Andy Williamson

Technical DPO and AI governance. Notes from the sharp end of data protection compliance.

Latest issues

Making the ICO Accountability Framework work in practice

In over six years of enforcing the UK GDPR, the ICO has never issued a fine for failing to maintain a Record of Processing Activities. Article 30 requires controllers to

Mar 13, 2026 5 min read

Data Protection in Financial Services: Managing the Conflict Between Two Regulators

While there are many challenges facing organisations in terms of complying with regulations, the biggest challenge for data protection governance in financial services is not knowing the regulation itself, but

Mar 12, 2026 6 min read

Natural history illustration of a European raven – featured image for Why most data protection training misses the point

Why data protection training can often miss the point

The majority of organisations today, provide data protection training. The training covers the GDPR principles, the definition of personal data, the basics of breach reporting. The staff who handle data

Mar 11, 2026 5 min read

A lotus seed pod (Nelumbo nucifera) - @andywson

Privacy by design is a technical problem first

Today nearly all organisations I look at have a privacy by design process. It's normally a section in their DPIA (Data Protection Impact Assessment), the structured risk analysis

Mar 10, 2026 4 min read

PECR and e-privacy: what most organisations get wrong

Your business website almost certainly has a cookie banner. You may even have paid for a consent management platform to handle it. But here is the question many businesses never

Mar 9, 2026 4 min read

View all issues