Resources
Podcasts, Guides, Updates & More
Data Protection People Blogs
Data Privacy Learning & Guidance
Our mission is to make data protection easy: easy to understand and easy to do. Our weekly podcasts are available in our Resource Centre along with a collection of articles, white papers, useful guidance, templates, case law, and opinions – providing you with tools you can utilise in your workplace.
Bristol City Council Faces Enforcement over SAR Failures
The Information Commissioner’s Office (ICO) has issued a formal enforcement notice to Bristol City Council after uncovering serious, ongoing failures in how the Council manages Subject Access Requests (SARs). This action follows years of complaints and evidence of systemic delays. The message from the ICO is clear: organisations that fail to take SAR compliance seriously will face enforcement.
SAR Failures at Bristol City Council
The ICO’s investigation revealed that Bristol City Council has struggled with a growing backlog of SARs since 2020. A Subject Access Request gives individuals the right to ask for a copy of their personal data and to understand how that data is used. Failing to respond in time undermines public trust and breaches data protection law.
Between April 2023 and January 2025, the ICO received 63 complaints from individuals waiting too long for responses. Many reported that the delays caused them harm and distress, leaving them unable to resolve personal matters or defend their rights. The ICO found that the Council had made limited progress despite repeated engagement and guidance. As a result, enforcement became the only option.
Why SARs Matter
SARs are not a formality. They are a cornerstone of data protection rights under the UK GDPR and Data Protection Act 2018. By making a SAR, an individual can see exactly what information an organisation holds about them, why it holds that data, and who it is shared with. For some, this is about transparency and reassurance. For others, especially vulnerable individuals, a SAR can directly affect access to housing, social services, or justice.
When organisations delay or ignore SARs, people lose trust and may face real-world consequences. The ICO has repeatedly emphasised that SAR compliance is fundamental. Sally-Anne Poole, Head of Investigations at the ICO, summarised the issue:
“Subject access requests are a fundamental right that allows people to know what information organisations hold about them and how it is being used. Despite our repeated engagement with Bristol City Council over a sustained period of time, limited progress has been made to clear a backlog of requests. Our investigation has found that the Council’s approach towards compliance demonstrates a poor organisational attitude towards data rights and compliance with the law.”
What the Council Must Do
The enforcement notice issued to Bristol City Council sets out a strict list of actions. These include:
- Contacting all individuals with overdue SARs to explain the delays and confirm when they can expect a response.
- Clearing the backlog by specific deadlines, ensuring that the oldest SARs (dating back to 2022) are completed within 30 days.
- Providing the ICO with weekly progress updates until the backlog is fully resolved.
- Publishing an action plan within 90 days that clearly sets out responsibilities, priorities and timelines.
- Making lasting organisational changes within 12 months to prevent SAR delays in future. This may require hiring more staff, investing in resources, and delivering staff training.
The ICO’s demands highlight that responding to SARs is not simply an administrative task. Councils and public bodies must show they can manage the process consistently, transparently, and within the one-month statutory deadline.
Lessons for Other Organisations
Bristol City Council’s enforcement notice should serve as a warning for all public authorities and organisations. The ICO expects SARs to be treated as a legal obligation, not an afterthought. Failing to respond on time risks enforcement, reputational damage, and potential fines.
Every organisation should ask itself some key questions:
Do we have a clear process for managing SARs from start to finish?
Do we have enough staff, technology and resources to respond within the legal timeframe?
Are we training employees so they understand SAR rights and know how to respond appropriately?
Can we evidence our compliance if the ICO asks?
If the answer to any of these questions is “no,” then urgent action is needed. The ICO has shown that it will not hesitate to escalate matters where organisations repeatedly fail to meet their obligations.
The Wider Context of SAR Compliance
SAR backlogs are not unique to Bristol. Many councils, charities, and businesses struggle with the volume and complexity of requests. However, the law is clear: SARs must be answered within one month unless an extension is justified. Even then, organisations must explain the reasons for any delay to the individual making the request.
Technology can help reduce SAR risks. Case management systems, redaction tools, and specialist support can speed up responses and reduce errors. But technology alone is not enough. Organisations also need strong governance, clear policies, and a culture that treats data rights as a priority. Without these, the risk of enforcement grows.
Our View
At Data Protection People, we believe the Bristol City Council case highlights two critical points. First, SARs are central to data protection compliance and public trust. Second, enforcement action is not limited to fines; the ICO will impose detailed corrective measures when organisations fail repeatedly. Councils, businesses, and charities should take this case as a clear sign that SAR processes must be robust, well-staffed, and monitored closely.
We recommend that organisations run regular compliance checks, train staff to handle SARs effectively, and seek support where needed. By doing so, you protect both your organisation and the people whose data you process.
Contact Us
If your organisation is struggling with Subject Access Requests, we can help. Our SAR Support service provides expert assistance to manage requests on time and in line with the law. We also offer GDPR Audits to identify gaps, ongoing compliance support, and staff training to build confidence in handling SARs. Contact us today to protect your organisation and deliver on data rights.
AI Minister: How Albania Is Using Artificial Intelligence to Fight Corruption
Albania has made global headlines by appointing the first ever AI Minister, a digital cabinet member named Diella. Her job? Oversee public procurement and cut out corruption. Prime Minister Edi Rama says Diella will speed up public tenders, make them fully transparent and ensure they stay free from human bias or influence. While her appointment is symbolic rather than constitutional, it shows how governments can use AI to transform decision-making.
Why This Matters Now
Governments around the world are experimenting with artificial intelligence, but Albania has gone a step further by putting AI in a leadership role. Rama says the AI Minister will help make procurement “100% free of corruption,” remove human interference, and improve accountability. This matters for businesses too. Public contracts could soon be awarded using automated, data-driven processes. That means organisations must ensure their bids are accurate, fair and ready for AI review.
What’s New: An AI in the Cabinet
Diella is not just a chatbot. She has already guided over a million citizens through Albania’s e-government platform. Now she will monitor procurement systems, check bids, and flag anything that looks suspicious. Rama says this will make public tenders faster and more efficient. By removing manual steps, Albania aims to “leapfrog” countries still stuck with paper-based processes. This is one of the first examples of a government putting AI front and centre in a core public function.
Why It Matters for Data Protection
AI-driven procurement uses large amounts of personal and organisational data. Under UK GDPR and EU GDPR, that processing must remain lawful, transparent and fair. Organisations must explain how data feeds into automated decisions. They must also allow individuals to challenge unfair outcomes. Data protection teams need to consider how AI systems store data, who can access it, and how to evidence compliance. If Diella flags a bid as non-compliant, businesses will expect a clear explanation of why and they have the right to request that information.
What Organisations Should Do Now
Track developments in AI regulation and public procurement. If you take part in tenders, prepare for AI systems to review your bids. Map what personal data you use in submissions and check that you have a lawful basis to process it. Our GDPR Audits can help you benchmark your compliance.
Train your team to understand automated decision-making and data protection obligations. Our Data Protection Training gives practical guidance on AI and GDPR. Strengthen your process for Subject Access Requests so you can respond quickly if bidders, staff or suppliers ask to see data used in automated systems.
Finally, review your governance and risk assessments. Document how you check fairness and accuracy in your data before it goes into any AI system. If you plan to adopt similar technology, carry out a Data Protection Impact Assessment (DPIA) to show accountability.
Our View
Albania’s AI Minister is more than a publicity stunt; it is a signal of how governments might modernise. AI can make procurement more efficient and less prone to corruption, but only if it is transparent and well-governed. We expect more governments to follow Albania’s lead. Organisations that prepare now will avoid disruption later and gain an advantage when AI-driven procurement becomes the norm.
FAQs
What is an AI Minister?
An AI Minister is a government role filled by artificial intelligence. In Albania, Diella has been tasked with monitoring public procurement and fighting corruption.
Could AI replace human ministers?
No, Albania’s constitution still requires human ministers. The AI Minister is a symbolic appointment designed to show the power of AI in governance.
How does this affect data protection?
AI systems process personal data, so they must comply with GDPR. Organisations must be transparent and give individuals a way to challenge automated decisions.
How can we prepare?
Review data governance, train staff on AI and GDPR, and document processes. Run audits to check compliance before AI systems review your data.
Contact Us
AI is coming to public procurement. Is your organisation ready? Contact us today to discuss GDPR Audits, Training for your team, and SAR Support to help you prepare for automated decision-making and data transparency.
CCTV, Facial Recognition and Pseudonymised Data
GDPR Radio: CCTV, Facial Recognition and Pseudonymised Data
This GDPR Radio looks at CCTV in the workplace, police use of facial recognition, AI posture tracking as a lower risk alternative to biometrics, and the CJEU reminder that pseudonymised data is not always personal data. We also touch on opinions in SARs, cookie enforcement, and insider risks in schools. Fast paced, 30 minutes, loaded with takeaways.
In this Data Protection Made Easy podcast, Philip Brining and Catarina Santos unpacked real-world audit insights and fast-moving news. From sites with 300-plus cameras to the ICO’s current focus on police use of facial recognition, the conversation shows how context defines personal data, and why documentation matters for every decision you take.
Key Topics Discussed
- CCTV and employee monitoring, lawful bases, necessity, and proportionality in practice during live audits.
- Facial recognition under the spotlight, plus AI posture tracking to follow individuals without biometric templates.
- CJEU on pseudonymised data: not always personal data; it depends on the recipient’s re-identification capability.
- Opinions in SARs, when an opinion may be the personal data of the author, not the subject.
- Cookies and compliance, large fines in Europe and a rising risk profile for UK organisations.
- Insider risks in schools, a reminder that culture, training, and controls matter.
Practical Takeaways for DPOs and Privacy Teams
- Document the context, record why data is or is not personal data in each use case, and keep the rationale current.
- Refresh your CCTV DPIA, check purpose, signage, retention, access controls, and whether monitoring is targeted or continuous.
- Assess alternatives to biometrics: posture- and attribute-based tracking may reduce risk, but it still needs a DPIA and clear limits.
- Review SAR playbooks, handle opinions carefully, consider third party rights, and keep a defensible audit trail.
- Get cookies under control, implement a register, governance, and true prior consent for non essential cookies.
A Snappier Format
Episodes are now 30 minutes. The aim is simple: quick insights you can act on, with space for live Q&A and chat. Join live to ask questions, or listen back on your favourite platform.
Join the Data Protection Made Easy Community
It is free to join, and you will receive weekly invites, useful resources, and priority access to events. Become part of one of the UK’s largest data protection communities.
- Use the subscription box at the bottom of most pages
- Visit our contact page
- Email us at info@dataprotectionpeople.com
FAQ
Is pseudonymised data always personal data?
No. It depends on whether the recipient can reasonably re-identify individuals. Context matters, so record your assessment.
Do opinions belong in SAR disclosures?
Opinions can be the personal data of the author. Handle these carefully, consider third party rights,
Strong Authentication in a Phishing World
Strong Authentication in a Phishing-Driven World: What Really Works
Phishing is still one of the toughest challenges in cybersecurity, not because of technical flaws, but because it exploits people. Attackers trick users into giving up credentials and bypassing security controls. Even with multi-factor authentication (MFA) in place, we have seen attackers find workarounds, from real-time relay attacks to SIM swaps and weaknesses in account recovery. In this article, we explore what “strong authentication” really means today, how phishing-resistant methods raise the bar, and how organisations can align with standards like PCI DSS and other frameworks to build an authentication strategy that holds up against modern threats.
Limitations of Traditional Multi-Factor Authentication (MFA)
MFA has become standard practice. However, the strength depends on the chosen factors. Many common MFA methods still rely on shared secrets like OTPs, passwords or PINs, which are vulnerable to interception.
Attackers now use real-time phishing, SIM-swap fraud, and account recovery abuse to bypass these protections. Traditional MFA is no longer enough on its own.
How Phishing Attacks Bypass MFA: Real-World Scenarios
Fake login pages, SIM swap fraud, and weak recovery processes are commonly exploited. As long as MFA depends on guessable or interceptable elements, attackers will find a way around it.
Understanding Phishing-Resistant Authentication
Phishing-resistant methods use asymmetric cryptography. The user’s private key stays on the device and signs authentication requests that are bound to the genuine site’s domain. If an attacker tries to trick the user on a look-alike site, the resulting signature does not match the real site, so the system won’t accept it.
Examples include FIDO2 passkeys, smartcards, and hardware security keys.
Core Principles of Phishing-Resistant Authentication
- No shared secrets transmitted or stored
- Authentication uses private/public key cryptography
- Authentication is domain-bound
- Phishing, relay, and replay attacks are blocked by design
Passwordless vs. Phishing-Resistant Authentication
Not all passwordless options are phishing-resistant. Methods like SMS OTPs and magic links still carry risks. Passkeys using FIDO2 provide stronger protection by being bound to a specific domain or app.
The Use of Synced Passkeys (Convenience vs. Complexity)
Synced passkeys increase convenience but also increase compliance scope. Under PCI DSS, all synced devices become part of the in-scope system. This can increase audit complexity.
PCI DSS v4.x and Phishing-Resistant Authentication
PCI DSS now mandates MFA for all non-console and remote access to cardholder data environments. Phishing-resistant auth methods may satisfy some MFA requirements for non-admin access.
Requirement 8.4 details where MFA applies. Requirement 8.5.1 outlines how MFA must work: prevent replay, not be bypassable, and involve at least two factors.
PCI SSC Ranks Authentication Methods
According to PCI SSC:
- Best Practice: Passkeys, smartcards, hardware-bound credentials
- Good Practice: App-generated OTPs, strong passwords
- Acceptable: SMS OTPs, email OTPs, magic links (with limitations)
Traditional MFA using SMS or email is only “acceptable”, not best practice. NIST also recommends moving away from SMS-based authentication.
Conclusion
Organisations must go beyond basic MFA. The goal is to implement phishing-resistant methods like passkeys or smartcards, layered with biometrics or PINs where needed, and aligned to security standards like PCI DSS.
Key Takeaways
- SMS, email OTPs, and magic links are baseline, not best practice
- Passkeys and smartcards provide stronger, phishing-resistant authentication
- Synced credentials can increase scope and audit complexity
How Data Protection People Can Assist
We help organisations interpret authentication standards and implement best practices.
- Selection and rollout of phishing-resistant methods
- Design of compliant authentication flows
- Evaluation of current controls and system risk
- Support with PCI DSS audit readiness and scope reduction
Data Protection People Podcasts
Data Privacy Learning & Guidance
10 Years of Data Protection People
Celebrating 10 Years of Data Protection People & 5 Years of the Data Protection Made Easy Podcast
Last week we marked not one, but two major milestones, 10 years of Data Protection People and the 5th birthday of the Data Protection Made Easy Podcast. To celebrate, we hosted a special live session with Philip Brining, Caine Glancy, Catarina Santos, and returning host Joe Kirk. Together, we looked back at the Top 10 Most Streamed Episodes from the past five years, revisiting the conversations that have shaped our community.
Key Themes from the Session
- Subject Access Requests (SARs) – still one of the most complex and frequently discussed areas of data protection.
- Data Protection Impact Assessments (DPIAs) – exploring challenges around risk, practicality, and when a DPIA is truly needed.
- Legislative Changes – including Brexit, the Data Protection and Digital Information Bill, and the new DUA Act.
The team also reflected on why topics like ROPA and audits don’t always feature as highly among listeners, and why broad themes resonate more strongly than sector-specific discussions.
Insights from Our Community
Our special guest Joe Kirk shared valuable insights from moving into an in-house DPO role, including the importance of tackling cookie compliance and ensuring correct ICO registration. The panel also discussed the ICO’s new guidance on complaints handling and recognised legitimate interests, highlighting the practical steps organisations should take ahead of expected implementation in June 2026.
The Return of Weekly Podcasts
To celebrate our 10-year anniversary and the continued growth of our community, we are excited to announce that the Data Protection Made Easy Podcast is returning to a weekly schedule. Every Friday at lunchtime, we’ll be live with fresh discussions, community insights, and practical guidance for data protection professionals.
You can sign up on our Events Page to join future live sessions, or contact us here to subscribe and become part of the UK’s biggest data protection community.
Listen Back to the Anniversary Episode
If you missed it live, you can catch up now on Spotify using the player below:
Here’s to 10 years of making data protection easier, and 5 years of building a community where professionals can learn, share, and grow together. Thank you to everyone who has been part of the journey so far.
Caught in the Act: The UK’s New Age Verification Law
Online Safety Act, age checks, and real world risks, highlights from Episode 218
Recorded on Friday 29 August 2025, this live episode of Data Protection Made Easy brings together Catarina Santos, Caine Glancy and Philip Brining to explain what the latest Online Safety Act changes mean in practice. The team walk through how age verification works, why VPN downloads have surged in the UK, and the real impact on privacy, user experience and compliance.
Episode: 218, Data Protection Made Easy
Recorded: late August, Leeds and online
Hosts: Philip Brining, Catarina Santos, Caine Glancy
We are Data Protection People, a consultancy and a community. More than 1,500 practitioners join our live sessions for practical help and straight talking advice. We keep things human, current, and useful.
What we covered
- Online Safety Act, where it fits with the Children’s Code, why it goes further on content and safety.
- Age assurance, facial estimation, ID checks, open banking, and the privacy trade offs behind each approach.
- Supply chain risk, real incidents in education and vetting, why processor controls and backups still fail.
- Education, why literacy and resilience matter as much as technical gates.
- Community update, weekly sessions return in September, likely in focused 30 minute formats.
Highlights and opinions
Scope and categories. Ofcom guidance gives the most usable overview. Scale drives duties: category one providers face the heaviest lift, but smaller services still need proportionate controls.
“The Act is about content, the Children’s Code is about design, together they set expectations for what people actually see and share.” — Philip
Age checks in practice. Facial estimation and ID checks can help, but they are not perfect. People will try VPNs and workarounds, so policy and education must sit alongside technology.
“There is no magic potion for age checks, the solution cannot be technology alone.” — Catarina
“If suppliers rush controls without thinking about retention and purpose limitation, we move risk rather than reduce it.” — Caine
Supply chain failures. Contracts need clear migration and deletion steps, restore tests must be real, and controller oversight must be active, not paper-based.
“Where is the weak link: backups, migration steps, subprocessors, or the missing instructions in the DPA?” — Philip
Freedom of expression and harm. Public concern is real. The intent is to reduce harm to children, not silence debate. Practical application will need careful balancing.
Practical takeaways for organisations
- Write a content risk assessment if your service can be accessed by children, update it on a schedule, record decisions.
- Map processors and subprocessors, include precise steps for transfers and deletion, test restores, not only backups.
- Choose proportionate age assurance, record lawful basis, retention, and vendor due diligence, avoid copying IDs unless necessary.
- Blend controls with education, publish clear user guidance, support parents and teachers, avoid dark patterns.
About the community
Data Protection Made Easy is the live podcast and discussion space run by Data Protection People. More than 1,500 members join to share cases, templates, and practical steps. We will return to weekly sessions in September, short and focused, with time for questions.
Contribute to a future episode
We are always looking for contributors and topics, case studies, SAR puzzles, transfer questions, or views on the Online Safety Act. Get support or advice, or pitch a slot for an upcoming episode.
Explore more in our Resource Centre, including recent episodes and guides.
DUA Act – Part Two
The Data (Use and Access) Act 2025 – Podcast Part Two
On Thursday, 18th July 2025, we hosted Part Two of our DUA Act discussion, with over 200 live attendees joining us for a deeper dive into the Data (Use and Access) Act 2025.
Led by Phil Brining and Caine Glancy, this session focused on answering the questions raised in Part One, exploring complex scenarios, and sharing practical advice for professionals preparing for the new regulations.
If you couldn’t attend live or want to revisit the insights, you can now listen back to the full recording and access the presentation slides shared during the event.
Listen on Spotify
Click below to listen to Part Two on Spotify or search ‘Data Protection Made Easy’ on Apple Podcasts, Audible or any major platform.
Download the Slides
We’ve made the full slide deck from Part Two available to download and share:
Download Part Two Presentation Slides
What We Covered
- Real-life scenarios and case study examples based on DUA Act principles
- Detailed Q&A on legitimate interest balancing tests, soft opt-in rules, and data subject rights
- Compliance challenges and how to overcome them using good governance frameworks
- The DUA Act’s expected impact on privacy management programmes and internal policies
- Preparing your teams, clients, and data flows for the changes ahead
Join the Data Protection Made Easy Community
By joining our free community, you’ll get:
- Early access to upcoming podcast sessions and event invites
- Weekly insights into legislation like the DUA Act and GDPR
- Exclusive downloads including templates, tools, and guides
- Invitations to in-person events across the UK
- Access to session recordings and slides
- A place to ask questions, share experiences, and stay ahead
We’re here to help you transition confidently into the new data protection landscape, making compliance clearer, simpler, and more achievable.
The Data (Use and Access) Act 2025
The Data (Use and Access) Act 2025 – Podcast Part One Recap
On Friday, 28th June 2025, we hosted our biggest podcast session ever, with 295 live attendees joining us to explore the Data (Use and Access) Act 2025.
Hosted by Phil Brining, Caine Glancy, and Catarina Santos, the session provided a clear and practical breakdown of the most significant changes to UK data protection law since the GDPR.
Whether you missed it live or want to listen again, you can catch the full episode now and download the slide deck shared during the session.
Listen back on Spotify
Click below to listen to the episode via Spotify or find us on Apple Podcasts, Audible and all major streaming platforms.
Download the Slides
We’ve made the full slide deck from the session available to download and share:
Download Presentation Slides
What We Covered
- What the DUA Act is and how it evolved from the DPDI Bill
- Key changes to Subject Access Requests, Legitimate Interests, and the role of the ICO
- Updates to PECR enforcement powers and cookie consent exemptions
- The Act’s impact on data sharing, organisational accountability, and regulatory expectations
- What public and private sector organisations need to prepare for
Part Two – Live on Thursday 18th July
Due to overwhelming demand and brilliant questions from our community, Part Two is already confirmed. In this follow-up session, we’ll dig deeper into unanswered questions, explore real-world scenarios, and share practical next steps for compliance and governance.
Click here to visit the Part Two event page and register your place: View Part Two
Join the Data Protection Made Easy Community
By joining our free community, you’ll get:
- Early access to future podcast sessions
- Weekly email updates with analysis and guidance on the DUA Act
- Exclusive content including white papers, practical templates, and checklists
- Invites to free in-person events across the UK
- Recordings and slides from every live session
- A chance to ask questions and share challenges with other professionals
We’re committed to supporting our community through the transition to the DUA Act and beyond, making compliance simpler, clearer, and easier to manage.
Data Protection People Whitepapers
Data Privacy Learning & Guidance
How to Respond to a Data Subject Access Request (DSAR)
Read about how to properly handle a Data Subject Access Request (DSAR) as a data controller at an organisation who has received a request.
Do I need to do a DPIA?
Learn about Data Protection Impact Assessments (DPIAs) and how to manage them.
Data within Education
Data within Education Having joined Data Protection People as a graduate fresh from finishing Leeds Beckett University, my knowledge of GDPR and data protection was virtually non-existent, I was well and truly thrown in the deep end. You could say it was like learning how to run before I could walk. Luckily alongside having to…
Outsourced Consultant Versus In-House?
Do I need to do a DPIA? Whenever you implement a new processing activity, system, or process, you should consider whether a DPIA is needed. This should be done as early as possible in the process to allow time for the implementation of risk mitigation. Step One: is a DPIA legally required? The first thing…