Firebird Data Protection Consultancy

Keeping compliance simple; data protection support

Frequently Asked Questions

If you have any queries, we'd love to hear from you: info@firebirdltd.co.uk

Firebird Data Protection Consultancy offers a wide range of UK GDPR, PECR and AI Governance services. These include: 


UK GDPR and Data Protection Act 2018:

  • Outsourced Data Protection Officer
  • Subject Access Request File Preparation and Redaction
  • Privacy Notice Development
  • Data Protection Impact Assessments (DPIA) 
  • Legitimate Interest Assessments (LIA)
  • Data Protection Complaint Management
  • Expert GDPR and Cyber Security Advice
  • GDPR Compliance Audits
  • Personal Data Breach Investigation and Containment
  • Drafting ICO Communications following Breaches and Complaints
  • Employee GDPR Training
  • Supplier and Customer GDPR Due Diligence Support 


Privacy and Electronic Communications (PECR):

  • Employee training on the rules around direct marketing (B2B and B2C)
  • Consent Management Advice
  • Documentation Reviews and Development
  • PECR Compliance Audits
  • Advice on the Use of Cookies 


Artificial Intelligence (AI) Governance:

  • AI Policy and Standards Development
  • Employee AI Awareness Training
  • AI Tool Due Diligence 
  • Expert Advice on Using AI Tools in Compliance with UK GDPR and AI Standards


We provide data protection, AI governance and PECR consultancy services to organisations of all sizes and sectors, including:

  • Schools, Multi-Academy Trusts and other education providers
  • Small and medium-sized enterprises (SMEs) (e.g. aesthetics, EdTech, marketing, kids' clubs and activity centres)
  • Start-ups and micro businesses (e.g. AI app developers)
  • Large enterprises and corporate organisations 
  • Charities and not-for-profit organisations 
  • Public sector bodies 


Our services are tailored to each organisation's size, sector and regulatory requirements.



The UK General Data Protection Regulation (the UK GDPR) is the legislation that governs how organisations collect, use, store and protect personal information in the UK.


Compliance helps organisations:

  • Protect personal data 
  • Build customer trust and attract more customers
  • Reduce regulatory risk 
  • Demonstrate accountability 
  • Avoid enforcement action from the Information Commissioner's Office (ICO)


If your organisation processes personal information relating to employees, customers, suppliers, service users or website visitors, then yes, the UK GDPR is likely to apply.


This includes organisations of all sizes, from sole traders and charities to large multi-national enterprises.


Not every organisation is legally required to appoint a Data Protection Officer (DPO), but many organisations choose to do so to help manage their data protection obligations and demonstrate compliance.


You will need a DPO if:

  • your organisation is a public authority or public body, such as a school, local authority or NHS organisation;
  • your organisation's core activities involve regular and systematic monitoring of individuals on a large scale; or
  • your organisation's core activities involve processing special category data or criminal offence data on a large scale.


Even where a DPO is not a legal requirement, many organisations appoint an internal or outsourced DPO to provide expert advice and support with GDPR compliance.


A DPO can help with your:

  • GDPR compliance programmes
  • Subject Access Requests (SARs)
  • Data protection complaints
  • Data breaches
  • Data Protection Impact Assessments (DPIAs)
  • Privacy notices and policies
  • Staff training
  • ICO enquiries and investigations


A DPO must have appropriate experience and knowledge of the data protection laws and be able to carry out their role effectively and independently. They should not hold a position that determines the purposes and means of processing personal data, as this would create a conflict of interest. For example, Headteachers, Chairs of Governors, Heads of IT or Finance, and CEOs are unlikely to be suitable to also act as the DPO, as they are decision-makers.



Yes. Organisations that fail to comply with the UK GDPR or the Privacy and Electronic Communications Regulations (PECR) may face enforcement action from the Information Commissioner's Office (ICO).


The ICO has a range of powers, including:

  • Issuing warnings and reprimands 
  • Ordering organisations to change their practices 
  • Conducting investigations 
  • Issuing enforcement notices 
  • Imposing financial penalties in serious cases of up to £17.5m or 4% of annual worldwide turnover, whichever is higher


The following are common reasons for enforcement action:

  • Unlawful marketing emails or text messages 
  • Inadequate security measures 
  • Failure to respond to data subject rights requests (such as Subject Access Requests)
  • Unlawful processing of personal data 
  • Poor data breach management 
  • Non-compliant use of cookies and tracking technologies 


While not every compliance issue results in a fine, organisations are expected to demonstrate accountability and take reasonable steps to comply with data protection laws. A proactive approach to GDPR and PECR compliance can significantly reduce regulatory risk and help protect your organisation's reputation.


The Data (Use and Access) Act 2025 introduces new requirements for organisations handling data protection complaints. A data protection complaint is a complaint made by an individual who believes an organisation has not handled their personal information in accordance with the data protection laws.


The complaint may be made by a customer; employee; volunteer; donor; parent; young person; supplier; service user or even a website visitor.


Examples of data protection complaints include:

  • Personal information being shared with the wrong person 
  • Marketing emails being sent without consent 
  • A Subject Access Request not being handled correctly 
  • Inaccurate personal information being held 
  • Personal data being retained for too long 
  • CCTV being used improperly 
  • A failure to respond to a request to erase personal data 
  • A suspected data breach 
  • A lack of transparency about how personal information is used


Under the new rules, individuals are expected to raise concerns directly with an organisation before escalating them to the Information Commissioner's Office (ICO). 


Organisations must have processes in place to receive, investigate and respond to data protection complaints.


The changes are designed to:

  • Encourage issues to be resolved more quickly 
  • Improve accountability 
  • Reduce unnecessary escalation to the ICO 
  • Give organisations the opportunity to address concerns directly 


Organisations should ensure they have:

  • A clear complaints procedure 
  • A process to acknowledge complaints within 30 days of receipt
  • Designated staff responsible for handling complaints 
  • Processes for recording and investigating concerns 
  • Appropriate response times and escalation routes 


Having an effective data protection complaints process can help organisations resolve concerns early, improve customer trust and demonstrate compliance with the UK data protection law.


In many cases, yes. PECR generally requires organisations to obtain valid consent before sending marketing emails to individual subscribers (which includes sole traders and some partnerships, not just private individuals). There are limited exceptions, such as the 'soft opt-in' rule, which may apply in specific circumstances, for example where contact details were obtained in the course of a sale, the marketing relates to similar products or services, and a simple way to opt out was offered when the details were collected and in every message since.


Understanding the PECR rules and the correct legal basis to enable electronic marketing communications is essential to reduce compliance risks.


The Privacy and Electronic Communications Regulations (PECR) sit alongside the UK GDPR and govern the way businesses use:

  • Email marketing 
  • SMS marketing 
  • Telephone marketing 
  • Cookies 
  • Website tracking technologies 
  • Electronic communications with B2B and B2C customers


Most organisations conducting digital marketing activities must comply with both PECR and the UK GDPR.


A Subject Access Request (SAR) allows individuals to ask for a copy of the personal information an organisation holds about them. Organisations generally have one month to respond (this can be extended by up to a further two months where a request is complex or the organisation has received a number of requests from the same individual) and must have procedures in place to manage requests effectively.


Organisations are not always required to disclose all of the information they hold. There are a number of exemptions which may apply in certain circumstances. Examples include information relating to:

  • Third parties (other individuals)
  • Serious harm
  • Legal professional privilege 
  • Negotiations with the requester 
  • Management forecasting or planning 
  • Confidential references 
  • Crime prevention and detection 


Where an exemption applies, organisations may be able to withhold some or all of the requested information. Each request should be assessed on its own facts and exemptions should be applied carefully and appropriately.


Copyright ©2017-2025 Firebird Data Protection Consultancy Limited - All Rights Reserved.

Firebird is a private limited company registered in England & Wales (10841251).

Registered address: 20-22 Wenlock Road, London, N1 7GU. Telephone: 01392 344392