Tag: IG

Act Now Wins IRMS Supplier of the Year Award 2026

Act Now Training is proud to announce that it has won the Information and Records Management Society (IRMS) Supplier of the Year award for 2026. The aim of the award is “to recognise suppliers in the IG/IM/RM world that go above and beyond normal expectations of customer service.”  The awards ceremony took place on Monday night at the IRMS Conference in Cardiff. 

This is the fourth time in six years that Act Now Training has won this award. Ibrahim Hasan said:  

“We would like to thank all our colleagues in the IG profession who voted for us. 
The award recognises our education led approach and our commitment to providing measurable training that develops participants’ IG skills, competencies and behaviours.   

It has been another fantastic 12 months for Act Now Training. Notable achievements include: 

Launching the Guardians of Data Podcast 

The new Guardians of Data Podcast has proved extremely popular with the IG profession. It’s a show which explores the world of information law and information governance; from privacy and AI to cybersecurity and freedom of information. In each episode we speak to experts and practitioners to unpack the big issues shaping the IG profession 

Previous episodes  have featured Tahir Latif talking about responsible AI deployment, Naomi Matthews and Ibrahim Hasan  explaining the law on filming people in public for social media, Maurice Frenkel looking back at 20 years of the Freedom of Information Act and Olu Odeniyi analysing recent cyber breaches and discussing the lessons learnt. 

Building the AI Skillset  

Act Now launched the AI Governance Practitioner Certificate with the aim of helping data protection professionals to play a leading role in addressing the legal and ethical dilemmas posed by emerging AI as well as position themselves as
forward-thinking leaders who can bridge the gap between law, ethics, and technology. The course has been extremely well received by the profession.     

Revising the Advanced GDPR certificate  

Since its launch in 2020, Act Now’s  Advanced Certificate in GDPR Practice has attracted hundreds of DPOs from across the public and private sectors. Feedback has been consistently positive with many participants commenting on how the course has given them the confidence and skills to be able to dissect complex data protection scenarios and give clear and practical compliance advice. This year the syllabus has been revised to reflect advances in technology, especially in AI, and the latest ICO/Tribunal decisions. The assessment method for this course has also been revised to help develop participants’ communication skills. 

Delivering New Workshops  

Act Now has continued to provide relevant and cost effective IG workshops during rapidly changing times for the IG community. Our programme has been expanded to include practical advice on topical issues such as the Data (Use and Access) Act, Data Breach Management and Children’s Data. 

How to Succeed in Information Governance

Seasoned IG professionals offer invaluable advice, having tackled data protection hurdles and shaped best practices over years in the field. By listening to their journeys, new IG professionals can better prepare themselves to face tomorrow’s IG challenges with confidence. 

In Episode 1 of the Guardians of Data podcast our guest was Jon Baines who is a senior data protection specialist at Mishcon de Reya LLP, a law firm where he advises on complex data protection and freedom of information matters. Jon isn’t a lawyer in the traditional sense, yet he has been listed in Legal 500 as a rising star in the data protection, privacy and cybersecurity category. Jon is also the long standing chair of the National Association of Data Protection and Freedom of Information Officers.  

In the podcast, our conversation ranges widely and goes into Jon’s route to the law, what sort of work a non-lawyer like gets involved in at a law firm, whether young professionals need to or should qualify as solicitors in order to develop a career in information law, some of the specialisms and the history of Mishcon de Reya LLP; and developments of data protection in the age of AI. 

The following is an abridged version of the podcast focusing on Jon’s advice to IG professionals.  

Question: You’ve proved that you don’t need to be a lawyer to work at the cutting edge of information law. What skills or perspectives can non-lawyers bring that make them particularly valuable in this field? 

Answer: Critical thinking. I’m a big advocate for seeing both sides. I nearly always, when I approach a task or an instruction, think “if I were advising the other side, what would I be doing?” Because I think it’s really important that you don’t just see the positives on your side; that ability to see across the issue and be able to challenge yourself is important. And that’s part of critical thinking.  

In a lot of data protection matters, it’s important to remember that a data subject is all of us effectively; we are all data subjects. Data protection is about a fundamental right, let’s call it the right to respect for our personal information and a limited right to control that information. So a certain amount of empathy is important.  

It’s also important to understand how commerce works; data protection law doesn’t exist in a vacuum. As I say, it’s about us; it’s about our information. It’s also about how that information, operates and can be used within a commercial world, a business world, a public service world. We don’t have a complete right to privacy, let alone privacy of our information. It’s a qualified right. So I think an understanding of business and understanding that business needs data in order to operate is important. 

What is your advice for those who are new to the IG profession? 

I think one of the biggest skills you need is being able to be across the whole organisation that you work for. So don’t work in a silo. Your role might be part of Legal etc. but make sure that you get out and learn about your organisation. Make sure that people know who you are. It’s old fashioned internal networking, I guess. 

How should IG professionals, position themselves, to add value to AI projects? 

Well, it kind of makes me think of the old Data Protection Impact Assessment or prior to GDPR, when we called them privacy impact assessments. It’s not much use being part of that sort of project if you’re only brought in at the last moment. The whole idea of risk assessment is to assess in advance. So it’s important for IG professionals to remind those setting up AI projects that their input is needed from the start; indeed, even before a decision is taken to initiate a project. There are going to be few AI projects that will not involve data protection, in some way or another, or that don’t have the potential to do so in the future. So I think it’s as simple as that really. Try and make sure you’ve got your foot in the door at the start, because it’s going to be very difficult to do your job if you’re brought in at the last moment. 

If you could go back and give your younger self one piece of career advice, what would it be? 

I would probably tell myself that, just in the years after graduation, time goes quite quickly. And whilst I wouldn’t ever want to put pressure on my younger self, I think I would want to tell my younger self to “pull your socks up” a bit and start doing this sort of thing earlier. I think I drifted for a number of years and, as I get older, I increasingly find myself in this role of elder sage and telling young people, don’t waste time; it goes so quickly. 

How useful is NADPO in terms of professional development? 

NADPO is a venerable institution. It’s been going since 1993. We’re an association of information law professionals and by that I mean there are DPOs, there are FOI officers, there are lawyers, there are some journalist members, academics etc. So everyone is welcome. We exist to support the profession by providing an opportunity to learn from experts (whilst we don’t do direct training). So for a payment of, what’s rather an eccentric, membership fee of £130 for two years, you get to attend our in-person events, which includes our annual conference where we have seven or eight expert speakers talking on various areas of information law. We also have monthly webinars and a range of other member benefits. I’m very keen that NADPO is for its members. So I love it when members come to me with ideas for speakers or offers. Like I say, it’s open to anyone who’s working in or really interested in the area of data protection, FOI and IG.  

You can listen to the full Episode 1 podcast with Jon here.  

More valuable careers advice in Episode 5 where our guest is Raz Edwards, Head of Data Security and Protection at Wolverhampton NHS Trust. In our conversation, Raz shares her journey into Information Governance, the challenges she’s faced and overcome as an IG leader, her advice for both new starters and seasoned professionals and her perspective on the future of the profession.  She also reflects on what she’s learned through her tribunal role and what it takes to succeed as an IG leader. 

New Podcast: How to Succeed as an IG Leader 

Act Now is pleased to bring you episode 5 of the Guardians of Data podcast.  

In information governance, there is no substitute for learning from those who have walked the path before us. Experienced IG leaders bring a wealth of knowledge from years at the frontline of data protection and information rights – navigating challenges, overcoming obstacles and shaping best practice along the way.
By sharing their stories, lessons learned and practical advice, they help both new starters and seasoned professionals grow in confidence, strengthen their practice and prepare for the challenges of tomorrow. 

In this episode we are joined by Raz Edwards, Head of Data Security and Protection at Wolverhampton NHS Trust. Raz has over 17 years of experience as a Data Protection Officer, including more than a decade in the NHS. She is also Chair of the National Strategic Information Governance Network and serves as a member of the Upper Tribunal and First-Tier Tribunal in the Information Rights Jurisdiction. 

In our conversation, Raz shares her journey into Information Governance, the challenges she’s faced and overcome as an IG leader, her advice for both new starters and seasoned professionals and her perspective on the future of the profession.
She also reflects on what she’s learned through her tribunal role and what it takes to succeed as an IG leader. 

 Download and listen here, or on your preferred podcast app. Available on Apple Podcasts, Spotify, and all major podcast platforms. 

Previous episodes of the Guardians of Data podcast have featured Jon Baines, reflecting on his career as a Data Protection Specialist and the hot issues in information governance, Lynn Wyeth discussing the recent controversy around Grok AI, Maurice Frenkel looking back at 20 years of the Freedom of Information Act and Olu Odeniyi analysing recent cyber breaches and discussing the lessons to learn.

Dr. Malkiat Thiarai Joins the Act Now Team 

Act Now is delighted to welcome Dr. Malkiat Thiarai to our team of associates. 

Our associates play a vital role in delivering our mission: helping to create a more privacy-conscious world by educating IG professionals. At Act Now, we pride ourselves on providing training that is clear, practical, and jargon-free — making complex topics accessible and engaging. 

Every one of our associates brings extensive real-world experience from the information governance sector. This expertise enriches our courses and ensures they remain relevant, insightful, and highly rated by our delegates. We are excited to have Dr. Thiarai join us in continuing this tradition of excellence. 

Dr. Malkiat Thiarai has worked for Birmingham City Council for over 30 years and has led the information governance function for over 20 years. He is currently the Head of Practice – Corporate Information Management and part of the council’s Digital and Technology Services multi-disciplinary leadership team. His role encompasses the duties of the Data Protection Officer as well as other aspects of information governance. He helps to improve the management of council data assets and provide strategic and operational management of information management.   

In 2021, Dr. Malkiat successfully completed a PhD in Urban Science from the University of Warwick. His research focussed on the understanding the challenges and capability of using personal data held within public sector organisations for research purposes and use the analysis to develop new models of service delivery that are focused on social care data whilst balancing the rights of the individual to privacy and a personal life. He has previously completed the LLM Information Rights and Law as well as an MBA in Public Service. 

Dr. Malkiat will be developing new courses around his area of expertise and sitting on our curriculum and exam board. He will also be assisting our team to deliver everything from one-day workshops to advanced practitioner certificate courses. 

Ibrahim Hasan, Director of Act Now Training, said:  

“I am very pleased that Dr. Malkiat has joined our team. I have known Malkiat for over 25 years. I am confident that his strong academic background coupled with experience of working in IG for many years, he will be great contribution to our team developing innovative curricula to help foster a culture of responsible data usage, build public trust and drive positive change.” 

Why Risk Management is Essential for IG Professionals 

GDPR compliance is very much about risk management. Throughout the UK and EU GDPR, Data Controllers are required to implement protective measures corresponding to the level of risk of their personal data processing activities. Consequently, risk management is a foundational skill which all data protection and information governance professionals need to develop.  

Risk in the UK GDPR 

Key provisions of the UK GDPR which mandate a risk-based approach include: 

Article 24 Responsibility of the Controller 

“Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.” 

Article 25 Data Protection by Design and by Default 

“Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.” 

Article 32 Security of Processing 

“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,…” 

Article 33 Notification of a Personal Data Breach to the Commissioner 

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Commissioner , unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification under this paragraph is not made within 72 hours, it shall be accompanied by reasons for the delay.” 

Article 33 Notification of a Personal Data Breach to the Data Subject 

“When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.” 

Article 35 Data Protection Impact Assessments (DPIAs) 

“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.” 

Even where the word ‘risk’ is not explicitly used, the concept underpins a number of data protection principles in the UK (and EU) GDPR. For example: 

Accountability Principle  
Data Controllers must be able to demonstrate compliance. This involves documenting risk assessments, decisions, and mitigations; all of which are key components of risk management. 

Lawfulness, Fairness, and Transparency  
Fair and transparent processing demands that Data Controllers consider the potential impacts on data subjects; essentially, assessing and managing risks to data subjects’ rights. 

Data Minimisation and Purpose Limitation 
Ensuring that only necessary data is collected and processed inherently involves evaluating what is proportionate and appropriate, which are concepts rooted in risk assessment. 

Practical Skills DPOs and IG Officers Need 

Given the prominence of risk in the GDPR, DPOs and IG professionals should cultivate the following competencies: 

  • Risk Identification: Being able to recognise threats to data confidentiality, integrity, and availability; whether technical (e.g. cyberattacks) or organisational (e.g. poor access controls). 
  • Risk Analysis: Assessing the likelihood and potential impact of risks and understanding their relevance to the rights and freedoms of individuals. 
  • Risk Evaluation and Prioritisation: Comparing estimated risks against risk tolerance and legal thresholds (e.g. what constitutes ‘high risk’ under Article 35). 
  • Mitigation Planning: Developing and implementing controls to reduce risk to an acceptable level; whether through encryption, training, anonymisation, or policy development. 
  • Ongoing Monitoring: Risk is not static. DPOs must continuously monitor changes in technology, regulation, and business practices that may affect data risk profiles. 

For data protection and IG professionals, risk management is not a ‘nice-to-have’; it is a foundational skill.  

Interested in developing your risk management skills further? Consider enrolling on our new Risk Management in IG workshop 

Nathan Bent Joins Act Now Training Team 

Act Now Training is pleased to announce that Nathan Bent has joined its team of associates

Nathan is a data protection specialist and a Certified Data Ethics Practitioner with the Open Data Institute (ODI). He has delivered over 40 courses in the past six months, covering Data Governance, Data Protection, Data Privacy, Data Security and Data Ethics. 

Throughout his career, Nathan has been recognised as a caring, joyful, and
people-oriented leader who is passionate about developing others and sharing knowledge. Nathan brings this passion and experience into every learning session, using practical, easy-to-understand examples, case studies, and real-life experiences to help each participant succeed. 

Nathan has worked as a Data Protection Officer, Data and Information Governance Manager, Chief Information Security Officer and Head of Data Governance and Technology in varying sectors from Engineering and Energy, to Social Housing and MedTech.  Over the past 25 years, he has led, coached, and educated teams that deliver data management, complex data insights, forecasting, statistical analysis, big data, data visualisation, data ethics, and legal and med-tech systems. 

Nathan said: 

“I am so pleased to be joining the Act Now team whose values and ethos are so closely aligned to mine. I have a lifelong passion for learning and knowledge. My training sessions are known for being dynamic, full of enthusiasm and often filled with laughter. I have made it my mission over the years to make what are often dry or (dare I say) boring subjects, fun and engaging.” 

Alongside Dr. Cedric Krummes, Nathan, our second recent appointment, will assist us in continuing to serve and deliver training courses for our clients. He will conduct
one-day workshops and our new AI Governance Practitioner Certificate. We warmly welcome Nathan to our team of dedicated and passionate trainers. 

Act Now Expands its Training Team 

At Act Now Training, we believe in building a privacy-conscious world. Our goal is to promote trust and respect for privacy, ensuring organisations embed data protection into their operations by default. Our  team of associates break down complex legal concepts, making education accessible and empowering IG professionals to become leaders in their field. By fostering a culture of responsible data usage, we help build public trust and drive positive change. 

With new courses launching in 2025, including the very popular AI Governance Practitioner Certificate, we are seeing a surge in demand for in house and public training courses. To service this demand, we are welcoming an additional information law expert to our team.  

Dr. Cedric Krummes has worked as a Data Protection Officer, Information Governance Manager, Information Security Officer, and Data Owner in various sectors. He has been teaching and training for over 20 years in a wide range of industries, countries, and languages. He has presented papers at international conferences, spoken on panels and facilitated workshops. Cedric can explain complex topics in an engaging, practical, and jargon-free way. He will be assisting our team to deliver everything from one-day workshops to advanced practitioner certificate courses. 

Ibrahim Hasan, Director of Act Now Training, said: 

“I am very pleased that Cedric has joined our team. His strong educational background coupled with experience of working in IG for many years, will help us continue to equip IG professionals with the knowledge and skills they need to navigate the rapidly evolving landscape of data protection and privacy landscape.” 

First Damar IG Apprentices Successfully Achieve Qualification

In 2022, Act Now Training teamed up with Damar Training to support their delivery of the new Data Protection and Information Governance Practitioner Apprenticeship. The aim was to develop individuals into accomplished data protection and information governance practitioners with the knowledge, skills and competencies to address future IG challenges.

Damar Training recently announced that the first Data Protection and Information Governance apprentices have successfully achieved their qualification. 13 apprentices have passed their End Point Assessment (EPA) with many more completions due over the coming months. 

Damar is now England’s largest provider of this apprenticeship, with 176 apprentices enrolling on the programme at companies such as BBC, National Express, Dunelm and Auto Trader, as well as a range of universities, NHS trusts, councils and government departments. Act Now is pleased to continue to support Damar through the design and delivery of specialist workshops and training materials.

Congratulations to all the apprentices who have passed the EPA. Best of luck to those who have their EPAs coming up. 

More on the apprenticeship here. Feel free to get in touch with us to discuss further.

Have you Considered an Apprentice?

Act Now Training has teamed up with Damar Training on materials and expertise underpinning its new Data Protection and Information Governance Practitioner Level 4 Apprenticeship.


The apprenticeship will help develop the skills of those working in the increasingly important fields of data protection and information governance.

With the rapid advancement of technology, there is a huge amount of personal data being processed by organisations, which is the subject of important decisions affecting every aspect of people’s lives. This poses significant legal and ethical challenges, as well as the risk of incurring considerable fines from regulators for non compliance.

This apprenticeship aims to develop individuals into accomplished data protection and information governance practitioners with the knowledge, skills and competencies to address these challenges.

If you know someone who you think would benefit from doing an apprenticeship in DP and IG, then this may be the perfect solution for them.
Places are limited for each cohort. Cohorts start in September, January and May.

Further details can be found at https://www.actnow.org.uk/apprenticeship