WithoutFire | John Elliott's occasional thoughts on data protection


Welcome. I’m John Elliott and this is my small bit of the Internet. I’m a data protection specialist working at the intersection between regulation and information technology. I’m typically engaged as a consultant or interim manager.

Data Protection and information security

I describe myself as dual-qualified - I can work happily in information security and/or data protection. I have an in-depth knowledge of data protection law (i.e. GDPR) and information security alongside experience in business-focussed IT delivery. I also have significant knowledge and experience in payment regulation (AISP and PISP within PSD2) and payment systems (card processing and Open Banking).

I'm able to act in an interim role as an organisation's CISO or DPO. I am good at helping information security teams to understand their responsibilities under GDPR's article 32, and DPOs to understand how to work with information security and IT teams.

I have the professional qualities to be a statutory Data Protection Officer — I’ve worked in that role for a large airline and have also advised many organisations about how they can comply with GDPR. I also worked at Open Banking looking at the whole data protection and privacy implications of the new API-based way of banking created by PSD2.

I've also worked as an interim Head of Information Security in financial services.

PCI DSS and payment security

I was fortunate to spend around three years as Visa Europe’s representative on the technical working groups of the Payment Card Industry (PCI) Security Standards Council (SSC). In that time I contributed extensively to PCI DSS v3 and P2PE v2 and I also answered lots of questions about the standards and payment security.

I’m currently the Chair of the UK Merchants’ PCI Working Group which consists of the people responsible for PCI compliance and/or information security for the largest merchants in the UK. Collectively the group members originate over 80% of all UK payment card transactions. We meet quarterly, engage with the PCI SSC and all the UK acquirers, and also have guest speakers from various technology companies.


I develop highly-rated training courses for Pluralsight (they are listed over there in the right margin). Pluralsight is a brilliant online library of video-based training courses made by real subject matter experts. One of the best aspects of being a course author is that I have access to the entire library, which is full of awesome courses such as Troy Hunt's "Hack Yourself First".

Professional Qualifications etc.

I keep a number of professional qualifications to provide externally validated assurance of competence to my customers' management, non-executive board or their regulators. We can all debate the actual merits of various professional bodies, their exams, their strengths and weaknesses - but to provide confidence to people who engage me, I maintain¹ membership of ISC(2), ISACA, IAPP and the British Computer Society².

Professional: BCS Fellow, Chartered IT Professional

Information Security: CISSP, CISA, CRISC

Data Protection and Privacy: CIPP/E


I’ve an LLM (i.e. Masters of Law) in Information Rights Law and Practice (Data Protection).

What do people say about me?

Former clients have been kind enough to provide recommendations on LinkedIn. This one is my favourite because saving half a million pounds for a company is a pretty cool thing to do and shows the benefit in a pragmatic approach to regulation.

“From the first day when John arrived at the Club to work with us through the initial difficult stages of PCI compliance, he was first class, not only to work with, but also the extent of his knowledge, pragmatic advice and guidance were second to none.

I will never forget a 5 minute conversation with John at a project board meeting where we proposed a number of actions costing approx. £500k. He challenged them, made us rethink it all, and the final cost to achieve the same end came out at £10k!!”


Get in touch via LinkedIn, @withoutfire or email to john@you_can_probably_guess_the_domain.


¹ Maintain = 40 hours of CPE and about £600 a year, which is insane!

² I know the name has changed to “BCS the Chartered Institute for IT” but I much prefer the old name.
