Myles Dacres

Myles Dacres

Marketing Manager

Myles Dacres is the Marketing Manager at Data Protection People. Over the past six years, he has led the organisation’s physical and digital presence, helping to strengthen the brand and grow what is now one of the UK’s largest data protection communities. He played a key role in the creation of the Data Protection Made Easy community and podcast, which has grown to more than 1,700 subscribers across the UK and beyond.

Get to Know Myles

Myles joined Data Protection People in 2020 and leads the organisation’s marketing strategy, brand development and community growth. His focus is on making data protection clearer, more practical and more accessible for organisations across the UK.

He drives the growth of the Data Protection Made Easy podcast and wider professional community, alongside sector events and AI led search initiatives. Through these platforms, he helps translate complex regulatory expectations into content that is engaging, understandable and relevant for both new and experienced practitioners.

Experience

Myles has built over five years of specialist B2B marketing experience within the data protection and cyber security sector. Beginning his career through a marketing apprenticeship at Data Protection People, he progressed into leading the organisation’s marketing function and shaping its long term growth strategy.

He has been instrumental in developing the Data Protection Made Easy community from the ground up, growing it into a network of more than 1,700 engaged professionals. This has been achieved through consistent podcast delivery, sector focused events, strategic collaborations and carefully structured thought leadership campaigns.

His expertise spans brand positioning, SEO, AEO and AI search visibility, campaign planning, event delivery, partnership marketing and PR strategy. He also oversees the creation of content that supports training, audit and consultancy services, ensuring that marketing activity aligns directly with operational objectives.

Working closely with senior leadership, Myles translates commercial goals into measurable marketing performance, embedding structure, data insight and long term thinking into every initiative.

Myles Dacres

“During my time at DPP, I have learned that community and brand are everything. I am fortunate to work with an incredible team that I have seen grow year after year, and I am proud to showcase the outstanding work they deliver every day.”

Myles Dacres
Marketing Manager

Myles's Posts

The Rise of AI in Payment Fraud and Cybersecurity

The Rise of AI in Payment Fraud and Cybersecurity

Artificial intelligence and machine learning are increasingly influencing how security operates on both sides of the fence. Organisations are using them to spot unusual activity more quickly and with more precision. Attackers are using them to run phishing campaigns, impersonate people convincingly, and scale fraud operations that would have required whole teams just a few years ago.

The uncomfortable truth is that both sides are using the same technology and are getting better at it. Attackers do not follow scripts. They adapt in real time, blend into normal-looking traffic, and automate the trial and error that used to slow them down.

The Attacker’s Advantage

AI has lowered the barrier to sophisticated attacks considerably. Credential harvesting, social engineering, synthetic identity fraud, and card testing are not new threats, but AI makes them faster, more targeted, and harder to distinguish from legitimate activity.

A phishing email that once took hours to craft can now be personalised and sent at scale. In some emerging cases, attackers are experimenting with automation that adjusts payloads or lures based on defensive responses.

In the AI Risk and Resilience Special Report published across 2025–2026, Mandiant observed that threat actors are moving beyond experimental use of generative AI and increasingly operationalising AI across the attack lifecycle.

The report highlights a shift toward more automated and adaptive techniques, where AI is used to support reconnaissance, phishing, and malware development at scale, reducing how much human effort is needed to run and evolve campaigns.

AI as a Defensive Capability

The same shift is happening on the defensive side, often quietly. Many of the fraud platforms, identity tools, and monitoring systems organisations already rely on have machine learning built in, sometimes without it being particularly visible or labelled as such.

These systems work by processing large volumes of transaction data, authentication logs, and behavioural signals to spot patterns that do not fit. Rather than flagging individual events in isolation, they correlate activity across users, devices, and systems.

This is how organisations can catch things like account takeover attempts or card testing activity that might look unremarkable on their own. In complex payment environments with heavy API traffic and distributed infrastructure, that kind of correlation is genuinely difficult to do without automation.

Compliance Pressure and the AI Gap

PCI DSS v4.x represents a meaningful shift in how organisations are expected to approach security compliance. Rather than functioning as a purely prescriptive checklist, the standard now places greater emphasis on achieving defined security outcomes.

This change introduces two methods for meeting requirements: the traditional Defined Approach, which follows the familiar step-by-step control structure, and a more flexible Customized Approach, which allows organisations to design controls that fit their specific environment, provided they can demonstrate, through testing and risk analysis, that the requirement objective is met.

That second option is where the real mindset changes sit. PCI DSS v4.x is less concerned with the technology used to implement a control and more concerned with whether the implemented control is effective in meeting the security objectives.

This creates space for organisations to move away from rigid, one-size-fits-all implementations and adopt more modern, risk-driven security designs. As long as the intent of a requirement is met, organisations have more flexibility to tailor their control architecture to their operational reality.

While the standard does not explicitly require AI or machine learning, it does expect organisations to have proper logging, monitoring, and processes in place to detect and respond to suspicious or unusual activity.

In practice, many teams achieve this using existing security tooling such as SIEM platforms, behavioural monitoring approaches, and automated log analysis. Some organisations also use capabilities like User and Entity Behaviour Analytics to improve visibility and scale detection across large, complex environments.

However, passing a compliance audit and actually being secure remain two different things. Organisations can satisfy every requirement and still carry blind spots in detection and response that only surface when something goes wrong.

Business email compromise illustrates this well. Controls exist for it, including awareness training, email filtering, and access restrictions. Attackers know those controls exist and design around them.

According to the Microsoft Threat Intelligence findings in the Microsoft Digital Defense Report 2024, threat actors involved in business email compromise continuously adapt their techniques, messaging, and supporting infrastructure in response to detection and defensive controls.

The campaigns persist not because controls are missing, but because attackers adapt to them more quickly than many defences do.

This is precisely what PCI DSS v4.x is responding to. The emphasis has shifted from whether controls are present at a point in time to whether they continue to work effectively under real-world conditions.

That distinction pushes organisations toward continuous validation rather than snapshot assessments, and it raises a governance question that cannot be sidestepped.

As behavioural analytics and AI-assisted tools take on more of the detection and response work, organisations must still be able to demonstrate how alerts are generated, how the system is tuned over time, how false positives and negatives are managed, and how the whole thing maps back to a specific requirement intent.

The flexibility that PCI DSS v4.x offers comes with heavier responsibility to document, justify, and evidence that whatever solution is in place, whether traditional or AI-enhanced, is genuinely doing its job. Saying “we use AI” is not an answer an auditor will accept.

The Future: AI Agents in Security Operations

We are at the beginning of the next phase of AI in security operations, and it is agentic. Rather than systems that simply detect and alert, agentic AI is designed to investigate, correlating signals across endpoints, identity, network, and application layers, then assembling a coherent view of activity for analyst review.

Across enterprise security platforms, AI-driven workflows are increasingly being embedded into investigation and incident triage workflows, with some extending into guided remediation. The direction is clear and the pace of adoption is accelerating.

The meaningful change is not detection itself but speed. Investigation cycles that previously took hours are being compressed significantly, reducing the window between when an attack begins and when someone understands what is happening.

In payment environments, where delayed detection can mean mass cardholder data exposure, that matters enormously. Security controls are increasingly built into operational workflows, where automation does not just flag issues but helps investigate them.

This shifts the analyst’s role away from constant alert monitoring and toward validating findings and making decisions.

What It All Comes Down To

AI systems are only as good as the threat models and data behind them. As both attackers and defenders lean harder into AI, security outcomes depend less on what tools an organisation has purchased and more on how quickly it can adapt, validate, and respond.

That is a harder problem than it sounds, and it does not get solved at audit time.

It raises some honest questions for security and compliance leadership. Do you have real-time visibility across your payment environment, or are there gaps that only surface after something has already gone wrong?

Has anyone formally assessed whether your AI-driven tools are performing as expected, or are you trusting the vendor’s word? Can abnormal behaviour be detected and acted on at the speed it occurs?

And are your PCI controls functioning as continuous, validated mechanisms, or as checkboxes that get ticked once a year and largely left alone in between?

Most organisations get this wrong in the same way: they treat AI as a product to buy rather than a control to govern.

A fraud platform with machine learning under the hood is still, fundamentally, a control, and every control needs to be tested, documented, and proven to work. Vendor marketing does not change that.

A model might perform well, but without proper validation and oversight, it is not necessarily any safer than the rules-based system it replaced.

The real challenge is no longer whether organisations have security controls in place, but whether those controls can be trusted to behave consistently as environments and attack patterns evolve.

Frequently Asked Questions

How is AI being used in payment fraud?

Cyber criminals are increasingly using AI to automate phishing campaigns, create convincing impersonations, develop synthetic identities, and scale attacks such as credential harvesting and card testing. AI allows these attacks to become faster, more personalised, and more difficult to detect.

Can AI improve cyber security?

Yes. AI can help organisations detect suspicious behaviour more quickly by analysing large volumes of transaction data, authentication logs, and behavioural patterns. This enables security teams to identify potential threats that may otherwise go unnoticed.

Does PCI DSS v4.x require organisations to use AI?

No. PCI DSS v4.x does not require organisations to implement AI or machine learning. Instead, it requires organisations to demonstrate that their security controls effectively detect, monitor, and respond to threats, regardless of the technology being used.

What are AI driven security controls?

AI driven security controls use artificial intelligence or machine learning to support activities such as fraud detection, behavioural analytics, threat monitoring, and incident investigation. Like any security control, they should be regularly tested, validated, and documented.

Why is governance important for AI security tools?

AI tools should not simply be trusted because they use advanced technology. Organisations need to understand how they make decisions, monitor their effectiveness, manage false positives and negatives, and ensure they continue to meet security and compliance requirements over time.

How can Data Protection People help?

Data Protection People works with organisations at exactly this intersection, validating that adopted controls, whether AI-enabled or traditional, align with PCI DSS requirements and broader security standards such as ISO 27001, and can be evidenced to an auditor without ambiguity.

Compliance postures do not always keep pace with the technology changes happening inside them. If AI and automation have reshaped how your controls operate but your last formal assessment predates those changes, this is a risk.

Finding it through independent assurance is considerably better than finding it through a regulatory review or a breach.

Get in touch now for assistance.

Reddit fined for children’s privacy failures 

Reddit issued with £14.47m fine for children’s privacy failures 

Last week the UK Information Commissioner’s Office (ICO) fined Reddit £14.47 million for unlawfully processing children’s personal data. And the problem here was that children under 13 were able to use the platform for years while Reddit relied mainly on users simply ticking a box to confirm their age. The ICO investigation found two core failures: 

 As a result, children under 13 had their personal data processed without a lawful basis and were potentially exposed to content they should never have seen. 

What happened?  

Reddit’s terms of service have long stated that children under 13 cannot use the platform. However, until July 2025, Reddit did not have meaningful measures in place to check users’ ages; people could open an account by declaring their age themselves. The ICO found that large numbers of under-13s were likely using the platform during this period, meaning their personal data was being processed without a lawful basis. 

 Even more concerning was the lack of early risk assessment: Reddit had not carried out a Data Protection Impact Assessment looking properly at risks to children until 2025 – despite allowing teenagers aged 13–17 to use the service.  

 According to the ICO, this meant children’s data was collected and used in ways they could not reasonably understand or control, potentially exposing them to harmful or inappropriate content. 

Reddit has since introduced age assurance measures, including checks for access to mature content but ICO has made it clear that these changes came late and remain under review. 

 This is a great example for us to consider around age verification mechanisms. For ages, much of the intern relied on the self-declaration method: “please confirm you are over 13”. It seems reasonable enough to say that everyone (children, parents and organisations) were aware on how easy this was to bypass… and the big problem was the enforcement and its slow interference – many organisations convinced themselves that putting age limits in terms and conditions was enough and self-declaration is sufficient.  

On this, ICO’s message is clear: relying mainly on users to declare their own age is not acceptable where children are likely to access a service – and this should go beyond social media: gaming platforms, forums apps, online communities 

Age verification 

I had the chance to explore this topic within my research for my thesis dissertation and I can easily say that one of the challenges organisations face is that stronger age checks can appear to conflict with data protection principles – for example, uploading passports to join an online community is excessive and this would come with its own risks. This is why I find the approach discussed by the Irish data protection commission particularly helpful: rather than pushing one technical solution, it focuses on proportionate, risk-based age assurance: the higher the risk to children, the stronger the assurance needed.  

Not every service needs the same level of verification, but every organisation should be able to explain what risks to children exist, how likely access by children is and why the chosen safeguards are appropriate.  

 The ICO made it clear that it is now actively focusing on platforms that primarily rely on self-declaration – which means that Reddit is unlikely to be the last case… 

Conclusion and takeaway 

I actually welcome this decision; not because fines are the main goal (as they rarely solve problems on their own, particularly for these big companies) but because the clarity that they bring helps organisations move forward and to think about their own practices.  

 I think that for too long, there has been uncertainty around how far companies needed to go when it came to age checks and, at the same time, regulators and industry need to work together to avoid turning age assurance into mass identification or unnecessary data collection.  

 Links:  

https://cy.ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/02/reddit-issued-with-1447m-fine-for-children-s-privacy-failures/  

https://www.theguardian.com/technology/2026/feb/24/reddit-fined-uk-children-under-13-data 

https://www.dataprotection.ie/en/dpc-guidance/fundamentals-child-oriented-approach-data-processing  

Insider Threats Are Becoming a Reality

Why Insider Threats Are Becoming a UK Healthcare Reality

A recent case reported by ITV has brought renewed attention to one of the most difficult data protection challenges facing healthcare providers today, unauthorised internal access to patient records.

According to reports, a medical practitioner is alleged to have accessed confidential patient data over a period of six years without the knowledge or consent of the data controller. The case is currently progressing through the courts, but it has already raised significant concerns around how healthcare organisations manage access to some of the most sensitive personal data in existence.

For many organisations across the UK, this will feel alarmingly familiar.

At Data Protection People, this is not an isolated incident. It reflects a growing pattern we are seeing within health and social care environments where personal data is not always being accessed maliciously from the outside, but instead by individuals who already have legitimate system permissions.

Healthcare Data Is a High Value Target

Health records fall within special category data under UK GDPR. This includes information relating to an individual’s physical or mental health, treatment history, medications, diagnoses, and other deeply personal details.

When accessed inappropriately, this information can be exploited for financial gain, identity theft, insurance fraud, or even social engineering attacks. In some cases, it can also lead to reputational damage, blackmail, or discrimination.

This is why healthcare breaches often carry some of the highest regulatory penalties and present the greatest risk to individuals.

Not All Breaches Are Caused by Hackers

In ITV’s coverage of the incident, our Data Protection Expert, Caine Glancy, was asked to comment on what may be driving the increase in these types of events.

He explained:

“People are seeing the significance and the impact data being breached out into the world seems to have had. I think it’s also because data protection is not something that’s being considered for all businesses as strictly as it should. At the moment, a lot of compliance with data protection seems to be more of a superficial statement for a lot of organisations.”

This highlights a key issue.

Many organisations focus heavily on external threats such as phishing attacks, ransomware, or system vulnerabilities. While these risks are very real, they often overlook the fact that inappropriate internal access remains one of the most common causes of personal data breaches.

Employees, contractors, students, and temporary staff may all have legitimate access to systems as part of their role. Without the right controls in place, this access can be misused, whether intentionally or otherwise.

Click here to view the full story via the ITV website.

Why Insider Access Is So Difficult to Control

Healthcare environments are built on trust and access to information is often essential for delivering timely patient care. However, this creates a tension between operational efficiency and data protection compliance.

We frequently support organisations who:

  • Have shared login credentials across departments
  • Provide blanket access to entire patient databases
  • Lack audit trails to monitor who accessed what and when
  • Do not regularly review user permissions
  • Rely on annual training alone to drive compliance

In fast paced clinical environments, access controls are sometimes viewed as a barrier to care delivery rather than a safeguard against harm.

However, without appropriate role based access controls, monitoring, and behavioural training, organisations may be unable to detect misuse until significant damage has already occurred.

What Organisations Should Be Doing Now

Cases such as this serve as a reminder that technical compliance alone is not enough.

Healthcare providers should ensure they have:

  • Clear access management processes aligned to job roles
  • Multi factor authentication for all systems containing patient data
  • Regular reviews of user permissions
  • System logging and monitoring to identify unusual access patterns
  • Targeted training programmes focused on real world risks
  • A documented incident response process for data breaches

Many of these measures are already required under the UK GDPR’s security principle, yet they are often implemented inconsistently in practice.

A Growing Trend Across the UK

With over 200 episodes of the Data Protection Made Easy podcast and a community of more than 1,700 data protection professionals, we regularly hear from organisations facing similar challenges.

The reality is that insider threats are rarely discussed publicly, but they are one of the most frequent issues raised during audits, SAR support work, and outsourced DPO engagements.

As this case demonstrates, organisations must move beyond treating data protection as a policy exercise and begin embedding it into day to day working practices.

Need Support Managing Access to Sensitive Data?

If your organisation handles special category data and you are unsure who currently has access to what, or whether your monitoring controls would detect inappropriate use, it may be time to review your approach.

Our team supports healthcare providers across the UK with access management reviews, breach response planning, and ongoing compliance support designed to reduce the likelihood of incidents such as this occurring in the first place.

Training That Actually Changes Behaviour

Data protection training is often treated as a compliance requirement, something that must be completed, recorded, and repeated each year. But if training does not change how people behave in practice, has it really worked?

Data Protection Made Easy Podcast Data Protection Made Easy PodcastEpisode: Training That Actually Changes BehaviourHosted by: Caine Glancy & Catarina Pereira dos Santos Listen now →

In a recent episode of the Data Protection Made Easy podcast, Caine Glancy and Catarina Pereira dos Santos discussed what makes data protection training effective, why so much training fails to influence day-to-day behaviour, and how organisations can move beyond tick-box learning.

The discussion focused on a key point that many organisations will recognise: completing a training module is not the same as understanding how to apply data protection in real situations. Attendance, quiz scores, and completion rates may show that training has taken place, but they do not always show whether staff know what to do when they handle personal data at work.

Why most data protection training fails

One of the central themes of the episode was the difference between training that informs people and training that changes behaviour. It is relatively easy to explain what the UK GDPR says. It is much harder to help staff understand what that means for their own role, their own systems, and the real decisions they make every day.

Caine explained that training cannot simply be a case of telling people what the law says and expecting them to translate that into practical action. Different people learn in different ways, and the best trainers are able to make complex information understandable to a wide range of audiences.

Effective training should leave people knowing what they have learned, why it matters, and how to apply it in practice.

This is particularly important in data protection because staff are not usually dealing with abstract legal principles. They are responding to emails, handling subject access requests, sharing information, using systems, speaking to customers, managing records, and making judgement calls. If training does not connect directly to those situations, it is unlikely to influence behaviour when it matters most.

Why this matters for your organisation

Training should not be measured by completion alone. Organisations need to consider whether staff can recognise risks, make better decisions, and apply data protection requirements confidently in their daily work.

Moving beyond tick box compliance

Catarina highlighted a common issue with traditional training: organisations often focus on whether someone attended the session, clicked through the slides, or passed the quiz. Whilst these records have value, they do not necessarily prove that training has been understood or applied.

For example, a member of staff may complete annual training and achieve a strong quiz score, but still repeatedly send emails to the wrong recipient, fail to recognise a personal data breach, or misunderstand when a data subject access request has been received. In that situation, the training record may look positive, but the behaviour has not changed.

This is why effective data protection training must be practical, relevant, and supported by ongoing awareness. It should help people understand the risks they are most likely to face and give them the confidence to act appropriately when those risks arise.

Practical training creates lasting change

Throughout the discussion, both hosts emphasised the importance of making training practical. Whilst understanding the legal framework is important, real learning happens when people can apply that knowledge to realistic situations.

This is why interactive exercises, real-world scenarios, workshops, and practical demonstrations are often far more effective than simply presenting information. When individuals actively participate in training, they are more likely to remember it, discuss it with colleagues, and apply it when similar situations arise in the workplace.

Subject access requests provide a good example. Rather than simply explaining the legislation, trainers can ask participants to review a request, identify relevant information, apply exemptions, and consider how they would respond. By working through realistic examples, staff gain confidence and develop practical skills that can be used immediately.

People rarely remember every slide from a training session, but they often remember the scenarios they worked through themselves.

Practical learning also creates opportunities for discussion. Staff can ask questions, challenge assumptions, and relate the topic directly to their own role. This often reveals misunderstandings that may otherwise go unnoticed until an incident occurs.

Why one size fits all training rarely works

Another key theme from the episode was the need to tailor training to the audience. Different teams interact with personal data in different ways, which means their risks, responsibilities, and training needs are often very different.

The information that a HR team requires may be very different from what a marketing team, IT department, customer service team, or senior leadership group needs to understand. Delivering exactly the same training to every employee may be efficient, but it is not always effective.

Staff are far more likely to engage when they can clearly see how the content applies to their day-to-day responsibilities. Relevant examples, department-specific risks, and practical guidance make it easier for individuals to understand why the training matters to them personally.

Good practice

Consider whether different teams within your organisation would benefit from tailored examples, role-specific guidance, or dedicated workshops rather than relying solely on generic annual refresher training.

The role of the trainer

The conversation also explored an often-overlooked factor in successful learning: the trainer themselves.

Even the best training materials can fall flat if they are delivered without enthusiasm, engagement, or practical insight. Effective trainers bring energy to the subject, encourage participation, and help learners understand why the topic matters.

Importantly, this does not mean every trainer needs to have the same personality. Some are naturally more outgoing than others. What matters is demonstrating genuine passion for the topic and creating an environment where people feel comfortable asking questions and sharing experiences.

People are far more likely to engage with training when they can see that the trainer understands the challenges they face and is focused on helping them succeed rather than simply delivering information.

Training alone is not enough

One of the most important points raised during the discussion was that training should never be viewed as a one-off activity. Completing an induction session or annual refresher course is only one part of developing a strong data protection culture.

People forget information over time. New risks emerge. Processes change. Staff move into new roles. Organisations that rely solely on annual training sessions often find that important lessons are forgotten long before the next refresher arrives.

This is where awareness activities become critical. Regular communications, team discussions, newsletters, posters, brief reminders, and ongoing conversations all help reinforce key messages and keep data protection visible throughout the year.

A strong data protection culture is built through continuous reinforcement, not a single annual training session.

Awareness should also be relevant. Rather than simply distributing generic messages, organisations should use real examples, common mistakes, recent incidents, and practical guidance that staff can immediately relate to. This helps create an environment where data protection becomes part of everyday decision-making rather than something people only think about during training.

Leadership sets the tone

Creating meaningful behavioural change requires more than just good trainers and engaging content. Leadership support plays a significant role in determining whether training succeeds or fails.

When senior leaders actively support data protection initiatives, attend training, discuss compliance openly, and reinforce expectations, employees are more likely to recognise the importance of the topic. Conversely, if leadership treats training as a box-ticking exercise, staff are likely to adopt the same attitude.

Managers also have an important role to play after training has been delivered. They are often best placed to reinforce learning, answer questions, identify areas where additional support may be required, and encourage good practices within their teams.

Leadership tip

Data protection culture is far easier to establish when managers and senior leaders actively participate in awareness activities and demonstrate that compliance is a shared organisational responsibility.

Measuring success differently

Many organisations measure training success using attendance figures, completion rates, or assessment scores. Whilst these metrics can provide useful information, they only tell part of the story.

The real question is whether behaviour has changed. Are staff reporting incidents more quickly? Are fewer emails being sent to incorrect recipients? Are teams identifying subject access requests sooner? Are managers asking better questions about privacy risks before projects begin?

These behavioural indicators often provide a far more accurate picture of whether training is having a meaningful impact. They demonstrate whether learning has moved beyond theory and become embedded in day-to-day operations.

Organisations that focus solely on completion statistics risk missing the bigger picture. Successful training programmes should ultimately be judged by the decisions people make, not simply the certificates they receive.

Key takeaways

  • Training should focus on changing behaviour, not simply achieving completion rates or passing quiz scores.
  • Practical exercises, real-world scenarios, and interactive discussions are often more effective than purely theoretical learning.
  • One size fits all training rarely delivers the best results. Different teams have different risks, responsibilities, and learning needs.
  • Training should be supported by ongoing awareness activities that keep data protection visible throughout the year.
  • Leadership engagement plays a crucial role in building a positive data protection culture and encouraging accountability.
  • Success should be measured by behavioural improvements and reduced risk, not solely by attendance records and certificates.

Frequently asked questions

What makes data protection training effective?
Effective data protection training is practical, relevant, engaging, and tailored to the audience. It helps individuals understand not only what the law requires, but also how those requirements apply to their day-to-day responsibilities.
How often should organisations provide data protection training?
Most organisations provide induction training for new starters and refresher training on a regular basis. However, training should be supported by ongoing awareness activities throughout the year to reinforce key messages and address emerging risks.
Why doesn’t annual training always improve compliance?
People naturally forget information over time. If training is delivered once a year without ongoing reinforcement, employees may struggle to remember important concepts when they encounter them in practice. Behavioural change requires continuous engagement and support.
How can organisations measure whether training is working?
Beyond attendance and quiz results, organisations should look at behavioural indicators such as incident reporting, data breach trends, subject access request handling, staff confidence levels, and the quality of data protection decision-making across the organisation.
Do different departments need different data protection training?
In many cases, yes. Whilst core data protection principles apply to everyone, different departments face different risks. Tailored training helps ensure employees receive guidance that is relevant to the information they handle and the decisions they make.

CG&CS

Caine Glancy & Catarina Pereira dos Santos

As experienced data protection practitioners, Caine and Catarina regularly deliver training and awareness programmes to organisations across a wide range of sectors. Their focus is on helping organisations move beyond compliance exercises and develop practical data protection cultures that support long-term behavioural change.

Looking to improve your organisation’s training and awareness programme?

Whether you need GDPR awareness training, role-specific workshops, leadership sessions, or ongoing support to strengthen your compliance culture, our consultants can help.

Speak to an expert →

Upcoming Data Protection Training Sessions 2026

We’re excited to share our upcoming training programme for 2026, packed with practical, expert-led sessions covering some of the most pressing areas of UK data protection compliance.

Whether you’re a DPO, compliance lead, HR professional, IT manager, board member, or someone looking to build their knowledge, there’s something here for you and your team.


Why this training matters

Data protection responsibilities aren’t getting any simpler. AI tools, increasing volumes of Subject Access Requests, cross-border data transfers, and growing board-level scrutiny mean that practical, up-to-date knowledge is more valuable than ever.

Our sessions are delivered by experienced practitioners who work with organisations across the UK every day. You won’t just learn the theory, you’ll walk away with guidance you can immediately apply within your organisation.


What’s coming up

29 May & 27 July 2026

Data Protection Impact Assessment Masterclass

Learn when a DPIA is legally required, how to complete one effectively, and what the ICO expects, including practical guidance on AI systems, CCTV, employee monitoring, and other high-risk processing activities.

8 June 2026

Subject Access Requests Masterclass

From complex and weaponised SARs to AI-generated requests, this session helps you respond confidently and efficiently, covering exemptions, redactions, timeframes, and internal governance.

15 June 2026

Personal Data Breach Management Masterclass

When a breach happens, how you respond matters most. This session covers the 72-hour ICO reporting requirement, breach risk assessments, containment, documentation, and lessons learned.

22 June 2026

UK GDPR & Data Protection Act 2018 Introduction

A practical foundation session covering lawful bases for processing, individual rights, accountability requirements, and organisational responsibilities. Ideal for new starters and general staff awareness.

6 July 2026

Freedom of Information Act Masterclass

Designed for public authorities, housing associations, education providers, and NHS organisations, covering FOI obligations, exemptions, public interest tests, and managing vexatious requests.

13 July 2026

Corporate Governance Responsibilities for Board Members

Data protection is a board-level responsibility. This executive-focused session covers governance, regulatory and reputational risk, AI governance, cyber resilience, and demonstrating accountability.

13 July 2026

International Data Transfers

Cloud services, global suppliers, AI platforms, this session gives practical guidance on IDTAs, Standard Contractual Clauses, Transfer Risk Assessments, adequacy decisions, and vendor due diligence.

20 July 2026

Records of Processing Activities Masterclass

ROPAs are the foundation of your accountability framework. This masterclass helps you create and maintain records that genuinely support governance, audits, risk management, and compliance maturity.


Group bookings and in-house training

If you have a team that would benefit from any of these sessions, we can also deliver training in-house, tailored to your sector, your systems, and your specific challenges. We work with organisations of all sizes, from small teams to large public bodies.

We also offer bespoke workshops, sector-specific sessions, executive briefings, and ongoing support and consultancy.


Ready to book or find out more?

Training should do more than tick a box, it should build confidence, strengthen accountability, and help your people make better decisions. We’d love to help your organisation get there.

S2 Ep13: GDPR Radio: News Of The Week

S2 Ep13: GDPR Radio: News Of The Week

GDPR Radio is our regular news roundup, where we break down the biggest stories from the world of data protection, privacy, and emerging tech. In this episode, Catarina Santos and Caine Glancy walk through the latest developments in data protection, highlighting recent regulatory activity, enforcement trends, and key stories organisations need to be aware of.

These sessions are designed to give a clear, practical overview of what is happening right now, helping organisations stay informed without needing to dig through complex legal updates.

Listen back on Spotify

Episode highlights

This session focuses on recent news and real-world developments in the data protection landscape.

1) Recent data protection news and updates We cover the latest developments across GDPR and wider privacy regulation, including new guidance, legal updates, and shifts in how data protection is being applied in practice.

2) Data breaches and enforcement action The episode looks at recent breaches and fines, helping to highlight common risks and what organisations can learn from real cases.

3) Regulator decisions and trends We explore activity from regulators, including enforcement approaches and what this signals for organisations moving forward.

4) Big tech and privacy developments Discussion includes how large organisations are handling personal data, and what this means for compliance expectations across all sectors.

Key takeaways for organisations

  • Stay up to date with data protection news to understand how expectations are evolving in practice.
  • Learn from real-world breaches and enforcement action to identify and reduce your own risk areas.
  • Pay attention to regulator trends, as these often indicate where future scrutiny will be focused.
  • Ensure your organisation is adapting to changes in how personal data is being used, especially as technology continues to evolve.

Useful links

About GDPR Radio

GDPR Radio is part of the Data Protection Made Easy podcast. Join live to ask questions, share views in the chat, and keep up with what’s happening across regulation, enforcement, and practice.

Speakers

Catarina Santos, Data Protection Consultant, Data Protection People
Caine Glancy, Data Protection Consultant, Data Protection People

Why Is Dedicated Data Protection Compliance Software Important?

Dedicated data protection compliance software is important because it reduces the reliance on cumbersome manual processes. Instead of relying on static documentation like spreadsheets, automated platforms allow organisations to maintain ongoing compliance simply and easily.

  • Dedicated data protection compliance software centralises GDPR compliance, rather than relying on various spreadsheets.
  • It automates processes and minimises human error, reducing risk.
  • It provides audit-ready evidence of compliance.
  • Platforms like Data Protection People’s Datawise support ongoing compliance, rather than one-off snapshots.

What is Dedicated Data Protection Compliance Software?

Dedicated data protection compliance software is a centralised platform designed to help businesses comply with GDPR. Often referred to as Privacy Information Management Systems (PIMS), it streamlines SARs, RoPAs and DPIAs, as well as training records, risk registers and more.

Datawise is Data Protection People’s compliance software, helping DPOs stay on top of everything they need to stay GDPR compliant.

Why is Dedicated Data Protection Software Important for GDPR Compliance?

Dedicated compliance software is important because it makes demonstrating accountability (an integral part of GDPR compliance) much simpler.

Centralises Compliance Activities

With one system for data mapping, risk tracking and incident management, a centralised platform eliminates fragmented processes.

Provides Evidence of Compliance

GDPR requires you to provide evidence of compliance, not just policies. Gathering this evidence can take hundreds of hours, depending on how big the organisation is. Dedicated privacy compliance software streamlines this task.

Reduces Human Error

Compliance software removes reliance on spreadsheets and standardises workflows, helping to reduce the risk of human error.

What Features Should Dedicated Data Protection Compliance Software Have?

The most effective GDPR compliance software includes tools that support everyday compliance and long-term governance. The features that should be included are:

  • Rights request management
  • Records of Processing Activities (RoPAs) management with audit trails
  • Data Protection Impact Assessments (DPIAs) workflows
  • Incident and breach tracking
  • Risk registers and reporting dashboards
  • Supplier/ processor management

How is Dedicated Compliance Software Different from General Data Management Tools?

A dedicated compliance platform is built around specific regulatory requirements, going above and beyond a simple data storage tool. Software like Datawise manages compliance processes from end-to-end, automating workflows and centralising everything you need to be compliant in one place.

Do You Need Dedicated Compliance Software to Manage a GDPR Audit?

Dedicated data protection compliance software is not a legal requirement, but it significantly improves the efficiency and accuracy of GDPR audits. It makes evidence gathering faster, audits easier and gives you better visibility of your organisation’s risk factors.

Make GDPR Compliance Simpler With Datawise from Data Protection People

Datawise is Data Protection People’s proprietary compliance software. It’s built on a world-class platform, enabling easier compliance management by centralising and streamlining data management. Get in touch to find out more.

FAQs

What is GDPR compliance software?

Data protection compliance software is a tool designed to help organisations manage GDPR obligations, including SARs, DPIAs and data records.

Can I manage GDPR compliance without dedicated software?

Yes, you can, but using manual tools is inefficient, and can lead to inaccuracies. Dedicated software centralises everything, improving ongoing GDPR compliance.

How does data protection software support audits?

Put simply, it makes demonstrating your organisation’s compliance much easier. Dedicated compliance software centralises records, provides audit trails and structured documentation.

AI and Data Protection for UK Businesses

AI and Data Protection for UK Businesses

By Amber Sivill, Junior Data Protection Consultant at Data Protection People

AI is already in the workplace, whether leadership has approved it or not. UK data shows business use is rising, with 26% of businesses reporting use of at least one AI technology in March 2026, while nearly half of employers who use or plan to use AI expect their business model to use or rely on it within three to five years. At the same time, wider workplace research suggests many employees are using their own tools without formal approval. For SMEs, that creates a familiar problem in a new form, productivity pressure on one side, data protection and cyber risk on the other.

From Data Protection People’s perspective, the answer is not a blanket ban, but instead the controlled adoption and oversight of AI tools. The Information Commissioner’s Office is clear that there is no AI exemption to data protection law, and the National Cyber Security Centre advocates that AI systems introduce distinct security risks that must be designed for, monitored, and managed. The practical goal is to let staff use AI where the benefit is real, while keeping personal data, confidential information, and security controls intact.

Why this matters now

The real issue is not only formal AI projects, but also shadow AI. Microsoft found that 78% of AI users bring their own tools to work, which is even more common in small and medium sized companies. This is particularly problematic because a quick prompt can become a security incident if staff paste in names, emails, case notes, HR material, complaints, contracts or commercial information. Cross border processing is often missed too. If personal data is sent, or simply made accessible, to a separate organisation outside the UK, the ICO treats that as a restricted transfer under UK GDPR. In parallel, the ICO has warned that wrongly relying on generative AI outputs as factually accurate information about individuals can lead to misinformation, reputational damage and other harms to individuals.

The ICO also notes that AI models can contain personal data and may embed training data in ways that could allow retrieval or disclosure. The NCSC adds that AI systems are exposed to both familiar cyber threats and AI specific threats such as prompt injection, data poisoning, and model inversion.

Ban or controlled adoption

An overarching ban has one advantage, it is simple to implement. But it is not realistic, and it can make the risk less visible by driving AI use underground. Controlled adoption is harder, but it is normally the better fit for UK SMEs because it accepts how work is realistically happening and gives you a route to govern it.

Approach Benefits Risks When appropriate
Ban Clear message, lower immediate exposure in very high-risk areas Workarounds, shadow AI, lost productivity, weak visibility Highly sensitive processing, no approved secure tooling, active incident or regulatory concern
Controlled adoption Better visibility, practical governance, safer productivity gains, staff trust Needs policies, reviews, training, monitoring and resourcing Most SMEs, where AI is already appearing in admin, marketing, IT or drafting work

This is consistent with current evidence showing rising adoption, strong employee demand and the need for governance rather than denial.

What staff need to hear

Communication for staff has to be clearly communicated and easy to understand. Organisations should be able to tell individuals the rules of what is required, what they have to do and when to ask for guidance. That approach aligns with ICO expectations on accountability and NCSC guidance on awareness, secure use and human oversight. It is also crucial that we continue to support staff by providing quality and regular training.

Do

  • Use only approved AI tools.
  • Keep prompts generic where possible.
  • Remove personal data and confidential detail unless the tool and use case have been approved.
  • Check outputs before you use or share them.
  • Escalate if you are unsure.

Do not

  • Paste personal data, special category data, client files, HR records, passwords, source code or commercially sensitive material into public tools.
  • Treat AI output as a fact without checking it.
  • Use AI to make significant decisions about people without significant human review and approval.
  • Buy or connect new AI tools without going through the approval route.

Controls and governance

For most organisations, the right control set is straightforward: keep an AI register, publish an AI policy, set an approval workflow, run DPIAs where risk justifies it, complete supplier due diligence, assess international transfers, and apply technical controls around access, logging and data loss prevention. ICO guidance is clear that a DPIA is required where new technology use is likely to result in high risk, and if in doubt, doing one is recommended. DSIT’s AI Management Essentials also directs SMEs towards an AI system record, an accessible AI policy, impact assessment, risk assessment and communication with employees.

Suggested AI policy headings

  • Policy Statement
  • Purpose and Scope
  • Roles and Responsibilities
  • Data Protection Considerations Around AI
  • DPIAs
  • Prior Consultation
  • Privacy By Design and Default
  • Data Protection Principles
  • Rights
  • Data Processors
  • Restricted Transfers
  • Cyber Security Risks
  • Intellectual Property
  • Accuracy of Output
  • AI Dos and Don’ts

How to approve AI tools in practice

When someone in your organisation wants to use an AI tool, you do not need a complicated process, but you do need a consistent one.

Start with a simple question, will the tool involve personal data or sensitive information?

If the answer is no, carry out a basic check. Look at who provides the tool, whether it is secure, and whether it fits your business and the rules of your AI policy. If you are comfortable, you can allow a limited trial and keep it under review.

If the answer is yes, you need to slow things down and consider if the processing can comply with the UK GDPR.

  • Review how the tool uses data
  • Check where the data is stored, especially if it leaves the UK
  • Carry out a DPIA if there is any real risk
  • Review the supplier and their terms

Once that is done, decide:

  • If the risks are too high, do not use the tool or look for an alternative
  • If the risks are manageable, approve it with conditions, for example limiting what data can be used and requiring human review

After approval, the job is not finished. You should monitor how the tool is used, review it periodically, and be prepared to stop using it if risks change.

Immediate next steps

  • Identify which AI tools staff are already using.
  • Approve a short list of safer tools and incorporate this into an AI policy of approved tools.
  • Send out staff communication informing them of the organisation’s stance on the use of AI as well as rules for them to consider.
  • Add AI to your DPIA and procurement workflow.
  • Review supplier terms, retention and training arrangements.
  • Check for restricted transfers and document the outcome.
  • Train managers first, then wider staff.
  • Decide who owns AI governance internally.

These are practical first steps for SMEs and align with current ICO, NCSC and DSIT guidance.

Reasonable enforcement

You cannot police every prompt, and you do not need to. Reasonable enforcement means proportionate controls and visible accountability. Use SSO and approved tool access where you can, browser or network restrictions for clearly banned tools, logging sufficiently to investigate incidents, targeted audits in high-risk teams, and a simple route for staff to ask before using a new tool. The NCSC specifically recommends monitoring and log data that lets you audit use, investigate compromise and manage security incidents, while DSIT’s hidden AI risks work makes the same point from an organisational angle, successful AI governance is cultural as well as technical.

How Data Protection People supports clients

At Data Protection People, we are seeing AI move from a side conversation to a core compliance issue. We support clients with practical AI guidance, policy and framework design, DPIA and international transfer support, contract and supplier review, documentation templates, training and ongoing advisory support through our consultancy, toolkit and support services. Our wider view is simple, organisations should protect themselves first, but they should not pretend AI is going away. The sensible path is to embrace it with caution, good governance and clear boundaries.

We will also be discussing this on the Data Protection Made Easy podcast on Friday 24 April, joined by Caine Glancy and myself, Amber Sivill. The podcast is hosted live every Friday at lunchtime and is designed for practical discussion, not theory, which is exactly what this topic needs. If you are reading this after 24 April 2026, you will be able to listen to the full discussion via Spotify. Click here to listen to the Data Protection Made Easy podcast.

Key references