Resources
Podcasts, Guides, Updates & More
Data Protection People Blogs
Data Privacy Learning & Guidance
Our mission is to make data protection easy: easy to understand and easy to do. Our weekly podcasts are available in our Resource Centre along with a collection of articles, white papers, useful guidance, templates, case law, and opinions – providing you with tools you can utilise in your workplace.
STAIRs Readiness Assessment
STAIRs Readiness Assessment for Housing Providers
The upcoming Social Tenants Access to Information Requirements (STAIRs) will introduce new expectations for housing associations to improve transparency and make key information more accessible to residents.
From October 2026, housing providers will be expected to proactively publish specific organisational information for tenants. From April 2027, organisations will also need to respond to formal tenant requests for information about how their homes are managed.
For many housing providers, this represents a significant operational change. Publication schemes, internal processes, governance documentation, and tenant communication procedures may all need reviewing to ensure the organisation is ready.
To support housing associations through this transition, Data Protection People has developed a structured STAIRs Readiness Assessment designed specifically for the housing sector.
Supporting Housing Providers Through STAIRs
Our team works closely with housing associations across the UK to support transparency obligations, information governance, and tenant data rights.
Following a recent STAIRs event hosted in Leeds, we worked with housing professionals to explore how the requirements will impact organisations of different sizes and structures.
During the session, housing providers raised practical questions about publication schemes, tenant information access, and how internal teams should prepare for the new rules.
We have published a full resource covering those discussions which you can explore here:
Frequently Asked Questions – STAIRs
Building on this work, our consultants have developed a dedicated STAIRs Readiness Assessment to help organisations identify gaps and prepare their teams ahead of implementation.
What is a STAIRs Readiness Assessment?
The STAIRs Readiness Assessment is a structured review designed to help housing associations understand how prepared they are for the upcoming transparency requirements.
The assessment examines your organisation’s current policies, governance documentation, information management processes, and tenant communication practices.
By the end of the process, you will have a clear understanding of:
- Where your current processes align with STAIRs expectations
- Where potential compliance gaps exist
- What actions should be prioritised before the 2026 and 2027 implementation dates
- How tenant information requests may be managed in practice
This ensures your organisation can begin preparing early, rather than reacting once the requirements become mandatory.
Our Three Phase STAIRs Readiness Process
Phase 1 – Policy and Documentation Review
A specialist consultant will review your existing documentation related to transparency, governance, and information handling.
This includes policies, procedures, and any information currently published for tenants.
The goal of this phase is to identify potential gaps between your current practices and the expected STAIRs publication requirements. This may include areas such as governance documentation, organisational performance reporting, and housing management information that tenants may expect to access.
The review also considers how your existing transparency documentation aligns with the proposed Publication Scheme approach expected under STAIRs.
Phase 2 – Leadership Interviews
We will conduct structured discussions with key leaders within the organisation.
This typically includes teams responsible for:
- Housing operations
- Compliance and governance
- Communications and tenant engagement
- Information governance and data protection
The purpose of these interviews is to understand how information about tenant services, policies, decisions, and organisational performance is currently managed and shared.
We also assess how easily this information could be provided if tenants submit requests once STAIRs is fully implemented.
Phase 3 – Reporting and Recommendations
Following the assessment, you will receive a comprehensive summary report outlining the findings.
This report highlights:
- Priority actions to prepare for STAIRs compliance
- Potential risks linked to transparency and information access
- Recommendations for proactive publication of tenant information
- Guidance on managing tenant information requests
- A breakdown of how remediation activities can be implemented
The final report provides your leadership team with a clear roadmap for preparing the organisation before the new requirements come into effect.
Why Housing Providers Should Start Preparing Now
Although STAIRs requirements will not fully come into force until 2026 and 2027, the changes may require significant organisational preparation.
Housing providers may need to review publication processes, governance transparency, tenant communication channels, and internal procedures for responding to information requests.
Early preparation allows organisations to:
- Reduce compliance risk
- Improve transparency with residents
- Align governance and communication processes
- Prepare staff for new tenant information access expectations
By identifying potential gaps early, housing providers can introduce improvements gradually rather than under regulatory pressure.
Speak to Our Housing Sector Team
Our consultants regularly support housing associations with information governance, transparency requirements, and tenant data rights.
If you would like to explore how the STAIRs Readiness Assessment could support your organisation, our team would be happy to discuss the process and what preparation may look like for your housing provider.
You can also explore our sector resources and STAIRs guidance through the article below: STAIRs Update for Housing Providers
Need support preparing for STAIRs?
ICO Guidance on the DUA
ICO Guidance on the Data (Use and Access) Act (DUA): What You Need to Know
The Information Commissioner’s Office (ICO) has released guidance on handling data protection complaints in line with the requirements of the Data (Use and Access) Act 2025 (DUAA), which are set to come into force on 19 June 2026.
Whilst most of the reforms brought about by Part 5 of the DUAA took effect on 5 February, organisations have longer to prepare for the complaint requirements, and the ICO’s guidance supports organisations in achieving best practice ahead of time.
What does the DUAA change regarding data protection complaints?
Whilst the ICO has previously expected organisations to address data protection complaints received from individuals, that expectation has not been backed by any legal obligation.
Once the DUAA complaints provisions are in force, individuals will have a legal right to submit a complaint to an organisation about the handling of their personal data, and organisations must implement processes and procedures to facilitate this.
What are the key requirements for handling data protection complaints in line with the DUAA and ICO guidance?
The ICO’s latest guidance outlines the following key steps organisations must take to meet the complaint requirements under the DUAA:
- Provide individuals with a way of making data protection complaints;
- Acknowledge data protection complaints within 30 days of receipt;
- Take appropriate steps to respond to complaints without undue delay, including making appropriate enquiries and keeping complainants informed; and
- Provide people with complaint outcomes without undue delay.
For organisations with existing complaints procedures, only minor changes are likely needed to reflect the DUAA requirements, but organisations lacking an established complaints process will now be expected to implement a substantive procedure.
This article highlights the key areas of focus for organisations in preparation for the DUAA complaints provisions coming into force and summarises recommendations for best practice based on the ICO’s guidance.
What constitutes a data protection complaint?
Not every complaint that is linked to data protection matters constitutes a data protection complaint. Where an individual complains about an organisation’s services or other matters whilst also exercising data protection rights this does not count, e.g. an employee raises a grievance and at the same time makes a subject access request.
The ICO’s guidance clarifies that data protection complaints arise where an individual complains specifically about an organisation’s handling of their personal data, whether this be about the handling of a subject access request (SAR) or quality of data security.
As with other personal data rights requests, individuals do not have to use legal terms or quote the legislation to make a data protection complaint. Where it is unclear whether an individual is making a data protection complaint, organisations should seek clarification.
What must we do to prepare for handling data protection complaints?
Give people a way to make complaints
The starting point is to ensure that your organisation gives people a way to raise a data protection complaint. The ICO’s guidance allows organisations flexibility to choose the channels that are most appropriate, whether a complaint form, email address, telephone number, online portal, live chat facility or in person (if operating offline).
There is no requirement to set up a separate tool for receiving data protection complaints; organisations can rely on existing complaints channels and adapt them to include data protection complaints. As with the ICO’s SAR guidance, individuals are not obliged to follow the set process and can complain using any method of their choice. Nonetheless, having a set complaints process is important for accountability.
Organisations with an online presence should also consider how to handle complaints received through social media, bearing in mind that liaising with complainants through social media is not secure and an alternative contact method should be sought.
Those within the scope of the ICO’s Age Appropriate Design Code should satisfy the requirements for handling complaints from children outlined at standard 15 of the Code, ensuring children can easily make and escalate complaints.
Inform people of their right to complain
Organisations are already required to inform individuals of their right to submit a complaint to the Information Commissioner at the point of collection of their personal data through a privacy notice and also when responding to SARs.
Following the DUAA, organisations must now also inform individuals of their right to make a data protection complaint to the organisation itself. Organisations should update privacy notices accordingly to inform data subjects of their right to complain and the organisation’s complaints process including a contact point.
Those processing personal data for law enforcement purposes must also inform individuals of their right to complain at other junctures, including when refusing other rights requests.
Implement a complaints procedure
The ICO’s guidance makes clear that for best practice, organisations should implement a complaints procedure if they do not already have one. It should use plain language (avoid legal jargon), be published online and be made available to individuals at the earliest opportunity to ensure they are aware of how to raise complaints.
It is recommended that a written process includes the set method for receiving complaints; the supporting evidence needed to investigate; the proof of ID and third-party authority accepted as well as information on communicating timescales (acknowledgement within 30 days), updates and outcomes.
Whilst it is acceptable to integrate data protection complaints into overarching complaints procedures and a standalone process is not required, organisations must ensure outcomes are issued on data protection complaints without undue delay. So, when responding as part of a wider complaint connected to other issues, if able to provide an outcome on the data protection aspect sooner, you must do so.
Review record keeping and training
The guidance on record keeping reiterates not only the importance of having up-to-date, clearly organised and labelled systems so that information can be found quickly and effectively, but also the need to keep evidence of the following:
- Date complaints were received
- Acknowledgements sent
- Relevant conversations and documents
- Complaint outcomes
- Actions taken as a result
Strong record keeping not only supports compliance with the accountability principle in Article 5(2) UK GDPR by demonstrating compliance should the ICO or other industry bodies investigate; it is also useful for identifying recurring trends and underlying compliance issues.
In terms of training, all staff should as part of their overall data protection training be brought up to speed on recognising data protection complaints and knowing where to direct complaints internally when received.
Review Joint Controller and Processor arrangements
For Joint Controllers, the emphasis is on having transparent arrangements in place, given that the timescale starts as soon as the complaint is received by any Controller, so all parties must be clear on what to do, including:
- whether to have a central point of contact for complaints,
- how to inform people of where to complain, and
- responsibilities for investigating complaints and liaising with complainants.
Controller-Processor data processing agreements should cover arrangements for handling data protection complaints. The typical role of Processors remains to provide assistance, including on complaint investigations and by supplying relevant information, with Controllers retaining the obligation for complaint handling.
How do we ensure best practice in the end-to-end process?
Acknowledging the complaint
You must acknowledge receipt of a data protection complaint within 30 days and the ICO’s guidance clarifies that an auto-acknowledgement will suffice.
This timeframe begins the day after the complaint is received, even if this falls on a weekend or public holiday. However, if the last day to acknowledge falls on a weekend or public holiday, you have until the next working day.
A practical approach is emphasised: there is no need to send an acknowledgement and an outcome separately if you can provide the outcome within 30 days, and if you contact the complainant to ask for proof of ID, a separate acknowledgement is not needed.
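As an added illustration of the acknowledgement timing rules described above (this is example code written for this page, not code from the ICO or from Data Protection People), the following Python computes the acknowledgement due date and checks a complaints log against it. It assumes a simple record layout (`id`, `received`, optional `acknowledged` and `outcome` dates) and uses a constructed set of 2026 bank holidays for illustration; a real tracker should load the official holiday list for each year it covers.

```python
from datetime import date, timedelta

# Constructed for illustration only: England and Wales bank holidays in 2026.
# Verify against the official list before relying on it.
BANK_HOLIDAYS = {
    date(2026, 1, 1), date(2026, 4, 3), date(2026, 4, 6), date(2026, 5, 4),
    date(2026, 5, 25), date(2026, 8, 31), date(2026, 12, 25), date(2026, 12, 28),
}

ACK_WINDOW_DAYS = 30  # acknowledgement must be sent within 30 days of receipt


def _as_date(value):
    """Accept a date or an ISO 8601 string such as '2026-01-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def is_working_day(d, holidays=BANK_HOLIDAYS):
    """Monday to Friday and not a bank holiday."""
    d = _as_date(d)
    return d.weekday() < 5 and d not in holidays


def acknowledgement_due(received, holidays=BANK_HOLIDAYS):
    """Day 1 is the day after receipt, whatever day of the week that is,
    so day 30 is receipt + 30 calendar days. If day 30 falls on a weekend
    or bank holiday, the deadline rolls forward to the next working day."""
    due = _as_date(received) + timedelta(days=ACK_WINDOW_DAYS)
    while not is_working_day(due, holidays):
        due += timedelta(days=1)
    return due


def acknowledgement_status(record, today, holidays=BANK_HOLIDAYS):
    """Classify one complaint record.

    Either an acknowledgement or a full outcome sent on or before the due
    date satisfies the acknowledgement requirement (no separate
    acknowledgement is needed when the outcome itself arrives in time).
    """
    due = acknowledgement_due(record["received"], holidays)
    sent = [_as_date(v) for v in (record.get("acknowledged"), record.get("outcome"))
            if v is not None]
    if sent:
        return "acknowledged" if min(sent) <= due else "acknowledged_late"
    return "overdue" if _as_date(today) > due else "open"


def overdue_acknowledgements(log, today, holidays=BANK_HOLIDAYS):
    """IDs of complaints with no acknowledgement or outcome past the due date."""
    return [r["id"] for r in log
            if acknowledgement_status(r, today, holidays) == "overdue"]


if __name__ == "__main__":
    # Constructed sample log (hypothetical complaint IDs).
    sample_log = [
        {"id": "DPC-001", "received": "2026-01-01"},                             # due 2026-02-02
        {"id": "DPC-002", "received": "2026-01-05", "acknowledged": "2026-01-06"},
        {"id": "DPC-003", "received": "2026-01-02", "outcome": "2026-01-20"},   # outcome counts
    ]
    for rec in sample_log:
        print(rec["id"], acknowledgement_due(rec["received"]),
              acknowledgement_status(rec, "2026-02-03"))
    print("overdue:", overdue_acknowledgements(sample_log, "2026-02-03"))
```

Two behaviours are worth noting: a complaint received on Thursday 1 January 2026 has its 30th day on Saturday 31 January, so the deadline rolls to Monday 2 February; and the clock is measured from receipt, not from when the complaint is first logged, so late logging does not extend the deadline.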
The same complainant ID and third-party authority verification protocols apply as for other personal data rights requests, meaning you should:
- seek proof of ID at the earliest opportunity if in doubt
- not request further evidence if already in possession of sufficient information
- verify third party authority by requesting power of attorney or a signed letter of authority from the complainant they are acting on behalf of; and
- not start investigating the complaint until valid authority is received.
Conducting the investigation
Organisations must make enquiries into data protection complaints without undue delay, starting from when the complaint is received and not after the 30 day acknowledgement period ends.
This process generally involves fact finding, speaking to relevant staff, comparing the complainant’s account with the information you hold and checking whether organisational standards were upheld. The ICO’s guidance recommends asking the complainant for more information where necessary, and managing their expectations throughout.
The ICO’s guidance recognises that complaints will vary in complexity, scale and harm, meaning a blanket timeframe for resolving complaints is not expected. Instead, focus should be on the specific circumstances of the complaint (and your organisation) and making reasonable and proportionate enquiries based on this.
Providing updates and outcomes
Giving timely progress updates to complainants is emphasised in the ICO’s guidance, with the priority on explaining timeframes for resolution and any expected delays.
As with investigating complaints, outcomes must also be issued without undue delay, which according to the guidance means ‘without an unjustifiable or excessive delay.’ Outcomes should include an explanation of the steps taken to resolve the complaint and the actions taken as a result, and where you consider that you have complied with data protection law, this should be explained in detail.
An internal review process for complainants unhappy with the outcome is recommended. It is also best practice to inform individuals of their right to complain to the ICO, which they may exercise at any point, regardless of any internal review process.
Conclusion
The complaints requirements introduced by the DUAA can be viewed as formalising what the ICO has long expected from organisations in terms of addressing data protection complaints. The standards emphasised in the ICO’s latest guidance on complaints largely mirror those expected when handling other personal data rights requests.
Indeed, the ICO will be aiming for a reduction in the number of complaints brought to it following the DUAA changes. The regulator has an established policy of diverting complaints to organisations in the first instance where the issue has not previously been raised with the organisation directly, and it now has a legal basis for doing so.
This latest guidance also coincides with the ICO’s publication of its complaint handling framework which is centred on prioritising high-value cases where the ICO can have the most significant impact, an objective more realisable if less time can be spent on lower impact matters and those where internal complaints procedures have not been utilised.
Moving forward, organisations can expect to be held to a higher standard in terms of complaint handling. Once the provisions are in force, not having formal procedures in place will amount to a breach of the DPA, may trigger complaints from data subjects, and will be looked on with greater scrutiny by the ICO.
Implementing a formalised end-to-end data protection complaints procedure ensures best practice and will be looked on far more favourably by the ICO should any concerns be raised or investigations initiated. Data Protection People has already supported many organisations in this regard. If your organisation requires assistance in this area, please reach out to us.
How Can Staff Training Prevent GDPR Compliance Failure?
GDPR compliance failure can have a huge impact on your business. It could lead to data breaches, fines and regulatory action. Not to mention the effect it might have on your reputation.
Compliance failure can be easily prevented through robust staff training. In this article, we’ll discuss why staff training needs to be your business’s front line of defence and how it reduces the risk of non-compliance.
How Does Training Prevent Common GDPR Compliance Failures?
Policies alone are not enough to ensure compliance. Without staff understanding, you are leaving your organisation vulnerable. GDPR training is the best way to make sure all of your employees have the understanding they need to help protect your business against non-compliance, data breaches and enforcement action from regulatory bodies.
How Does GDPR Training Improve Breach Detection and Reporting?
Effective GDPR training raises awareness of what data breaches are, how to recognise them and what to do when they occur. Whether the cause is a phishing attack, a misdirected email or insecure data sharing, training reduces the likelihood of a breach happening in the first place and encourages early internal reporting. It also reduces regulatory risk by enabling a timely incident response.
How Does GDPR Training Reduce Personal Data Misuse?
Your business probably handles personal data in one way or another. But do your staff recognise what personal data is, and what they’re allowed to do with it? GDPR training clarifies what lawful bases the business has for handling personal data, and what the limits of use are.
It prevents function creep and unauthorised processing (such as using existing data to market unrelated products, or using fire-safety sign-in data to track employee attendance), reinforcing data minimisation in everyday tasks.
How Does GDPR Training Support Data Subject Rights Requests?
Along with personal data handling comes Data Subject Access Requests (SARs). Through GDPR training, your staff will understand what access, erasure or rectification requests actually look like, and how to handle them.
They’ll be able to prevent non-compliance through missed deadlines or unlawful refusals. Proper training will ensure that they handle SARs properly, rather than simply improvising because they don’t know any better.
How Does Training Improve GDPR Decision-Making?
One of the most important ways that effective GDPR training prevents non-compliance is by equipping staff to apply GDPR principles consistently.
By ensuring that all staff are trained, preferably in a practical, scenario-based way, they are empowered and confident in how their roles contribute to your organisation’s compliance.
Why is Ongoing GDPR Training Best?
Ongoing training, rather than a one-off session, is best because it keeps your staff up to date with the latest regulations, threats, and system or policy changes. It also means that new starters reach the same standard as existing staff.
The benefits of ongoing refresher training include fewer incidents, stronger audit evidence and improved customer trust. Robust GDPR training is both a tool for compliance and business resilience – it shouldn’t be a box-ticking exercise.
Train Your Staff With Data Protection People
GDPR compliance failure is preventable, and proper training should be the first line of defence. At Data Protection People, we provide bespoke data protection training that’s created and delivered by a team of experts. With us, your team can learn remotely, in-person or via e-learning with CPD-accredited courses that genuinely reduce the risk of non-compliance.
Book your GDPR training with us today.
Data Protection in the Sporting Industry
Professional sport is built on performance, trust and loyalty, both on and off the field. Behind the scenes, however, modern sporting organisations are responsible for managing significant volumes of personal data belonging to players, staff, supporters, partners and wider communities. From ticketing systems and membership databases to athlete performance analytics and safeguarding records, the scope of personal data processed across the sporting sector continues to grow year on year.
In my role as Sales Team Leader at Data Protection People, and as someone with a genuine passion for professional sport, I have had the opportunity to work alongside specialist consultants to support organisations across the sector in strengthening their approach to data protection. Over the past few years, we have worked with an impressive portfolio of clients including Leeds United, England Netball, the RFU, Formula One affiliated organisations, and sports software providers such as Goodform.
Through these engagements, a number of consistent trends have emerged.
Increasing Volumes of Personal Data
Sporting organisations are now operating in highly digitised environments. Matchday ticketing, fan engagement platforms, biometric athlete monitoring, media accreditation, safeguarding responsibilities and commercial partnerships all rely on the collection and processing of personal data.
For many organisations, this has resulted in a shift from relatively simple data processing activities to far more complex ecosystems involving:
- Third party ticketing providers
- Performance analytics platforms
- Medical and rehabilitation records
- Recruitment and scouting databases
- Sponsorship and commercial partner integrations
- Community engagement and grassroots initiatives
With this increased complexity comes increased responsibility, particularly where sensitive or special category data is concerned.
Lessons from Recent Incidents
Over the last 12 months, the UK football landscape has seen a number of high-profile cyber and data-related incidents that demonstrate the risks facing sporting organisations.
Clubs across both the Premier League and English Football League have reported attempted phishing campaigns targeting staff email accounts, with attackers seeking access to internal communications and commercially sensitive information. In several cases, compromised credentials have resulted in unauthorised access to systems containing player and staff data.
Elsewhere, vulnerabilities within third party platforms used for fan engagement and online ticketing have exposed personal details including names, email addresses and purchase histories. While not always resulting in confirmed breaches, these incidents highlight the potential risks to supporters and the reputational impact that can follow.
For data subjects, these types of events can increase the risk of identity theft, targeted scams and misuse of personal information. For organisations, they reinforce the need for clear governance, supplier due diligence and robust internal processes.
The Rise of Outsourced DPO Support
One of the most common requirements we are seeing across the sporting sector is the need for independent oversight through an Outsourced Data Protection Officer.
Many clubs and governing bodies simply do not have the internal resource or specialist expertise to manage compliance obligations effectively alongside their operational priorities. An Outsourced DPO provides:
- Independent advice on regulatory responsibilities
- Support with Data Protection Impact Assessments
- Guidance on data subject rights requests
- Oversight of internal policies and procedures
- Incident response and breach management support
- Ongoing staff awareness and training
Importantly, this support helps organisations move from reactive compliance to a more structured and proactive approach.
Specialist Support for the Sector
I work closely with our specialist consultant, Oluwagbenga Onojobi, an ex-barrister with a law degree and a particular interest in supporting organisations within the sporting industry. While he is an avid Arsenal supporter, his focus remains firmly on helping clubs, governing bodies and commercial partners across the sector to meet their regulatory obligations and embed best practice.
Together, we support sporting organisations across a range of services including:
- Outsourced DPO provision
- SAR Support
- Data Protection Audits
- Policy Development and Governance
- Supplier Due Diligence
- Incident Management
- Staff Training and Awareness
- Data Protection Support
Our aim is to help organisations continue to innovate and engage with their supporters, athletes and partners without compromising the security and integrity of the personal data they are entrusted with.
Looking Ahead
As the sporting sector continues to embrace digital transformation, data protection will remain a critical component of organisational resilience. Whether managing supporter databases, safeguarding information or athlete performance data, clubs and governing bodies must ensure that compliance keeps pace with innovation.
At Data Protection People, we are proud to support organisations across the sporting landscape in navigating these challenges and building sustainable compliance frameworks that protect both their operations and the individuals they serve.
By Jordan Joseph-Kerrigan, Sales Team Leader, Data Protection People
Data Protection People Podcasts
GDPR Radio, S2 Ep2: Data Protection News
Grok, the Online Safety Act, and UK AI Regulation
GDPR Radio is our regular news roundup, where we break down the biggest stories from the world of data protection, privacy, and emerging tech. In this episode, Catarina Santos and Caine Glancy cover early year enforcement activity from the ICO, debate what “valid consent” really looks like in modern digital ecosystems, and explore the growing pressure on social media platforms to protect children online, including age assurance and content moderation.
Listen back on Spotify
Episode highlights
This session covers three big themes that many organisations are grappling with right now.
1) PECR enforcement is back on the agenda
We discuss recent ICO fines linked to unsolicited marketing activity and PECR compliance, including the practical lessons for opt-outs, consent language, and third-party data sources.
2) Third-party marketing lists and the “consent problem”
A key discussion point is what “informed” consent looks like when individuals are presented with long lists of third parties, and whether any approach is truly usable, granular, and easy to withdraw in practice.
3) Social media, under-16s, and age assurance
We explore the UK conversation about restricting under-16 access to social media, and the operational reality behind age verification, predictive age estimation, and the privacy and security risks that can come with them.
Key takeaways for organisations
- If your marketing activity relies on PECR, ensure opt-out routes are clear and effortless, and your lawful basis and consent language stand up to scrutiny.
- If you use third-party data, check what individuals were actually told, what they agreed to, and whether withdrawal can realistically be managed.
- If you operate services used by children or young people, start stress-testing your age assurance approach now, including supplier due diligence, security, and data minimisation.
- When new tech risks emerge, reactive fixes often fall short, governance and risk management need to be built in from day one.
Useful links
Related from Data Protection People
- STAIRs event, 5 February, Leeds (limited tickets remaining)
- Upcoming session: DPIAs that actually protect people
- SARs content and events coming soon, plus an upcoming article on weaponising SARs and recent ICO guidance
About GDPR Radio
GDPR Radio is part of the Data Protection Made Easy podcast. Join live to ask questions, share views in the chat, and keep up with what’s happening across regulation, enforcement, and practice.
Speakers
Catarina Santos, Data Protection Consultant, Data Protection People
Caine Glancy, Data Protection Consultant, Data Protection People
Lessons For Data Retention
Santa’s Naughty List, Lessons For Data Retention
Data Protection Made Easy Podcast, Episode 228 – Hosted by Caine Glancy and Special Guest Katerina Douni
This week’s episode takes a festive look at one of the most common challenges in data protection, knowing what to keep, what to delete, and what to safely archive. Inspired by Santa’s famous naughty list, Caine Glancy and first time guest host Katarina Douni lead a lively discussion on data retention, storage limitation, and the practical steps organisations can take to stay compliant without holding information for longer than needed.
Katarina joined the podcast for her debut session and quickly set the tone with a clear message: many organisations continue to struggle with retention. She explored why data decisions matter, how retention periods should be approached, and why email is often the biggest culprit for uncontrolled storage. The session sparked strong engagement from our live audience, and the chat was filled with questions, examples, and shared challenges around retention, erasure, and day-to-day pressures inside busy teams.
Caine and Katarina walked listeners through common problems such as the overuse of email as a filing system, storing information long after its purpose has expired, and the difficulty teams face when deciding how long is long enough. They also discussed the risks of under-collecting or over-collecting information, the impact this has on storage limitation, and how organisations can simplify their retention rules to reduce confusion and avoid unnecessary risk.
As always, the live chat added a valuable layer to the discussion. Attendees shared their own retention periods, debated tricky scenarios, and raised questions that pushed the session further. The interactive nature of the podcast remains one of its key strengths and gives practitioners the chance to test ideas, compare approaches, and learn from each other in real time.
This episode is ideal for anyone who handles personal data, manages email systems, or oversees compliance. It provides clear explanations, relatable examples, and practical steps that can be applied immediately. With year end approaching, the timing could not be better for organisations reviewing their retention schedules or tackling email backlogs.
If you listened back on Spotify and want to join a future episode live, you can request an invite by emailing info@dataprotectionpeople.com. Live attendees can take part in the chat, ask questions, and access the deeper insight that comes from community discussion.
We host Data Protection Made Easy every Friday at 12:30 and new listeners are always welcome. Our community continues to grow each week with hundreds joining live and many more tuning in through audio platforms.
If you work in the housing sector, you may also be interested in our upcoming in person STAIRs event taking place on the 5th of February. Details can be found on our website and on LinkedIn.
Listen below and enjoy this festive and practical dive into data retention.
GDPR Radio – Digital Omnibus, Personal Data and SAR Reform
Digital Omnibus, Personal Data Changes and What They Mean for You
Episode 227 of the Data Protection Made Easy Podcast hosted by experts at Data Protection People. This episode was hosted live via Microsoft Teams in front of a live audience of listeners.
What We Covered in This Session
A Catch Up from Caine and Catarina
The episode opens with a look at what the team have been working on. Catarina reflects on a very busy week supporting a major client project alongside her team. Caine shares updates on ongoing STAIRs sessions for social housing providers and hints at an in person STAIRs event coming soon.
Both hosts also discuss their guest appearance on another organisation’s podcast where they explored how users understand privacy information, how organisations communicate their obligations and why cross functional training is so important.
The Digital Omnibus Package Explained
The main focus of the episode is the European Commission’s Digital Omnibus package, announced on 19 November. The discussion highlights several of the most significant proposals, including:
1. A New Approach to Personal Data
The proposal introduces a major shift. Information would be classed as personal data only if the controller has means reasonably likely to identify the individual.
The team explore:
- how this could narrow the scope of personal data
- what this means for indirect identifiers and pseudonymised data
- how case law from Europe is already pushing towards this direction
- how this might affect UK organisations if mirrored in future reforms
2. Changes to Data Breach Reporting
Catarina outlines proposals that:
- raise the threshold so only high risk breaches need regulator notification
- extend the deadline from 72 to 96 hours
Caine questions whether reducing low risk reporting could hide patterns of poor practice and the group debate what this means for real world compliance.
3. Reforms to Cookie Rules
The Digital Omnibus seeks to simplify cookie requirements by reducing reliance on consent for low risk purposes such as security and aggregated analytics. The team draw comparisons with the UK DUA Act and consider how consent fatigue has shaped this direction.
Insights from Guest Contributor David Appleyard
David shares two important observations:
1. SAR Purpose Tests
Under the new proposals, organisations may reject or charge for a SAR if the purpose is not to access personal data, for example in an employment dispute. This could be a significant change for many organisations that currently process large volumes of tactical or grievance based SARs.
2. High Risk AI Processing
David explains that the EU is pushing back deadlines for identifying high risk AI processing due to a lack of clear guidance, with expectations now set for no later than December 2027.
CNIL Research on Selling Personal Data
Caine introduces a study from the CNIL which found that 65 percent of surveyed French citizens would sell their personal data for between 1 and 100 euros. The hosts explore:
- why people undervalue their own data
- how advertising, profiling and AI training increase the true value
- the growing need for public awareness and transparent communication
Looking Ahead
The session closes with a reminder that the next podcast will explore data retention, followed by an update that the team are working on the new in house DPP studio.
About the Data Protection Made Easy Community
Our podcast community is one of the most active privacy networks in the UK with more than 150 regular live attendees and over 1,600 subscribers across all audio platforms. Joining the community gives you access to:
- free weekly live sessions with the chance to ask questions
- practical guidance from experienced consultants
- early access to slides and resources
- networking with other privacy and security professionals
- invites to in person events, workshops and sector focused discussions
- exclusive content only available to our community members
Attending live offers clear benefits. You can join the conversation, shape the discussion, raise real world challenges and take part in polls, chat and Q and A. Many listeners tell us they get far more value from attending live than listening back later.
We also have a strong line up of sessions taking us through to the end of the year, covering topics such as data retention, AI risk, international transfers, STAIRs, marketing compliance and more.
If you are not yet part of the Data Protection Made Easy community, you can join for free and get involved straight away.
Subject Access Requests in Practice, Community Q and A
After our first SARs session, we picked up the phone and asked our listeners what they struggle with most in real life. They shared questions, tricky scenarios and points of disagreement. In this follow-up episode of the Data Protection Made Easy podcast, Caine Glancy and Oluwagbenga Onojobi work through those issues live with members of our community.
What we discussed
In this session we explore:
- Where to draw the line on property information as personal data in social housing
- How far to go when providing repair history and tenancy records
- SARs linked to disrepair claims, when to push back and when to provide more to be helpful
- Redacting staff names in emails and HR files, and what counts as excessive redaction
- How different organisations approach employment SARs and grievances
- Using the third party exemption to protect staff and witnesses
- Applying a reasonable and proportionate search so you focus your effort where it matters most
- The importance of documenting decisions and communicating clearly with data subjects
Listeners share how they handle these issues in housing and HR, which gives a rounded view of what is happening on the ground, not just what the legislation says.
Who this session is for
- Data Protection Officers and privacy leads
- SAR handlers and information governance teams
- Housing providers dealing with disrepair and complaint driven SARs
- HR professionals managing employment SARs and grievances
If you are trying to balance transparency with protecting third party rights, you will find this discussion especially useful.
Listen back and join the community
You can listen back to this episode now on Spotify and all major podcast platforms.
If you are not yet part of the Data Protection Made Easy community, complete our contact form and ask to join. Membership is free. You will receive a weekly invite to our live Friday sessions, access to visual materials, and ongoing support from over 1,500 like minded data protection practitioners.
Coming up next, GDPR Radio
This week our live Friday session is a GDPR Radio episode. Caine, Catarina and the team will be back to look at the latest news, enforcement action and real world challenges from across our community. If you would like to receive an invite, fill in our contact form and the team will add you to the mailing list.
Data Protection People Whitepapers
Data Privacy Learning & Guidance
How to Respond to a Data Subject Access Request (DSAR)
Read about how to properly handle a Data Subject Access Request (DSAR) as a data controller at an organisation who has received a request.
Do I need to do a DPIA?
Learn about Data Protection Impact Assessments (DPIAs) and how to manage them.
Data within Education
Having joined Data Protection People as a graduate fresh from finishing Leeds Beckett University, my knowledge of GDPR and data protection was virtually non-existent; I was well and truly thrown in the deep end. You could say it was like learning how to run before I could walk. Luckily alongside having to…
Outsourced Consultant Versus In-House?
Do I need to do a DPIA? Whenever you implement a new processing activity, system, or process, you should consider whether a DPIA is needed. This should be done as early as possible in the process to allow time for the implementation of risk mitigation. Step One: is a DPIA legally required? The first thing…
Data Protection People News
STAIRs Update for Housing Associations
Housing associations across the UK have received a further update on the upcoming Social Tenants Access to Information Requirements (STAIRs). These requirements will introduce new expectations for how social landlords provide information to tenants about the management of their homes. The National Housing Federation (NHF) recently shared an update outlining key timelines and confirming that further operational guidance is currently being developed to support the sector.
Reddit fined for children’s privacy failures
Last week the UK Information Commissioner’s Office (ICO) fined Reddit £14.47 million for unlawfully processing children’s personal data. And the problem here was that children under 13 were able to use the platform for years while Reddit relied mainly on users simply ticking a box to confirm their age.
Insider Threats Are Becoming a Reality
Many organisations focus heavily on external threats such as phishing attacks, ransomware, or system vulnerabilities. While these risks are very real, they often overlook the fact that inappropriate internal access remains one of the most common causes of personal data breaches.
Snapchat’s Generative AI Features: A Data Protection Perspective
Snapchat’s new generative AI features raise important data protection concerns. We explain what this means for user privacy, children’s data, and UK GDPR compliance.
Join our community
Our mission is to make data protection easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.