Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.
DataWise is the original privacy tech platform designed to simplify GDPR compliance management. Since its inception in 2011, DataWise has continuously evolved, solidifying its reputation as the pioneering "privacy tech" solution.
Contact Us
Unlock Compliance Excellence with Our GDPR Consultancy Services. Navigating the intricate realm of data protection laws and standards demands expert guidance.
Contact Us
A data protection officer doesn't have to be a full time employee and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services or reach out and get in touch with us.
Contact Us
Data Protection People's world-class GDPR Support Desk. If you're navigating the complex landscape of data protection, PCI DSS, and cybersecurity, our support desk is your reliable compass.
Contact UsAt Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.
A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.
Contact Us
A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.
Contact Us
Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.
Contact Us
Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.
Contact Us
At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.
Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.
Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.
Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.
Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.
Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.
At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.
Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.
Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimize your operations, and scale confidently with our tailored solutions that prioritize your unique business needs.
For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.
For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavors with resilience.
In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.
Data Protection People have the UK’s #1 Data Protection Podcast with over 150 episodes available across all audio streaming platforms, we also post regular content designed to simplify complex areas of data protection and cyber security, check out some of the podcasts and articles below and make data protection easy today.
The UK is introducing mandatory age verification for accessing 18+ online content, including pornography, gambling and other age-restricted services. This change is designed to protect children, but it raises important questions for the data protection community. Are these measures safeguarding users or creating new risks? And how do organisations strike a balance between compliance and privacy?
Age verification is the process of confirming that a user is over a certain age threshold, usually 18, before granting access to restricted online content. The UK Government has committed to rolling this out in response to long-standing concerns about children accessing harmful material online.
Under the Online Safety Act 2023, platforms hosting 18+ content are now required to introduce robust age checks. This could involve ID scans, credit card verification, or even biometric facial recognition technology.
Is This a Win for Online Safety or a Risk to Privacy?
The move aims to protect vulnerable users, particularly children. But to verify age, websites must process more personal data and often very sensitive data. This creates tension between protection and privacy.
Positive Intentions
Potential Risks
Age verification is no longer just about ticking a box. Technology providers are introducing advanced tools to meet the UK’s requirements, including:
All of these involve processing personal data. Some even involve special category data, which demands greater safeguards under UK GDPR.
If your organisation is involved in publishing or enabling access to age-restricted content, there are immediate steps to take.
1. Conduct a Data Protection Impact Assessment (DPIA)
Any use of biometric or ID verification requires a DPIA. These technologies pose high risks to individual rights and freedoms and are likely to trigger Article 35 obligations under the UK GDPR.
2. Follow the Principles of Data Minimisation
Collect only what is necessary. If proof of age can be confirmed without identity, that’s preferable. Avoid systems that retain ID data longer than needed.
3. Use Trusted Verification Providers
Work with accredited Age Check Certification Scheme (ACCS) providers or other UK-recognised vendors who are independently audited and transparent.
4. Be Transparent with Users
Make it clear what data is being collected, how it is processed, and whether it is shared. This includes publishing clear privacy notices and cookie policies.
Is age verification required by law in the UK?
Yes. The Online Safety Act 2023 requires platforms hosting 18+ content to implement proportionate and effective age checks.
Do age verification systems fall under UK GDPR?
Yes. Any system that processes personal data—including biometric data or ID scans—must comply with UK GDPR requirements.
What’s the safest way to verify age?
Using third-party age assurance providers that issue verification tokens without exposing full identity data is currently considered best practice.
Can users opt out?
If access to the content is restricted by law, users cannot opt out of the age verification process. However, transparency and consent in how data is processed still apply.
Who enforces this?
Ofcom is the lead regulator under the Online Safety Act. The ICO oversees compliance with data protection laws related to these technologies.
For many, this change is a positive step towards safeguarding young people online. But it also signals a broader shift: privacy and safety are no longer separate priorities, they must coexist.
The risk is that platforms, in their rush to comply, adopt intrusive systems without fully understanding the data protection consequences. Age verification should not become identity verification by default.
The challenge now is to build trust through transparency, minimise data wherever possible, and ensure that age checks are done securely, proportionately, and fairly.
We believe data protection and child safety can go hand in hand, but only if implemented carefully. Mandating age verification should not open the door to excessive data harvesting or surveillance.
At Data Protection People, we support clients through this changing landscape, helping them stay compliant without compromising their users’ privacy. Our consultants can help you assess risks, write DPIAs, review third-party tools and update privacy documentation.
If your organisation is implementing or reviewing age verification systems, we’re here to support you.
We offer consultancy and audits that help organisations align with both the Online Safety Act and UK GDPR.
A data protection audit is an independent, expert-led review of your organisation’s compliance with UK data protection laws, including the UK GDPR, DUAA, DPA18 and PECR. At Data Protection People, audits are one of our top priorities. They are the foundation of how we help organisations identify risks, benchmark performance and improve accountability. Whether you’re a small business or a public sector body, a regular audit ensures your systems and practices are working as intended, helping you stay compliantand build trust with your stakeholders.
A Comprehensive Compliance Assessment
A GDPR audit evaluates how your organisation handles personal data. It checks whether your policies, procedures and technical controls meet the requirements of the UK GDPR and other relevant laws. It’s not just about ticking boxes; it’s about building confidence that your organisation is doing the right things the right way.
Identifying Gaps and Weaknesses
Even small gaps in your data protection practices can lead to big problems. A GDPR audit helps you uncover those gaps early. Whether it’s missing documentation, unclear lawful bases or ineffective SAR processes, identifying these weaknesses gives you the chance to put things right before they escalate.
Streamlining Internal Governance
Do your policies reflect what actually happens in practice? Are staff following the right procedures? Audits bring these questions to the surface. We don’t just assess paperwork, we evaluate real-world processes and behaviours to ensure your organisation is genuinely living up to its policies.
Building Stakeholder Trust
Showing that you’ve independently assessed your data protection compliance builds credibility. Whether it’s for the board, customers or regulators, being able to point to an audit from a trusted provider like Data Protection People helps demonstrate accountability.
We offer a wide range of audits to suit different needs, budgets and levels of maturity. Whether you need a light-touch review or a deep-dive audit, we have a solution.
GDPR Discovery Day
A high-level review that assesses how your organisation is currently managing data protection compliance. Ideal for organisations that want a snapshot of where they stand.
Who it’s for: Any organisation seeking quick insight and identify quick compliance wins
Time commitment: 1 day
Output: Executive summary of strengths, weaknesses and next steps
Gap Analysis
A detailed report that compares your practices against a robust compliance framework. You’ll get a visual benchmark and actionable insights to help close any gaps.
Who it’s for: Organisations preparing for audits or external scrutiny
Time commitment: 3 days
Output: Full benchmarking report with RAG-rated findings
Full GDPR Audit
A comprehensive audit covering all aspects of your data protection framework, including records of processing, risk assessments, policy controls, and compliance culture.
Who it’s for: Organisations seeking detailed assurance
Time commitment: 5 days
Output: Full audit report with evidence, recommendations, and improvement roadmap
PECR Audit
A focused review of how you manage electronic communications, cookies, and marketing consent under the Privacy and Electronic Communications Regulations (PECR).
Who it’s for: Organisations conducting digital marketing
Time commitment: 1–2 days
Output: Compliance report with recommendations
Tailored Audit Framework
We can design bespoke audit frameworks that align with your internal structures or specific sector requirements. These can be based on our established methodology or built from scratch.
Who it’s for: Regulated sectors or organisations with unique risks
Time commitment: Varies
Output: Custom framework, audit delivery, and repeatable toolkit
What is the purpose of a data protection audit?
A data protection audit helps you assess whether your organisation is complying with relevant laws and best practices. It identifies areas of risk, provides reassurance to stakeholders, and supports continuous improvement.
How often should we carry out an audit?
We recommend a full audit at least every 12–18 months. However, audits may be needed more frequently for high-risk sectors, major system changes or after a data breach.
Can we audit ourselves?
Internal reviews are useful but can lack objectivity. An external audit ensures independence and brings in specialist knowledge.
Do audits include subject access requests?
Yes, our audits assess how your organisation handles individuals’ rights including SARs, erasure, rectification and objection.
What laws and standards do you audit against?
We audit against the UK GDPR, PECR, ICO guidance, and where appropriate, international frameworks like NIST or ISO standards.
Expertise You Can Rely On
Our audit team includes certified professionals such as Catarina Santos, who bring years of real-world experience across sectors. We understand the law, the risks and the operational challenges.
Structured and Actionable
We don’t leave you with a vague report. Every audit concludes with clear, prioritised recommendations that you can act on. If needed, we can also support the implementation process.
Tailored to Your Organisation
We don’t believe in one-size-fits-all. Whether you’re a housing association, a retailer, or a healthcare provider, we tailor the audit to your data flows, systems, and risks.
Flexible, Repeatable Frameworks
Want to embed auditing into your governance processes? We can create reusable frameworks that allow you to conduct regular internal audits or annual reviews.
At Data Protection People, our mission is to make data protection easy to understand and easy to do. Our audit services are designed to help you benchmark, improve and maintain your compliance posture.
Most organisations believe their data protection practices are solid, until they take a closer look. A GDPR audit gives you the chance to step back and properly assess how your organisation handles personal data. It’s not just about compliance. It’s about building confidence that your systems, policies and people are doing the right things.
Whether you’re preparing for an inspection, responding to concerns, or just want to get ahead, a GDPR audit is the best place to start.
A GDPR audit is a structured, independent review of your organisation’s data protection arrangements. It looks at how you collect, store, use and share personal data across your operations.
At Data Protection People, our audits are clear, thorough and tailored to your needs. Some clients ask us for a simple high-level review to check the basics. Others need a full, in-depth audit that explores every part of their data protection strategy.
We also offer audits focused on specific areas like electronic communications or internal governance. Each audit is built to match the risks, size and structure of your organisation. We don’t use generic templates. We listen, understand and provide advice that fits your environment.
Data protection can easily fall down the priority list, especially when teams are busy. But that’s exactly when risks can creep in. A GDPR audit gives you an honest picture of where you stand and helps you address issues before they grow into problems.
It can also give your leadership team the confidence to make informed decisions. When data protection is done well, it protects more than just information—it protects your reputation, your customers and your future.
We also find that audits are a great way to bring teams together around a shared goal. The process highlights what’s working well and where improvements are needed, without placing blame or creating pressure.
A GDPR audit is useful for any organisation that handles personal data, regardless of size or sector. If you’ve never had one before, it’s worth scheduling an audit to create a baseline and check that your foundations are in place.
Organisations often reach out to us after a period of growth or change. If you’ve launched new services, moved systems, or experienced staff turnover, it’s a good time to review your compliance. We also work with clients who’ve had a breach or a near miss and want to understand what went wrong.
If you’re preparing for an ICO inspection or contract review, an audit can help you feel more confident and prepared. It’s not about ticking boxes. It’s about showing you’re serious about data protection and taking the right steps to get it right.
Our process is designed to make things easy for you. First, we start by understanding your organisation, how it operates, and where the data flows. We’ll talk through your systems, services and how personal data moves across your business.
Next, we review your key documents. That includes your policies, privacy notices, contracts, and staff training records. These documents give us a view of your governance and how you meet your legal obligations.
We may speak with relevant staff to understand how things work day to day. These conversations help us check that policies are being followed in practice, not just written on paper.
We then carry out a structured assessment, comparing your setup against GDPR requirements and sector best practices. Once complete, we provide a clear report. It explains what you’re doing well and where improvements are needed. Most importantly, we include a detailed action plan that helps you prioritise and take control of your compliance.
We’ve been helping organisations with data protection for over 15 years. Our consultants are experienced, practical and know how to explain things clearly. We understand the challenges businesses face when trying to stay compliant, and we’re here to make it easier.
Our audits are designed to work around you. We don’t disrupt your day-to-day operations or expect your team to speak legal jargon. We take the time to understand your business and provide advice that’s realistic, achievable and tailored to your situation.
Clients tell us they feel more confident after an audit with us. They know where they stand and what to do next. That’s what we aim for, clarity, confidence and practical solutions.
Once you receive your report, you’ll have a clear list of actions and priorities. You can choose to handle these internally, or we can help you implement the changes. Some clients ask us to support policy updates, deliver staff training or even take on the role of outsourced DPO.
Whether you need a little help or full support, we’re flexible and here to make compliance easier. Our goal is to help you build a strong, practical approach to data protection that grows with your organisation.
A GDPR audit isn’t something to put off or fear. It’s an opportunity to take stock, reduce risk and build better processes. By investing in a proper review, you protect more than just data, you protect your customers, your reputation and your business.
If you’ve been unsure where to start, or worried about what you might find, we’re here to help. Our team will guide you through the process step by step. You’ll come away with a clearer understanding of your responsibilities and a plan you can trust.
Ready to find out more?
Speak to our team today about booking a GDPR audit. We’ll help you understand what’s involved and how it can benefit your organisation.
Every year, as summer arrives and schools break up for the six-week holiday, many organisations begin to feel the pressure. But it’s not just the heat or the juggling of annual leave rotas that causes challenges. For data protection teams across the UK, summer has become known as SAR season, a time when Subject Access Requests (SARs) increase and internal resources are stretched thin.
At Data Protection People, we’ve supported hundreds of clients through this exact scenario. We’ve seen the same patterns emerge year after year: reduced staffing levels, mounting deadlines, and complex SARs that simply cannot wait. Understanding why this happens and how to prepare can make all the difference.
There isn’t one single reason, but rather a combination of factors that converge during July and August. First, many internal data protection and HR teams are operating with skeleton staff due to holidays. This makes it harder to keep up with SARs, especially those that are more involved, such as requests from current or former employees.
At the same time, there can be a rise in employee-related SARs during the summer break. Disagreements over flexible working, disputes linked to holiday entitlements, or even longer-standing grievances can lead to individuals submitting SARs as part of broader HR issues. In the education sector, we also see a rise in parent and student SARs being submitted just before the academic year begins, adding more pressure at an already busy time.
Add to this the fact that organisations have only one calendar month to respond to a SAR, with no extension allowed unless the request is particularly complex, and the situation quickly becomes challenging.
Failure to meet SAR deadlines doesn’t just inconvenience the individual making the request. It can trigger complaints to the Information Commissioner’s Office (ICO), damage your organisation’s reputation, and even result in financial penalties. In some cases, particularly involving employees or sensitive personal data, delays can lead to legal disputes or grievances that might otherwise have been avoided with a well-handled and timely response.
It’s also important to remember that a SAR isn’t just about handing over data. You need to ensure that third-party information is carefully redacted, privileged or confidential material is properly assessed, and that the response is complete and clearly structured. This is not something that can be rushed, especially when your internal teams are already overstretched.
We are proud to be recognised as the leading provider of SAR support in the UK, and we currently rank #1 on Google for SAR and DSAR support services. Our experience spans all sectors, including housing, education, healthcare, charity, and private organisations of all sizes. Whether you’re facing a one-off customer request or handling an employee SAR covering 15+ years of service, our team is equipped to help.
We have a dedicated team of 25 professional redactors who work solely on SARs. This means you’ll be supported by experts who understand not just the legal obligations, but the operational and reputational risks associated with each request. Our advanced SAR processing software allows us to de-duplicate documents, carry out high-precision redactions, and manage the full review process securely and efficiently.
Our clients value our ability to step in quickly, assess their needs, and deliver a professional, compliant response, often under tight time constraints. We’re more than just a redaction service. We work alongside your internal team to manage the SAR from start to finish, offering full visibility, clear communication, and high-quality results.
The summer holiday period can be a perfect storm for SAR compliance issues: fewer people in the office, growing backlogs, and no let-up in legal obligations. That’s why many organisations turn to external support during this time of year.
By working with us, you can reduce the stress on your internal team, ensure deadlines are met, and protect your organisation from unnecessary risk. We also offer ongoing SAR management support, policy reviews, and tailored training to help you build resilience and improve processes moving forward.
If you’ve received a complex SAR and are unsure where to start, or if you’re already facing time pressure due to annual leave cover, get in touch. We’ll help you regain control, stay compliant, and respond with confidence.
Our team is ready to help. Whether you need end-to-end SAR handling, software to streamline your internal response process, or simply some expert guidance, we’re here to support you. Contact us today or visit our SAR Support page for more information.
If you’d like to stay up to date with news, updates and practical advice on SARs and other data protection topics, join the Data Protection Made Easy community:
We break down complex topics, provide practical solutions, and help professionals at all levels feel more confident and in control.
On Thursday, 18th July 2025, we hosted Part Two of our DUA Act discussion, with over 200 live attendees joining us for a deeper dive into the Data (Use and Access) Act 2025.
Led by Phil Brining and Caine Glancy, this session focused on answering the questions raised in Part One, exploring complex scenarios, and sharing practical advice for professionals preparing for the new regulations.
If you couldn’t attend live or want to revisit the insights, you can now listen back to the full recording and access the presentation slides shared during the event.
Click below to listen to Part Two on Spotify or search ‘Data Protection Made Easy’ on Apple Podcasts, Audible or any major platform.
Download the Slides
We’ve made the full slide deck from Part Two available to download and share:
Download Part Two Presentation Slides
By joining our free community, you’ll get:
We’re here to help you transition confidently into the new data protection landscape, making compliance clearer, simpler, and more achievable.
On Friday, 28th June 2025, we hosted our biggest podcast session ever, with 295 live attendees joining us to explore the Data (Use and Access) Act 2025.
Hosted by Phil Brining, Caine Glancy, and Catarina Santos, the session provided a clear and practical breakdown of the most significant changes to UK data protection law since the GDPR.
Whether you missed it live or want to listen again, you can catch the full episode now and download the slide deck shared during the session.
Click below to listen to the episode via Spotify or find us on Apple Podcasts, Audible and all major streaming platforms.
Download the Slides
We’ve made the full slide deck from the session available to download and share:
Download Presentation Slides
Due to overwhelming demand and brilliant questions from our community, Part Two is already confirmed. In this follow-up session, we’ll dig deeper into unanswered questions, explore real-world scenarios, and share practical next steps for compliance and governance.
Click here to visit the Part Two event page and register your place: View Part Two
By joining our free community, you’ll get:
We’re committed to supporting our community through the transition to the DUA Act and beyond, making compliance simpler, clearer, and easier to manage.
Data Protection Made Easy Podcast – Episode 214
After one of our most popular episodes to date, Data Protection Made Easy is back on Friday 13th June with Part Two of our deep dive into Subject Access Requests (SARs) from employees and ex-employees.
Our expert hosts Catarina Santos, Phil Brining and Caine Glancy return with special guest Nia Roberts to pick up where we left off, tackling some of the most challenging real-world scenarios and offering practical advice you can put into action.
Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.
Understanding What Drives SARs
We’ll begin by exploring the reasons why employees and former staff submit SARs. Understanding their motivations – whether it’s part of a grievance, a disciplinary matter, or simply curiosity – can help you take a more informed, strategic approach when responding.
When You Must Respond – And When You Don’t
We’ll clarify the legal obligations around SARs, including when you are required to respond and the circumstances under which you may lawfully refuse. We’ll cover how to apply exemptions correctly and avoid common legal missteps.
Managing Excessive or Repetitive Requests
Some SARs are straightforward, but others can be lengthy, repeated or even used tactically during disputes. We’ll discuss practical strategies for managing high-volume or difficult requests while staying compliant and maintaining control.
Balancing Transparency and Internal Protection
Sharing data is a legal requirement, but it can pose risks. We’ll explain how to balance the need for openness with the importance of protecting internal communications and third-party data, especially in sensitive workplace situations.
Lessons from Real Grievance and Disciplinary Cases
We’ll walk through real examples where SARs intersect with HR issues, highlighting the challenges and how they were overcome. These case studies bring the legislation to life and offer useful insights for handling similar requests in your own organisation.
Proactive Preparation: Getting Ahead of SARs
Being prepared can save you a lot of time and stress. We’ll share practical steps to help you get ready for future SARs, such as mapping employee records, putting redaction protocols in place, and training managers to write with potential disclosure in mind.
Avoiding Common Mistakes
From over-disclosing sensitive data to misinterpreting exemptions, there are several pitfalls to watch out for. We’ll help you spot the most common mistakes and show you how to avoid them through better planning and communication.
Handling Escalation and Risk
Sometimes SARs escalate into wider legal or reputational issues. We’ll outline how to manage those risks and what to do when a request becomes more than just a request – protecting your organisation and your people in the process.
The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.
Subscribe to our mailing list by emailing [email protected]
Join live discussions every Friday at lunchtime
Find out more about our events, training, and in-person roundtables
As always, this podcast is completely free to attend and open to everyone. Whether you’re new to SARs or navigating a particularly difficult one, this session will leave you better equipped to respond with clarity and confidence.
Know someone who would benefit? Share the podcast link and help others take the complexity out of compliance.
Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.
Data Protection Made Easy Podcast – Episode 114
Subject Access Requests (SARs) submitted by current or former employees are among the most sensitive and complex data protection challenges organisations face. In Episode 114 of the Data Protection Made Easy Podcast, we welcomed Nia Roberts from Woodgate & Clarke to share her insights alongside our regular hosts Philip Brining, Catarina Santos, and Caine Glancy.
If you’re involved in HR, legal, compliance, or data protection, this is an episode you won’t want to miss. SARs from staff can surface during contentious periods and often involve highly personal data, workplace grievances, and emotionally charged decisions.
Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.
This session dives into some of the most frequently asked questions and overlooked risks when handling SARs from employees and ex-employees. The team explored:
From employment disputes and grievances to misunderstanding of rights, we discussed the motivations behind employee SARs and how these requests are sometimes unfairly perceived as “troublemaking.”
As Catarina Santos explained, it’s essential to reframe the narrative:
“The moment an employee submits a SAR, there’s often suspicion. But they’re simply exercising a right, and organisations need to avoid viewing this as a hostile act.”
The episode opened with a reflection on how important organisational attitude is when dealing with SARs internally. Do line managers panic? Do HR teams try to limit the scope unfairly? The cultural tone of how SARs are approached sets the standard for compliance, and respect for rights.
This episode was particularly lively, with dozens of listeners sharing personal experiences in the live chat, from management asking for redaction reviews to WhatsApp messages being considered disclosable.
Philip Brining highlighted the value of the community:
“We’re not here to preach, we’re here to learn from each other. Today’s discussion proved again how much experience exists across this community.”
Are your workplace chat tools covered by SARs? Very possibly. The group discussed how platforms like Microsoft Teams, Slack, and WhatsApp are increasingly scrutinised during employee SARs especially if conversations include personal data.
SAR compliance doesn’t mean giving everything. As Caine Glancy pointed out, organisations must strike a balance between access and protection:
“It’s easy to get swept up in emotion, especially when the SAR involves current staff. But we need to remain impartial, proportional, and legally grounded.”
The team also touched on unfounded and excessive requests, case law, and the ICO’s guidance on managing SARs in the workplace — especially when IT systems and data security are involved.
What made this episode stand out was the depth of real-world experiences shared. Guest speaker Nia Roberts brought front-line insight, including how to manage expectations and collaborate across departments:
“You need strong communication between data protection and IT teams. It’s essential, especially when you’re dealing with chat logs or historic data held in messaging tools.”
The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.
Subscribe to our mailing list by emailing [email protected]
Join live discussions every Friday at lunchtime
Find out more about our events, training, and in-person roundtables
Due to overwhelming demand and an overflowing chat box, we’re exploring a Part 2 to this session, diving deeper into recurring SAR issues, including excessive requests, HR workflows, and lessons from recent case law.
Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.
This month, we’re offering free consultations on SAR handling to any organisation looking to improve their internal process.
Whether you’re struggling with redaction, document searches, or managing requests from difficult cases, speak to one of our experts for practical support.
📩 Simply email us at [email protected] with the subject line “SAR Support”, and we’ll book in a free 30-minute consultation.
We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.
View AllOur mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.
