
Stand up for data protection

The data protection and privacy regulations have moved under our feet — are you still standing? The landscape has shifted, yet again, just two and a half years on from the GDPR coming into force.

The new landscape

The data protection and privacy regulatory landscape has shifted under our feet, yet again, just two and a half years on from the GDPR coming into force.

Brexit happened, the transition period ended (at 11pm on the 31st December 2020), the US Privacy Shield was ruled to be no longer a legal safeguard for data transfers and the electronic Privacy Regulation (ePR) is still not agreed.

The UK is under a new regulatory regime – the UKGDPR and an amended version of the Data Protection Act 2018 are the two key regulations for UK marketers now. The PECR is still in place for all electronic marketing and, of course, any marketing within the EU/EEA needs to comply with the EUGDPR.

Why does it matter?

As marketers we know we need to review where we are now on a regular basis to ensure that our plans are aligned with market needs, customer expectations and the business environment. We need to review where we are with data protection and privacy compliance regularly too.

As consumers we tend to agree to the use of our personal data readily to get information or services that we want or need. In organisations, we can sometimes unwittingly do the same!


Markets change, customers’ needs change, your product and service offerings change, your marketing campaigns change and your organisation’s use of personal data is likely to have changed too. Has your data protection and privacy governance changed with them? For example:

  • Have you changed to a different CRM system provider? Where is the data being held? What agreements do you have in place?
  • Have you started to use new online communication apps or software such as WeTransfer or Where is your and others’ personal data being held? Have you considered the aspects of safeguarding international data transfers? Have you signed their contracts and agreements?
  • Have you started using new processors? Have you put agreements in place?
  • Are your privacy information notices (policies) and other documentation consistent? When did you last review and update them? Many organisations have not updated their privacy policies since May 2018!
  • Do all your employees know about data protection and privacy regulations and what they need to do to keep personal data secure? Do they know what is in your privacy policy, for example?

Practical training workshops

The ‘Stand up for data protection’ training workshops are directly tailored to your needs. The sessions will be customised to deliver against your specific requirements. We will do this by considering the following:

  • your organisation
  • your product or service
  • your market(s) – including B2B, B2C and charities
  • your customers’ or clients’ needs and expectations
  • your employees’ needs and expectations
  • how you use personal data for marketing purposes
  • where your organisation operates
  • where your data is held
  • whether your organisation processes personal data as a “data controller” or “data processor” or both
  • your existing knowledge
  • your current state of compliance
  • your specific concerns

Typical content

The day would include:

Briefing session

An update on the new regime, the key changes and what needs to be considered as a result.

This will also include reminders of the key elements that must be complied with.

Typical content would be:


  • The new data protection regime: The UKGDPR, Data Protection Act 2018 (amended), The EUGDPR and PECR
  • The interim data transfer window
  • UK and EU commitment on direct marketing communications
  • Transfers to non-EEA countries
  • EU and UK representatives
  • The need to update contacts, agreements, procedures and documentation

Key compliance elements

Reminders of the key aspects of data protection compliance in as much or as little detail as the audience requires to ensure that they are clearly understood.

  • Definitions – personal data; controller; processing; processor
  • The six lawful bases for processing
  • Individuals’ rights focussing on marketing implications
  • Data breaches and employee obligations
  • Data minimisation and retention
  • Privacy by design
  • Data protection officers
  • Data protection and transfers impact assessments
  • Accountability, governance and transfers of data
  • The Privacy and Electronic Communications Regulations (PECR)

Workshop sessions

Data flows mapping

Auditing all personal data ‘flows’ in, within and out of the organisation and mapping them on the basis of the ‘5 Ws’:

  • WHY … is personal data processed?
  • WHOSE … personal data is processed?
  • WHAT … personal data is processed?
  • WHEN … is personal data processed?
  • WHERE … is personal data processed?

Issue identification

Based on the mapping exercise, where are the likely issues that will need to be addressed? These might include:

  • Data transfers especially outside the UK and the EEA
  • Safeguards for the above being inadequate
  • External apps and software being used to process personal data that have not been considered in privacy policies and/or no agreements or safeguards put in place
  • Inconsistency in documentation
  • Policies and processes in need of reviews and updates
  • Processes not in place e.g. data breach handling
  • Need to appoint an EU representative
  • Need to review legal bases for processing
  • Data sharing agreements missing
  • Data processing agreements missing
  • Internal training of a wider group of employees needed
  • Data minimisation not being considered
  • Data retention and deletion aspects

Creating an action plan

Finally, an action plan will be created and agreed during the session to ensure that:

  • the issues identified are explored further (where necessary)
  • responsibilities are clearly assigned
  • any senior management decisions or further advice are sought
  • priorities and timescales are assigned
  • tasks are implemented
  • a further review date is diaried

Q & A session

An opportunity for attendees to raise any questions that have arisen but not been answered within the sessions.


Entry criteria

Compliance with the relevant data protection and privacy regulations is vital and the ‘Stand up for data protection’ workshops are aimed at all those in your organisation that handle personal data. Attendees are likely to be department or function heads in marketing, IT, finance, service, human resources, sales and any other customer facing roles.

What will you get from the workshop?

At the end of the workshop, you will have a clear understanding of what you need to do, why you need to do it, how to go about getting it done and who should be involved. You will also know where to go for support with any areas.

About the workshop leader

The workshop leader is Steve Bax from Bax Interaction. Steve is a Chartered Marketer, a member of the Market Research Society and a Fellow of Cambridge Marketing College. He is a highly experienced tutor and trainer and has been teaching marketers the key aspects of data protection and privacy regulations and directives for over 17 years. Steve has delivered numerous workshops, training sessions and seminars on the GDPR, the Data Protection Act, PECR and the proposed ePR reforms since May 2017. He has also conducted compliance reviews and drafted privacy policies, data sharing agreements, data processing agreements, contracts and corporate data protection policies for various organisations.

The ‘Stand up for data protection’ workshops are available as tailored in-house sessions. These are suitable for online delivery during the pandemic.