Resources

Podcasts, Guides, Updates & More


Data Protection People Blogs

Data Privacy Learning & Guidance

Our mission is to make data protection easy: easy to understand and easy to do. Our weekly podcasts are available in our Resource Centre along with a collection of articles, white papers, useful guidance, templates, case law, and opinions – providing you with tools you can utilise in your workplace.

ISO 27001 at 20

ISO 27001 at 20: Reflecting on Two Decades of Information Security Excellence

This year marks the 20th anniversary of ISO 27001, the world’s leading information security management standard. Over two decades, ISO 27001 has become a global benchmark for protecting data, reducing cyber risk, and embedding security culture. As we approach the transition deadline for the 2022 update, now is the perfect time for organisations to take stock of their compliance journey.

What’s Changed: From BS 7799 to ISO 27001:2022

Before ISO 27001 became a global standard, its origins lay in the UK’s own BS 7799, first published in the 1990s. This framework evolved into ISO 27001 in 2005 and quickly gained international recognition for setting out what an effective Information Security Management System (ISMS) should look like.

The most recent version, ISO 27001:2022, modernises the standard for today’s digital landscape. While the management clauses remain largely familiar, the control set has been restructured to reflect new risks, technologies, and ways of working.

Main updates in ISO 27001:2022

  • The number of controls has been reduced from 114 to 93.
  • Controls are grouped into four new categories: organisational, people, physical, and technological.
  • New controls have been introduced to address modern risks such as cloud services, threat intelligence, and remote working.
  • Each control now includes attributes that describe its purpose, making the standard more flexible and user-friendly.

These changes bring ISO 27001 in line with other management system standards through the Annex SL structure, which simplifies integration with frameworks like ISO 9001 (Quality Management) and ISO 22301 (Business Continuity).

Why It Matters for UK Organisations

ISO 27001 remains the gold standard for demonstrating information security maturity, and the 2022 update represents a significant evolution. For UK businesses, this update isn’t optional: it’s a mandatory transition with a clear deadline.

  • Transition deadline: All ISO 27001:2013 certifications will expire on 1 November 2025. After this date, organisations must be certified to ISO 27001:2022.
  • Improved alignment: The new structure makes it easier to integrate with other ISO standards, streamlining management processes.
  • Modern security relevance: Updated controls address emerging threats such as cloud computing, supply chain security, and hybrid working environments.
  • Enhanced business credibility: Certification to the latest version signals strong governance and builds trust with clients, partners, and regulators.

What You Should Be Doing Now

With less than a year until the transition deadline, organisations certified under ISO 27001:2013 should be well underway with their upgrade plans. Here’s how to get started:

  • Confirm your certification status: Check which version of ISO 27001 your organisation is currently certified against and when your next audit is due.
  • Conduct a gap analysis: Compare your existing ISMS against the 2022 control set. Identify any new, merged, or removed controls that affect your environment.
  • Update policies and documentation: Ensure your ISMS documentation reflects new control terminology, roles, and risk management processes.
  • Train your team: Make sure everyone involved in your ISMS, from IT to HR, understands the new structure and control requirements.
  • Engage your certification body: Confirm they are accredited for ISO 27001:2022 and schedule your transition audit well before the November 2025 deadline.
  • Seek expert support: If resources are stretched, external consultants can provide transition planning, control mapping, or pre-audit support to make the process smoother.

Our View / Final Thoughts

Twenty years on, ISO 27001 continues to be the cornerstone of information security best practice. Its evolution shows how adaptable the framework is, maintaining timeless governance principles while responding to modern threats such as AI, remote work, and data sovereignty challenges.

At Data Protection People, we see ISO 27001:2022 not just as a compliance exercise, but as a strategic opportunity. Transitioning effectively strengthens resilience, improves stakeholder trust, and demonstrates that your organisation takes information security seriously.

If your certification is still under the 2013 version, now is the time to act. Our experts can support your transition with ISO audits, staff training, and ongoing compliance support.

FAQs

When do we need to transition to ISO 27001:2022?

All certifications under ISO 27001:2013 will expire on 1 November 2025. Transition audits should be completed before that date to avoid a lapse in certification.

What are the biggest changes in ISO 27001:2022?

The most significant updates are the streamlined control set (from 114 to 93), new control categories, and the addition of modern topics such as cloud security and threat intelligence.

Do all organisations need to adopt the new controls?

Every organisation must review all 93 controls, but not every control will apply. Applicability depends on your ISMS scope and risk assessment.

What happens if we don’t transition in time?

Your ISO 27001:2013 certification will become invalid after November 2025, and you may need to restart the full audit process, which is more costly and time-consuming than a transition audit.

Can DPP help with our ISO 27001 transition?

Yes. Our consultants can guide you through the transition process, from gap analysis and policy updates to training and audit preparation. Get in touch to learn more.

Keeping Your Data Safe: A Practical Guide for UK Businesses

Data breaches and GDPR compliance can feel overwhelming for UK businesses. The cost of getting it wrong is significant: fines, reputational damage and the potential for massive business disruption.

Protecting your company’s data is both a legal and operational necessity, but it doesn’t have to be complicated. In this guide, we will look at how regular audits, strong internal controls and even a dedicated role within your organisation can make data protection straightforward.

Understand Your Data Landscape

The first step to protecting your company’s data is simply understanding what you’re working with. The questions you need to answer are:

  • What kind of personal data does your company hold?
  • Where is it stored?
  • Who has access?

If you can’t answer these questions confidently, undertaking a data mapping project will help you identify and understand the data that you collect, hold and store.

Carry Out Regular GDPR Audits

A GDPR audit is a review of your organisation’s data handling practices to assess whether they are compliant with the UK General Data Protection Regulation. It’s essential to ensure that your business meets its legal obligations, mitigates any risks of data breaches and implements necessary improvements.

Appoint a Data Protection Officer (DPO)

If your business carries out large-scale processing activities or is a public authority or body, then you need to hire a Data Protection Officer or outsource one.

A DPO monitors GDPR compliance, leads audits and acts as liaison with the ICO. They also provide guidance to management and employees who handle data.

If you’re a small or medium-sized business, then outsourcing a DPO might be more cost-effective, more impartial and more expert-led than hiring one in-house.

Strengthen Access Controls and Staff Training

One of the key measures you can take to keep your company’s data safe is implementing user access control. This means granting access to systems and data only to those who require it for their role. It also includes things like two-factor authentication and password control.

Regular training on data handling for all staff is also important, even if it’s just the basics, such as reporting incidents, phishing awareness and device locking.

Have a Breach Response Plan

Do you know what to do if you’ve suffered a data breach? If you don’t, you could inadvertently be making the situation worse. Quick detection and response can not only reduce the scale of the breach, but also reduce ICO penalties and reputational damage.

Your DPO will help you manage any data breaches by assessing their severity, coordinating the response and notifying relevant authorities.

Stay Up-to-Date with Regulation and Technology

GDPR and data protection law are always changing, especially after Brexit, so it’s important to keep up to date with the latest legislative changes.

Technology can help you stay on the cutting edge of data protection, particularly in areas such as encryption, anonymisation and secure backups.

Your ongoing GDPR audits, along with your DPO’s responsibilities to monitor changes, should keep you informed.

Keep Your Data Safe with Data Protection People

Data protection is an ongoing business activity. With regular audits, internal controls and a knowledgeable DPO, you can keep your customers and your reputation safe.

We offer a range of services to help you keep your company’s data protected from cyber criminals and accidental data breaches, from an outsourced DPO to GDPR audits. Get in touch with us today.

Location Data for Sale: A Wake-Up Call for UK Organisations

A recent RTÉ Prime Time investigation exposed how the real-time movement of tens of thousands of smartphones was being sold on the open market. The story, though focused on Ireland, is a stark warning for UK organisations that process or share location data. If location data can be traced back to individuals, it is personal data under UK GDPR. Misusing it could lead to serious enforcement action and loss of public trust.

What Happened

Undercover journalists posed as a data analytics company and purchased location data showing two weeks of movement for around 64,000 mobile phones. The dataset revealed daily routines, routes and even visits to sensitive sites like government buildings and prisons. Despite claims of “anonymisation”, investigators easily re-identified users by tracing data to home addresses and workplaces.

In response, Ireland’s Data Protection Commission launched an investigation into the data broker’s practices. The case mirrors ongoing global concerns about the misuse of mobile location data, issues that are equally relevant under UK GDPR and PECR.

Location Data as Personal Data

UK GDPR explicitly treats location information as personal data. In its definition of personal data, the UK GDPR lists “location data” alongside names and online identifiers. In practice, this means a person’s physical movements, whether by GPS, Wi-Fi or cell towers, identify them and are protected. GDPR examples of “private and subjective” data include location data on the same list as religion or political views. In other words, even though raw GPS coordinates aren’t a “special category”, location trails can quickly become as revealing as declared sensitive information.

  • Location data comes with high responsibility: organisations must treat it carefully under UK GDPR’s principles (lawfulness, purpose limitation, data minimisation, etc.). They should be transparent, provide clear privacy notices, and obtain valid consent or other lawful basis before tracking.

Location Data Can Reveal Sensitive Details

Long-term tracking of movement patterns can expose highly personal traits. For example, ICO guidance emphasises that a 24/7 log of someone’s whereabouts is “highly intrusive”, as it “is likely to reveal a lot of information about them, including the potential to infer sensitive information such as their religion, sexuality, or health status.”

FTC regulators in the US have made similar points. In a complaint against a location data broker, the FTC noted that “Location data can expose sensitive information such as medical conditions, sexual orientation, political activities, and religious beliefs.”

In practice, detailed location logs can be cross-referenced with public data to infer private traits. For example, regular attendance at a particular church or mosque can reveal faith, frequent visits to a clinic or mental-health centre can imply medical issues, and patterns of travel to political rallies or social venues can hint at ideologies or sexuality.

  • Examples of sensitive inferences: A person’s home, work, places of worship, or health clinics are obvious “sensitive” sites. Data brokers have sold segments like “pregnant women” or “people going to abortion clinics” by detecting patterns in GPS data.
  • Risk of profiling and ads: Online ad networks also use location to profile users. Under UK law, using tracking data for targeted advertising requires strict consent. However, in reality many apps leak precise location to marketing firms. Investigations found that even innocuous apps (games, fitness or prayer apps) have been co-opted to harvest location data for sale. This means a user may see ads not only for local restaurants, but also for sensitive services, such as medical treatments, based on an inferred profile.

Re-identifying “Anonymous” Location Trails

Simply stripping names off GPS data is not enough to make it safe. Mobility records are notoriously unique. The European Data Protection Board (EDPB) warns that supposedly “anonymised” location traces “are known to be notoriously difficult to anonymise.” It cites research showing that even a few points of a person’s movement make them re-identifiable.

In one landmark study, only four random spatio-temporal points (latitude/longitude plus time) were enough to uniquely identify 95% of individuals in a large mobility dataset. Even coarse data (such as cell-tower regions and hours rather than exact GPS minutes) proved only marginally safer: most people remained unique with just a handful of points. In short, an “anonymised” location database can often be re-linked to individuals by matching with outside information, such as known home or work addresses or social media check-ins.
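Added example (not from the original article, nor from any study it cites): a small unicity check in Python over a constructed, pseudonymised set of (id, cell, hour) records, the kind of re-identification risk assessment a controller should document before calling a dataset anonymous. It estimates how often k points from one person’s trace single them out, then repeats the measurement after coarsening cells to regions and hours to 6-hour buckets. The record values, the region naming convention and the bucket size are assumptions.

```python
"""Unicity check for a pseudonymised location dataset.

Added example, not from the original article. For each person in the data it
asks: if someone knows k of this person's (place, time) points, how often do
those k points match exactly one pseudonym in the dataset? That is the
"four points identify 95%" measurement the text describes."""
from collections import defaultdict
from itertools import combinations
import math
import random

# Constructed sample (assumption, not real data): (pseudonymous id, place cell,
# hour of day). Names are already stripped, which is exactly the "anonymised"
# dataset the text warns about.
SAMPLE_RECORDS = [
    ("u1", "leeds-12", 8), ("u1", "leeds-40", 13), ("u1", "york-03", 18),
    ("u2", "leeds-12", 8), ("u2", "leeds-41", 13), ("u2", "york-03", 18),
    ("u3", "leeds-12", 9), ("u3", "leeds-40", 13), ("u3", "hull-07", 18),
    ("u4", "hull-07", 8),  ("u4", "hull-09", 12),  ("u4", "hull-07", 18),
    ("u5", "hull-07", 8),  ("u5", "hull-09", 12),  ("u5", "leeds-12", 20),
]


def trace_points(records):
    """Group records into {pseudonym: set of (place, hour) points}."""
    traces = defaultdict(set)
    for user, place, hour in records:
        traces[user].add((place, hour))
    return dict(traces)


def coarsen(records, hours_per_bucket=6):
    """Reduce precision: keep only the region part of the cell id (assumed to
    be the text before the hyphen) and bucket the hour of day. Points that
    collapse onto the same region/bucket merge when traces are built."""
    return [(u, place.split("-")[0], hour // hours_per_bucket)
            for u, place, hour in records]


def users_matching(traces, points):
    """Pseudonyms whose trace contains every one of the given points."""
    return {u for u, pts in traces.items() if points <= pts}


def unicity(records, k, max_subsets=200, seed=0):
    """Mean over users of the share of their k-point subsets that match
    exactly one pseudonym. A user with fewer than k distinct points cannot be
    pinned down this way and counts as 0. When a trace has more than
    max_subsets k-subsets, a seeded random sample of subsets is used."""
    traces = trace_points(records)
    rng = random.Random(seed)
    shares = []
    for user, pts in traces.items():
        if len(pts) < k:
            shares.append(0.0)
            continue
        ordered = sorted(pts)
        if math.comb(len(ordered), k) <= max_subsets:
            subsets = [set(s) for s in combinations(ordered, k)]
        else:
            subsets = [set(rng.sample(ordered, k)) for _ in range(max_subsets)]
        unique = sum(1 for s in subsets if users_matching(traces, s) == {user})
        shares.append(unique / len(subsets))
    return sum(shares) / len(shares) if shares else 0.0


def unicity_report(records, ks=(1, 2, 3)):
    """{k: (unicity on raw cells/hours, unicity after coarsening)}."""
    coarse = coarsen(records)
    return {k: (unicity(records, k), unicity(coarse, k)) for k in ks}


if __name__ == "__main__":
    for k, (fine, coarse) in unicity_report(SAMPLE_RECORDS).items():
        print(f"k={k}: exact cells/hours {fine:.2f}, "
              f"regions/6h buckets {coarse:.2f}")
```

On the sample, three exact points identify every pseudonym; coarsening to region and 6-hour bucket still leaves three of the five traces unique, the “only marginally safer” effect the study reports.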

User Consent Issues

Beyond official cases, everyday privacy concerns arise with location tracking:

  • Mobile App Permissions: Many smartphone apps request location permission (for “better experience” or ads) and users often grant it without realising. Studies show thousands of popular apps, even games or utility apps, leak location via ad networks. In many cases users are unaware their movements are shared with marketing brokers.
  • Behavioural Advertising: Companies build profiles from location info. Under UK law, using tracking cookies or device signals for targeted advertising requires clear consent. However, some websites push “cookie walls” or confusing consent banners (a form of “dark pattern”) to force acceptance. ICO guidance warns that mandatory “take-it-or-leave-it” consent (no free choice) is usually invalid.
  • Surveillance Advertising: Location-based surveillance advertising, showing ads based on precise location behaviour, poses GDPR challenges. For instance, an ad network could infer health or beliefs (e.g. showing ads for political causes to someone who visited a rally). ICO guidance is clear that any profiling of user attitudes or preferences, which location-based targeting does, requires transparency and consent.

What You Should Be Doing Now

Principles for Responsible Processing

  • Necessity and Justification: Only collect location if essential for the service. As the ICO puts it, tracking people’s movements “requires a strong justification”. Consider less intrusive alternatives first.
  • Consent and Notice: Be clear with users why you need location data, how you use it, and get valid consent when profiling or advertising. Avoid dark patterns in consent requests.
  • Data Minimisation and Retention: Store the minimum location detail needed, for example use coarse location if possible, and retain it only as long as required. Given the risk of re-identification, controllers should destroy or truly anonymise logs when no longer needed.
  • Security and Access Controls: Because location data is sensitive, it must be well secured, with encryption and strict access controls. Log who accesses location information, and have a robust breach response plan.
  • Right to Object: Remember that data subjects have the right to object to profiling. Companies should provide easy ways for users to opt out of location-based tracking or data sharing.

By following these principles and keeping abreast of ICO and EDPB guidance, organisations can handle location data more responsibly. The Home Office case shows regulators will scrutinise any 24/7 monitoring. With “always-on” location services on our phones and devices, businesses and governments alike must respect that location trails reveal the contours of people’s private lives.

Practical Steps

  • Audit your data flows – Map out all sources and uses of location or behavioural data, including mobile apps, analytics tools and advertising platforms.
  • Review contracts and suppliers – If you use data brokers or adtech partners, ensure they comply with UK GDPR and do not sell or re-use data unlawfully.
  • Strengthen anonymisation practices – Follow the ICO’s Anonymisation and Pseudonymisation Guidance to assess and document re-identification risks.
  • Refresh consent and transparency notices – Make sure privacy notices clearly explain any sharing or selling of location data, including the lawful basis for doing so.
  • Carry out a DPIA – Conduct a Data Protection Impact Assessment for any project involving tracking or profiling users through location or behavioural data.
  • Train staff and developers – Everyone involved in collecting or processing location data should understand their obligations and the potential risks.

At Data Protection People, we help organisations conduct DPIAs, assess anonymisation standards, and audit third-party data flows. If your organisation collects or shares location data, now is the time to act before regulators come knocking.

Our View / Final Thoughts

The RTÉ revelations underscore a growing issue: location data is among the most valuable, but also the most dangerous, forms of personal data. For UK businesses, this means tightening internal controls, demanding transparency from suppliers, and taking accountability seriously. “Anonymous” data is not always anonymous, and claiming so will not protect you from enforcement.

The ICO has already signalled a tougher stance on data brokers, consent mechanisms, and dark patterns. Organisations that proactively embed privacy-by-design and transparency will not only avoid penalties, but also strengthen customer trust in an era of growing data awareness.

FAQs

Does UK GDPR treat location data as personal data?

Yes. Location data can directly or indirectly identify an individual, which makes it personal data under Article 4 of the UK GDPR.

Is selling anonymised data allowed in the UK?

Only if it is genuinely anonymous and cannot be re-identified. If there is any realistic possibility of re-identification, it remains subject to UK GDPR.

What if our organisation uses third-party analytics tools?

You remain responsible for compliance. Review contracts, verify privacy practices, and complete DPIAs where tracking or profiling occurs.

Has the ICO fined organisations for data misuse before?

Yes. Examples include Experian’s enforcement notice (2023) and Clearview AI’s £7.5 million fine (2022) for unlawful data scraping. Location data misuse could attract similar penalties.

What support is available?

If you’re unsure about your obligations, Data Protection People’s support services can help with audits, DPIAs and policy reviews.

If you process, share or purchase location data, take action now. Our team at DPP can help ensure your practices are compliant, ethical and defensible.

Unlawful Robo-Calls: ICO Fines Energy Firms Over Automated Marketing Breach

The Information Commissioner’s Office (ICO) has cracked down on two energy firms, fining them a combined £550,000 for making unlawful automated marketing calls (robo-calls).

The firms used voice-avatar software to make millions of calls that misled recipients into believing they were speaking with local UK agents. In reality, the calls originated overseas and were generated using pre-recorded scripts voiced by actors.

This case highlights the rising risks in automated marketing as businesses adopt AI-driven communication tools, especially when organisations push boundaries with limited oversight.

Why This Case Matters

As automated and AI-driven tools become more accessible, companies may see robo-calls as an efficient outreach method. But the ICO’s enforcement shows regulators are watching closely.

Robo-calls are not a grey area. Under the Privacy and Electronic Communications Regulations (PECR), organisations must have clear, prior consent before making any automated marketing call. The ICO’s latest fines are a reminder that:

  • Automated calls attract stricter rules than live calls
  • Innovation is no excuse for non-compliance
  • Failures carry serious consequences, both in fines and in reputational harm

This action reflects a wider regulatory trend. In recent months, the ICO and Ofcom have publicly warned of increasing misuse of AI-driven telemarketing. In the US, the Federal Trade Commission (FTC) has also fined firms for voice cloning and avatar call scams. The message is clear on both sides of the Atlantic: consent and transparency are non-negotiable.

The ICO’s Findings

The ICO fined Home Improvement Marketing Ltd (HIM) in Pembrokeshire £300,000. HIM used overseas call centres to make roughly 2.4 million automated calls from May to August 2023, using avatar software that masked the origin.

The ICO also fined Green Spark Energy Ltd (GSE) £250,000 after it made 9.5 million calls. Complaints poured in: nearly 500 people contacted the ICO or the Telephone Preference Service (TPS), including elderly and vulnerable individuals.

Key findings included:

  • Lack of consent: many recipients never agreed to receive automated calls.
  • Misleading practices: voice avatars masked overseas origins.
  • Vulnerable individuals targeted: nearly 500 complaints were lodged, many from elderly people.
  • Shared leadership: both companies were linked to a common director, Mathew Terry.

The ICO executed a search warrant in March 2024, seizing phones and documents that revealed instructions for evading detection and converting the calls into insulation product sales.

As Andy Curry, ICO Head of Investigations, commented:

“Advances in technology may make detection harder, but the rules remain the same. Companies using these systems must ensure they are lawful, transparent and fair.”

Our Legal Obligations Around Robo-Calls: PECR and UK GDPR

PECR: Automated marketing calls require prior, informed, and recorded consent. Organisations must identify themselves and provide an opt-out option.

UK GDPR: Organisations must handle personal data lawfully, transparently and fairly. When automation processes personal data for marketing, businesses must ensure people can understand how their data is used, including in decision-making.

ICO Direct Marketing Code of Practice: This statutory code sets out good practice and is essential reading for any organisation engaged in marketing.

How to Spot a Robo-Call

Consumers should remain vigilant. The ICO offers practical tips to recognise robo-calls:

  • Notice small pauses before responses, as the system selects pre-recorded clips.
  • Check if replies sound generic or irrelevant.
  • Listen for identical voices across “agents.”
  • Observe overly polished calls with no background noise.
  • Notice if conversations revert to fixed marketing language regardless of replies.

Reports can be made directly to the ICO or via the Telephone Preference Service (TPS), which remains a key enforcement tool.

What Organisations Should Do Now

If your organisation uses or plans to use automated calling or avatar-based outreach, follow these steps to stay compliant:

  • Consent mechanisms: Review contact lists to ensure valid, recorded consent exists before making any automated call.
  • Maintain evidence: Document consent records with timestamps, sources, and purpose.
  • Transparency: Ensure scripts clearly identify your organisation.
  • Opt-out options: Provide a straightforward way for customers to object.
  • Quality checks: Monitor call quality and avoid misleading avatars.
  • Training: Train marketing teams on PECR and GDPR obligations.
  • Auditing: Run regular audits to identify risks early.

We recommend running a Direct Marketing Audit as part of your data protection governance. You can integrate this into a broader GDPR Audit. Technology should support compliance, not bypass it.

Our View

At Data Protection People, we see this case as a clear signal from the ICO: using advanced technologies like avatar software and automated script systems does not exempt organisations from compliance. If anything, it heightens risk.

Compliance is not a barrier to innovation: it is a framework for deploying new technologies responsibly. Organisations that invest in consent, transparency, and accountability will not only stay on the right side of the law but also build lasting trust with customers.

FAQs

Are all robo-calls illegal?

No. Some automated calls are lawful, for example, where individuals have given prior, informed consent. Without consent, they breach PECR.

Do I need consent for avatar-style calls?

Yes. Whether calls use avatar software or a live agent, you must have explicit consent to make automated marketing outreach.

What type of consent qualifies?

Consent must be freely given, specific and informed. Keep detailed records showing the consent method, time and purpose.

What should I do if customers report robo-calls?

Investigate immediately, suspend suspect activities, review consent records, and cooperate with the ICO. Use our Data Protection Support if necessary. Consider SAR Support if the call involved personal data.

Contact Us

If your business engages in automated marketing, we can help you:

Contact us today to make sure your automated marketing complies with the law.

References:

  • https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/09/warning-over-robo-calls-as-energy-firms-fined-half-a-million-pounds-for-unlawful-marketing-calls/
  • https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/direct-marketing-guidance/
  • https://www.ofcom.org.uk/phones-and-broadband/unwanted-calls-and-messages/recorded-message-marketing-calls

Data Protection People Podcasts

UK Cookies in 2025

Data Protection Made Easy Podcast: Cookies in 2025, What Changes and What To Do Now

Host: Catarina Santos, with guests Oluwagbenga Onojobi (Gbenga) and Holly Miller, and a brief cameo from Phil Brining.

Episode overview

In this 30-minute session we explain what cookies are, how the main types work, and what the 2025 UK reforms mean in practice. We look at PECR and UK GDPR, rising enforcement in Europe, consent-or-pay models, fingerprinting, the Google Topics API, and the differences between the UK and EU approaches. The goal is simple: to give you clear next steps that reduce risk without killing conversions.

Also available on all major platforms, Spotify, Apple Podcasts, Audible, and popular Android apps. Many DPOs tell us they listen back on walks, in the gym, or while cooking, so feel free to enjoy this one at your leisure.

What we cover

  • Cookies 101: first party, third party, strictly necessary, functionality, performance, and tracking.
  • Hot topics: the Google Topics API, cookieless advertising, fingerprinting, consent-or-pay models.
  • Rules that matter: PECR and UK GDPR basics, lawful consent, transparency, and user choice.
  • 2025 UK changes: low-risk cookie exemptions, higher fine levels, and the ICO consultation.
  • UK vs EU: where approaches differ, how to handle cross-border users, and common pitfalls.

Practical takeaways

  • Give “Reject all” equal prominence, avoid pre-ticked boxes, and explain purposes in plain English.
  • Keep a cookie register, map scripts to purposes, owners, and retention.
  • Update your cookie policy and link it clearly in the footer, keep a separate document from the privacy notice.
  • Record consent events, banner version, time, and preferences, and honour withdrawal with no detriment.
  • If you operate in the EU, follow the stricter position where needed, and use geolocation-based logic carefully.

Stay connected

You can always get in touch via our website or on LinkedIn. If you enjoy the podcast, share it with a colleague who looks after cookies, consent, or analytics.

Data Protection Made Easy is one of the UK’s largest data protection communities, over 1,500 subscribers, with more than 200 episodes available on major audio platforms.

10 Years of Data Protection People

Celebrating 10 Years of Data Protection People & 5 Years of the Data Protection Made Easy Podcast

Last week we marked not one, but two major milestones, 10 years of Data Protection People and the 5th birthday of the Data Protection Made Easy Podcast. To celebrate, we hosted a special live session with Philip Brining, Caine Glancy, Catarina Santos, and returning host Joe Kirk. Together, we looked back at the Top 10 Most Streamed Episodes from the past five years, revisiting the conversations that have shaped our community.

Key Themes from the Session

  • Subject Access Requests (SARs) – still one of the most complex and frequently discussed areas of data protection.
  • Data Protection Impact Assessments (DPIAs) – exploring challenges around risk, practicality, and when a DPIA is truly needed.
  • Legislative Changes – including Brexit, the Data Protection and Digital Information Bill, and the new DUA Act.

The team also reflected on why topics like ROPA and audits don’t always feature as highly among listeners, and why broad themes resonate more strongly than sector-specific discussions.

Insights from Our Community

Our special guest Joe Kirk shared valuable insights from moving into an in-house DPO role, including the importance of tackling cookie compliance and ensuring correct ICO registration. The panel also discussed the ICO’s new guidance on complaints handling and recognised legitimate interests, highlighting the practical steps organisations should take ahead of expected implementation in June 2026.

The Return of Weekly Podcasts

To celebrate our 10-year anniversary and the continued growth of our community, we are excited to announce that the Data Protection Made Easy Podcast is returning to a weekly schedule. Every Friday at lunchtime, we’ll be live with fresh discussions, community insights, and practical guidance for data protection professionals.

You can sign up on our Events Page to join future live sessions, or contact us here to subscribe and become part of the UK’s biggest data protection community.

Listen Back to the Anniversary Episode

If you missed it live, you can catch up now on Spotify.

Here’s to 10 years of making data protection easier, and 5 years of building a community where professionals can learn, share, and grow together. Thank you to everyone who has been part of the journey so far.

Caught in the Act: The UK’s New Age Verification Law

Online Safety Act, age checks, and real world risks, highlights from Episode 218

Recorded on Friday 29 August 2025, this live episode of Data Protection Made Easy brings together Catarina Santos, Caine Glancy and Philip Brining to explain what the latest Online Safety Act changes mean in practice. The team walk through how age verification works, why VPN downloads have surged in the UK, and the real impact on privacy, user experience and compliance.

Episode: 218, Data Protection Made Easy
Recorded: late August, Leeds and online
Hosts: Philip Brining, Catarina Santos, Caine Glancy

We are Data Protection People, a consultancy and a community. More than 1,500 practitioners join our live sessions for practical help and straight talking advice. We keep things human, current, and useful.

Prefer Spotify? Open the episode in a new tab, or browse the full show feed.

What we covered

  • Online Safety Act: where it fits with the Children’s Code, and why it goes further on content and safety.
  • Age assurance: facial age estimation, ID checks, open banking, and the privacy trade-offs behind each approach.
  • Supply chain risk: real incidents in education and vetting, and why processor controls and backups still fail.
  • Education: why literacy and resilience matter as much as technical gates.
  • Community update: weekly sessions return in September, likely in focused 30-minute formats.

Highlights and opinions

Scope and categories. Ofcom’s guidance gives the most usable overview. Scale drives duties: Category 1 services face the heaviest lift, but smaller services still need proportionate controls.

“The Act is about content, the Children’s Code is about design, together they set expectations for what people actually see and share.” — Philip

Age checks in practice. Facial age estimation and ID checks can help, but they are not perfect. People will try VPNs and other workarounds, so policy and education must sit alongside the technology.

“There is no magic potion for age checks, the solution cannot be technology alone.” — Catarina

“If suppliers rush controls without thinking about retention and purpose limitation, we move risk rather than reduce it.” — Caine

Supply chain failures. Contracts need clear migration and deletion steps, restore tests must be real, and controller oversight must be active rather than paper based.

“Where is the weak link: backups, migration steps, subprocessors, or the missing instructions in the DPA?” — Philip

Freedom of expression and harm. Public concern is real. The intent is to reduce harm to children, not to silence debate, and practical application will need careful balancing.

Practical takeaways for organisations

  • Write a content risk assessment if children can access your service, update it on a schedule, and record your decisions.
  • Map processors and subprocessors, include precise steps for transfers and deletion, and test restores, not only backups.
  • Choose proportionate age assurance; record the lawful basis, retention period and vendor due diligence, and avoid copying IDs unless necessary.
  • Blend controls with education: publish clear user guidance, support parents and teachers, and avoid dark patterns.

About the community

Data Protection Made Easy is the live podcast and discussion space run by Data Protection People. More than 1,500 members join to share cases, templates, and practical steps. We will return to weekly sessions in September, short and focused, with time for questions.

Contribute to a future episode

We are always looking for contributors and topics, case studies, SAR puzzles, transfer questions, or views on the Online Safety Act. Get support or advice, or pitch a slot for an upcoming episode.

Explore more in our Resource Centre, including recent episodes and guides.

DUA Act – Part Two

The Data (Use and Access) Act 2025 – Podcast Part Two

On Thursday, 18th July 2025, we hosted Part Two of our DUA Act discussion, with over 200 live attendees joining us for a deeper dive into the Data (Use and Access) Act 2025.

Led by Phil Brining and Caine Glancy, this session focused on answering the questions raised in Part One, exploring complex scenarios, and sharing practical advice for professionals preparing for the new regulations.

If you couldn’t attend live or want to revisit the insights, you can now listen back to the full recording and access the presentation slides shared during the event.

Listen on Spotify

Click below to listen to Part Two on Spotify or search ‘Data Protection Made Easy’ on Apple Podcasts, Audible or any major platform.

Download the Slides

We’ve made the full slide deck from Part Two available to download and share:
Download Part Two Presentation Slides

What We Covered

  • Real-life scenarios and case study examples based on DUA Act principles
  • Detailed Q&A on legitimate interest balancing tests, soft opt-in rules, and data subject rights
  • Compliance challenges and how to overcome them using good governance frameworks
  • The DUA Act’s expected impact on privacy management programmes and internal policies
  • Preparing your teams, clients, and data flows for the changes ahead

Join the Data Protection Made Easy Community

By joining our free community, you’ll get:

  • Early access to upcoming podcast sessions and event invites
  • Weekly insights into legislation like the DUA Act and GDPR
  • Exclusive downloads including templates, tools, and guides
  • Invitations to in-person events across the UK
  • Access to session recordings and slides
  • A place to ask questions, share experiences, and stay ahead

We’re here to help you transition confidently into the new data protection landscape, making compliance clearer, simpler, and more achievable.

Data Protection People Whitepapers

Data Privacy Learning & Guidance

How to Respond to a Data Subject Access Request (DSAR)

Read about how to properly handle a Data Subject Access Request (DSAR) as a data controller at an organisation who has received a request.

Do I need to do a DPIA?

Learn about Data Protection Impact Assessments (DPIAs) and how to manage them.

Data within Education

Having joined Data Protection People as a graduate fresh from finishing Leeds Beckett University, my knowledge of GDPR and data protection was virtually non-existent; I was well and truly thrown in the deep end. You could say it was like learning how to run before I could walk. Luckily alongside having to…

Outsourced Consultant Versus In-House?

Do I need to do a DPIA? Whenever you implement a new processing activity, system, or process, you should consider whether a DPIA is needed. This should be done as early as possible in the process to allow time for the implementation of risk mitigation. Step One: is a DPIA legally required? The first thing…

Join our community

Our mission is to make data protection easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.