The UK's #1 Data Protection Consultancy

Data Protection & Information Security Experts

Data Protection Made Easy.

GDPR Support

Cyber Security Support
Join our extensive list of clients who have their data privacy under control

Accelerate Your Data Protection Compliance

Save Time, Save Money and Relax: You’re In Safe Hands

Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.

SAR Support

Explore our Subject Access Request (SAR) Handling Service and understand how Data Protection People can support your organisation


GDPR Training

Data Protection People have a wide range of training services catering for every need. Whether it's general training for operational or admin staff or specific training for specialist roles, we have something for you. Watch the short video below to meet the team and find out more about our training services.


Information Management Software

DataWise is the original privacy tech platform designed to simplify GDPR compliance management. Since its inception in 2011, DataWise has continuously evolved, solidifying its reputation as the pioneering "privacy tech" solution.


Data Protection Consultancy

Unlock Compliance Excellence with Our GDPR Consultancy Services. Navigating the intricate realm of data protection laws and standards demands expert guidance.


Need Help With Cyber Security Compliance?

We Have You Covered!

At Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.

External Attack Surface Management

Our experts can support you with dark web monitoring: Data Protection People offer a free dark web scan for your organisation.


ISO 27001

Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.



PCI DSS

A PCI DSS assessment is an audit that validates compliance with the Payment Card Industry Data Security Standard (PCI DSS), the set of security requirements that applies to merchants and service providers who accept, process, store or transmit payment card data.


Cyber Security Support

Secure your organisation with Data Protection People's Cyber Security Support. Our expert team ensures cybersecurity excellence, offering tailored support for ISO 27001, PCI DSS, cyber maturity, Cyber Essentials Plus, and more.


Supporting DPOs

Flexible Support When You Need It

At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.

Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.

Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.

Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.

Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.

Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.

Diverse Sector Experience

Access to a Team of Industry Experts

At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.

Commercial Sector

Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.


SMEs

Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimise your operations, and scale confidently with our tailored solutions that prioritise your unique business needs.

Third Sector

For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.

Multi Nationals

For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavours with resilience.

Public Sector

In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.


Why Use Our Outsourced DPO Services?

Save Time, Money and Guarantee Compliance

Navigating the intricate landscape of data protection demands more than just a DPO — it requires a dedicated team committed to excellence. Our Outsourced DPO Services extend beyond the traditional role, offering a comprehensive approach to legal compliance and pragmatic solutions.

Why Choose Outsourcing?

An outsourced DPO brings a wealth of experience, not just in the law but also in crafting workable solutions. Their impartiality is fortified by a team of privacy practitioners, ensuring that your organisation benefits from a spectrum of expertise. Should the need arise, seamless coverage during absences is guaranteed, eliminating the vulnerability associated with a single in-house DPO.

Staying Headache-Free

Concerned about the disruption if your DPO moves on? With an outsourced model, transitions are smooth, and you won’t experience the sudden headache of a critical role vacancy. The continuity provided by a team ensures that your data protection responsibilities are seamlessly handled.

Compliance Tailored to You

Our Outsourced DPO Services align seamlessly with your legal obligations, whether you’re mandated to appoint a DPO or choose to do so voluntarily. We understand that compliance is not just about ticking boxes but about ensuring a robust, practical approach to data protection. Choose Data Protection People for a worry-free, compliance-driven outsourced DPO solution — because your data protection journey should be as smooth as it is secure.

“I can't recommend Data Protection People enough; they have helped me in so many different areas. No matter how complex the challenge or how large the obstacle, DPP always has the answer.

I can call the team at any time and have built an amazing relationship with them, in times of frustration they are here to calm me down and create a plan, they are a pleasure to work with.”

Mark Leete
Eastlight Community Homes

Data Protection People Blogs & Podcasts

Data Privacy Learning & Guidance

Data Protection People host the UK's #1 data protection podcast, with over 150 episodes available on all major audio streaming platforms. We also publish regular content designed to simplify complex areas of data protection and cyber security. Check out some of the podcasts and articles below and make data protection easy today.

Data Protection For Charities

How Data Protection is Vital for Charities Working with Vulnerable Individuals 

Charities occupy a distinct and sometimes complex space within regulatory compliance. They increasingly bring unique insights and expertise to public service provision for individuals and the community, while walking the tightrope of a challenging funding landscape and resource-stretched environments.

Many charities deliver essential support to vulnerable groups of people.   Processing personal data within these organisations takes careful consideration: including the sensitive nature of the information; the potential impacts to the individual; and the vulnerability of the data subjects themselves.  

Ryan Calo, in their publication ‘Privacy, Vulnerability and Affordance,’ explores the difference between making a person vulnerable and exploiting vulnerability – both within the context of processing personal data.  This subject can be afforded much in-depth analysis drawing on academic and legal disciplines.  But many charities do work with people who are at greater risk of becoming entrenched in those cycles of vulnerability.  They are often standing at this intersection, with a very direct relationship to the data subject.   

If we take for example, a charity working in the criminal justice system, or within mental health services: these organisations often provide specific skills to engage with people who historically may have had a fractured relationship with public services or authority. Here, it is common to receive not only very sensitive disclosures, but to also be managing a sometimes precarious environment of trust.  That takes time and work to build, and the data collected is an extension of not only that individual, but of the context of the relationship.   In that tentative first step, the service user may be thinking: 

  • Do you know what you’re doing?  
  • What will you use my information for?  
  • Who will you tell? 
  • Am I safe here?  
  • Can I trust you?

Why are we collecting this information?

These questions are reflected in the principles of data protection and how the potential impact of processing may be assessed.  Why are we collecting this information? What is our lawful basis? Who are we sharing it with and why? Do we have the appropriate technical and organisational measures in place? Will we keep it safe? Conversely, it can also be the case that in such environments, a vulnerable individual may disclose large amounts of sensitive information beyond what is relevant to the intended outcomes of the engagement.  Asking these questions plays an important role in navigating that interaction.  

However, we risk losing sight of this where data protection becomes something intangible, a dry set of complex regulations that are hard to translate to reality.  Is it an arm of IT that involves extra forms? Is it just about ensuring we secure that filing cabinet, or patch that software?  

Many data protection professionals quite rightly refer to the problem of the padlock. We've all seen examples of it, and many of us are probably guilty of having used it on that slide we needed to illustrate. The image risks reducing data protection to a lockbox: if the information is shut away safely enough, then we've pretty much done our job. It brings to mind rules, shutting out, maybe even obstruction.

Of course, managing access and security is an essential part of data protection, but it is by no means the only one.  

Data protection legislation is very human. It keeps sight of the vulnerability we are all exposed to in this digital age, and makes provision for the particular cases within that where some people may be more vulnerable than others. The Article 29 Working Party guidance and the EU GDPR itself (Recital 38, on children, for example) acknowledge that certain high-risk groups fall within these definitions. The Working Party also identified a power imbalance between controller and data subject as an indicator of vulnerability, one that should be taken into account in data protection practice.

Data Protection therefore asks us to look at the individual. It is not enough to provide the padlock. 

As required by the UK GDPR, we should be adhering to the principles of:  
  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

Supporting colleagues to do this within charities can be challenging, albeit essential. The impact of unauthorised access to or use of data about vulnerable people can be particularly distressing, and any resulting material or non-material damage can compound existing complex trauma. In some situations, there can also be a significant risk of physical harm. Protecting someone's location, identity, disclosures or evidence of engagement can have a direct bearing on their safety. This applies not only to external unauthorised access such as a cyber-attack, but to inadequate internal controls too.

Studying trends within a data protection incident log may highlight the impact of human error as the root cause of many data breaches. It is when we are tired that we risk using cc instead of bcc.  It is when we have been confronted with a harrowing disclosure that we may be distracted.  When a charity is resource constrained and roles are stretching, it is easier to miss important steps. Infrastructure can be behind, resources can be scarce, and the environment may be stressful.  It is also at these times that data protection can risk becoming a bureaucratic side note, when in fact it serves to manage these situations when it is properly embedded.  

 Understanding the space that data protection holds in that reciprocal fostering of trust, is a helpful way of disassociating it from a series of paper-pushing exercises.   

What are examples of good practice?

 This is by no means an exhaustive list, but some overarching considerations include:  

 Data minimisation and proportionality

Asking whether you really need to collect personal data about a vulnerable service user will help to manage what you are recording.  How could this new record impact the wellbeing of that person?  It can feel counter-intuitive to question the motives of data collection when the overall purpose feels well intentioned.  But it’s important not to overlook it within a charity setting.  Minimising the amount of personal data held reduces risk in other areas, such as data breaches.  But it also ensures we are consistently considering how the questions we ask, or information we record, may impact the privacy and agency of a vulnerable individual.  

This is also relevant to avoiding situations where data protection is cited as a reason not to collect or share information, with a negative outcome for the individual as a result. That is rarely a valid position, and it risks both misuse of the legislation and harm to the data subject. Thinking about proportionality will also prompt the right questions to ask in conversations with funders and commissioners. Sometimes for charities there is a power imbalance there for them as an organisation, too. Understanding how to advocate correctly can facilitate helpful discussions with meaningful outcomes.

 Encryption, access controls and infrastructure

Understanding the impacts of how you are storing and sharing personal data, and therefore what needs to be in place to mitigate those risks, is essential.  Regularly reviewing and updating procedures, technical measures and permissions are a part of this.  Charities will also need to understand what is expected of them by their funders.  If they are part of a statutory supply chain in particular, it is important to anticipate where investments may need to be applied.  

 Training and awareness

In reality, there aren't always resources available to provide systems that automate or manage processes and so reduce the margin for human error. A charity may, for example, be working in a prison that still uses fax machines, or only be able to access a secure printer when a prison officer is able to log in for them. It is not always obvious how these details interact with data protection until you come across them in conversation, but they can have a big impact on how you roll out a data protection programme that manages risk well in your charity. In that scenario, asking whether a secure printer was available wouldn't have been enough. It is therefore essential to deliver plenty of organisation-specific training and to raise awareness of data protection.

In some companies, paper records will largely be a thing of the past; but for many charities there are still lots of physical records stored and created. Ensuring the correct processes around these are understood may mean supplementing training modules, or creating visual office prompts. Where possible, offering a phone call during the course of a Data Protection Impact Assessment (DPIA), for example, can help to expedite the process and uncover nuance. Having strong allies in data protection across the charity can also greatly increase the effectiveness of embedding good practice.

 Exercising rights and incident response

Knowing what to do if someone would like to exercise their rights under the UK GDPR, or if something goes wrong, is important.  It isn’t always straightforward for charities, and with lots of competing priorities might not feel pertinent until it happens and panic sets in.  That panic is what we want to avoid.  A charity may have 3 or 4 funding streams with specific requirements, or it may have 50-60. 

Where there are requirements in place, do you understand them? For example, for a case file, it is important to understand who the data controller is for that information, whether there is more than one controller, and what the contractual expectations are for that information. And crucially, how that relates back to the wellbeing of the data subject, and whether they themselves are clear about their rights and who to contact.

 Can I trust you?  

 That poignant question brings us back to the relationship between the charity and the vulnerable individual.  It is often an operational colleague who will be setting out in person the expectations of engagement and how support will be provided.  Transparency is a cornerstone of data protection, and providing a privacy notice is an essential part of this.  But in order to be clear with someone, it must be understood why personal information is being collected, what it is being used for, who it is being shared with, and how it will be managed. Charities sometimes perform an extension of a public service, but don’t have the same lawful bases to rely upon that government bodies do.  Therefore, considering the correct lawful basis will also be an important piece of information for the service user. 

If you are relying on consent, is that consent valid?  Is there a power imbalance to consider, and does the individual have capacity to meaningfully consent to the use of their information? Crucially, we must then be able to explain this to the individual in language and formatting that will best support their understanding of the process.   

 From the bidding stage to delivery and evaluation, charities should be positioning data protection as a fundamental part of their work with service users.  The principles they uphold as a charity, extend to personal data in this way.  Whether that is during the more tangible relationship of, for example, caseworker to client, or making decisions around which cookies to use on their website.  Charities have a duty of care to those most vulnerable, and not least in the way they manage their personal information.  

Data Protection in the Non-Profit Sector: Balancing Good Deeds with Good Practices – with Rebecca Wells

Join us on Friday, June 21st, from 12:30 PM to 1:30 PM BST for an insightful session on data protection in the charity sector. Our guest speaker, Rebecca Wells, Data Protection and Information Governance Manager at Sustrans, will share her expertise and address the unique challenges faced by non-profit organisations.

Key Discussion Points:

  • The Balancing Act for Charities: How to uphold data protection principles while effectively supporting vulnerable individuals.
  • Compliance Made Clear: Practical guidance for charities to meet evolving data protection regulations, even with limited resources.
  • Supporting DPO Wellbeing: Strategies to ensure Data Protection Officers (DPOs) working in the charity sector have the support they need.

This session is valuable for:

  • Data protection professionals working within charities
  • DPOs in the non-profit sector
  • Anyone interested in the human element of data protection and the challenges of balancing regulations with real-world needs.

Join the Conversation!

At Data Protection Made Easy, we’re passionate about empowering charities to leverage the power of data responsibly. We look forward to welcoming you to this upcoming session and continuing the conversation on data protection in the non-profit sector.

Does the Consent or Pay Model Offer Enough Choice on Data Privacy?

Nearly 5 billion people use social media. That’s billions of data subjects, with personal data ready to be tracked and processed for direct marketing. 

This information, however, can only be collected through cookies and similar tracking technologies if the data subject consents. Under the Privacy and Electronic Communications Regulations (PECR), that consent must be freely given, specific and informed, with the user aware of what data will be collected.

But things are changing. The 'consent or pay' privacy model is spreading across online platforms, leaving data subjects with two options: pay for freedom from tracking, or pay with their personal data.

What Is the Consent or Pay Model?

The ‘consent or pay’ model (or ‘pay or okay’ model) involves data controllers providing individuals with a choice to access their online service (e.g., a social media platform). 

The data subject can either:

  1. Consent to getting their personal data processed for a specific purpose; or,
  2. Pay a fee to use the online service without processing their data. 

Meta, the social media giant, has used this 'pay or okay' model across its platforms in the EU since 2023. Users who choose option one consent to being tracked and targeted with behavioural advertising.

Fee payers access a paid version of Meta’s platforms without behavioural advertising. However, tracking, such as functionality cookies, may still be included. 

What Is Behavioural Advertising?

Behavioural advertising is the ongoing monitoring of a data subject’s online behaviours and actions. This may include site visits, interactions or topic interests. The data controller uses these insights to form a precise user profile that determines what advertisements are shown to them. 

Behavioural advertising is more sophisticated than ever and is critical to the success of many organisations’ digital marketing efforts. 

What Does the UK GDPR Say About Pay or OK? 

In the UK, the ICO has so far taken a neutral approach to whether the 'consent or pay' model is fair. The Regulator published its emerging thinking and invited feedback on it in a call for views, which closed on 17th April 2024.

As of yet, the UK GDPR doesn’t prohibit this model, but factors must be considered to ensure that consent and the right to withdraw are freely given should a user have their data processed. 

The ICO’s Approach for Adopting this Model

The ICO has set out a non-exhaustive list of factors to consider when adopting this model:

1. Power Balance

Consent for targeted advertising cannot be freely given if data subjects have minimal choice about whether or not to use a service; for example, if a user needs to access a public service, or a platform in a 'position of market power'.

2. Equivalence 

How different is the paid-for service from the free version? If a service provider includes add-ons to the paid service, this would affect how freely the user can consent. 

3. Appropriate Fee 

What is the fair price for privacy? Unreasonably high fees limit who can be free from advertising and who can’t. This power imbalance must be carefully considered to ensure the set fee is realistic. 

4. Privacy by Design

The options provided in a ‘consent or pay’ model should be clear and outline what each involves. Every data subject has the right to be informed, so consent cannot be freely given if individuals don’t understand how their data will be used. 

Withdrawing consent should also be as simple as giving it. The right to withdraw is a legal right, so organisations must act on people’s wishes when communicating with them. 

The EDPB’s Take

The European Data Protection Board (EDPB), the EU body that brings together the national data protection authorities, has taken a more explicit stance, adopting an opinion on 'pay or okay' business models on 17th April 2024.

The main takeaway from this 42-page document is straightforward: give the user a real choice. The EDPB's view is that Meta and other large online platforms should offer EU users a third option alongside the existing two:

  1. Paid subscription – Pay for platform access with no behavioural advertising.
  2. Free account – Free-to-use account with behavioural advertising.
  3. Free account without behavioural advertising – Use the platform for free, with advertising that involves less (or no) processing of personal data, such as contextual advertising.

Our Opinion

Can we truly put a price on privacy? In a recent podcast, our data protection experts shared their insights on the controversies surrounding the ‘pay or okay’ model. 

There is a growing worry that it creates a power imbalance, where only those who can pay enjoy greater privacy. What are your thoughts? Listen to our next Data Protection Made Easy podcast to voice your opinion.

Looking for a GDPR Expert? 

Data Protection People is a leading GDPR consultancy that helps organisations across the UK. 

From specialist data protection officers (DPOs) to GDPR audits, we can help you maintain compliance and keep your customers' data safe. Contact our team today.

European Cybersecurity Blogger Awards

Data Protection Made Easy Podcast Wins Big at European Cybersecurity Blogger Awards!

Our Data Protection Made Easy podcast has just been crowned “Best Podcast” at the European Cybersecurity Blogger Awards. This well-deserved recognition celebrates the show’s unwavering commitment to delivering clear, engaging, and accessible information on the ever-evolving world of data protection.

The podcast’s story began three years ago as a client-exclusive webinar hosted by the visionary Phil Brining. Recognising the importance of data protection knowledge, Phil shared valuable insights and news with his audience. However, the pandemic highlighted a crucial need – a broader platform to reach a wider community, especially with physical interaction becoming limited. This realisation led to the birth of the Data Protection Made Easy podcast, a decision that proved to be a game-changer for our organisation.

From a small group of 40 dedicated listeners (all clients at the time), the podcast has blossomed into a thriving community exceeding 1200 members. This impressive growth wouldn’t have been possible without the show’s unique approach, which sets it apart from the crowd.

The Secret Sauce of Data Protection Made Easy

Forget rigid scripts and monotonous lectures. Data Protection Made Easy thrives on fostering organic conversations between passionate experts. This dynamic format fosters an engaging and accessible experience, even for listeners with no prior data protection knowledge. Complex topics are broken down into digestible chunks, making them easy to understand and remember.

But it’s not just about the content; it’s also about the delivery. The show proudly stands by its “no sales pitch, no jargon” philosophy. Here, the focus is purely on delivering valuable information, free from self-promotion or technical jargon that can often alienate listeners.

The magic truly comes alive thanks to the stellar team of hosts. We have been extremely lucky to have experienced, enthusiastic and personable hosts that have captured the attention of our community. Their genuine passion for data protection is palpable, making even the most intricate legal nuances feel approachable and engaging.

More Than a Podcast: A Thriving Community

Data Protection Made Easy goes beyond simply delivering information; it fosters a vibrant and inclusive community. Membership boasts a diverse range of individuals, from aspiring students eager to break into the data protection field to DPOs with decades of experience. This unique blend of backgrounds creates a rich tapestry of knowledge and perspectives.

A Heartfelt Thank You

This incredible achievement wouldn’t have been possible without the unwavering support of our amazing community. To each and every listener, thank you for being a part of this journey. Your passion for data protection is what truly fuels our fire.

A special thanks goes out to everyone who took the time to vote for us in the European Cybersecurity Blogger Awards. This award, unlike many others, is entirely based on audience votes, making your support even more meaningful. It signifies that the information we provide resonates with you, and that’s the greatest validation we could ask for.

Join the Movement: Become Part of the Data Protection Made Easy Community

Are you ready to connect with like-minded individuals? Here’s your chance to become part of this award-winning community! By joining the Data Protection Made Easy community, you’ll gain access to a treasure trove of resources:

  • Weekly invitations to insightful discussions: Stay on top of the latest trends and developments in data protection with regular updates and thought-provoking conversations.
  • Learn from the best: Immerse yourself in the wisdom of distinguished experts like Jasmine Harrison, Joe Kirk, and Phil Brining. Their combined experience and passion provide invaluable insights that will empower you in your data protection journey.
  • Network with a diverse community: Expand your professional circle by connecting with members from a wide range of backgrounds and experience levels. Share your knowledge, learn from others, and forge meaningful connections with individuals who share your passion for data protection.

Data Protection Made Easy is more than just a podcast; it’s a movement dedicated to making data protection knowledge accessible to all. Here, you’ll find a supportive community eager to learn, grow, and navigate the ever-changing data protection landscape together.

Sign up today and become part of the Data Protection Made Easy community. View our upcoming events here.

This win at the European Cybersecurity Blogger Awards is just the beginning for the Data Protection Made Easy podcast. With its commitment to accessible knowledge and a thriving community by its side, the future holds immense potential for even greater growth and impact.

Listen back to over 170 episodes on Spotify by clicking here. 

What Are the 8 Rights of Data Subjects?

For many organisations, a weak grasp of the basics of data protection is the root cause of GDPR breaches and non-compliance fines.

At its simplest, the UK GDPR protects individuals’ personal data, and gives extra protection to special category data (such as health, biometric or ethnic-origin data). When organisations mishandle this data, they put both their reputation and the rights of the individuals concerned at risk.

Our mission is to make data protection easy, so in this blog we’re going back to basics. Keep reading to discover the 8 rights of data subjects and how to maintain GDPR compliance.

What Is a Data Subject?

A data subject is a living individual who can be identified, directly or indirectly, from personal data. Identifiers include a name, an ID number, location data, an online identifier, or factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity.

In other words, a data subject is the individual an organisation collects personal data about. The other parties are the data controller (who decides why and how the data is processed) and the data processor (who processes it on the controller’s behalf); both must comply with data protection law.

What Are the Eight Rights of Data Subjects? 

The UK GDPR empowers data subjects to hold organisations accountable for the data they handle. Under this legislation, the individual has 8 rights all businesses must be aware of.

1. Right to Be Informed

The right to be informed includes providing data subjects with information about what data you’re collecting, for how long and what you intend to do with it. 

As an organisation, you must provide this information clearly and in plain language, both to comply and to build trust with the individual. The Information Commissioner’s Office (ICO) calls this ‘privacy information’, and it includes:

  • Data controller’s identity and contact details;
  • Data Protection Officer’s (DPO) contact details (where appropriate);
  • The purposes of processing; 
  • The legal basis for processing;
  • The categories of personal data collected;
  • The details of data transfers to third parties or international organisations;
  • Data retention period; 
  • Rights granted under the UK GDPR;
  • The right to complain;
  • Whether providing the data is a statutory or contractual requirement, and the consequences of not providing it; and,
  • If automated decision-making is involved. 

(Article 13, UK GDPR)

2. Right of Access

The right of access allows individuals to obtain a copy of their personal data, together with supplementary information such as the purposes of processing, the recipients and the retention period. A request to exercise this right is commonly known as a subject access request (SAR), or data subject access request (DSAR).

A data subject can submit a SAR verbally or in writing, including via social media, and they do not have to use the words ‘subject access request’ or address it to your DPO. You have one month to respond, and the clock starts on the day your organisation receives the request, not when it reaches the DPO. For complex or numerous requests the deadline can be extended by up to two further months, but you must tell the individual about the extension within the first month.

We have a complete guide on handling SARs, but if you want to get this request sorted quickly and compliantly, our team offer exceptional SAR support services.  

Did you know changes around refusing DSARs are incoming? Head to our recent blog on the Data Protection and Digital Information (DPDI) Bill to find out where your organisation stands. 
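One thing that goes wrong in practice is miscounting the one-month deadline. The calculator below is an added example, not code from Data Protection People, and it encodes the ICO’s published method for counting the time limit (corresponding calendar date in the following month, last day of that month if there is no corresponding date, then roll forward past weekends and bank holidays). The bank holiday set it contains is a constructed sample rather than the official list.

```python
"""SAR deadline calculator (added example, not the page's own tooling).

Implements the ICO's published method for the one-month time limit:
  - the clock starts on the day the request is received, working day or not;
  - the deadline is the corresponding calendar date in the following month;
  - if that month has no such date (31 January -> February), it is the last
    day of the following month;
  - if the deadline falls on a weekend or UK bank holiday, it moves to the
    next working day;
  - a complex or numerous request may be extended by up to two further
    months, counted the same way from the original receipt date.
"""
from calendar import monthrange
from datetime import date, timedelta

# Constructed sample of England & Wales bank holidays, for illustration only.
# A real tool should load the published list rather than hard-code it.
BANK_HOLIDAYS = {
    date(2024, 12, 25), date(2024, 12, 26), date(2025, 1, 1),
    date(2025, 4, 18), date(2025, 4, 21), date(2025, 5, 5), date(2025, 5, 26),
}


def add_months(start: date, months: int) -> date:
    """Same day-of-month N months later, clamped to that month's length."""
    year = start.year + (start.month - 1 + months) // 12
    month = (start.month - 1 + months) % 12 + 1
    last_day = monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date) -> date:
    """Roll forward past Saturdays, Sundays and bank holidays."""
    while d.weekday() >= 5 or d in BANK_HOLIDAYS:
        d += timedelta(days=1)
    return d


def response_deadline(received: date, extension_months: int = 0) -> date:
    """Statutory deadline for a request received on `received`."""
    if not 0 <= extension_months <= 2:
        raise ValueError("UK GDPR permits at most two further months' extension")
    return next_working_day(add_months(received, 1 + extension_months))


def response_deadline_iso(received_iso: str, extension_months: int = 0) -> str:
    """Convenience wrapper taking and returning ISO 8601 dates (YYYY-MM-DD)."""
    deadline = response_deadline(date.fromisoformat(received_iso), extension_months)
    return deadline.isoformat()


def days_remaining(received_iso: str, today_iso: str, extension_months: int = 0) -> int:
    """Days left before the deadline; negative means the deadline has passed."""
    deadline = response_deadline(date.fromisoformat(received_iso), extension_months)
    return (deadline - date.fromisoformat(today_iso)).days


if __name__ == "__main__":
    # Received on the 31st, on a Friday before a bank holiday, and on a
    # Friday whose corresponding date lands on a Sunday.
    for received in ("2025-03-03", "2025-01-31", "2025-03-21", "2025-04-04"):
        print(received, "->", response_deadline_iso(received))
```

Note that the day of receipt counts whether or not it is a working day, so a request that arrives on a Saturday via a web form or social media is due one calendar month from that Saturday, not from the Monday someone reads it.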

3. Right to Rectification

Individuals have the right to ask organisations to correct inaccurate personal data, and to complete incomplete data, that they hold about them.

If the request is valid, you have one month to make the correction (extendable in the same way as a SAR). Rectifying one record may look easy, but the same data is often copied into other systems, backups and third-party suppliers. Under Article 19 of the UK GDPR you must also tell each recipient you have disclosed the data to about the rectification, unless that proves impossible or involves disproportionate effort, and tell the individual who those recipients are if they ask.

Due diligence is crucial on review, so now would be a good time to conduct a broader GDPR audit.

4. Right to Erasure

The right to erasure, or ‘right to be forgotten’, allows individuals to have their personal data deleted in certain circumstances. These include:

  • The personal data is no longer necessary for the purpose it was collected for;
  • The individual withdraws consent, and there is no other lawful basis for the processing;
  • The individual objects to the processing, and there are no overriding legitimate grounds to continue (or they object to direct marketing, in which case the objection is absolute);
  • The personal data has been processed unlawfully;
  • Erasure is required to comply with a legal obligation; and,
  • The personal data was collected in relation to the offer of information society services to a child.

(Article 17, UK GDPR)

Want to know the solutions for data erasure? Read our blog on individual rights to learn more.

5. Right to Restrict Processing

Individuals can ask you to limit how you process their personal data. This right does not require a data controller to erase the data.

Instead, you may continue to store the data but must not otherwise process it (except with the individual’s consent, for legal claims, to protect another person’s rights, or for important public-interest reasons). You have one month to action a request, and the right applies where:

  • The individual contests the accuracy of the data, while you verify it (similar to the right to rectification);
  • The processing is unlawful, but the individual opposes erasure and asks for restriction instead;
  • You no longer need the data, but the individual needs it kept for a legal claim; and,
  • The individual has objected to the processing, and you are still considering whether your legitimate grounds override theirs.

6. Right to Data Portability

Data subjects can obtain their personal data and reuse it for their own purposes across different services, for example to move to a competing provider. The right applies only to data the individual has provided to you, that you process on the basis of consent or a contract, and that you process by automated means. Data controllers must supply the data in a structured, commonly used and machine-readable format and, where technically feasible, transmit it directly to another controller at the individual’s request.

Suitable formats include CSV, XML and JSON files. A PDF or a scanned image is not machine-readable in this sense.

7. Right to Object to Processing

An individual can object to the processing of their personal data in certain circumstances, chiefly where you rely on legitimate interests or public task as your lawful basis. You must then stop unless you can demonstrate compelling legitimate grounds that override the individual’s interests, and you have one month to respond.

Individuals can also object to their data being used for direct marketing, and this objection is absolute: you must stop as soon as you receive it. Where the line between consent and objection sits is under active debate, with social media giants relying on a ‘pay or OK’ model (pay a subscription or accept tracking-based advertising) to support their processing activities.

8. Rights to Automated Decision Making and Profiling 

Under the UK GDPR, individuals have the right not to be subject to a decision based solely on automated processing (i.e. without meaningful human involvement) where that decision produces legal effects on them or similarly significantly affects them, for example an automated loan refusal or automated recruitment screening. Such decisions are only permitted where they are necessary for a contract, authorised by law, or based on the individual’s explicit consent, and even then the individual must be able to obtain human intervention, express their point of view and contest the decision.

This includes profiling: automated analysis of personal aspects such as health, work performance, economic situation, interests or behaviour, where it is used to make such a decision.

What Happens If You Violate Data Subjects’ Rights?

If you violate any of these rights, you could face:

  • Financial damage – The ICO can fine you up to £17.5 million or 4% of your total annual worldwide turnover (whichever is higher) for the most serious infringements, which include breaches of data subjects’ rights.
  • Loss of trust – Poor handling of your customers’ rights will impact their trust in you and raise doubts about your company’s competence. 
  • Legal complications – By violating data subject rights, you’re not complying with the UK GDPR. Not only will this risk fines, but you will likely undergo legal complications that will damage your reputation.

Expert Information Request & SAR Support

Our data protection consultancy will help you maintain GDPR compliance and efficiently handle information rights requests.

We have a proven track record of managing SARs, GDPR audits and other services to keep risk low. Contact our team to learn more today.

Freedom Of Information – A Tool For Transparency


Working in the data protection industry, where information is power, ensuring transparency within organisations is crucial. Freedom of Information (FOI), the right created by the Freedom of Information Act 2000 (FOIA) in England, Wales and Northern Ireland (Scotland has its own equivalent Act), allows anyone to request access to information held by public authorities. This week’s episode of the AWARD WINNING Data Protection Made Easy podcast, now with over 20,000 Spotify plays and 170 episodes, dives deep into the world of FOI with expert Laura Brentnall, Support Desk Manager at Data Protection People.

Transparency: The Cornerstone of Public Trust

FOI serves as a cornerstone of open government and public trust. It allows individuals to hold public bodies accountable and fosters a more informed citizenry. Laura, with her experience working in local authorities and across diverse sectors, sheds light on the practicalities of FOI for organisations of all sizes.

Intriguing Encounters with FOI Requests

The session wouldn’t be complete without a touch of intrigue! Laura along with some of our listeners shared some fascinating (and sometimes bizarre) FOI requests they’ve encountered. From the infamous UK parliamentary expenses scandal, where information was disclosed outside of FOI channels, to a local council paying a psychic for an exorcism (yes, you read that right!), these real-world examples highlight the vast scope of FOI requests.

Navigating the Legal Landscape

FOI comes with its own legal framework. The discussion explores recent cases and considerations surrounding the FOIA. This includes the concept of vexatious requests, where someone submits excessive or unreasonable FOI requests to disrupt an organisation’s operations. A link to a case study from the Information Commissioner’s Office (ICO) is provided for further exploration.

Equipping You for FOI Success

The session equips organisations with practical strategies for handling FOI requests effectively. This might involve streamlining processes, understanding exemptions under the FOIA, and effectively communicating with requesters. Data Protection People have a dedicated team of FOI experts if you have further questions after listening.

Our New FOI Service: Simplifying the Process

Data Protection People are excited to announce its new FOI service! This service is designed to support organisations of all sizes and sectors in navigating the FOI process with confidence. Whether you need help developing a robust FOI policy or require assistance in responding to complex requests, our team of experts is here to guide you.

Calling All Outrageous Requests!

For the upcoming part two of this FOI discussion, the team is looking for your input! Submit your most outrageous (and anonymous) FOI experiences, and they’ll be discussed on the next episode. This is a fantastic opportunity to learn from the experiences of others and gain valuable insights.

Join Our Vibrant Community!

Data Protection Made Easy is more than just a podcast; it’s a thriving community. If you enjoyed this session and want to be part of the conversation, subscribe! Simply visit the contact us page and request to subscribe. You’ll then receive weekly invites to insightful discussions led by our industry experts.

Here’s what makes our community special:

  • Diversity: We welcome everyone, from veteran Data Protection Officers (DPOs) with 20 years of experience to students just starting their careers.
  • Open Forum: Our discussions are designed to be enthusiastic and informative. Professionals share valuable top tips, practical advice, and real-world stories to empower others.
  • Commitment to Education: We are passionate about data protection and believe in sharing knowledge freely. There’s no sales pitch here; just genuine conversation.
  • Impressive Reach: With over 100 live listeners every week, our podcast is a top contender in the data protection space. You’ll be joining a community of passionate individuals committed to data privacy.

Don’t miss out! Subscribe today and unlock a world of data protection knowledge with Data Protection Made Easy.

Tune in now via Spotify. 

Microsoft Recall – A Privacy Nightmare?


Tune in to the Data Protection Made Easy Podcast as our hosts Joe Kirk and Jasmine Harrison come together for a lively discussion on Microsoft’s new Recall feature and its potential impact on user privacy.

This week on GDPR Radio, we delve into the news surrounding Recall, the Windows feature announced for Copilot+ PCs that periodically takes snapshots of whatever is on the user’s screen and stores them on the device so that past activity can be searched. We’ll explore the specific details of how it works and analyse the privacy risks of keeping an always-on record of everything a user has seen.

But that’s not all! As always, we’ll also be keeping you up-to-date on the latest developments in the world of data protection. This week, the ongoing saga of the Data Protection and Digital Information Bill (DPDI Bill) took centre stage, with some listeners even suggesting it might be a lost cause. Tune in to hear the full conversation and gain valuable insights from Joe and Jasmine’s expert analysis.

Can’t make it live? No problem! This episode, along with over 170 others, is available on-demand. You can listen on Spotify or directly on our website using the embedded player at the top of this page.

Want to join the conversation

Sign up for our events page to reserve your spot for upcoming live discussions. We offer insightful and thoughtfully planned sessions on a variety of data protection topics. Whether you’re a seasoned professional or just starting out, there’s something for everyone. View Upcoming Events.

Become part of our vibrant community

With over 1,200 members strong, our community provides a valuable platform to connect with like-minded individuals, share experiences, and stay ahead of the curve in data protection. Subscribe today and receive weekly invites to future discussions. Request To Subscribe.

Don’t miss out! Tune in, join the conversation, and dive deeper into the world of data protection with Data Protection Made Easy.

Next week: Join Phil Brining and Support Desk Manager Laura Brentnall as they tackle the complexities of Freedom of Information (FOI) requests. Sign up for the “Freedom of Information – A Tool for Transparency” session on our events page: Click here.

AI & Its Impact On Privacy

Data Protection Made Easy: AI & Privacy

Did you miss our lively discussion on AI and Privacy? Don’t worry, we’ve got you covered!

On May 24th, the Data Protection Made Easy community hosted a captivating session exploring the potential risks and benefits of AI for data privacy. We were thrilled to welcome special guest Rebecca Balebako, a privacy engineer with experience at Google and the founder of Balebako Privacy Engineers.

Rebecca, along with our regular hosts Joe Kirk, Jasmine Harrison, and Philip Brining, delved into a thought-provoking conversation. Key topics included:

  • The Two Sides of the Coin: Exploring how AI can both enhance and threaten privacy in different scenarios.
  • Exploiting the Risks: Understanding how malicious actors could exploit AI to invade user privacy.
  • Building Secure Software: Strategies for organisations to develop AI and software with data privacy at the core.

Join the Conversation

Even if you couldn’t join the live session, you can still benefit from the valuable insights and expertise shared. Head over to the Spotify player embedded at the top of this page to listen to the full episode and gain a deeper understanding of AI and its impact on data privacy.

Become Part of the Community

Don’t miss out on future discussions! Subscribing to Data Protection Made Easy grants you access to:

  • Free Weekly Live Sessions: Participate in insightful discussions with industry experts like Rebecca Balebako.
  • Vibrant Community of 1,200+ Individuals: Network and connect with fellow data protection enthusiasts.
  • Flexible Participation: Choose individual sessions or subscribe for weekly invites.

Sign up today and take control of your data privacy journey!

Data Breach Drama

Data Breach Drama: Baby Reindeer and the Limits of Data Protection

During this week’s episode of the Data Protection Made Easy podcast our hosts got together to discuss the news of the week. One big talking point is the recent lawsuit against Netflix over the use of personal data. The smash-hit Netflix show Baby Reindeer raises critical questions for data protection professionals:

  • The Ethics of Storytelling: Where do we draw the line between artistic expression and exploiting real people’s lives?
  • The Power of the Audience: How does online speculation impact the privacy of those portrayed in fictional works, and how can we mitigate this risk?
  • The Future of Data Protection: How can data protection laws evolve to address the complexities of creative content in an increasingly digital world?

Unboxing a Legal Nightmare

Dive deep into this week’s episode where Phil Brining, Jasmine Harrison, and Joe Kirk dissect a case that throws data protection principles into question: the smash-hit Netflix series, Baby Reindeer. Marketed as based on a true story, the show has sparked outrage. Viewers, armed with the power of the internet, identified real-life people they believe inspired the show’s characters.

Behind the Reindeer’s Shadow

Baby Reindeer follows the (fictionalised) story of comedian Richard Gadd and his encounters with a stalker named Martha. The series gained notoriety for its dark portrayal of Martha’s actions, including stalking and assault. However, Fiona Harvey, the woman suspected to be the real-life Martha, vehemently denies the show’s accuracy. This is where things get personal – and legally complicated.

Data vs. Drama: Where Do We Draw the Line?

Harvey is suing Netflix and Gadd, claiming defamation and the exploitation of her personal data. This raises a fascinating question for data protection professionals: how do data protection regulations, designed to safeguard personal information, interact with the concept of artistic license?

Creative Freedom vs. Individual Rights: A Balancing Act

While data protection regulations exist to protect individuals’ privacy, creative works like Baby Reindeer enjoy some leeway. This concept, known as artistic license, allows creators to use real-life events and characters as inspiration for their work. However, data protection officers know it’s not a free pass. Significant alterations and fictionalisation might be necessary to protect individuals’ privacy and avoid defamation.

The Baby Reindeer Dilemma: Fact or Fiction?

The crux of the legal battle lies in how closely Baby Reindeer resembles reality. Did the series stray too far from artistic license by depicting specific events and portraying Harvey in such a negative light? This case pushes the boundaries of creative expression and individual rights.

The DPDI Bill and the Future

Beyond the exploration of Baby Reindeer and the Data Protection implications our hosts also discussed other topics on the Data Protection Made Easy podcast. Adding another layer to this drama is the ongoing revision of the Data Protection and Digital Information (DPDI) bill. This bill aims to strengthen data protection measures in the UK, and cases like Baby Reindeer highlight the need for clear guidelines at the intersection of creativity and data privacy.

Data protection officers, the time for debate is now! Share your thoughts on our company LinkedIn page. Let’s dissect this data protection drama and explore how we can ensure a future where creativity thrives alongside individual rights.

Remember, data protection isn’t just about regulations – it’s about protecting people. Let’s keep the conversation going and ensure the next episode of data protection isn’t a horror story!

If you would like to join us on future episodes of the Data Protection Made Easy podcast, click here.

The Data Protection Made Easy podcast now has over 150 episodes, each of which is available on Spotify. Click here and listen. 

Our Events & Webinars

Industry Leading Discussions

We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.

Upcoming events:

  • GDPR Radio – Episode 176: 28 June 24, 12:30 - 1:30 pm
  • Data Protection in the Non-Profit Sector: 21 June 24, 12:30 - 1:30 pm

Get Support With Data Protection And Cyber Security

Our mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.
