Myles Dacres


Marketing Manager

Myles Dacres is the Marketing Manager at Data Protection People. Over the past six years, he has led the organisation’s physical and digital presence, helping to strengthen the brand and grow what is now one of the UK’s largest data protection communities. He played a key role in the creation of the Data Protection Made Easy community and podcast, which has grown to more than 1,700 subscribers across the UK and beyond.

Get to Know Myles

Myles joined Data Protection People in 2020 and leads the organisation’s marketing strategy, brand development and community growth. His focus is on making data protection clearer, more practical and more accessible for organisations across the UK.

He drives the growth of the Data Protection Made Easy podcast and wider professional community, alongside sector events and AI led search initiatives. Through these platforms, he helps translate complex regulatory expectations into content that is engaging, understandable and relevant for both new and experienced practitioners.

Experience

Myles has built over five years of specialist B2B marketing experience within the data protection and cyber security sector. Beginning his career through a marketing apprenticeship at Data Protection People, he progressed into leading the organisation’s marketing function and shaping its long term growth strategy.

He has been instrumental in developing the Data Protection Made Easy community from the ground up, growing it into a network of more than 1,700 engaged professionals. This has been achieved through consistent podcast delivery, sector focused events, strategic collaborations and carefully structured thought leadership campaigns.

His expertise spans brand positioning, SEO, AEO and AI search visibility, campaign planning, event delivery, partnership marketing and PR strategy. He also oversees the creation of content that supports training, audit and consultancy services, ensuring that marketing activity aligns directly with operational objectives.

Working closely with senior leadership, Myles translates commercial goals into measurable marketing performance, embedding structure, data insight and long term thinking into every initiative.


“During my time at DPP, I have learned that community and brand are everything. I am fortunate to work with an incredible team that I have seen grow year after year, and I am proud to showcase the outstanding work they deliver every day.”

Myles Dacres
Marketing Manager

Myles's Posts

STAIRs Update for Housing Associations

STAIRs Update for Housing Associations: Key Dates and What Social Landlords Should Do Now

Housing associations across the UK have received a further update on the upcoming Social Tenants Access to Information Requirements (STAIRs). These requirements will introduce new expectations for how social landlords provide information to tenants about the management of their homes.

The National Housing Federation (NHF) recently shared an update outlining key timelines and confirming that further operational guidance is currently being developed to support the sector.

Although the requirements will not come fully into force for some time, housing providers are being encouraged to begin preparing now. Reviewing how information is organised, published and shared internally will help ensure a smoother transition once the rules become mandatory.

What Are the Social Tenants Access to Information Requirements (STAIRs)?

STAIRs is a regulatory initiative designed to improve transparency between social landlords and tenants. The requirements will ensure residents can more easily access information about how their homes are managed, including policies, performance information and organisational decisions that affect them.

For housing providers, this means developing clear processes for publishing information and responding to tenant information requests in a structured and consistent way.

Himanshi Gulati, Data Protection Consultant at Data Protection People, explains:

“STAIRs will likely require housing providers to review how information is organised, published and shared with tenants. Starting early on developing processes around information management, request handling and complaints could make the transition much smoother.”

Key STAIRs Dates Housing Providers Should Know

The latest update confirms two important milestones for social landlords preparing for STAIRs.

  • October 2026 – Housing associations will be required to proactively publish certain information for tenants.
  • April 2027 – Organisations must meet full requirements for responding to tenant information requests.

Although these deadlines may seem some distance away, housing providers should begin preparing early. Developing the right internal governance, publication processes and request-handling procedures can take time to implement effectively across an organisation.

Operational Guidance Being Developed for Housing Associations

To support implementation across the housing sector, the National Housing Federation has commissioned law firm Anthony Collins, working alongside a cross-sector group of housing providers, to produce practical operational guidance.

This guidance will help organisations understand how to implement STAIRs in practice and is expected to cover areas such as:

  • Creating and maintaining publication schemes
  • Managing tenant information requests
  • Handling complaints related to access to information
  • Embedding operational processes across housing organisations

The guidance is expected to be published on 20 April 2026.

Housing Ombudsman Consultation on STAIRs Complaints

Alongside the operational guidance, the Housing Ombudsman has launched a consultation exploring how complaints relating to STAIRs should be handled once the requirements come into force.

Housing associations are being invited to share their views on how these complaints processes should operate in practice. The consultation is open until 17 March 2026.

For organisations in the sector, this provides an opportunity to shape how future disputes around tenant information access may be managed.

How Housing Providers Can Start Preparing for STAIRs

While the final operational guidance is still to be published, there are several steps housing providers can start considering now:

  • Review how organisational information is stored and structured
  • Identify what information may need to be proactively published
  • Develop internal processes for responding to tenant information requests
  • Ensure complaints processes align with future transparency requirements

As regulatory expectations around governance and transparency continue to grow in the housing sector, STAIRs represents another important step in strengthening trust between landlords and tenants.

As Himanshi highlights:

“For tenants, the aim is clearer access to information about how their homes are managed. For landlords, it’s another reminder that good governance and transparency are becoming central expectations in the sector.”

And while publication schemes may not always be the most exciting documents to prepare, getting them right early could save organisations significant time and complexity later.

STAIRs Frequently Asked Questions

Following discussions with housing professionals across the sector, we have also published a dedicated resource answering common questions about STAIRs and how housing providers can prepare.

Read our STAIRs FAQs for housing providers here

Need Support Preparing for STAIRs?

Our team at Data Protection People regularly supports housing providers with governance frameworks, tenant information requests, and developing processes that align with evolving regulatory expectations.

If your organisation would like guidance on preparing for STAIRs or strengthening information governance processes, our team would be happy to help.

CCTV Redaction Services


At Data Protection People, we now provide a complete CCTV redaction service combining advanced AI powered redaction technology with expert human review from experienced data protection consultants.

This ensures organisations can disclose footage lawfully, protect the privacy of third parties, and respond to Subject Access Requests (SARs) with confidence.

Organisations across the UK are increasingly receiving Subject Access Requests that include CCTV footage. Responding to these requests can be complex because footage often contains multiple individuals whose personal data must be protected before disclosure.

Before footage can be shared, organisations must ensure that third party personal data is redacted. Without proper redaction, organisations risk unlawfully disclosing personal data.

Data Protection People now provide a complete CCTV redaction service designed to make this process fast, secure and compliant with the UK GDPR and Data Protection Act 2018.


Why CCTV Redaction is Necessary

Under the UK GDPR, individuals have the right to request access to their personal data. This includes images or recordings where they can be identified within CCTV footage.

However, CCTV recordings often capture other individuals. Organisations must therefore ensure that the privacy of third parties is protected before releasing footage.

Failure to properly redact CCTV footage can lead to:

  • Unlawful disclosure of personal data
  • Complaints to the Information Commissioner’s Office
  • Potential regulatory action
  • Damage to organisational reputation

Redacting CCTV manually can take many hours. Modern redaction technology allows organisations to respond to requests much faster while maintaining compliance.


AI Powered Video Redaction

Data Protection People utilise advanced redaction technology capable of automatically identifying personal data within video footage.

Using artificial intelligence, the platform can automatically detect and redact:

  • Faces of individuals
  • Vehicle number plates
  • Screens and digital displays
  • Text appearing in scenes such as house numbers or signage
  • Other identifiable visual information

This allows footage to be processed with over 99 percent detection accuracy, dramatically reducing the time required to prepare footage for disclosure.

In many cases, a 10 minute CCTV clip can be redacted in approximately 10 minutes, compared to hours using manual methods.


What Makes Our CCTV Redaction Service Different

Many redaction tools simply provide software. Data Protection People combine advanced technology with expert human oversight.

Our consultants specialise in Subject Access Requests and information rights law, ensuring that all disclosures are handled correctly.

This provides organisations with:

  • AI powered video redaction technology
  • Expert review from data protection specialists
  • Secure handling of sensitive footage
  • Confidence that footage is safe to disclose

This combination of automation and expert quality assurance ensures organisations remain compliant while responding quickly to requests.


Part of Our Complete SAR Support Service

Data Protection People are recognised as one of the UK’s leading consultancies supporting organisations with Subject Access Requests.

Our SAR Support Service helps organisations:

  • Manage and respond to complex SARs
  • Review large volumes of information
  • Apply lawful exemptions where appropriate
  • Prepare compliant responses
  • Reduce the operational burden of information requests

With the addition of CCTV redaction capabilities, we now provide a fully comprehensive service covering every type of personal data disclosure.


Types of Footage We Can Redact

Our technology and consultants can support with redaction across a wide range of visual data sources, including:

  • CCTV systems
  • Body worn cameras
  • Dash cameras
  • Mobile phone video recordings
  • Security camera systems
  • Incident recordings

This service is particularly valuable for organisations operating in sectors such as:

  • Housing
  • Retail
  • Healthcare
  • Education
  • Transport
  • Local government

Secure Processing and Chain of Custody

Handling video containing personal data requires strict security controls.

Our redaction platform maintains a secure chain of custody, ensuring organisations maintain full visibility over how footage is processed.

This includes:

  • Controlled access to video files
  • Secure processing environments
  • Traceable redaction actions
  • Secure storage and sharing

All processing is designed to align with the requirements of the UK GDPR and data protection best practice.


When Organisations Need CCTV Redaction

While CCTV redaction is most commonly required for Subject Access Requests, organisations may also require redaction when:

  • Sharing footage with regulators
  • Providing evidence to legal teams
  • Publishing footage publicly
  • Using footage for training or investigations
  • Responding to information rights requests

In all cases, organisations must ensure that third party personal data is protected before footage is disclosed.


Speak to Our SAR Specialists

If your organisation needs support responding to a Subject Access Request involving CCTV footage, our team can help.

Data Protection People combine expert data protection consultants with advanced redaction technology to ensure requests are handled quickly, securely and in full compliance with the law.

Speak to an expert today to discuss your CCTV redaction requirements.

STAIRs Readiness Assessment

STAIRs Readiness Assessment for Housing Providers

The upcoming Social Tenants Access to Information Requirements (STAIRs) will introduce new expectations for housing associations to improve transparency and make key information more accessible to residents.

From October 2026, housing providers will be expected to proactively publish specific organisational information for tenants. From April 2027, organisations will also need to respond to formal tenant requests for information about how their homes are managed.

For many housing providers, this represents a significant operational change. Publication schemes, internal processes, governance documentation, and tenant communication procedures may all need reviewing to ensure the organisation is ready.

To support housing associations through this transition, Data Protection People has developed a structured STAIRs Readiness Assessment designed specifically for the housing sector.

Supporting Housing Providers Through STAIRs

Our team works closely with housing associations across the UK to support transparency obligations, information governance, and tenant data rights.

Following a recent STAIRs event hosted in Leeds, we worked with housing professionals to explore how the requirements will impact organisations of different sizes and structures.

During the session, housing providers raised practical questions about publication schemes, tenant information access, and how internal teams should prepare for the new rules.

We have published a full resource covering those discussions which you can explore here:

Frequently Asked Questions – STAIRs

Building on this work, our consultants have developed a dedicated STAIRs Readiness Assessment to help organisations identify gaps and prepare their teams ahead of implementation.

What is a STAIRs Readiness Assessment?

The STAIRs Readiness Assessment is a structured review designed to help housing associations understand how prepared they are for the upcoming transparency requirements.

The assessment examines your organisation’s current policies, governance documentation, information management processes, and tenant communication practices.

By the end of the process, you will have a clear understanding of:

  • Where your current processes align with STAIRs expectations
  • Where potential compliance gaps exist
  • What actions should be prioritised before the 2026 and 2027 implementation dates
  • How tenant information requests may be managed in practice

This ensures your organisation can begin preparing early, rather than reacting once the requirements become mandatory.

Our Three Phase STAIRs Readiness Process

Phase 1 – Policy and Documentation Review

A specialist consultant will review your existing documentation related to transparency, governance, and information handling.

This includes policies, procedures, and any information currently published for tenants.

The goal of this phase is to identify potential gaps between your current practices and the expected STAIRs publication requirements. This may include areas such as governance documentation, organisational performance reporting, and housing management information that tenants may expect to access.

The review also considers how your existing transparency documentation aligns with the proposed Publication Scheme approach expected under STAIRs.

Phase 2 – Leadership Interviews

We will conduct structured discussions with key leaders within the organisation.

This typically includes teams responsible for:

  • Housing operations
  • Compliance and governance
  • Communications and tenant engagement
  • Information governance and data protection

The purpose of these interviews is to understand how information about tenant services, policies, decisions, and organisational performance is currently managed and shared.

We also assess how easily this information could be provided if tenants submit requests once STAIRs is fully implemented.

Phase 3 – Reporting and Recommendations

Following the assessment, you will receive a comprehensive summary report outlining the findings.

This report highlights:

  • Priority actions to prepare for STAIRs compliance
  • Potential risks linked to transparency and information access
  • Recommendations for proactive publication of tenant information
  • Guidance on managing tenant information requests
  • A breakdown of how remediation activities can be implemented

The final report provides your leadership team with a clear roadmap for preparing the organisation before the new requirements come into effect.

Why Housing Providers Should Start Preparing Now

Although STAIRs requirements will not fully come into force until 2026 and 2027, the changes may require significant organisational preparation.

Housing providers may need to review publication processes, governance transparency, tenant communication channels, and internal procedures for responding to information requests.

Early preparation allows organisations to:

  • Reduce compliance risk
  • Improve transparency with residents
  • Align governance and communication processes
  • Prepare staff for new tenant information access expectations

By identifying potential gaps early, housing providers can introduce improvements gradually rather than under regulatory pressure.

Speak to Our Housing Sector Team

Our consultants regularly support housing associations with information governance, transparency requirements, and tenant data rights.

If you would like to explore how the STAIRs Readiness Assessment could support your organisation, our team would be happy to discuss the process and what preparation may look like for your housing provider.

You can also explore our sector resources and STAIRs guidance through the article below: STAIRs Update for Housing Providers


ICO Guidance on the DUA

ICO Guidance on the Data (Use and Access) Act (DUA): What You Need to Know

The Information Commissioner’s Office (ICO) has released guidance on handling data protection complaints in line with the requirements from the Data (Use and Access) Act (DUAA) which are set to come into force on 19 June 2026.

Whilst most of the reforms brought about by Part 5 of the DUAA took effect on February 5, organisations have longer to prepare for the complaint requirements and the ICO’s guidance supports organisations on achieving best practice ahead of time.

What does the DUAA change regarding data protection complaints?

Whilst the ICO has previously expected organisations to address data protection complaints received from individuals, this has not been backed up by any legal obligation.

Following the changes under the DUAA, individuals now have the legal right to submit a complaint to an organisation about the handling of their personal data and organisations must implement processes and procedures to facilitate this.

What are the key requirements for handling data protection complaints in line with the DUAA and ICO guidance?

The ICO’s latest guidance outlines the following key steps organisations must take to meet the complaint requirements under the DUAA:

  • Provide individuals with a way of making data protection complaints;
  • Acknowledge data protection complaints within 30 days of receipt;
  • Take appropriate steps to respond to complaints without undue delay, including making appropriate enquiries and keeping complainants informed; and
  • Provide people with complaint outcomes without undue delay.

For organisations with existing complaints procedures, only minor changes are likely needed to reflect the DUAA requirements, but organisations lacking an established complaints process will now be expected to implement a substantive procedure.

This article highlights the key areas of focus for organisations in preparation for the DUAA complaints provisions coming into force and summarises recommendations for best practice based on the ICO’s guidance.

What constitutes a data protection complaint?

Not every complaint that is linked to data protection matters constitutes a data protection complaint. Where an individual complains about an organisation’s services or other matters whilst also exercising data protection rights this does not count, e.g. an employee raises a grievance and at the same time makes a subject access request.

The ICO’s guidance clarifies that data protection complaints arise where an individual complains specifically about an organisation’s handling of their personal data, whether this be about the handling of a subject access request (SAR) or quality of data security.

As with other personal data rights requests, individuals do not have to use legal terms or quote the legislation to make a data protection complaint. Where unsure if an individual is making a data protection complaint, organisations should seek clarification.

What must we do to prepare for handling data protection complaints?

Give people a way to make complaints

The starting point is to ensure that your organisation gives people a way to raise a data protection complaint. The ICO’s guidance allows organisations flexibility to choose which channels are most appropriate, whether through a complaint form, email address, telephone number, online portal, live chat facility or in person (if operating offline).

There is no requirement to set up a separate tool for receiving data protection complaints and organisations can rely on existing complaints channels and adapt these to include data protection complaints. As per the ICO’s SAR guidance, individuals are not obliged to follow the set process and can complain using any method of their choice. Nonetheless having a set complaints process is important for accountability.

Organisations with online presence should also consider how to handle complaints received through social media and bear in mind that liaising with complainants through social media is not secure and an alternative contact method should be sought.

Those within the scope of the ICO’s Age Appropriate Design Code should satisfy the requirements for handling complaints from children outlined at standard 15 of the Code, ensuring children can easily make and escalate complaints.

Inform people of their right to complain

Organisations are already required to inform individuals of their right to submit a complaint to the Information Commissioner at the point of collection of their personal data through a privacy notice and also when responding to SARs.

Following the DUAA, organisations must now also inform individuals of their right to make a data protection complaint to the organisation itself. Organisations should update privacy notices accordingly to inform data subjects of their right to complain and the organisation’s complaints process including a contact point.

Those processing personal data for law enforcement purposes must also inform individuals of their right to complain at other junctures, including when refusing other rights requests.

Implement a complaints procedure

The ICO’s guidance makes clear that for best practice, organisations should implement a complaints procedure if they do not already have one. It should use plain language (avoid legal jargon), be published online and be made available to individuals at the earliest opportunity to ensure they are aware of how to raise complaints.

It is recommended that a written process includes the set method for receiving complaints; the supporting evidence needed to investigate; the proof of ID and third-party authority accepted as well as information on communicating timescales (acknowledgement within 30 days), updates and outcomes.

Whilst it is acceptable to integrate data protection complaints into overarching complaints procedures and a standalone process is not required, organisations must ensure outcomes are issued on data protection complaints without undue delay. So, when responding as part of a wider complaint connected to other issues, if able to provide an outcome on the data protection aspect sooner, you must do so.

Review record keeping and training

Guidance on record keeping reiterates not only the importance of having up to date, clearly organised and labelled systems so information can be found quickly and effectively, but also to provide evidence of the following:

  • Date complaints were received
  • Acknowledgements sent
  • Relevant conversations and documents
  • Complaint outcomes
  • Actions taken as a result

Not only does strong record keeping support compliance with the Art.5(2) UK GDPR Accountability principle by demonstrating compliance should the ICO or other industry bodies investigate, it is also beneficial for identifying recurring trends and underlying compliance issues.

In terms of training, all staff should as part of their overall data protection training be brought up to speed on recognising data protection complaints and knowing where to direct complaints internally when received.

Review Joint Controller and Processor arrangements

For Joint Controllers, emphasis is on having transparent arrangements in place given the timescale starts as soon as the complaint is received by a Controller so all parties must be clear on what to do, including in terms of:

  • whether to have a central point of contact for complaints,
  • how to inform people of where to complain and
  • responsibilities for investigating complaints and liaising with complainants.

Controller-Processor data processing agreements should cover arrangements for handling data protection complaints. The typical role of Processors remains to provide assistance, including on complaint investigations and by supplying relevant information, with Controllers retaining the obligation for complaint handling.

How do we ensure best practice in the end-to-end process?

Acknowledging the complaint

You must acknowledge receipt of a data protection complaint within 30 days and the ICO’s guidance clarifies that an auto-acknowledgement will suffice.

This timeframe begins the day after the complaint is received, even if this falls on a weekend or public holiday. However, if the last day to acknowledge falls on a weekend or public holiday, you have until the next working day.

A practical approach is emphasised: for instance, there is no need to provide an acknowledgement and outcome separately if you are able to provide a complaint outcome within 30 days, and if you are contacting the complainant to ask for proof of ID, an additional acknowledgement is not needed.

The same complainant ID and third-party authority verification protocols apply as for other personal data rights requests, meaning you should:

  • seek proof of ID at the earliest opportunity if in doubt
  • not request further evidence if already in possession of sufficient information
  • verify third party authority by requesting power of attorney or a signed letter of authority from the complainant they are acting on behalf of; and
  • abstain from investigating the complaint until valid authority is received.

Conducting the investigation

Organisations must make enquiries into data protection complaints without undue delay, starting from when the complaint is received and not after the 30 day acknowledgement period ends.

This process generally involves fact finding, speaking to relevant staff, comparing the complaint information with that held and checking if organisational standards were upheld, and the ICO’s guidance recommends asking the complainant for more information if necessary as well as managing their expectations.

The ICO’s guidance recognises that complaints will vary in complexity, scale and harm, meaning a blanket timeframe for resolving complaints is not expected. Instead, focus should be on the specific circumstances of the complaint (and your organisation) and making reasonable and proportionate enquiries based on this.

Providing updates and outcomes

Giving timely progress updates to complainants is emphasised in the ICO’s guidance, with the priority on explaining timeframes for resolution and any expected delays.

As with investigating complaints, outcomes must also be issued without undue delay, which according to the guidance means ‘without an unjustifiable or excessive delay.’ Outcomes should include explanation of steps taken to resolve the complaint and actions taken as a result, and where you think you have complied with data protection law this should be explained in detail.

An internal review process for complainants unhappy with the outcome is recommended. It is also best practice to inform individuals of their right to complain to the ICO, which they have the right to do at any point notwithstanding any internal review process.

Conclusion

The complaints requirements introduced by the DUAA can be viewed as formalising what the ICO has long expected from organisations in terms of addressing data protection complaints. The standards emphasised in the ICO’s latest guidance on complaints largely mirror those expected when handling other personal data rights requests.

Indeed, the ICO will be aiming for a reduction in the number of complaints brought to it following the DUAA changes. The regulator has an established policy of diverting complaints to organisations in the first instance where the issue has not previously been raised with the organisation directly, and it now has a legal basis for doing so.

This latest guidance also coincides with the ICO’s publication of its complaint handling framework which is centred on prioritising high-value cases where the ICO can have the most significant impact, an objective more realisable if less time can be spent on lower impact matters and those where internal complaints procedures have not been utilised.

Moving forward, organisations can expect to be held to a higher standard in terms of complaint handling. Not having formal procedures in place will amount to a breach of the DPA, may trigger complaints from data subjects and will be looked on with greater scrutiny by the ICO.

Implementing a formalised end-to-end data protection complaints procedure ensures best practice and will be looked on far more favourably by the ICO should any concerns be raised or investigations initiated. Data Protection People has already supported many organisations in this regard. If your organisation requires assistance in this area, please reach out to us.

How Can Staff Training Prevent GDPR Compliance Failure?

GDPR compliance failure can have a huge impact on your business. It could lead to data breaches, fines and regulatory action. Not to mention the effect it might have on your reputation. 

Compliance failure can be easily prevented through robust staff training. In this article, we’ll discuss why staff training needs to be your business’s front line of defence and how it reduces the risk of non-compliance. 

How Does Training Prevent Common GDPR Compliance Failures?

Policies alone are not enough to ensure compliance. Without staff understanding, you are leaving your organisation vulnerable. GDPR training is the best way to make sure all of your employees have the understanding they need to help protect your business against non-compliance, data breaches and enforcement action from regulatory bodies. 

How Does GDPR Training Improve Breach Detection and Reporting?

Effective GDPR training raises awareness of what data breaches are, how to recognise them and what to do when they occur. From phishing attacks to misdirected emails and insecure data sharing, training reduces the likelihood of a data breach happening in the first place and encourages early internal reporting. It also reduces regulatory risk through a timely incident response.

How Does GDPR Training Reduce Personal Data Misuse?

Your business probably handles personal data in one way or another. But do your staff recognise what personal data is, and what they’re allowed to do with it? GDPR training clarifies what lawful bases the business has for handling personal data, and what the limits of use are. 

It prevents function creep and unauthorised processing (like using existing data for marketing unrelated products or using fire security sign-in data to track employee attendance), reinforcing data minimisation in everyday tasks. 

How Does GDPR Training Support Data Subject Rights Requests?

Along with personal data handling comes Data Subject Access Requests (SARs). Through GDPR training, your staff will understand what access, erasure or rectification requests actually look like, and how to handle them. 

They’ll be able to prevent non-compliance through missed deadlines or unlawful refusals. Proper training will ensure that they handle SARs properly, rather than simply improvising because they don’t know any better. 

How Does Training Improve GDPR Decision-Making?

One of the most important ways that effective GDPR training prevents non-compliance is by equipping staff to apply GDPR principles consistently. 

Ensuring that all staff are trained, preferably in a practical, scenario-based way, leaves them empowered and confident in how their roles contribute to your organisation’s compliance.

Why is Ongoing GDPR Training Best?

Ongoing training, rather than a one-off session, is best because it ensures your staff stay up to date with the latest regulations, threats, and system or policy changes. It also means that any new staff are as compliant as older ones. 

The benefits of ongoing refresher training include fewer incidents, stronger audit evidence and improved customer trust. Robust GDPR training is both a tool for compliance and business resilience – it shouldn’t be a box-ticking exercise. 

Train Your Staff With Data Protection People

GDPR compliance failure is preventable, and proper training should be the first line of defence. At Data Protection People, we provide bespoke data protection training that’s created and delivered by a team of experts. With us, your team can learn remotely, in-person or via e-learning with CPD-accredited courses that genuinely reduce the risk of non-compliance. 

Book your GDPR training with us today.   

 

Reddit fined for children’s privacy failures 

Reddit issued with £14.47m fine for children’s privacy failures 

Last week the UK Information Commissioner’s Office (ICO) fined Reddit £14.47 million for unlawfully processing children’s personal data. And the problem here was that children under 13 were able to use the platform for years while Reddit relied mainly on users simply ticking a box to confirm their age. The ICO investigation found two core failures: 

 As a result, children under 13 had their personal data processed without a lawful basis and were potentially exposed to content they should never have seen. 

What happened?  

Reddit’s terms of service have long stated that children under 13 cannot use the platform. However, until July 2025, Reddit did not have meaningful measures in place to check users’ ages; people could open an account by declaring their age themselves. The ICO found that large numbers of under-13s were likely using the platform during this period, meaning their personal data was being processed without a lawful basis. 

 Even more concerning was the lack of early risk assessment: Reddit had not carried out a Data Protection Impact Assessment looking properly at risks to children until 2025 – despite allowing teenagers aged 13–17 to use the service.  

 According to the ICO, this meant children’s data was collected and used in ways they could not reasonably understand or control, potentially exposing them to harmful or inappropriate content. 

Reddit has since introduced age assurance measures, including checks for access to mature content, but the ICO has made it clear that these changes came late and remain under review.

This is a great example for us to consider around age verification mechanisms. For ages, much of the internet relied on the self-declaration method: “please confirm you are over 13”. It seems reasonable enough to say that everyone (children, parents and organisations) was aware of how easy this was to bypass… and the big problem was enforcement, which was slow to intervene – many organisations convinced themselves that putting age limits in terms and conditions was enough and that self-declaration was sufficient.

On this, the ICO’s message is clear: relying mainly on users to declare their own age is not acceptable where children are likely to access a service – and this should go beyond social media: gaming platforms, forums, apps and online communities.

Age verification 

I had the chance to explore this topic within my research for my thesis dissertation and I can easily say that one of the challenges organisations face is that stronger age checks can appear to conflict with data protection principles – for example, uploading passports to join an online community is excessive and this would come with its own risks. This is why I find the approach discussed by the Irish Data Protection Commission particularly helpful: rather than pushing one technical solution, it focuses on proportionate, risk-based age assurance: the higher the risk to children, the stronger the assurance needed.

Not every service needs the same level of verification, but every organisation should be able to explain what risks to children exist, how likely access by children is and why the chosen safeguards are appropriate.  

 The ICO made it clear that it is now actively focusing on platforms that primarily rely on self-declaration – which means that Reddit is unlikely to be the last case… 

Conclusion and takeaway 

I actually welcome this decision; not because fines are the main goal (as they rarely solve problems on their own, particularly for these big companies) but because the clarity that they bring helps organisations move forward and to think about their own practices.  

 I think that for too long, there has been uncertainty around how far companies needed to go when it came to age checks and, at the same time, regulators and industry need to work together to avoid turning age assurance into mass identification or unnecessary data collection.  

 Links:  

https://cy.ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/02/reddit-issued-with-1447m-fine-for-children-s-privacy-failures/  

https://www.theguardian.com/technology/2026/feb/24/reddit-fined-uk-children-under-13-data 

https://www.dataprotection.ie/en/dpc-guidance/fundamentals-child-oriented-approach-data-processing  

Data Protection in the Sporting Industry

Professional sport is built on performance, trust and loyalty, both on and off the field. Behind the scenes, however, modern sporting organisations are responsible for managing significant volumes of personal data belonging to players, staff, supporters, partners and wider communities. From ticketing systems and membership databases to athlete performance analytics and safeguarding records, the scope of personal data processed across the sporting sector continues to grow year on year.

In my role as Sales Team Leader at Data Protection People, and as someone with a genuine passion for professional sport, I have had the opportunity to work alongside specialist consultants to support organisations across the sector in strengthening their approach to data protection. Over the past few years, we have worked with an impressive portfolio of clients including Leeds United, England Netball, the RFU, Formula One affiliated organisations, and sports software providers such as Goodform.

Through these engagements, a number of consistent trends have emerged.

Increasing Volumes of Personal Data

Sporting organisations are now operating in highly digitised environments. Matchday ticketing, fan engagement platforms, biometric athlete monitoring, media accreditation, safeguarding responsibilities and commercial partnerships all rely on the collection and processing of personal data.

For many organisations, this has resulted in a shift from relatively simple data processing activities to far more complex ecosystems involving:

  • Third party ticketing providers
  • Performance analytics platforms
  • Medical and rehabilitation records
  • Recruitment and scouting databases
  • Sponsorship and commercial partner integrations
  • Community engagement and grassroots initiatives

With this increased complexity comes increased responsibility, particularly where sensitive or special category data is concerned.

Lessons from Recent Incidents

Over the last 12 months, the UK football landscape has seen a number of high profile cyber and data related incidents that demonstrate the risks facing sporting organisations.

Clubs across both the Premier League and English Football League have reported attempted phishing campaigns targeting staff email accounts, with attackers seeking access to internal communications and commercially sensitive information. In several cases, compromised credentials have resulted in unauthorised access to systems containing player and staff data.

Elsewhere, vulnerabilities within third party platforms used for fan engagement and online ticketing have exposed personal details including names, email addresses and purchase histories. While not always resulting in confirmed breaches, these incidents highlight the potential risks to supporters and the reputational impact that can follow.

For data subjects, these types of events can increase the risk of identity theft, targeted scams and misuse of personal information. For organisations, they reinforce the need for clear governance, supplier due diligence and robust internal processes.

The Rise of Outsourced DPO Support

One of the most common requirements we are seeing across the sporting sector is the need for independent oversight through an Outsourced Data Protection Officer.

Many clubs and governing bodies simply do not have the internal resource or specialist expertise to manage compliance obligations effectively alongside their operational priorities. An Outsourced DPO provides:

  • Independent advice on regulatory responsibilities
  • Support with Data Protection Impact Assessments
  • Guidance on data subject rights requests
  • Oversight of internal policies and procedures
  • Incident response and breach management support
  • Ongoing staff awareness and training

Importantly, this support helps organisations move from reactive compliance to a more structured and proactive approach.

Specialist Support for the Sector

I work closely with our specialist consultant, Oluwagbenga Onojobi, an ex-barrister with a law degree and a particular interest in supporting organisations within the sporting industry. While he is an avid Arsenal supporter, his focus remains firmly on helping clubs, governing bodies and commercial partners across the sector to meet their regulatory obligations and embed best practice.

Together, we support sporting organisations across a range of services including:

Our aim is to help organisations continue to innovate and engage with their supporters, athletes and partners without compromising the security and integrity of the personal data they are entrusted with.

Looking Ahead

As the sporting sector continues to embrace digital transformation, data protection will remain a critical component of organisational resilience. Whether managing supporter databases, safeguarding information or athlete performance data, clubs and governing bodies must ensure that compliance keeps pace with innovation.

At Data Protection People, we are proud to support organisations across the sporting landscape in navigating these challenges and building sustainable compliance frameworks that protect both their operations and the individuals they serve.

By Jordan Joseph-Kerrigan, Sales Team Leader, Data Protection People

Insider Threats Are Becoming a Reality

Why Insider Threats Are Becoming a UK Healthcare Reality

A recent case reported by ITV has brought renewed attention to one of the most difficult data protection challenges facing healthcare providers today: unauthorised internal access to patient records.

According to reports, a medical practitioner is alleged to have accessed confidential patient data over a period of six years without the knowledge or consent of the data controller. The case is currently progressing through the courts, but it has already raised significant concerns around how healthcare organisations manage access to some of the most sensitive personal data in existence.

For many organisations across the UK, this will feel alarmingly familiar.

At Data Protection People, we do not see this as an isolated incident. It reflects a growing pattern we are seeing within health and social care environments, where personal data is not always accessed maliciously from the outside, but instead by individuals who already have legitimate system permissions.

Healthcare Data Is a High Value Target

Health records fall within special category data under UK GDPR. This includes information relating to an individual’s physical or mental health, treatment history, medications, diagnoses, and other deeply personal details.

When accessed inappropriately, this information can be exploited for financial gain, identity theft, insurance fraud, or even social engineering attacks. In some cases, it can also lead to reputational damage, blackmail, or discrimination.

This is why healthcare breaches often carry some of the highest regulatory penalties and present the greatest risk to individuals.

Not All Breaches Are Caused by Hackers

In ITV’s coverage of the incident, our Data Protection Expert, Caine Glancy, was asked to comment on what may be driving the increase in these types of events.

He explained:

“People are seeing the significance and the impact data being breached out into the world seems to have had. I think it’s also because data protection is not something that’s being considered for all businesses as strictly as it should. At the moment, a lot of compliance with data protection seems to be more of a superficial statement for a lot of organisations.”

This highlights a key issue.

Many organisations focus heavily on external threats such as phishing attacks, ransomware, or system vulnerabilities. While these risks are very real, they often overlook the fact that inappropriate internal access remains one of the most common causes of personal data breaches.

Employees, contractors, students, and temporary staff may all have legitimate access to systems as part of their role. Without the right controls in place, this access can be misused, whether intentionally or otherwise.

Why Insider Access Is So Difficult to Control

Healthcare environments are built on trust, and access to information is often essential for delivering timely patient care. However, this creates a tension between operational efficiency and data protection compliance.

We frequently support organisations that:

  • Have shared login credentials across departments
  • Provide blanket access to entire patient databases
  • Lack audit trails to monitor who accessed what and when
  • Do not regularly review user permissions
  • Rely on annual training alone to drive compliance

In fast-paced clinical environments, access controls are sometimes viewed as a barrier to care delivery rather than a safeguard against harm.

However, without appropriate role-based access controls, monitoring, and behavioural training, organisations may be unable to detect misuse until significant damage has already occurred.

What Organisations Should Be Doing Now

Cases such as this serve as a reminder that technical compliance alone is not enough.

Healthcare providers should ensure they have:

  • Clear access management processes aligned to job roles
  • Multi-factor authentication for all systems containing patient data
  • Regular reviews of user permissions
  • System logging and monitoring to identify unusual access patterns
  • Targeted training programmes focused on real-world risks
  • A documented incident response process for data breaches

Many of these measures are already required under the UK GDPR’s security principle, yet they are often implemented inconsistently in practice.
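One way to act on the audit-trail and monitoring points above, shown as an added example rather than code from Data Protection People or any particular clinical system: a Python check that reads a record-access audit trail and flags accounts that look shared and users viewing records outside their caseload. The log format, account names, caseload mapping and thresholds are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: who accessed which record, when, and from where.
AUDIT_LOG = """timestamp,user,workstation,patient_id
2025-03-03T09:02:00,dr_patel,WS-CARDIO-01,P1001
2025-03-03T09:15:00,dr_patel,WS-CARDIO-01,P1002
2025-03-03T09:17:00,reception,WS-FRONT-01,P1003
2025-03-03T09:19:00,reception,WS-WARD-07,P1004
2025-03-03T22:40:00,nurse_lee,WS-WARD-07,P2001
2025-03-03T22:41:00,nurse_lee,WS-WARD-07,P2002
2025-03-03T22:42:00,nurse_lee,WS-WARD-07,P2003
2025-03-03T22:43:00,nurse_lee,WS-WARD-07,P1001
"""

# Constructed caseload: patients each account has a documented care relationship with.
CASELOAD = {
    "dr_patel": {"P1001", "P1002"},
    "nurse_lee": {"P1001"},
    "reception": {"P1003", "P1004"},
}

SHARED_LOGIN_WINDOW = timedelta(minutes=5)  # assumed: too short to move between workstations
MAX_OFF_CASELOAD = 2                        # assumed: tolerated off-caseload views per user per day


def load_events(text):
    """Parse the CSV audit trail into time-ordered events."""
    rows = csv.DictReader(io.StringIO(text))
    events = [dict(r, timestamp=datetime.fromisoformat(r["timestamp"])) for r in rows]
    return sorted(events, key=lambda e: e["timestamp"])


def shared_login_suspects(events):
    """Accounts seen on two different workstations within SHARED_LOGIN_WINDOW."""
    last_seen, suspects = {}, set()
    for e in events:
        prev = last_seen.get(e["user"])
        if (prev and prev["workstation"] != e["workstation"]
                and e["timestamp"] - prev["timestamp"] <= SHARED_LOGIN_WINDOW):
            suspects.add(e["user"])
        last_seen[e["user"]] = e
    return suspects


def off_caseload_access(events, caseload):
    """Per (user, day): records viewed without a care relationship, above the tolerance."""
    hits = defaultdict(set)
    for e in events:
        if e["patient_id"] not in caseload.get(e["user"], set()):
            hits[(e["user"], e["timestamp"].date().isoformat())].add(e["patient_id"])
    return {k: sorted(v) for k, v in hits.items() if len(v) > MAX_OFF_CASELOAD}


if __name__ == "__main__":
    events = load_events(AUDIT_LOG)
    print("Possible shared credentials:", sorted(shared_login_suspects(events)))
    for (user, day), patients in off_caseload_access(events, CASELOAD).items():
        print(f"{user} viewed {len(patients)} off-caseload records on {day}: {patients}")
```

Neither check works without per-user logins and a log that records the workstation and record identifier for every view, which is why shared credentials and missing audit trails appear first in the list of weaknesses above.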

A Growing Trend Across the UK

With over 200 episodes of the Data Protection Made Easy podcast and a community of more than 1,700 data protection professionals, we regularly hear from organisations facing similar challenges.

The reality is that insider threats are rarely discussed publicly, but they are one of the most frequent issues raised during audits, SAR support work, and outsourced DPO engagements.

As this case demonstrates, organisations must move beyond treating data protection as a policy exercise and begin embedding it into day to day working practices.

Need Support Managing Access to Sensitive Data?

If your organisation handles special category data and you are unsure who currently has access to what, or whether your monitoring controls would detect inappropriate use, it may be time to review your approach.

Our team supports healthcare providers across the UK with access management reviews, breach response planning, and ongoing compliance support designed to reduce the likelihood of incidents such as this occurring in the first place.