Partnership Manager, bringing together the full breadth of her DPP experience to support and grow our partner network.


What Jasmine brings to partnerships

Jasmine’s path through DPP means she understands our work from almost every angle. That breadth of experience, across support, account management, and consultancy, is exactly what our expanding partnership programme needs.

Relationship building

Years of client-facing experience means Jasmine builds trust quickly and sustains strong partnerships over the long term.

Data protection knowledge

Deep, practical knowledge of data protection compliance means Jasmine can speak with authority to any prospective partner.

Commercial awareness

Her account management background gives Jasmine a sharp understanding of how partnerships create tangible value for both parties.

Consultancy mindset

Jasmine approaches every partnership with a practical, solutions-first perspective — always focused on what works in the real world.


Could a DPP partnership be right for your organisation?

We already work with a wide range of organisations through our partnership programme, and Jasmine is actively looking to connect with businesses who want to expand or enhance their services through a partnership with Data Protection People.

Whether you are an HR consultancy, a legal firm, an IT services provider, or any other organisation whose clients have data protection needs, there could be a real opportunity worth exploring together.

Get in touch to explore a partnership

Contact us and we will arrange an introductory call with Jasmine to discuss what a partnership with Data Protection People could look like for your organisation.

Get in touch with us

The First 72 Hours After a Breach

The First 72 Hours After a Breach: What Organisations Should Do Next

When a personal data breach occurs, the first few hours are often the most important.

The decisions made immediately after an incident can significantly influence the outcome, affecting regulatory obligations, reputational damage, customer trust and the overall response effort.

In a recent episode of the Data Protection Made Easy podcast, Caine Glancy and Catarina Pereira dos Santos discussed the practical actions organisations should take during the first 72 hours following a personal data breach.

The discussion explored breach containment, risk assessments, notifications, lessons learned and the common mistakes organisations make when responding to incidents.

Whilst every breach is different, the session reinforced a simple message. Organisations that respond quickly, assess risk properly and learn from incidents are often far better positioned to reduce harm and prevent future issues.

Containment should always come first

One of the most important points raised during the discussion was the need to contain an incident as quickly as possible.

Before organisations start thinking about reporting obligations, notifications or regulatory engagement, they need to understand what has happened and stop any ongoing unauthorised access, disclosure or loss of personal data.

As Catarina explained: “We need to contain it immediately.”

Containment actions will vary depending on the nature of the breach. This may involve recalling emails, disabling accounts, restricting access to systems, recovering documents or preventing further disclosure.

The key objective is to stop the incident from escalating whilst gathering enough information to understand what has happened.

Understanding the facts before assessing risk

Once the immediate situation has been contained, organisations need to establish the facts.

The discussion highlighted how many organisations rush straight to questions about whether a breach should be reported to the ICO without first understanding what has actually happened.

Before any meaningful risk assessment can take place, organisations need to identify what information was involved, who was affected, how the breach occurred, whether the information has been accessed and what mitigating actions have already been taken.

This information forms the foundation of any subsequent decision-making process.

Without context, it is almost impossible to determine whether a breach presents a risk to individuals or whether reporting obligations apply.

Not every breach is reportable

The session also addressed a common misconception. Not every personal data breach needs to be reported to the ICO.

Many organisations automatically assume that any breach involving personal data must be reported, whilst others incorrectly assume that low-risk incidents are not breaches at all.

In reality, every incident should be assessed on its own merits.

A misdirected email, accidental disclosure or inappropriate access may still constitute a personal data breach even if the risk to individuals is ultimately low.

The discussion reinforced the importance of assessing the specific circumstances rather than relying on assumptions.

As Caine explained, context is critical when evaluating risk and determining the appropriate response.

Why context matters when assessing risk

A recurring theme throughout the discussion was the importance of context.

Organisations often want a straightforward answer to whether a breach is reportable or whether affected individuals should be notified. However, data protection rarely works in absolutes.

Caine highlighted how difficult it can be to assess risk without understanding the full circumstances surrounding an incident.

A simple statement such as “an email was sent to the wrong person” does not provide enough information to determine the level of risk involved. Organisations need to understand the contents of the email, the sensitivity of the information, who received it and whether any mitigating actions have already been taken.

As Caine explained: “The key is always in the likely.”

Risk assessments should focus on what is realistically likely to happen as a result of the breach, rather than becoming overly focused on highly unlikely scenarios.

This is why context remains one of the most important elements of effective breach management.

When should organisations notify the ICO?

One of the most common questions raised following a breach is whether the incident needs to be reported to the Information Commissioner’s Office.

The discussion highlighted that organisations should avoid treating ICO reporting as an automatic response.

Instead, reporting decisions should be based on the outcome of a documented risk assessment and the likelihood of risk to individuals.

Where a breach is likely to result in a risk to the rights and freedoms of individuals, organisations are generally required to notify the ICO within 72 hours of becoming aware of the incident.

However, the hosts also acknowledged that many organisations struggle with this decision-making process, particularly when dealing with complex incidents or limited information.

For smaller organisations without dedicated privacy teams, understanding reporting thresholds can be one of the most challenging aspects of breach management.

Should affected individuals always be informed?

The session also explored another area that frequently causes uncertainty: notifying affected individuals.

Many organisations assume that if a breach has occurred, the individuals involved must automatically be informed. However, this is not always the case.

Whilst transparency remains a fundamental principle of data protection, notifications should have a clear purpose.

As Catarina explained, the purpose of notifying individuals is not simply to tell them that a breach has happened. It is to allow them to take action where there is an active risk to them.

If a breach creates a high risk to an individual’s rights and freedoms, notifying them may allow them to protect themselves from fraud, identity theft, financial loss or other harms.

Where there is no ongoing risk, organisations may decide that notification is unnecessary.

The discussion highlighted the importance of carefully balancing transparency, risk and potential distress when making these decisions.

The risks of over-notification

Whilst organisations are often concerned about under-reporting breaches, the discussion highlighted that over-notification can also create problems.

Informing individuals about every low-risk incident may cause unnecessary concern, particularly where no meaningful action is required on their part.

Some individuals may understandably assume the worst when they hear the phrase “data breach”, regardless of the actual level of risk involved.

In certain circumstances, notifying individuals about low-risk incidents may create confusion, anxiety and additional complaints without providing any practical benefit.

This is why notification decisions should always be proportionate and based on a thorough assessment of the circumstances.

As the discussion demonstrated, there is rarely a one-size-fits-all approach.

Caine reinforced this point by explaining: “Nothing in data protection is a one size fits all kind of thing.”

Every breach is an opportunity to learn

One of the strongest messages from the session was that organisations should view breaches as learning opportunities.

Even low-risk incidents can reveal weaknesses in processes, training, systems or controls.

Rather than simply recording an incident and moving on, organisations should take the time to identify trends and recurring issues.

As Caine explained: “The main thing really is treating it as lessons learned always.”

If multiple incidents occur for similar reasons, such as misdirected emails, access errors or process failures, this may indicate a wider issue that requires attention.

Reviewing breach data collectively often provides valuable insight into where improvements can be made.

The discussion highlighted how organisations can use incidents to strengthen controls, improve staff awareness and reduce the likelihood of future breaches.

Getting value from incidents

Closely linked to the lessons learned approach was the idea of extracting value from incidents wherever possible.

Breaches are rarely desirable, but they can provide useful information about organisational weaknesses and areas for improvement.

As Caine commented: “You’ve got to try and claim some benefit back from it where you can.”

This might involve updating procedures, improving training, introducing additional technical controls or reviewing existing risk assessments.

By treating breaches as opportunities for continuous improvement, organisations can often strengthen their overall data protection framework.

What organisations should do after a breach

Once the immediate response has been completed, the discussion highlighted the importance of reviewing the incident in full.

This should include documenting what happened, assessing the effectiveness of the response, identifying any improvements and updating relevant policies or procedures where necessary.

Organisations should also consider whether additional staff training, awareness campaigns or technical measures may help prevent similar incidents in the future.

The first 72 hours are important, but the actions taken afterwards are often what determine whether an organisation genuinely learns from an incident.

A practical approach to breach management

The session reinforced a practical and proportionate approach to managing personal data breaches.

Contain the incident, establish the facts, assess the risk, determine whether reporting obligations apply and identify opportunities for improvement.

Whilst every breach is different, organisations that follow these principles are often better positioned to respond effectively, reduce harm and strengthen compliance over time.

Most importantly, the discussion highlighted that effective breach management is not just about regulatory compliance. It is about protecting individuals, maintaining trust and continuously improving organisational practices.


Need support managing personal data breaches?

Managing a personal data breach can be challenging, particularly when organisations are under pressure to assess risk, make reporting decisions and communicate effectively with regulators and affected individuals.

Our Data Protection Support Service, Outsourced DPO Service and Training and Awareness Services help organisations build effective breach management processes, improve governance and strengthen compliance.

Whether you’re responding to an incident, reviewing your breach procedures or looking to improve organisational awareness, our team can help you manage data protection with confidence.


Frequently Asked Questions About Personal Data Breaches

What should organisations do immediately after discovering a data breach?

The first priority should be containing the incident to prevent any further unauthorised access, disclosure, loss or destruction of personal data. Once contained, organisations should establish the facts and begin assessing risk.

Does every personal data breach need to be reported to the ICO?

No. Organisations should assess whether the breach is likely to result in a risk to the rights and freedoms of individuals. Not all breaches meet the threshold for ICO notification.

How quickly must a breach be reported to the ICO?

Where a breach is reportable, organisations are generally required to notify the ICO within 72 hours of becoming aware of the incident.

Do organisations always need to notify affected individuals?

No. Individuals generally need to be informed where the breach is likely to result in a high risk to their rights and freedoms. Notification decisions should be based on a documented risk assessment.

Why is a risk assessment important following a breach?

A risk assessment helps organisations understand the potential impact on affected individuals and determine whether reporting or notification obligations apply.

What can organisations learn from data breaches?

Even low-risk incidents can reveal weaknesses in processes, systems, training or controls. Reviewing breaches helps organisations identify trends, strengthen governance and reduce future risk.

Data Protection in the Next Election: Lessons from Former Labour Party DPO James Robson

Data Protection in the Next Election: Insights from Former Labour Party DPO James Robson

Political parties process vast amounts of personal data, from electoral registers and supporter databases to campaign communications, fundraising activities and voter engagement initiatives. Yet despite the scale of this processing, many people have little visibility into the data protection challenges operating behind the scenes.

In a special episode of the Data Protection Made Easy podcast, Caine Glancy was joined by James Robson, former Data Protection Officer for The Labour Party, to discuss what data protection looks like inside one of the UK’s most scrutinised organisations.

The discussion explored regulatory investigations, Subject Access Requests, electoral data, political campaigning, public trust, governance and the future of data protection in democratic processes.

Drawing on his unique experience, James shared practical insight into the realities of managing compliance in a highly political, highly visible and constantly evolving environment.

If your organisation is navigating complex data protection challenges, our Data Protection Support Service, Outsourced DPO Service and Training and Awareness Services help organisations strengthen governance, improve compliance and build trust.

Walking into a compliance crisis

One of the most striking moments from the discussion came when James described his first experience of joining The Labour Party.

Rather than inheriting a mature compliance programme, he found a significant backlog of privacy requests, open regulatory investigations and unresolved compliance issues.

Reflecting on the experience, James explained: “I walked into a burning building not realising it was a burning building.”

He described discovering unanswered Subject Access Requests, deletion requests and ongoing ICO engagement linked to historic compliance challenges.

At the time, there were numerous open complaints, significant operational issues and substantial work required to restore confidence in the organisation’s compliance framework.

The discussion highlighted how quickly data protection risks can escalate when governance arrangements are not maintained and why organisations should avoid viewing compliance as something that can simply be paused or deprioritised.

Why governance matters

The conversation reinforced a reality many data protection professionals will recognise. When governance processes are not maintained, problems rarely remain isolated.

Unanswered requests become complaints. Complaints become regulatory attention. Regulatory attention creates pressure, scrutiny and operational disruption.

Good governance is often most visible when things go wrong. Effective processes, documented decision-making, clear accountability and regular oversight can help organisations identify issues early and reduce the likelihood of problems escalating.

For many organisations, this serves as a reminder that compliance is not simply about policies and procedures. It requires ongoing attention, ownership and investment.

Building a relationship with the ICO

Another key theme was the role of transparency when dealing with regulators.

Rather than treating the ICO as an adversary, James explained how he worked to build a more collaborative relationship focused on openness and improvement.

He commented: “We needed to change the feeling that the ICO had about Labour.”

Part of that strategy involved increasing transparency and involving the regulator more closely in ongoing remediation efforts.

As James explained: “We need to bring the ICO as close to us as possible and be transparent about all working processes.”

Whilst many organisations naturally feel nervous about engaging with regulators, the discussion highlighted how openness can often help demonstrate accountability and commitment to improvement.

Transparency does not remove regulatory obligations, but it can help build trust and create a more constructive working relationship when challenges arise.

The importance of stakeholder relationships

A recurring theme throughout the episode was the importance of relationships.

James explained how understanding data processing activities required close collaboration with teams across the organisation.

Rather than approaching compliance from a purely legal perspective, he focused on understanding business objectives and identifying practical solutions that balanced organisational goals with privacy requirements.

This is a challenge many Data Protection Officers face. Effective compliance rarely comes from saying no. It comes from understanding what an organisation is trying to achieve and helping it achieve those objectives in a compliant way.

Successful privacy programmes are often built on trust, communication and collaboration rather than policy documents alone.

Balancing privacy and organisational objectives

Political parties exist to campaign, engage with voters and ultimately win elections. Data protection obligations do not remove those objectives, but they do influence how they can be achieved.

The discussion explored the challenge of balancing privacy risks with organisational priorities.

As Caine highlighted during the episode, effective Data Protection Officers need to understand both the risks to individuals and the wider risks facing the organisation.

This balancing act applies far beyond politics. Whether working in housing, healthcare, education, local government or the private sector, privacy professionals are often required to navigate competing priorities whilst ensuring compliance remains effective and proportionate.

Political campaigning and personal data

The episode also provided valuable insight into one of the most misunderstood areas of political data protection: campaign communications and voter information.

James explained that political parties operate within a unique legal framework that combines electoral legislation, UK GDPR, PECR and wider democratic engagement provisions.

This creates challenges that many organisations never encounter.

The discussion explored how political parties can lawfully access electoral register information, the distinction between democratic engagement and political marketing, and the complexities surrounding voter communications.

It also highlighted why public understanding of these processes is often limited, leading to frequent questions and complaints about how political parties obtain and use personal information.

Political opinions are classified as special category data under UK GDPR, making compliance particularly important when handling voter information and political preferences.

The impact of elections on data protection teams

Election periods create unique pressures for privacy professionals.

James described how political events can trigger substantial increases in Subject Access Requests, complaints and regulatory attention.

One example discussed during the episode involved a coordinated campaign encouraging individuals to submit Subject Access Requests to political parties during a general election period.

The volume of requests created significant operational pressure at a time when political parties were already operating under intense scrutiny.

These spikes can place substantial strain on compliance teams whilst simultaneously increasing public and regulatory attention on data protection practices.

The discussion highlighted the importance of having robust procedures, clear governance and sufficient resources in place before periods of heightened activity begin.

For organisations in any sector, this serves as a useful reminder that compliance planning should account for periods of increased demand and unexpected operational pressures.

Why community matters in data protection

Another important takeaway from the discussion was the value of professional networks.

James explained how he worked with Data Protection Officers from other political parties to discuss common challenges and share experiences.

Despite political differences, many of the data protection issues faced by parties were remarkably similar.

The group provided an opportunity to exchange ideas, discuss regulatory developments and learn from one another’s experiences.

This reinforces a broader point that applies across every sector. Data protection can often feel isolating, particularly for individuals working in-house.

Building relationships with peers, sharing experiences and learning from others can be invaluable when dealing with complex challenges.

The Data Protection Made Easy community was created with this exact purpose in mind, bringing professionals together to discuss challenges, share knowledge and support one another.

Public trust and democratic engagement

The discussion also explored the relationship between public trust and data protection.

Political parties process significant volumes of personal information and must balance democratic engagement with individual privacy rights.

Public understanding of how electoral data is used is often limited, creating concerns around political profiling, campaign communications and voter engagement.

James highlighted the importance of transparency and helping individuals understand how and why their information is being processed.

This challenge is not unique to politics. Organisations across every sector face increasing expectations around transparency, accountability and responsible data use.

Building trust requires more than simply meeting legal requirements. It requires organisations to demonstrate that they are handling information responsibly and in ways that align with people’s expectations.

Data protection and the future of AI

Towards the end of the discussion, the conversation shifted towards the future of data protection.

Artificial intelligence, advanced analytics, digital identity solutions and large-scale data sharing initiatives are creating new opportunities and new risks.

James argued that data protection professionals will play a critical role in helping organisations navigate these developments responsibly.

Reflecting on the future of the profession, he stated: “The importance of what we do will grow to a level of significance I don’t think we even understand properly yet.”

As organisations increasingly rely on data-driven technologies, privacy professionals will be required to balance innovation with governance, accountability and individual rights.

The conversation highlighted how the role of the Data Protection Officer continues to evolve beyond compliance alone, becoming increasingly connected to strategy, trust and organisational decision-making.

Giving individuals greater control over their data

Another theme explored during the discussion was the future of individual control over personal information.

As digital services become more connected, expectations around transparency and user control are likely to increase.

James explained: “People will have more power over their data and have more agency over it.”

This vision reflects a broader shift towards empowering individuals to understand, manage and control how their personal information is used.

Whether through enhanced transparency, digital identity initiatives or improved governance frameworks, organisations are likely to face increasing expectations around giving people greater visibility and control over their information.

What organisations can learn from political data protection

Whilst few organisations operate under the same level of scrutiny as a national political party, many of the lessons discussed throughout this episode apply across every sector.

Strong governance, effective stakeholder relationships, transparent regulatory engagement, practical compliance processes and a clear understanding of risk remain fundamental regardless of industry.

The discussion provided a fascinating insight into one of the most distinctive data protection environments in the UK, whilst reinforcing principles that every organisation can learn from.

Whether managing Subject Access Requests, engaging with regulators, implementing new technologies or building trust with stakeholders, the core principles of good data protection remain the same.

For organisations looking to strengthen governance and improve compliance, our Data Protection Support Service, Outsourced DPO Service and Training and Awareness Services can help build a stronger and more resilient approach to data protection.


Frequently Asked Questions About Political Data Protection

Can political parties access electoral register data?

Yes. Political parties can access electoral register information under specific legal provisions designed to support democratic engagement and electoral processes.

Are political opinions special category data?

Yes. Political opinions are classified as special category data under UK GDPR and require additional protections when processed.

Do political parties need consent to send political communications?

The requirements depend on the type of communication, the recipient and the legal basis being relied upon. Political communications can involve a complex interaction between UK GDPR, PECR and electoral legislation.

Why do political parties process personal data?

Political parties process personal data to support campaigning activities, democratic engagement, membership management, constituency casework and voter communications.

What role does the ICO play in political data protection?

The ICO regulates compliance with UK data protection legislation and can investigate complaints, issue enforcement action and provide guidance to political organisations.

Why is data protection important during elections?

Elections often involve large-scale processing of personal information, increased public scrutiny and heightened regulatory attention. Strong governance helps ensure information is handled lawfully, fairly and transparently.

Training That Actually Changes Behaviour

Training That Actually Changes Behaviour: Why Effective Data Protection Training Goes Beyond Compliance

Data protection training is often treated as a compliance exercise, something that must be completed, recorded and repeated each year. However, as discussed during a recent episode of the Data Protection Made Easy podcast, training only delivers real value when it changes behaviour.

Hosted by Caine Glancy and Catarina Pereira dos Santos, the session explored why traditional training approaches often fail to influence day-to-day decision-making and what organisations can do to create lasting behavioural change.

Whilst completion rates and quiz scores may demonstrate that training has taken place, they do not always show whether employees understand how to apply data protection principles in real situations. The discussion highlighted the importance of moving beyond tick-box compliance and creating training that is practical, engaging and relevant to the people receiving it.

If your organisation is looking to strengthen its data protection culture, our Data Protection Training and Awareness Services, Data Protection Support Service and Outsourced DPO Service can help build awareness, confidence and compliance across your organisation.

Why most data protection training fails

One of the key themes from the discussion was the difference between providing information and creating behavioural change.

Whilst it is relatively straightforward to explain the requirements of the UK GDPR, helping people understand how those requirements apply to their daily responsibilities is often far more challenging.

Catarina explained that effective training cannot simply focus on theory and legal requirements alone, stating: “It needs to be practical. It needs to be a thing that’s practical and achievable for everyone.”

Employees deal with personal data every day through emails, customer interactions, records management, Subject Access Requests and information sharing. If training does not connect directly to these activities, it is unlikely to influence behaviour when it matters most.

Why behavioural change matters

Successful training should not be measured solely by attendance records or assessment results.

The real objective is to help staff recognise risks, make informed decisions and apply data protection requirements confidently in practice.

As discussed during the episode, organisations should consider whether employees are able to identify personal data breaches, understand when a Subject Access Request has been received and make appropriate decisions when handling personal data.

Catarina highlighted the challenge many organisations face when measuring success, commenting: “On the measuring of the training side of things, actually I’m a superstar. I’ve passed it, I’ve done it on a regular basis.”

Without these practical outcomes, even the highest completion rates may provide a false sense of confidence.

Moving beyond tick-box compliance

Training records may show that staff have attended sessions, completed e-learning modules and passed assessments, but this does not necessarily mean that knowledge has translated into action.

An employee may achieve a strong quiz score yet continue to make avoidable mistakes, such as sending information to the wrong recipient, failing to recognise a personal data breach or misunderstanding their responsibilities under data protection legislation.

This is why effective training must focus on practical understanding rather than simply demonstrating attendance.

As Catarina explained: “What actually changes the behaviour is not just the records.”

Organisations should aim to create learning experiences that help employees understand the risks most relevant to their role and provide them with the confidence to respond appropriately when those situations arise.

Practical training creates lasting change

Throughout the discussion, both hosts emphasised the value of practical learning.

Interactive workshops, scenario-based exercises and practical demonstrations often deliver stronger outcomes than traditional presentation-led training alone.

Catarina highlighted the importance of hands-on learning, explaining: “There is nothing else as doing it in practical.”

Subject Access Requests provide a useful example. Rather than simply explaining the legislation, participants can work through realistic requests, identify relevant personal data, consider exemptions and discuss how they would respond.

People may not remember every slide from a training session, but they often remember the situations they worked through themselves.

Caine reinforced this point, stating: “The best training is when you can get people talking and you can get them thinking about it afterwards.”

Why one-size-fits-all training rarely works

Another important topic covered during the episode was the need to tailor training to different audiences.

Different teams interact with personal data in different ways, which means their risks and responsibilities are often very different.

The information required by Human Resources teams may differ significantly from the needs of Marketing, IT, Customer Service or Senior Leadership teams.

Caine explained: “You’ve got to know who you’re talking to.”

He went on to emphasise the importance of role-specific training, adding: “What they need to know is what’s going to relate to their role.”

Employees are more likely to engage when they can clearly see how the content relates to their day-to-day responsibilities. Using department-specific examples and practical scenarios helps make training more relevant and memorable.

The role of the trainer

The conversation also explored an often-overlooked factor in successful learning: the trainer themselves.

Even well-designed training programmes can struggle to engage learners if they are delivered without energy, enthusiasm or practical insight.

Caine explained: “Training is only really as good as the person who is delivering it.”

Effective trainers help participants understand why data protection matters, encourage discussion and create an environment where people feel comfortable asking questions.

Importantly, successful delivery is not about personality alone. It is about demonstrating genuine passion for the topic and helping learners understand how the subject applies to their own experiences and challenges.

As Caine highlighted: “You have to bring energy and you have to bring excitement to the topic to make them care about it.”

Training alone is not enough

One of the most important takeaways from the episode was that training should not be viewed as a one-off event.

Catarina stressed this point, explaining: “The training is not just a one time thing.”

People forget information, processes change and new risks emerge. Organisations that rely solely on annual refresher training often find that important messages fade long before the next session takes place.

Regular communications, awareness campaigns, newsletters, posters, team discussions and practical reminders help keep data protection visible and relevant.

Catarina explained: “You should be expecting to have awareness campaigns, posters, sending emails, newsletters in a constant way.”

A strong data protection culture is built through continuous reinforcement rather than a single annual training session.

Leadership sets the tone

The episode also highlighted the importance of leadership involvement.

When senior leaders actively support data protection initiatives, attend training sessions and reinforce key messages, employees are more likely to recognise the importance of compliance and good information governance.

Caine explained the value of leadership engagement, stating: “If you can get the buy-in from them, it will always trickle down.”

Managers also play an important role in embedding learning after training has taken place. They are often best placed to reinforce expectations, answer questions and identify areas where additional support may be needed.

Creating meaningful behavioural change requires commitment from every level of the organisation.

Measuring training success differently

Many organisations continue to measure training success through attendance figures, completion rates and assessment scores.

Whilst these metrics provide useful information, they only tell part of the story.

The more important question is whether behaviour has changed. Are staff reporting incidents more quickly? Are fewer emails being sent to the wrong recipients? Are Subject Access Requests being identified earlier? Are teams considering privacy risks at the start of projects rather than after problems occur?

These indicators often provide a much clearer picture of whether training is having a meaningful impact.

As Catarina highlighted throughout the discussion, meaningful success is demonstrated through practical outcomes rather than training records alone.

Creating training that delivers real results

The discussion reinforced a simple but important message. Effective data protection training is not about achieving compliance for compliance’s sake. It is about helping people understand their responsibilities and giving them the confidence to make better decisions when handling personal data.

Caine summarised one of the key principles discussed during the session, stating: “Training can never be one size fits all.”

Organisations that focus on practical learning, ongoing awareness, tailored content and strong leadership support are far more likely to create lasting behavioural change.

For organisations looking to strengthen their approach, our Data Protection Training and Awareness Services, Data Protection Support Service and Outsourced DPO Service can help create effective training programmes that move beyond compliance and support a stronger data protection culture.


Frequently Asked Questions About Data Protection Training

Why is data protection training important?

Data protection training helps employees understand how to handle personal data correctly, recognise risks, identify potential breaches and comply with data protection legislation.

How often should staff receive data protection training?

Most organisations provide annual refresher training, but ongoing awareness activities throughout the year are equally important to reinforce learning and maintain good practices.

What makes data protection training effective?

Effective training is practical, relevant to the audience, interactive and supported by ongoing awareness activities that reinforce key messages.

Should different teams receive different training?

Yes. Different departments face different risks and responsibilities. Tailoring training to specific roles often improves engagement and learning outcomes.

How can organisations measure whether training is working?

Rather than focusing solely on attendance and completion rates, organisations should look for behavioural indicators such as improved incident reporting, reduced errors and stronger awareness of data protection responsibilities.

Can training alone create a strong data protection culture?

No. Training is only one part of the solution. Ongoing awareness, leadership support and regular reinforcement are all essential for creating a strong and sustainable data protection culture.

What Auditors Find And Why

What Auditors Always Find, And Why: Lessons from Real GDPR Audits

Many organisations view GDPR audits as a compliance exercise, a checklist that confirms whether policies, procedures and documentation exist. In reality, effective audits go much further than simply reviewing paperwork.

In a recent episode of the Data Protection Made Easy podcast, Catarina Pereira dos Santos and Catherine Santos explored what GDPR auditors consistently uncover when assessing organisations and why the same issues continue to appear across different sectors.

The discussion covered retention failures, staff awareness, third-party management, personal device usage, governance gaps and the common misconception that having documentation automatically means an organisation is compliant.

Drawing on real audit experiences, the session highlighted how organisations can use audits to identify weaknesses, improve accountability and strengthen their overall approach to data protection.

For organisations looking to assess their compliance position, our Data Protection Support Service, Outsourced DPO Service and Training and Awareness Services can help identify risks and support ongoing compliance.

A GDPR audit is more than a checklist

One of the first points raised during the discussion was that a genuine GDPR audit involves much more than reviewing documentation.

Catherine explained: “It’s not a checklist for sure.”

Whilst policies, procedures and records remain important, an audit should also assess how data protection operates in practice. This includes speaking with employees, understanding data flows and evaluating whether documented processes are actually being followed.

As Catherine highlighted, audits often provide an opportunity to understand how mature data protection is within an organisation and whether staff genuinely understand their responsibilities.

Simply having documentation in place does not automatically demonstrate compliance if employees are unaware of the processes they are expected to follow.

Documentation alone does not equal compliance

A recurring theme throughout the episode was the difference between having documentation and implementing it effectively.

The hosts discussed how organisations frequently present policies, procedures and registers during audits, only for employees to reveal that they have never seen them.

As Catherine explained, one of the most common responses during interviews is: “Do we have such a policy? I didn’t know.”

This creates a significant compliance risk. Policies are only effective if they are understood, communicated and embedded within everyday working practices.

An organisation may have an excellent Information Security Policy, Data Breach Procedure or Retention Schedule, but if staff are unaware of them, compliance becomes difficult to demonstrate in practice.

Why employee engagement matters

The discussion highlighted the importance of speaking with employees during an audit.

Unlike a gap analysis or documentation review, a GDPR audit should assess how data protection is understood and applied throughout the organisation.

Employees often provide valuable insight into how personal information is actually handled, revealing differences between documented processes and day-to-day reality.

These conversations can also act as informal awareness sessions, helping staff better understand their responsibilities and providing an opportunity to ask questions.

The hosts emphasised that compliance is not achieved through policies alone. It depends on people understanding what they need to do and why.

Retention remains one of the biggest audit findings

When discussing the issues they encounter most frequently, both hosts quickly identified retention as a recurring challenge.

Many organisations have retention policies in place, but implementation often tells a different story.

Employees may understand that records should be deleted after a certain period, yet the actual deletion process never takes place.

The discussion included examples of organisations retaining emails for decades, storing outdated information indefinitely and relying on manual deletion processes that are rarely followed consistently.

Without effective retention practices, organisations risk keeping personal information for longer than necessary and increasing their exposure to data protection risks.

Third-party management is frequently overlooked

Another area highlighted during the discussion was third-party management.

Many organisations maintain supplier registers and records of processing activities, but auditors often discover inconsistencies when testing the information.

The hosts shared examples where organisations claimed to have Data Processing Agreements in place for all suppliers, only for further investigation to reveal unsigned templates or agreements that had never actually been implemented.

This demonstrates why auditors must test evidence rather than simply accept documentation at face value.

Third-party relationships often represent significant compliance risks, particularly where personal data is being processed externally or transferred internationally.

The risks of personal device usage

The discussion also explored one of the most common findings in modern workplaces: employees using personal devices for business purposes.

As Catherine explained: “The organisation doesn’t know that some employees use their phones for work.”

This creates a range of challenges. Personal devices may contain customer information, contracts, emails or communications that are completely outside the organisation’s governance framework.

It can also create difficulties when responding to Subject Access Requests, managing retention periods and investigating incidents.

Without appropriate Bring Your Own Device policies and controls, organisations may struggle to understand where personal data is being stored and processed.

WhatsApp, shadow IT and hidden data flows

The hosts also highlighted the increasing use of WhatsApp and other informal communication tools.

Whilst these platforms may improve efficiency, they can also introduce governance challenges when organisations fail to formally recognise or manage their use.

Examples discussed included contractors using WhatsApp to share photographs, employees communicating with customers through personal devices and business information being exchanged through channels that are not covered by existing policies.

These hidden data flows can create significant compliance risks if organisations are unaware of how information is being processed.

Effective governance requires organisations to understand where personal information is being stored, shared and accessed, regardless of whether that activity takes place through official systems or informal channels.

Why people shouldn’t fear audits

One of the most interesting parts of the discussion focused on the perception of audits themselves.

Many employees view auditors as investigators looking for mistakes or individuals responsible for assigning blame.

The hosts acknowledged that the word “audit” often creates anxiety, particularly where organisations have recently experienced a breach or compliance issue.

However, they stressed that audits should be viewed as opportunities for improvement rather than exercises in criticism.

As Catarina explained when speaking to employees during audits: “I am not here to judge you.”

The purpose of an audit is to identify risks, highlight opportunities for improvement and help organisations strengthen their compliance position.

When approached positively, audits can provide valuable insight into how organisations handle personal information and where additional support may be needed.

Turning findings into action

Finding issues during an audit is only the beginning of the process.

The real value comes from understanding those findings, prioritising actions and implementing meaningful improvements.

The discussion highlighted the importance of clear reporting, practical recommendations and helping organisations understand where risks are most significant.

Not every finding represents a high-risk compliance issue. Some can be addressed quickly, whilst others may require longer-term planning and investment.

Effective audit reports should help organisations understand not only what needs to improve, but also where they should focus their efforts first.

Why audits are essential for accountability

Whilst UK GDPR does not explicitly require organisations to conduct annual audits, the discussion highlighted how audits support one of the most important principles within the legislation: accountability.

Organisations must be able to demonstrate compliance. To do this effectively, they need mechanisms that test controls, assess risks and evaluate whether policies are operating as intended.

Audits provide an opportunity to challenge assumptions, verify compliance claims and identify gaps before they become larger issues.

Ultimately, the discussion reinforced that audits should not be seen as a negative exercise. They are an opportunity to learn, improve and build a stronger data protection culture.


Frequently Asked Questions About GDPR Audits

What is a GDPR audit?

A GDPR audit is a structured assessment of an organisation’s data protection practices, policies, procedures and operational controls to determine how effectively personal information is being managed.

Are GDPR audits legally required?

UK GDPR does not explicitly require annual audits, but audits are often used to support accountability obligations and demonstrate compliance.

What do GDPR auditors look for?

Auditors typically assess governance arrangements, policies, training, records management, retention practices, security measures, third-party management and employee awareness.

Why is retention often a common audit finding?

Many organisations have retention policies in place, but fail to consistently apply them in practice, leading to unnecessary retention of personal information.

Can an organisation be compliant if it has policies but employees do not follow them?

No. Compliance depends on policies being implemented effectively and understood by employees, not simply existing as documents.

What is the benefit of a GDPR audit?

A GDPR audit helps organisations identify weaknesses, strengthen controls, improve accountability and reduce the likelihood of compliance failures or data breaches.
