Myles Dacres
Marketing Manager
Myles Dacres is the Marketing Manager at Data Protection People. Over the past six years, he has led the organisation’s physical and digital presence, helping to strengthen the brand and grow what is now one of the UK’s largest data protection communities. He played a key role in the creation of the Data Protection Made Easy community and podcast, which has grown to more than 1,700 subscribers across the UK and beyond.
Get to Know Myles
Myles joined Data Protection People in 2020 and leads the organisation’s marketing strategy, brand development and community growth. His focus is on making data protection clearer, more practical and more accessible for organisations across the UK.
He drives the growth of the Data Protection Made Easy podcast and wider professional community, alongside sector events and AI led search initiatives. Through these platforms, he helps translate complex regulatory expectations into content that is engaging, understandable and relevant for both new and experienced practitioners.
Experience
Myles has built over five years of specialist B2B marketing experience within the data protection and cyber security sector. Beginning his career through a marketing apprenticeship at Data Protection People, he progressed into leading the organisation’s marketing function and shaping its long term growth strategy.
He has been instrumental in developing the Data Protection Made Easy community from the ground up, growing it into a network of more than 1,700 engaged professionals. This has been achieved through consistent podcast delivery, sector focused events, strategic collaborations and carefully structured thought leadership campaigns.
His expertise spans brand positioning, SEO, AEO and AI search visibility, campaign planning, event delivery, partnership marketing and PR strategy. He also oversees the creation of content that supports training, audit and consultancy services, ensuring that marketing activity aligns directly with operational objectives.
Working closely with senior leadership, Myles translates commercial goals into measurable marketing performance, embedding structure, data insight and long term thinking into every initiative.
“During my time at DPP, I have learned that community and brand are everything. I am fortunate to work with an incredible team that I have seen grow year after year, and I am proud to showcase the outstanding work they deliver every day.”
Myles Dacres
Marketing Manager
Myles's Posts
AI and Data Protection for UK Businesses
By Amber Sivill, Junior Data Protection Consultant at Data Protection People
AI is already in the workplace, whether leadership has approved it or not. UK data shows business use is rising, with 26% of businesses reporting use of at least one AI technology in March 2026, while nearly half of employers who use or plan to use AI expect their business model to use or rely on it within three to five years. At the same time, wider workplace research suggests many employees are using their own tools without formal approval. For SMEs, that creates a familiar problem in a new form: productivity pressure on one side, data protection and cyber risk on the other.
From Data Protection People’s perspective, the answer is not a blanket ban, but the controlled adoption and oversight of AI tools. The Information Commissioner’s Office is clear that there is no AI exemption to data protection law, and the National Cyber Security Centre advises that AI systems introduce distinct security risks that must be designed for, monitored, and managed. The practical goal is to let staff use AI where the benefit is real, while keeping personal data, confidential information, and security controls intact.
Why this matters now
The real issue is not only formal AI projects, but also shadow AI. Microsoft found that 78% of AI users bring their own tools to work, which is even more common in small and medium sized companies. This is particularly problematic because a quick prompt can become a security incident if staff paste in names, emails, case notes, HR material, complaints, contracts or commercial information. Cross border processing is often missed too. If personal data is sent, or simply made accessible, to a separate organisation outside the UK, the ICO treats that as a restricted transfer under UK GDPR. In parallel, the ICO has warned that wrongly relying on generative AI outputs as factually accurate information about individuals can lead to misinformation, reputational damage and other harms to individuals.
The ICO also notes that AI models can contain personal data and may embed training data in ways that could allow retrieval or disclosure. The NCSC adds that AI systems are exposed to both familiar cyber threats and AI specific threats such as prompt injection, data poisoning, and model inversion.
Ban or controlled adoption
An overarching ban has one advantage: it is simple to implement. But it is not realistic, and it can make the risk less visible by driving AI use underground. Controlled adoption is harder, but it is normally the better fit for UK SMEs because it accepts how work is realistically happening and gives you a route to govern it.
| Approach | Benefits | Risks | When appropriate |
|---|---|---|---|
| Ban | Clear message, lower immediate exposure in very high-risk areas | Workarounds, shadow AI, lost productivity, weak visibility | Highly sensitive processing, no approved secure tooling, active incident or regulatory concern |
| Controlled adoption | Better visibility, practical governance, safer productivity gains, staff trust | Needs policies, reviews, training, monitoring and resourcing | Most SMEs, where AI is already appearing in admin, marketing, IT or drafting work |
This is consistent with current evidence showing rising adoption, strong employee demand and the need for governance rather than denial.
What staff need to hear
Communication to staff has to be clear and easy to understand. Organisations should be able to tell individuals what the rules are, what they have to do and when to ask for guidance. That approach aligns with ICO expectations on accountability and NCSC guidance on awareness, secure use and human oversight. It is also crucial that we continue to support staff by providing quality and regular training.
Do
- Use only approved AI tools.
- Keep prompts generic where possible.
- Remove personal data and confidential detail unless the tool and use case have been approved.
- Check outputs before you use or share them.
- Escalate if you are unsure.
Do not
- Paste personal data, special category data, client files, HR records, passwords, source code or commercially sensitive material into public tools.
- Treat AI output as a fact without checking it.
- Use AI to make significant decisions about people without significant human review and approval.
- Buy or connect new AI tools without going through the approval route.
Controls and governance
For most organisations, the right control set is straightforward: keep an AI register, publish an AI policy, set an approval workflow, run DPIAs where risk justifies it, complete supplier due diligence, assess international transfers, and apply technical controls around access, logging and data loss prevention. ICO guidance is clear that a DPIA is required where new technology use is likely to result in high risk, and if in doubt, doing one is recommended. DSIT’s AI Management Essentials also directs SMEs towards an AI system record, an accessible AI policy, impact assessment, risk assessment and communication with employees.
Suggested AI policy headings
- Policy Statement
- Purpose and Scope
- Roles and Responsibilities
- Data Protection Considerations Around AI
- DPIAs
- Prior Consultation
- Privacy By Design and Default
- Data Protection Principles
- Rights
- Data Processors
- Restricted Transfers
- Cyber Security Risks
- Intellectual Property
- Accuracy of Output
- AI Dos and Don’ts
How to approve AI tools in practice
When someone in your organisation wants to use an AI tool, you do not need a complicated process, but you do need a consistent one.
Start with a simple question: will the tool involve personal data or sensitive information?
If the answer is no, carry out a basic check. Look at who provides the tool, whether it is secure, and whether it fits your business and the rules of your AI policy. If you are comfortable, you can allow a limited trial and keep it under review.
If the answer is yes, you need to slow things down and consider if the processing can comply with the UK GDPR.
- Review how the tool uses data
- Check where the data is stored, especially if it leaves the UK
- Carry out a DPIA if there is any real risk
- Review the supplier and their terms
Once that is done, decide:
- If the risks are too high, do not use the tool or look for an alternative
- If the risks are manageable, approve it with conditions, for example limiting what data can be used and requiring human review
After approval, the job is not finished. You should monitor how the tool is used, review it periodically, and be prepared to stop using it if risks change.
Immediate next steps
- Identify which AI tools staff are already using.
- Approve a short list of safer tools and incorporate this into an AI policy of approved tools.
- Send out staff communication informing them of the organisation’s stance on the use of AI as well as rules for them to consider.
- Add AI to your DPIA and procurement workflow.
- Review supplier terms, retention and training arrangements.
- Check for restricted transfers and document the outcome.
- Train managers first, then wider staff.
- Decide who owns AI governance internally.
These are practical first steps for SMEs and align with current ICO, NCSC and DSIT guidance.
Reasonable enforcement
You cannot police every prompt, and you do not need to. Reasonable enforcement means proportionate controls and visible accountability. Use SSO and approved tool access where you can, browser or network restrictions for clearly banned tools, logging sufficient to investigate incidents, targeted audits in high-risk teams, and a simple route for staff to ask before using a new tool. The NCSC specifically recommends monitoring and log data that lets you audit use, investigate compromise and manage security incidents, while DSIT’s hidden AI risks work makes the same point from an organisational angle: successful AI governance is cultural as well as technical.
How Data Protection People supports clients
At Data Protection People, we are seeing AI move from a side conversation to a core compliance issue. We support clients with practical AI guidance, policy and framework design, DPIA and international transfer support, contract and supplier review, documentation templates, training and ongoing advisory support through our consultancy, toolkit and support services. Our wider view is simple, organisations should protect themselves first, but they should not pretend AI is going away. The sensible path is to embrace it with caution, good governance and clear boundaries.
We will also be discussing this on the Data Protection Made Easy podcast on Friday 24 April, joined by Caine Glancy and myself, Amber Sivill. The podcast is hosted live every Friday at lunchtime and is designed for practical discussion, not theory, which is exactly what this topic needs. If you are reading this after 24 April 2026, you will be able to listen to the full discussion via Spotify.
Key references
- ICO, Guidance on AI and Data Protection
- ICO, Tackling Misconceptions
- ICO, When do we need to do a DPIA?
- ICO, A Brief Guide to International Transfers
- NCSC, AI and Cyber Security
- NCSC, Secure Design for AI Systems
- DSIT, AI Management Essentials
- ONS, Business Insights and Impact on the UK Economy
- Microsoft, AI at Work Is Here. Now Comes the Hard Part
- Data Protection People, GDPR Support Desk
S2 Ep13: GDPR Radio: News Of The Week
GDPR Radio is our regular news roundup, where we break down the biggest stories from the world of data protection, privacy, and emerging tech. In this episode, Catarina Santos and Caine Glancy walk through the latest developments in data protection, highlighting recent regulatory activity, enforcement trends, and key stories organisations need to be aware of.
These sessions are designed to give a clear, practical overview of what is happening right now, helping organisations stay informed without needing to dig through complex legal updates.
Episode highlights
This session focuses on recent news and real-world developments in the data protection landscape.
1) Recent data protection news and updates: We cover the latest developments across GDPR and wider privacy regulation, including new guidance, legal updates, and shifts in how data protection is being applied in practice.
2) Data breaches and enforcement action: The episode looks at recent breaches and fines, helping to highlight common risks and what organisations can learn from real cases.
3) Regulator decisions and trends: We explore activity from regulators, including enforcement approaches and what this signals for organisations moving forward.
4) Big tech and privacy developments: Discussion includes how large organisations are handling personal data, and what this means for compliance expectations across all sectors.
Key takeaways for organisations
- Stay up to date with data protection news to understand how expectations are evolving in practice.
- Learn from real-world breaches and enforcement action to identify and reduce your own risk areas.
- Pay attention to regulator trends, as these often indicate where future scrutiny will be focused.
- Ensure your organisation is adapting to changes in how personal data is being used, especially as technology continues to evolve.
About GDPR Radio
GDPR Radio is part of the Data Protection Made Easy podcast. Join live to ask questions, share views in the chat, and keep up with what’s happening across regulation, enforcement, and practice.
Speakers
Catarina Santos, Data Protection Consultant, Data Protection People
Caine Glancy, Data Protection Consultant, Data Protection People
Reddit fined for children’s privacy failures
Reddit issued with £14.47m fine for children’s privacy failures
Last week the UK Information Commissioner’s Office (ICO) fined Reddit £14.47 million for unlawfully processing children’s personal data. The problem was that children under 13 were able to use the platform for years while Reddit relied mainly on users simply ticking a box to confirm their age. The ICO investigation found two core failures:
- Reddit did not properly verify users’ ages
- Reddit failed to carry out a Data Protection Impact Assessment (DPIA) before allowing risks to children to materialise
As a result, children under 13 had their personal data processed without a lawful basis and were potentially exposed to content they should never have seen.
What happened?
Reddit’s terms of service have long stated that children under 13 cannot use the platform. However, until July 2025, Reddit did not have meaningful measures in place to check users’ ages; people could open an account by declaring their age themselves. The ICO found that large numbers of under-13s were likely using the platform during this period, meaning their personal data was being processed without a lawful basis.
Even more concerning was the lack of early risk assessment: Reddit had not carried out a Data Protection Impact Assessment looking properly at risks to children until 2025 – despite allowing teenagers aged 13–17 to use the service.
According to the ICO, this meant children’s data was collected and used in ways they could not reasonably understand or control, potentially exposing them to harmful or inappropriate content.
Reddit has since introduced age assurance measures, including checks for access to mature content, but the ICO has made it clear that these changes came late and remain under review.
This is a great example for us to consider around age verification mechanisms. For ages, much of the internet relied on the self-declaration method: “please confirm you are over 13”. It seems reasonable enough to say that everyone (children, parents and organisations) was aware of how easy this was to bypass… and the big problem was the enforcement and its slow interference – many organisations convinced themselves that putting age limits in terms and conditions was enough and that self-declaration was sufficient.
On this, the ICO’s message is clear: relying mainly on users to declare their own age is not acceptable where children are likely to access a service – and this should go beyond social media: gaming platforms, forums, apps, online communities.
Age verification
I had the chance to explore this topic within my research for my thesis dissertation and I can easily say that one of the challenges organisations face is that stronger age checks can appear to conflict with data protection principles – for example, uploading passports to join an online community is excessive and this would come with its own risks. This is why I find the approach discussed by the Irish Data Protection Commission particularly helpful: rather than pushing one technical solution, it focuses on proportionate, risk-based age assurance: the higher the risk to children, the stronger the assurance needed.
Not every service needs the same level of verification, but every organisation should be able to explain what risks to children exist, how likely access by children is and why the chosen safeguards are appropriate.
The ICO made it clear that it is now actively focusing on platforms that primarily rely on self-declaration – which means that Reddit is unlikely to be the last case…
Conclusion and takeaway
I actually welcome this decision; not because fines are the main goal (as they rarely solve problems on their own, particularly for these big companies) but because the clarity that they bring helps organisations move forward and to think about their own practices.
I think that for too long, there has been uncertainty around how far companies needed to go when it came to age checks and, at the same time, regulators and industry need to work together to avoid turning age assurance into mass identification or unnecessary data collection.
Links:
https://www.theguardian.com/technology/2026/feb/24/reddit-fined-uk-children-under-13-data
https://www.dataprotection.ie/en/dpc-guidance/fundamentals-child-oriented-approach-data-processing
Data Protection in the Sporting Industry
Professional sport is built on performance, trust and loyalty, both on and off the field. Behind the scenes, however, modern sporting organisations are responsible for managing significant volumes of personal data belonging to players, staff, supporters, partners and wider communities. From ticketing systems and membership databases to athlete performance analytics and safeguarding records, the scope of personal data processed across the sporting sector continues to grow year on year.
In my role as Sales Team Leader at Data Protection People, and as someone with a genuine passion for professional sport, I have had the opportunity to work alongside specialist consultants to support organisations across the sector in strengthening their approach to data protection. Over the past few years, we have worked with an impressive portfolio of clients including Leeds United, England Netball, the RFU, Formula One affiliated organisations, and sports software providers such as Goodform.
Through these engagements, a number of consistent trends have emerged.
Increasing Volumes of Personal Data
Sporting organisations are now operating in highly digitised environments. Matchday ticketing, fan engagement platforms, biometric athlete monitoring, media accreditation, safeguarding responsibilities and commercial partnerships all rely on the collection and processing of personal data.
For many organisations, this has resulted in a shift from relatively simple data processing activities to far more complex ecosystems involving:
- Third party ticketing providers
- Performance analytics platforms
- Medical and rehabilitation records
- Recruitment and scouting databases
- Sponsorship and commercial partner integrations
- Community engagement and grassroots initiatives
With this increased complexity comes increased responsibility, particularly where sensitive or special category data is concerned.
Lessons from Recent Incidents
Over the last 12 months, the UK football landscape has seen a number of high profile cyber and data related incidents that demonstrate the risks facing sporting organisations.
Clubs across both the Premier League and English Football League have reported attempted phishing campaigns targeting staff email accounts, with attackers seeking access to internal communications and commercially sensitive information. In several cases, compromised credentials have resulted in unauthorised access to systems containing player and staff data.
Elsewhere, vulnerabilities within third party platforms used for fan engagement and online ticketing have exposed personal details including names, email addresses and purchase histories. While not always resulting in confirmed breaches, these incidents highlight the potential risks to supporters and the reputational impact that can follow.
For data subjects, these types of events can increase the risk of identity theft, targeted scams and misuse of personal information. For organisations, they reinforce the need for clear governance, supplier due diligence and robust internal processes.
The Rise of Outsourced DPO Support
One of the most common requirements we are seeing across the sporting sector is the need for independent oversight through an Outsourced Data Protection Officer.
Many clubs and governing bodies simply do not have the internal resource or specialist expertise to manage compliance obligations effectively alongside their operational priorities. An Outsourced DPO provides:
- Independent advice on regulatory responsibilities
- Support with Data Protection Impact Assessments
- Guidance on data subject rights requests
- Oversight of internal policies and procedures
- Incident response and breach management support
- Ongoing staff awareness and training
Importantly, this support helps organisations move from reactive compliance to a more structured and proactive approach.
Specialist Support for the Sector
I work closely with our specialist consultant, Oluwagbenga Onojobi, an ex-barrister with a law degree and a particular interest in supporting organisations within the sporting industry. While he is an avid Arsenal supporter, his focus remains firmly on helping clubs, governing bodies and commercial partners across the sector to meet their regulatory obligations and embed best practice.
Together, we support sporting organisations across a range of services including:
- Outsourced DPO provision
- SAR Support
- Data Protection Audits
- Policy Development and Governance
- Supplier Due Diligence
- Incident Management
- Staff Training and Awareness
- Data Protection Support
Our aim is to help organisations continue to innovate and engage with their supporters, athletes and partners without compromising the security and integrity of the personal data they are entrusted with.
Looking Ahead
As the sporting sector continues to embrace digital transformation, data protection will remain a critical component of organisational resilience. Whether managing supporter databases, safeguarding information or athlete performance data, clubs and governing bodies must ensure that compliance keeps pace with innovation.
At Data Protection People, we are proud to support organisations across the sporting landscape in navigating these challenges and building sustainable compliance frameworks that protect both their operations and the individuals they serve.
By Jordan Joseph-Kerrigan, Sales Team Leader, Data Protection People
Insider Threats Are Becoming a Reality
Why Insider Threats Are Becoming a UK Healthcare Reality
A recent case reported by ITV has brought renewed attention to one of the most difficult data protection challenges facing healthcare providers today, unauthorised internal access to patient records.
According to reports, a medical practitioner is alleged to have accessed confidential patient data over a period of six years without the knowledge or consent of the data controller. The case is currently progressing through the courts, but it has already raised significant concerns around how healthcare organisations manage access to some of the most sensitive personal data in existence.
For many organisations across the UK, this will feel alarmingly familiar.
At Data Protection People, this is not an isolated incident. It reflects a growing pattern we are seeing within health and social care environments where personal data is not always being accessed maliciously from the outside, but instead by individuals who already have legitimate system permissions.
Healthcare Data Is a High Value Target
Health records fall within special category data under UK GDPR. This includes information relating to an individual’s physical or mental health, treatment history, medications, diagnoses, and other deeply personal details.
When accessed inappropriately, this information can be exploited for financial gain, identity theft, insurance fraud, or even social engineering attacks. In some cases, it can also lead to reputational damage, blackmail, or discrimination.
This is why healthcare breaches often carry some of the highest regulatory penalties and present the greatest risk to individuals.
Not All Breaches Are Caused by Hackers
In ITV’s coverage of the incident, our Data Protection Expert, Caine Glancy, was asked to comment on what may be driving the increase in these types of events.
He explained:
“People are seeing the significance and the impact data being breached out into the world seems to have had. I think it’s also because data protection is not something that’s being considered for all businesses as strictly as it should. At the moment, a lot of compliance with data protection seems to be more of a superficial statement for a lot of organisations.”
This highlights a key issue.
Many organisations focus heavily on external threats such as phishing attacks, ransomware, or system vulnerabilities. While these risks are very real, they often overlook the fact that inappropriate internal access remains one of the most common causes of personal data breaches.
Employees, contractors, students, and temporary staff may all have legitimate access to systems as part of their role. Without the right controls in place, this access can be misused, whether intentionally or otherwise.
Why Insider Access Is So Difficult to Control
Healthcare environments are built on trust, and access to information is often essential for delivering timely patient care. However, this creates a tension between operational efficiency and data protection compliance.
We frequently support organisations who:
- Have shared login credentials across departments
- Provide blanket access to entire patient databases
- Lack audit trails to monitor who accessed what and when
- Do not regularly review user permissions
- Rely on annual training alone to drive compliance
In fast paced clinical environments, access controls are sometimes viewed as a barrier to care delivery rather than a safeguard against harm.
However, without appropriate role based access controls, monitoring, and behavioural training, organisations may be unable to detect misuse until significant damage has already occurred.
What Organisations Should Be Doing Now
Cases such as this serve as a reminder that technical compliance alone is not enough.
Healthcare providers should ensure they have:
- Clear access management processes aligned to job roles
- Multi factor authentication for all systems containing patient data
- Regular reviews of user permissions
- System logging and monitoring to identify unusual access patterns
- Targeted training programmes focused on real world risks
- A documented incident response process for data breaches
Many of these measures are already required under the UK GDPR’s security principle, yet they are often implemented inconsistently in practice.
A Growing Trend Across the UK
With over 200 episodes of the Data Protection Made Easy podcast and a community of more than 1,700 data protection professionals, we regularly hear from organisations facing similar challenges.
The reality is that insider threats are rarely discussed publicly, but they are one of the most frequent issues raised during audits, SAR support work, and outsourced DPO engagements.
As this case demonstrates, organisations must move beyond treating data protection as a policy exercise and begin embedding it into day to day working practices.
Need Support Managing Access to Sensitive Data?
If your organisation handles special category data and you are unsure who currently has access to what, or whether your monitoring controls would detect inappropriate use, it may be time to review your approach.
Our team supports healthcare providers across the UK with access management reviews, breach response planning, and ongoing compliance support designed to reduce the likelihood of incidents such as this occurring in the first place.
Board Data Protection Training
Navigating GDPR: Board Member Responsibilities and Compliance Leadership
Data protection has become a critical concern for organisations of all sizes. Board members play a pivotal role in ensuring that their organisations comply with the General Data Protection Regulation (GDPR) and other relevant data protection laws. This comprehensive training program is designed to equip board members with the knowledge and skills necessary to effectively oversee data protection within their organisation.
Course Objectives
- Understand the key principles and requirements of the GDPR
- Recognise the board’s responsibilities in data protection governance
- Develop a robust data protection strategy
- Assess and mitigate data protection risks
- Foster a culture of data privacy within the organisation
Course Benefits
By participating in this training program, board members will:
- Enhance their understanding of data protection laws and regulations.
- Gain confidence in their ability to oversee data protection within their organisation.
- Strengthen their organisation’s data protection governance.
- Reduce the risk of data breaches and regulatory fines.
- Improve their organisation’s reputation and credibility.
Why Choose Data Protection People?
At Data Protection People, we are committed to providing exceptional training and consulting services in the field of data protection. Our team of experts is dedicated to delivering clear, concise, and actionable advice. We believe that data protection should be accessible to everyone, regardless of their technical background.
Here’s why we are the best company for the job:
- Deep Expertise: Our consultants have extensive experience in data protection and cybersecurity.
- Tailored Training: We customise our training programs to meet the specific needs of your organisation.
- Clear and Concise Explanations: Our trainers are skilled at translating complex concepts into simple terms.
- Practical Advice: We provide actionable advice that can be implemented immediately.
- Proven Results: We have a track record of helping organisations achieve compliance with data protection laws.
Bespoke Training for Your Board
We offer bespoke training programs that are tailored to the specific needs of your board. We can customise the content to address your organisation’s unique challenges and priorities.
Contact us today to discuss your training requirements and learn more about how we can help your board navigate the complexities of GDPR compliance.
None of Your Business (NOYB)
None of Your Business (NOYB): A Champion for Data Privacy
Our personal data has become a valuable commodity. Companies collect vast amounts of information about us, from our online activities to our offline purchases. While this data can be used to provide personalised services, it also poses significant risks to our privacy. That’s where None of Your Business (NOYB) comes in.
What is NOYB?
None of Your Business (NOYB) is a non-profit organisation dedicated to protecting the privacy rights of individuals in Europe. Founded by Max Schrems, a prominent privacy advocate, NOYB aims to bridge the gap between the law and its implementation. Unlike traditional consumer rights groups, NOYB takes a collective approach, pooling resources and expertise to enforce privacy laws more effectively.
NOYB’s Mission and Goals
NOYB’s mission is to empower individuals to control their personal data and ensure that companies comply with data protection laws. The organisation’s goals include:
- Enforcing Privacy Rights: NOYB works to enforce individuals’ rights under the General Data Protection Regulation (GDPR) and other relevant laws.
- Challenging Tech Giants: NOYB has taken on major tech companies, holding them accountable for their data practices.
- Advocating for Stronger Regulations: NOYB actively campaigns for stronger data protection laws at the European and international levels.
- Raising Awareness: NOYB educates the public about the importance of privacy and empowers individuals to protect their rights.
How Does NOYB Work?
NOYB employs a multi-faceted approach to achieve its goals:
- Collective Action: NOYB leverages the power of collective action to enforce privacy laws on behalf of individuals.
- Strategic Litigation: NOYB carefully analyses privacy violations and identifies legal vulnerabilities to develop targeted litigation strategies.
- Advocacy and Awareness: NOYB actively advocates for stronger data protection laws and raises awareness about privacy issues through various channels.
- Collaboration: NOYB works closely with other organisations and experts to maximise its impact.
NOYB’s Key Achievements
Since its inception, NOYB has achieved significant successes in protecting privacy rights. Some of its notable accomplishments include:
- Challenging Tech Giants: NOYB has filed numerous lawsuits against major tech companies, including Facebook, Google, and WhatsApp, alleging violations of data protection laws. These legal battles have raised awareness about privacy issues and forced companies to re-evaluate their data practices.
- Advocating for Stronger Regulations: NOYB has played a crucial role in shaping data protection regulations at the European level. The organisation has lobbied for stronger laws and has been instrumental in ensuring that the GDPR provides robust protections for individuals’ privacy rights.
- Raising Public Awareness: NOYB has successfully raised public awareness about the importance of privacy. The organisation has conducted various campaigns and initiatives to educate individuals about their rights and empower them to take action.
NOYB vs. the ICO: A Comparative Analysis
None of Your Business (NOYB) and the Information Commissioner’s Office (ICO) are both key players in the realm of data protection in the United Kingdom. While they share a common goal of protecting individuals’ privacy rights, they operate in distinct ways.
ICO: The UK’s Data Protection Regulator
The ICO is the UK’s independent supervisory authority responsible for upholding data protection law. Its primary functions include:
- Enforcing Data Protection Laws: The ICO investigates complaints, conducts audits, and can issue fines to organisations that violate data protection laws.
- Providing Guidance: The ICO offers guidance and advice to organisations on complying with data protection regulations.
- Promoting Awareness: The ICO raises awareness of data protection issues and best practices.
NOYB: A Non-Profit Advocacy Group
NOYB is a non-profit organisation that advocates for data privacy rights. Its key activities include:
- Legal Challenges: NOYB has filed numerous lawsuits against tech giants, challenging their data practices.
- Advocacy: NOYB campaigns for stronger data protection laws and regulations.
- Collective Action: NOYB empowers individuals to collectively enforce their privacy rights.
Key Differences
- Role: The ICO is a government regulator with enforcement powers, while NOYB is a non-profit advocacy group.
- Focus: The ICO focuses on enforcing data protection laws across all sectors, while NOYB often targets tech giants and high-profile cases.
- Approach: The ICO typically investigates complaints and conducts audits, while NOYB often employs legal challenges and public advocacy.
Impact on UK Companies
Both the ICO and NOYB can have a significant impact on UK companies. The ICO’s enforcement actions can lead to fines, reputational damage, and legal consequences. NOYB’s legal challenges and advocacy can also put pressure on companies to improve their data practices.
While the ICO is the primary regulator, NOYB’s activities can complement and strengthen the ICO’s efforts. NOYB’s public advocacy can raise awareness of data protection issues and encourage companies to take proactive steps to comply with the law. Additionally, NOYB’s legal challenges can serve as a deterrent to companies that may be tempted to violate data protection laws.
In conclusion, both the ICO and NOYB play important roles in protecting data privacy in the UK. While the ICO is the primary regulator, NOYB’s advocacy and legal actions can complement its efforts and help to ensure that companies are held accountable for their data practices.
Want to Learn More About NOYB?
Dive Deeper:
- NOYB Website: Visit the official NOYB website (https://noyb.eu/en) for more information about their mission, activities, and achievements.
- Data Protection Made Easy Podcast: Listen to our latest episode, “NOYB: A Privacy Champion,” for an in-depth discussion about NOYB’s work and the impact on data privacy. You can find the episode on our website (https://noyb.eu/en/data-protection-day-74-insiders-see-relevant-violations-most-companies) or on all major audio streaming platforms, including Spotify: https://open.spotify.com/episode/3TSg1ibbUyQJQCupa44UdY?si=FOTSWkIaQ226_SpI1ue08g.
Certificate in Data Protection Management
Earn a Certificate in Data Protection Management
(September 2024—November 2024)
Data Protection Officers (DPOs) play a pivotal role in ensuring compliant data protection practices are implemented, effective, fit for purpose and appropriately maintained. The DPO’s training is essential to ensuring that they have the necessary skills and knowledge to be effective and efficient in their role. It is therefore vital to secure the very best training and practical support for DPOs to ensure that they are able to provide excellent, informed and accurate support for the organisations they represent.
Training the Privacy Professionals
Our Certificate in Data Protection Management is a comprehensive program exploring what is required to set up an effective compliance framework for the management of data protection. The program is focussed on understanding, interpreting and applying data protection laws in an interesting and pragmatic way. Our aim is to train competent DPOs by ensuring that they have a strong understanding of the law in practice.
Flexible by design
In response to our clients’ requirements, our course is designed as a modular ‘Teams’ based program, allowing delegates to integrate the modules within their daily work commitments. The program is delivered as twice-weekly 2-hour sessions over an 8-week period, ending with an ‘open book’ assessment in week 9. Each cohort will contain no more than 8 delegates, and each session will facilitate the balance between the delegates’ current roles and developing their skills and knowledge in relation to data protection compliance. Each pair of weekly sessions is delivered in conjunction with ‘Assignments’ that are designed to consolidate and develop your knowledge further.
Mentoring on and after the program
We know the role of a DPO can feel a lonely one with limited avenues for continued learning and support. Therefore we will supply unlimited mentor support during and after the program. Post program support will last up to 8 weeks after you have completed your assessment. We can also supply guidance on how you can influence your managers and colleagues to ensure the whole organisation is on board with a commitment to data protection.
Hitting the Spot
You’ll cover data protection law at just the right level, encompassing a range of learning styles, to ensure you understand and feel comfortable working with legislation, guidance and case law. The indicative running order over the page highlights what a typical training program covers.
FREE templates and tools
- FREE templates and other tools
- FREE physical and digital copy of our Information Governance Framework: your reference point packed full of useful template documents
- Ongoing and post course mentoring to support your ongoing learning and development needs.
The UK’s best professional training
We may be biased but we’ve looked at what other professional training products are available, how they are structured and what they cover. Although there are some excellent training programs available, we have created our own unique program, built from our years of knowledge and experience in the field, to ensure that our training is undoubtedly the very best training in data protection law and practice on the market. Our aim is to make Data Protection easy: easy to understand and easy to do.
What our customers say…
“DPP has helped us in numerous different areas over the last 6 months. I have been really impressed with Oli and Kathy, in particular the training services they have provided. They not only have a vast understanding of data protection, but they are also great people to work with. I feel comfortable that I can reach out to DPP at any time to help navigate complicated scenarios.” Juniper Education – Gayle Richardson – DPO
Approximate Running Order
The following is an approximate running order which may flex during the program to ensure that the pace is right for the group, the learning aims are met, the delegates have sufficient ‘learning time’, and each point is properly explained, explored and exercised. After committing to the programme, we will issue you with some pre-reading to help you hit the floor running and engage in the program content from day 1.
Week 1: Introduces you to the concept of privacy, information rights and data protection. It considers how the law has developed over the years, up to and including the latest legislation, and future developments to watch out for. With the current law in mind you will start to progress your understanding of the key themes, starting with the scope, definitions and data protection principles.
Week 2: Progresses some of the key themes and moves on to considering the lawful basis for processing, what they mean in practice and an overview of information rights.
Week 3: Starts to consider some of the core obligations on controllers and processors under data protection laws, including data subject rights, governance and framework documentation.
Week 4: Focuses on understanding and demystifying Records of Processing Activities, Information Asset Registers, data retention schedules and risk assessments.
Week 5: Looks to appropriate technical and organisational security measures through to personal data breach reporting requirements.
Week 6: Considers data transfer mechanisms and how to undertake compliant data transfers within and outside of the UK.
Week 7: Introduces you to direct marketing and a focused look at PECR compliance.
Week 8: Final session on monitoring of compliance and undertaking audits, the role and power of the ICO, potential liabilities and sanctions that organisations face.
Week 9: An open book 3 part assessment (3 hours) involving (a) multi-choice questions, (b) scenario based questions, (c) practical exercise.
Assignments
In order for attendees to get fully immersed in the topics covered, assignments will be issued between each week’s learning. These will take several forms: worked examples of topics covered that week, podcasts for you to listen to, or reading to expand on learning or prepare you for the following week.
Fully Flexible
The purpose of a modular programme is to allow busy data professionals to engage in learning and continue the day job concurrently. We do understand that occasionally commitments or life get in the way, so we have built in a buffer for when you cannot make a session or two. In these situations a video covering that day’s topics will be made available to view. This ‘safety net’ can be accessed for 2 separate sessions during the programme.
…It’s a team thing
In order to enhance the interactive nature of the programme, DPP will provide a moderated group chat function, where the attendees of a specific programme can discuss topics and share thoughts. This community element will extend beyond the length of the course and will act as an interactive community for data protection professionals both during and after the program.