The UK's #1 Data Protection Consultancy

Data Protection & Information Security Experts

Data Protection Made Easy.

Join our extensive list of clients who have their data privacy under control

Accelerate Your Data Protection Compliance

Save Time, Save Money and Relax: You’re In Safe Hands

Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.

GDPR Training

Data Protection People have a wide range of training services catering for every need. Whether it's general training for operational or admin staff or specific training for specialist roles, we have something for you. Watch the short video below to meet the team and find out more about our training services.


Information Management Software

DataWise is the original privacy tech platform designed to simplify GDPR compliance management. Since its inception in 2011, DataWise has continuously evolved, solidifying its reputation as the pioneering "privacy tech" solution.


Data Protection Consultancy

Unlock Compliance Excellence with Our GDPR Consultancy Services. Navigating the intricate realm of data protection laws and standards demands expert guidance.


Outsourced DPO

A data protection officer doesn't have to be a full-time employee, and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services, or get in touch with us.


Need Help With Cyber Security Compliance?

We Have You Covered!

At Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.

PCI DSS Compliance Services for Merchants

A PCI assessment is an audit that validates compliance with the Payment Card Industry Data Security Standard (PCI DSS), the set of security requirements that applies to merchants who accept, process, store or transmit cardholder data.


PCI DSS Compliance Services for Service Providers

A PCI assessment is an audit that validates compliance with the Payment Card Industry Data Security Standard (PCI DSS). The standard applies equally to service providers who store, process or transmit cardholder data on behalf of merchants or other entities, or whose services can affect the security of cardholder data.


External Attack Surface Management

Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.


ISO 27001

Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.


Supporting DPOs

Flexible Support When You Need It

At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.

Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.

Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.

Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.

Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.

Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.

Diverse Sector Experience

Access to a Team of Industry Experts

At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.

Commercial Sector

Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.

SMEs

Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimise your operations, and scale confidently with our tailored solutions that prioritise your unique business needs.

Third Sector

For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.

Multi Nationals

For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavours with resilience.

Public Sector

In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.

Why Use Our Outsourced DPO Services?

Save Time, Money and Guarantee Compliance

Navigating the intricate landscape of data protection demands more than just a DPO — it requires a dedicated team committed to excellence. Our Outsourced DPO Services extend beyond the traditional role, offering a comprehensive approach to legal compliance and pragmatic solutions.

Why Choose Outsourcing?

An outsourced DPO brings a wealth of experience, not just in the law but also in crafting workable solutions. Their impartiality is fortified by a team of privacy practitioners, ensuring that your organisation benefits from a spectrum of expertise. Should the need arise, seamless coverage during absences is guaranteed, eliminating the vulnerability associated with a single in-house DPO.

Staying Headache-Free

Concerned about the disruption if your DPO moves on? With an outsourced model, transitions are smooth, and you won’t experience the sudden headache of a critical role vacancy. The continuity provided by a team ensures that your data protection responsibilities are seamlessly handled.

Compliance Tailored to You

Our Outsourced DPO Services align seamlessly with your legal obligations, whether you’re mandated to appoint a DPO or choose to do so voluntarily. We understand that compliance is not just about ticking boxes but about ensuring a robust, practical approach to data protection. Choose Data Protection People for a worry-free, compliance-driven outsourced DPO solution — because your data protection journey should be as smooth as it is secure.

“I can't recommend Data Protection People enough, they have helped me in so many different areas, no matter how complex the challenge or how large the obstacle, DPP always has the answer.

I can call the team at any time and have built an amazing relationship with them, in times of frustration they are here to calm me down and create a plan, they are a pleasure to work with.”

Mark Leete
Eastlight Community Homes

‘I found the FOI training session to be highly informative and well-structured. It covered all the key areas comprehensively and provided clear, practical guidance throughout. The content was easy to follow, and the delivery by Gary was engaging, making complex topics accessible and understandable’. 

‘The training session has really helped me to understand the IG rep role a bit more and what I need to be thinking about when receiving a request for information’. 

Charlene Haynes & Team
Tendring District Council

“I have worked with the Data Protection People for some time now. Their expertise has been drawn upon to assist us with our GDPR compliance gap analysis project, ROPA design and production through to conducting objective reviews and surveys. They are always available to help us out and their advice and guidance is excellent and delivered in a timely way. Special mentions to Kathy Midgley, Phil Brining, and David Hendry. A great, reliable and dependable service!”

Judy Barker
Dyslexia Action

“A great service and peace of mind. Data Protection People provides a well-rounded service to ensure customers are fully supported in their approach to GDPR compliance. My interaction has largely been with the following people: Kathy Midgley – another great asset to the organisation. Always approachable, always helpful and consistently supportive to the team and customers.”

Julie Ferguson
Veritau

“We have been working with the Data Protection People for many years now, and have found them to be insightful, helpful, and knowledgeable in all areas of Data Protection Compliance. Data Protection People have taken the time to understand our business, the regulatory environment we sit under, and the unique challenges we face in the industry. They have supported us in all areas of Information and Data Security, assisting in assessments of our policies and changes to our processes. They are always willing to go the extra mile and prioritise support where required.”

Nia Roberts
Woodgate & Clark

Data Protection People Blogs & Podcasts

Data Privacy Learning & Guidance

Data Protection People have the UK's #1 Data Protection Podcast, with over 150 episodes available across all audio streaming platforms. We also post regular content designed to simplify complex areas of data protection and cyber security. Check out some of the podcasts and articles below and make data protection easy today.

Why Is Dedicated Data Protection Compliance Software Important?

Dedicated data protection compliance software is important because it reduces the reliance on cumbersome manual processes. Instead of relying on static documentation like spreadsheets, automated platforms allow organisations to maintain ongoing compliance simply and easily.

TL;DR

  • Dedicated data protection compliance software centralises GDPR compliance, rather than relying on various spreadsheets.
  • It automates processes and minimises human error, reducing risk.
  • It provides audit-ready evidence of compliance.
  • Platforms like Data Protection People’s Datawise support ongoing compliance, rather than one-off snapshots.

What is Dedicated Data Protection Compliance Software?

Dedicated data protection compliance software is a centralised platform designed to help businesses comply with GDPR. Often referred to as Privacy Information Management Systems (PIMS), it streamlines SARs, RoPAs and DPIAs, as well as training records, risk registers and more.

Datawise is Data Protection People’s compliance software, helping DPOs stay on top of everything they need to stay GDPR compliant.

Why is Dedicated Data Protection Software Important for GDPR Compliance?

Dedicated compliance software is important because it makes demonstrating accountability (an integral part of GDPR compliance) much simpler.

Centralises Compliance Activities

With one system for data mapping, risk tracking and incident management, a centralised platform eliminates fragmented processes.

Provides Evidence of Compliance

The accountability principle in GDPR requires you to be able to demonstrate compliance, not just to hold policies. Gathering this evidence can take hundreds of hours, depending on the size of the organisation. Dedicated privacy compliance software streamlines this task.

Reduces Human Error

Compliance software removes reliance on spreadsheets and standardises workflows, helping to reduce the risk of human error.

What Features Should Dedicated Data Protection Compliance Software Have?

The most effective GDPR compliance software includes tools that support everyday compliance and long-term governance. The features that should be included are:

  • Rights request management
  • Records of Processing Activities (RoPAs) management with audit trails
  • Data Protection Impact Assessments (DPIAs) workflows
  • Incident and breach tracking
  • Risk registers and reporting dashboards
  • Supplier/processor management

How is Dedicated Compliance Software Different from General Data Management Tools?

A dedicated compliance platform is built around specific regulatory requirements, going above and beyond a simple data storage tool. Software like Datawise manages compliance processes from end-to-end, automating workflows and centralising everything you need to be compliant in one place.

Do You Need Dedicated Compliance Software to Manage a GDPR Audit?

Dedicated data protection compliance software is not a legal requirement, but it significantly improves the efficiency and accuracy of GDPR audits. It makes evidence gathering faster, audits easier and gives you better visibility of your organisation’s risk factors.

Make GDPR Compliance Simpler With Datawise from Data Protection People

Datawise is Data Protection People’s proprietary compliance software. It’s built on a world-class platform, enabling easier compliance management by centralising and streamlining data management. Get in touch to find out more.

FAQs

What is GDPR compliance software?

Data protection compliance software is a tool designed to help organisations manage GDPR obligations, including SARs, DPIAs and data records.

Can I manage GDPR compliance without dedicated software?

Yes, you can, but using manual tools is inefficient, and can lead to inaccuracies. Dedicated software centralises everything, improving ongoing GDPR compliance.

How does data protection software support audits?

Put simply, it makes demonstrating your organisation’s compliance much easier. Dedicated compliance software centralises records, provides audit trails and structured documentation.

What Happens During a GDPR Audit? A Look at Our Process

During a GDPR audit, assessors look at how your business or organisation collects, processes and protects personal data. They identify compliance gaps and risks, allowing you to meet UK GDPR requirements.

TL;DR

  • A GDPR audit assesses your data protection and risks against UK GDPR.
  • Not all audits are created equal. Data Protection People’s process prioritises real-world risks and includes a report with a prioritised action plan.
  • It helps organisations move from uncertainty to evidence-based compliance.

What is a GDPR Audit and Why Does it Matter?

A GDPR audit is a review of your business’s data protection practices, assessing whether it is GDPR compliant.

The purpose of a GDPR audit is to:

  • Identify compliance gaps
  • Reduce risk of breaches and fines
  • Demonstrate accountability

An effective audit evaluates the policies and practices of your organisation’s data handling, and helps to uncover any data exposure risks.

What Happens During a GDPR Audit?

A GDPR audit from Data Protection People always follows the same structure to ensure that we don’t miss anything.

Scope Definition

A Data Protection People GDPR audit starts with discovery. We need to understand your sector, size, data flows and key risks to ensure the audit is tailored to your business needs.

Documentation and Processes Review

We explore your existing documentation and processes, including policies, procedures, records of processing (RoPA), contracts and technical controls.

Key Stakeholder Interviews

To understand how data processing works in practice, and not just on paper, we speak to key individuals across departments.

Gap Analysis

We conduct gap analysis against UK GDPR requirements to identify areas of non-compliance or areas that are at risk of non-compliance.

Risk Priorities

Rather than a list of things that need fixing with no clear focus or urgency, we prioritise findings based on risk level, impact and likelihood, so you know what to focus on first.

Audit Report and Practical Roadmap Delivery

You receive a clear overview of your organisation’s compliance position, with the key risks highlighted.
We also provide a prioritised, actionable roadmap to bring your business closer towards full compliance.

Ongoing Support

As an optional extra, we can continue working with you to implement the recommendations, either through our support service or an outsourced DPO.

What Types of GDPR Audits Are Available?

Our GDPR audits are tailored to your organisation’s size, maturity and risk profile. The structure stays the same, but the depth, focus and outputs vary depending on the audit type. We offer:

  • Full GDPR Audit – a comprehensive review across all aspects of data handling and compliance.
  • Gap Analysis Audit – a lighter, faster health check to identify key issues.
  • Thematic / Targeted Audit – focuses on specific areas, such as SARs, DPIAs, etc.
  • Supplier/Processor Audit – assesses third-party compliance, ideal for organisations with complex supply chains.
  • Sector-Specific Audit – tailored to industries like healthcare or housing.

GDPR Audits From Data Protection People

At Data Protection People, our GDPR audits are tailored to your needs. Whether you’re a complex organisation in need of clarity or a start-up keen to get it right, we can help you focus on what actually matters.

Get in touch with our team today.

FAQs

How long does a GDPR audit take?

How long a GDPR audit takes depends on the organisation’s size and complexity, ranging from a few days to several months.

How do you know if your business needs a GDPR audit?

Your business needs a GDPR audit if you lack visibility over your data protection risks or compliance status.

Do I need dedicated software to manage a GDPR audit?

No, it’s not mandatory to have dedicated software to manage a GDPR audit. However, it does significantly improve the audit’s efficiency and accuracy.

AI and Data Protection for UK Businesses

By Amber Sivill, Junior Data Protection Consultant at Data Protection People

AI is already in the workplace, whether leadership has approved it or not. UK data shows business use is rising, with 26% of businesses reporting use of at least one AI technology in March 2026, while nearly half of employers who use or plan to use AI expect their business model to use or rely on it within three to five years. At the same time, wider workplace research suggests many employees are using their own tools without formal approval. For SMEs, that creates a familiar problem in a new form: productivity pressure on one side, data protection and cyber risk on the other.

From Data Protection People's perspective, the answer is not a blanket ban, but instead the controlled adoption and oversight of AI tools. The Information Commissioner's Office is clear that there is no AI exemption to data protection law, and the National Cyber Security Centre warns that AI systems introduce distinct security risks that must be designed for, monitored, and managed. The practical goal is to let staff use AI where the benefit is real, while keeping personal data, confidential information, and security controls intact.

Why this matters now

The real issue is not only formal AI projects, but also shadow AI. Microsoft found that 78% of AI users bring their own tools to work, which is even more common in small and medium-sized companies. This is particularly problematic because a quick prompt can become a security incident if staff paste in names, emails, case notes, HR material, complaints, contracts or commercial information. Cross-border processing is often missed too. If personal data is sent, or simply made accessible, to a separate organisation outside the UK, the ICO treats that as a restricted transfer under UK GDPR. In parallel, the ICO has warned that wrongly relying on generative AI outputs as factually accurate information about individuals can lead to misinformation, reputational damage and other harms to individuals.

The ICO also notes that AI models can contain personal data and may embed training data in ways that could allow retrieval or disclosure. The NCSC adds that AI systems are exposed to both familiar cyber threats and AI specific threats such as prompt injection, data poisoning, and model inversion.

Ban or controlled adoption

An overarching ban has one advantage: it is simple to implement. But it is not realistic, and it can make the risk less visible by driving AI use underground. Controlled adoption is harder, but it is normally the better fit for UK SMEs because it accepts how work is realistically happening and gives you a route to govern it.

Approach: Ban
Benefits: Clear message, lower immediate exposure in very high-risk areas
Risks: Workarounds, shadow AI, lost productivity, weak visibility
When appropriate: Highly sensitive processing, no approved secure tooling, active incident or regulatory concern

Approach: Controlled adoption
Benefits: Better visibility, practical governance, safer productivity gains, staff trust
Risks: Needs policies, reviews, training, monitoring and resourcing
When appropriate: Most SMEs, where AI is already appearing in admin, marketing, IT or drafting work

This is consistent with current evidence showing rising adoption, strong employee demand and the need for governance rather than denial.

What staff need to hear

Communication to staff has to be clear and easy to understand. Organisations should be able to tell individuals what the rules are, what they have to do and when to ask for guidance. That approach aligns with ICO expectations on accountability and NCSC guidance on awareness, secure use and human oversight. It is also crucial to keep supporting staff with quality, regular training.

Do

  • Use only approved AI tools.
  • Keep prompts generic where possible.
  • Remove personal data and confidential detail unless the tool and use case have been approved.
  • Check outputs before you use or share them.
  • Escalate if you are unsure.

Do not

  • Paste personal data, special category data, client files, HR records, passwords, source code or commercially sensitive material into public tools.
  • Treat AI output as a fact without checking it.
  • Use AI to make significant decisions about people without meaningful human review and approval.
  • Buy or connect new AI tools without going through the approval route.

Controls and governance

For most organisations, the right control set is straightforward: keep an AI register, publish an AI policy, set an approval workflow, run DPIAs where risk justifies it, complete supplier due diligence, assess international transfers, and apply technical controls around access, logging and data loss prevention. ICO guidance is clear that a DPIA is required where new technology use is likely to result in high risk, and if in doubt, doing one is recommended. DSIT’s AI Management Essentials also directs SMEs towards an AI system record, an accessible AI policy, impact assessment, risk assessment and communication with employees.
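The "Do not" list above tells staff what must never be pasted into a public tool, and the control set here names data loss prevention as the technical backstop. The following prompt-screening gateway is an added example written for this page, not Data Protection People's tooling or any vendor's product. It assumes the gateway sees the raw prompt before it leaves the organisation; the identifier patterns (email, UK National Insurance number, UK mobile number, UK postcode) are simplified assumptions, as are the "block" markers for secrets and special category data. The design point is that direct identifiers can be masked and the prompt forwarded, whereas special category content and credentials are blocked outright, because masking a name does not remove the meaning of "her diagnosis". Pattern matching will miss names, job titles and context that still identify someone, so this complements approval and training rather than replacing them.

```python
"""Prompt screening before text leaves the organisation (added example, illustrative patterns)."""
import re

# Direct identifiers that can be masked while leaving the prompt usable.
# Patterns are deliberately simplified (the NI check ignores prefix rules, the phone
# check covers 11-digit UK mobiles only) and are assumptions for this example.
IDENTIFIER_PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("NI_NUMBER", re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")),
    ("PHONE", re.compile(r"(?:\+44\s?|\b0)\d{4}\s?\d{6}\b")),
    ("POSTCODE", re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b")),
]

# Content where masking is not enough: secrets, and special category data whose meaning
# survives redaction of the name. These prompts are blocked and routed to the approval process.
BLOCK_PATTERNS = [
    ("PRIVATE_KEY", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("CREDENTIAL", re.compile(r"\b(?:password|passwd|api[_ -]?key)\s*[:=]", re.I)),
    ("SPECIAL_CATEGORY", re.compile(
        r"\b(?:diagnos(?:is|ed)|medical record|disabilit(?:y|ies)|trade union|"
        r"ethnic origin|sexual orientation|criminal (?:record|conviction))\b", re.I)),
]


def screen_prompt(text):
    """Return {"decision": allow|redact|block, "text": masked prompt, "findings": {label: count}}."""
    findings = {}
    for label, pattern in BLOCK_PATTERNS:
        hits = len(pattern.findall(text))
        if hits:
            findings[label] = hits
    if findings:
        # Never forward a partially masked prompt; the author must use an approved route.
        return {"decision": "block", "text": "", "findings": findings}

    masked = text
    for label, pattern in IDENTIFIER_PATTERNS:
        masked, hits = pattern.subn(f"[{label}]", masked)
        if hits:
            findings[label] = hits
    return {"decision": "redact" if findings else "allow", "text": masked, "findings": findings}


if __name__ == "__main__":
    # Constructed prompts, not real data.
    for prompt in (
        "Draft a reply to jane.doe@example.co.uk (NI QQ123456C, tel 07700 900123, LS1 4AP) about her complaint.",
        "Summarise this: -----BEGIN RSA PRIVATE KEY----- MIIEow...",
        "Write a tagline for our spring campaign.",
    ):
        print(screen_prompt(prompt))
```

Run as a script it prints the three decisions; in a gateway the "redact" text is what would be forwarded and the findings counts are what would be logged for the periodic review the article recommends.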

Suggested AI policy headings

  • Policy Statement
  • Purpose and Scope
  • Roles and Responsibilities
  • Data Protection Considerations Around AI
  • DPIAs
  • Prior Consultation
  • Privacy By Design and Default
  • Data Protection Principles
  • Rights
  • Data Processors
  • Restricted Transfers
  • Cyber Security Risks
  • Intellectual Property
  • Accuracy of Output
  • AI Dos and Don’ts

How to approve AI tools in practice

When someone in your organisation wants to use an AI tool, you do not need a complicated process, but you do need a consistent one.

Start with a simple question, will the tool involve personal data or sensitive information?

If the answer is no, carry out a basic check. Look at who provides the tool, whether it is secure, and whether it fits your business and the rules of your AI policy. If you are comfortable, you can allow a limited trial and keep it under review.

If the answer is yes, you need to slow things down and consider if the processing can comply with the UK GDPR.

  • Review how the tool uses data
  • Check where the data is stored, especially if it leaves the UK
  • Carry out a DPIA if there is any real risk
  • Review the supplier and their terms

Once that is done, decide:

  • If the risks are too high, do not use the tool or look for an alternative
  • If the risks are manageable, approve it with conditions, for example limiting what data can be used and requiring human review

After approval, the job is not finished. You should monitor how the tool is used, review it periodically, and be prepared to stop using it if risks change.

Immediate next steps

  • Identify which AI tools staff are already using.
  • Approve a short list of safer tools and incorporate this into an AI policy of approved tools.
  • Send out staff communication informing them of the organisation’s stance on the use of AI as well as rules for them to consider.
  • Add AI to your DPIA and procurement workflow.
  • Review supplier terms, retention and training arrangements.
  • Check for restricted transfers and document the outcome.
  • Train managers first, then wider staff.
  • Decide who owns AI governance internally.

These are practical first steps for SMEs and align with current ICO, NCSC and DSIT guidance.

Reasonable enforcement

You cannot police every prompt, and you do not need to. Reasonable enforcement means proportionate controls and visible accountability. Use SSO and approved tool access where you can, browser or network restrictions for clearly banned tools, logging sufficient to investigate incidents, targeted audits in high-risk teams, and a simple route for staff to ask before using a new tool. The NCSC specifically recommends monitoring and log data that lets you audit use, investigate compromise and manage security incidents, while DSIT's hidden AI risks work makes the same point from an organisational angle: successful AI governance is cultural as well as technical.
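As a worked illustration of "logging sufficient to investigate incidents" and "targeted audits in high-risk teams", the script below is an added example written for this page; it is not Data Protection People's tooling. It assumes a web proxy that writes one key=value line per request (the sample lines are constructed), a placeholder approved-tool list standing in for the policy's short list of safer tools, an illustrative watch-list of generative-AI domains, the team names "hr" and "legal" as the high-risk groups, and a 10 KB request-body threshold as a crude signal that a document was pasted rather than a prompt typed. It goes slightly beyond the paragraph by matching subdomains (so api.openai.com is caught by an openai.com entry) and by ranking users so the audit starts with the highest-risk cases.

```python
"""Shadow-AI audit over web-proxy logs (added example; constructed data).

Assumed log format (one request per line, written by the proxy):
    <timestamp> user=<id> group=<team> method=<verb> host=<fqdn> bytes_out=<request bytes>
"""
import re

# Hypothetical approved list, i.e. the "short list of safer tools" from the AI policy.
APPROVED_AI_DOMAINS = {"copilot.microsoft.com"}

# Illustrative watch-list of generative-AI service domains. A real list would be
# maintained from the AI register and vendor documentation, not hard-coded.
WATCHLIST_AI_DOMAINS = {
    "chatgpt.com", "openai.com", "claude.ai", "anthropic.com",
    "gemini.google.com", "copilot.microsoft.com",
}

# Teams assumed to handle the highest-risk personal data; audited first.
HIGH_RISK_GROUPS = {"hr", "legal"}

# Request bodies at or above this size to an unapproved tool are treated as a
# probable document paste rather than a typed prompt (a crude, assumed threshold).
LARGE_UPLOAD_BYTES = 10_000

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) group=(?P<group>\S+) method=(?P<method>[A-Z]+) "
    r"host=(?P<host>\S+) bytes_out=(?P<bytes_out>\d+)$"
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
2026-04-10T09:12:31Z user=alice group=marketing method=GET host=www.example.co.uk bytes_out=512
2026-04-10T09:14:02Z user=alice group=marketing method=POST host=chatgpt.com bytes_out=2210
2026-04-10T09:15:45Z user=bob group=hr method=POST host=claude.ai bytes_out=48120
2026-04-10T09:16:10Z user=carol group=it method=POST host=copilot.microsoft.com bytes_out=900
2026-04-10T09:18:33Z user=alice group=marketing method=POST host=api.openai.com bytes_out=17000
2026-04-10T09:20:00Z user=dave group=legal method=GET host=claude.ai bytes_out=300
this line is malformed and is skipped rather than guessed at
"""


def matches_domain(host, domains):
    """True if host equals or is a subdomain of any listed domain (api.openai.com -> openai.com)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_host(host):
    """approved_ai / unapproved_ai / other. Approved is checked first so a tool that is
    both approved and on the watch-list is not reported."""
    if matches_domain(host, APPROVED_AI_DOMAINS):
        return "approved_ai"
    if matches_domain(host, WATCHLIST_AI_DOMAINS):
        return "unapproved_ai"
    return "other"


def parse_line(line):
    """Parse one proxy line; malformed lines return None and are skipped, not guessed at."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def audit(log_text):
    """Per-user findings for unapproved AI use: hosts, request count, time window,
    probable uploads, and a priority raised for high-risk teams or large uploads."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or classify_host(rec["host"]) != "unapproved_ai":
            continue
        f = findings.setdefault(rec["user"], {
            "group": rec["group"], "requests": 0, "hosts": set(), "large_uploads": 0,
            "first_seen": rec["ts"], "last_seen": rec["ts"],
            "priority": "high" if rec["group"] in HIGH_RISK_GROUPS else "normal",
        })
        f["requests"] += 1
        f["hosts"].add(rec["host"])
        f["first_seen"] = min(f["first_seen"], rec["ts"])  # ISO-8601 strings sort chronologically
        f["last_seen"] = max(f["last_seen"], rec["ts"])
        if rec["method"] == "POST" and rec["bytes_out"] >= LARGE_UPLOAD_BYTES:
            f["large_uploads"] += 1
            f["priority"] = "high"
    return findings


def report(findings):
    """One line per user, high priority first: the list a targeted audit starts from."""
    lines = []
    for user, f in sorted(findings.items(), key=lambda kv: (kv[1]["priority"] != "high", kv[0])):
        lines.append(f"{f['priority']:6} {user:8} {f['group']:10} requests={f['requests']} "
                     f"uploads={f['large_uploads']} hosts={','.join(sorted(f['hosts']))} "
                     f"window={f['first_seen']}..{f['last_seen']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit(SAMPLE_LOG))))
```

On the sample data carol's Copilot use is not reported because it is on the approved list, dave appears only because legal is a high-risk team, and alice is raised to high priority by a 17 KB POST to api.openai.com. The output is an investigation starting point, not proof that personal data left the organisation; the conversation with the user and the tool's own data-handling terms decide that.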

How Data Protection People supports clients

At Data Protection People, we are seeing AI move from a side conversation to a core compliance issue. We support clients with practical AI guidance, policy and framework design, DPIA and international transfer support, contract and supplier review, documentation templates, training and ongoing advisory support through our consultancy, toolkit and support services. Our wider view is simple: organisations should protect themselves first, but they should not pretend AI is going away. The sensible path is to embrace it with caution, good governance and clear boundaries.

We will also be discussing this on the Data Protection Made Easy podcast on Friday 24 April, joined by Caine Glancy and myself, Amber Sivill. The podcast is hosted live every Friday at lunchtime and is designed for practical discussion, not theory, which is exactly what this topic needs. If you are reading this after 24 April 2026, you can listen to the full discussion on Spotify via the Data Protection Made Easy podcast.


How SMEs Can Handle Subject Access Requests (SARs) Effectively

Under UK GDPR, individuals have the right to request access to the personal data an organisation holds about them. Known as Subject Access Requests (SARs), these requests must be answered without undue delay and at the latest within one month of receipt, extendable by up to two further months where a request is complex or numerous. Responding correctly requires more than simply locating and sending data. For SMEs without dedicated data protection support, SARs can be one of the most time-consuming and high-risk compliance obligations they face.

In this article, we cover why SARs are challenging for SMEs, how the right SAR support can make a difference and how data protection specialists like Data Protection People can help.

Why Are SARs Challenging for SMEs to Handle?

SARs are particularly challenging for SMEs without a dedicated data protection team for several reasons:

  • Limited resources mean handling a SAR can be time-consuming, requiring significant staff effort to locate and review data, especially when it’s spread across multiple systems.
  • Understanding what falls within scope can be challenging, especially when requests are broad or unclear.
  • Applying appropriate redactions to protect third-party rights while providing a complete response requires careful consideration.
  • Many SMEs lack standard procedures or templates for handling SARs, leading to inconsistent and inefficient responses.

How Can SMEs Manage SARs Effectively?

Assign Responsibility and Train Staff

Designate a member of staff to manage SARs, whether an internal Data Protection Officer (DPO) or a nominated individual. Ensure employees receive SAR training so they can recognise requests and escalate them promptly.

Consider outsourcing your DPO function to data protection specialists such as Data Protection People. Our outsourced DPO service ensures you have expert support to handle SARs compliantly, along with ongoing data protection support and targeted training to help your team understand when and how to escalate requests.

Implement a Clear Procedure

A clear SAR procedure should outline how requests are received, logged, verified, tracked and closed. It should include the criteria for extensions and the escalation procedure for complex or high-volume cases.

We support SMEs by establishing these procedures, creating templates for consistency and advising on data mapping strategies to locate information efficiently. This transforms SAR handling from a reactive task into a structured, repeatable workflow. We also ensure full documentation is maintained throughout, recording all actions, decisions and communications to provide a complete audit trail.

Define the Scope

Before starting any data search, it’s essential to define what the request covers and what personal data is in scope, particularly where third-party data or sensitive information is involved. This makes the process more efficient and reduces the risk of over- or under-disclosure.

At Data Protection People, we supported an organisation handling a SAR from a long-serving former employee, where the volume of emails and records raised concerns about meeting the deadline. We helped narrow the scope appropriately, clarifying that not all internal correspondence falls within scope. By helping the client interpret the scope, we significantly reduced the workload while maintaining compliance with UK GDPR.

Redact and Prepare Responses

Where third-party personal data is included, redactions must be applied with clear legal justification. Responses must be clear and GDPR-compliant, with any withheld information explained and the legal basis for withholding it explicitly stated.

These situations can be particularly challenging. For example, housing providers may receive SARs from tenants requesting CCTV footage or information relating to complaints made against them. Even where visible data is redacted, contextual elements, such as camera positioning, may still make individuals identifiable.

We support organisations in assessing whether disclosure is appropriate, advising on the limitations of redaction and ensuring the final response is compliant.

Expert SAR Support for SMEs

For SMEs without dedicated data protection resources, having the right support in place is not just a compliance measure; it’s a necessity.

If your business is struggling with SAR management or wants to implement stronger processes, get in touch to find out how Data Protection People can help.

S2 Ep13: GDPR Radio: News Of The Week

GDPR Radio is our regular news roundup, where we break down the biggest stories from the world of data protection, privacy, and emerging tech. In this episode, Catarina Santos and Caine Glancy walk through the latest developments in data protection, highlighting recent regulatory activity, enforcement trends, and key stories organisations need to be aware of.

These sessions are designed to give a clear, practical overview of what is happening right now, helping organisations stay informed without needing to dig through complex legal updates.

Listen back on Spotify

Episode highlights

This session focuses on recent news and real-world developments in the data protection landscape.

1) Recent data protection news and updates
We cover the latest developments across GDPR and wider privacy regulation, including new guidance, legal updates, and shifts in how data protection is being applied in practice.

2) Data breaches and enforcement action
The episode looks at recent breaches and fines, helping to highlight common risks and what organisations can learn from real cases.

3) Regulator decisions and trends
We explore activity from regulators, including enforcement approaches and what this signals for organisations moving forward.

4) Big tech and privacy developments
Discussion includes how large organisations are handling personal data, and what this means for compliance expectations across all sectors.

Key takeaways for organisations

  • Stay up to date with data protection news to understand how expectations are evolving in practice.
  • Learn from real-world breaches and enforcement action to identify and reduce your own risk areas.
  • Pay attention to regulator trends, as these often indicate where future scrutiny will be focused.
  • Ensure your organisation is adapting to changes in how personal data is being used, especially as technology continues to evolve.

About GDPR Radio

GDPR Radio is part of the Data Protection Made Easy podcast. Join live to ask questions, share views in the chat, and keep up with what’s happening across regulation, enforcement, and practice.

Speakers

Catarina Santos, Data Protection Consultant, Data Protection People
Caine Glancy, Data Protection Consultant, Data Protection People

Weaponised SARs

What Are Weaponised SARs? Key Insights from 180 Data Protection Professionals

On Friday 10 April, the Data Protection Made Easy podcast hosted a live discussion on one of the fastest-growing challenges in information rights, weaponised Subject Access Requests, often referred to as weaponised SARs.

Led by Catarina Santos and Caine Glancy, the session attracted 180 live participants, with a highly active chat and more questions than could be answered in a single session.

This signals a clear shift. Weaponised SARs are no longer a niche issue. They are a growing operational challenge affecting organisations across housing, healthcare, local authorities and the private sector.

Subject Access Requests are increasingly being used strategically. Rather than purely supporting transparency, they are now being submitted alongside complaints, grievances, legal disputes and disrepair claims.

This does not remove the legal right of access. It does mean organisations must work harder to define scope, manage intent and respond in a way that is both compliant and proportionate.

If your organisation is already dealing with increasingly complex requests, our SAR Support Service helps teams manage Subject Access Requests efficiently and with confidence. Many organisations also benefit from wider governance support through our Data Protection Support Service and Outsourced DPO service.

Why are weaponised SARs rising?

During the session, Catarina highlighted that this trend is becoming more frequent and more disruptive.

As she explained, “Unfortunately, it’s becoming more regular and is definitely something that organisations are seeing on a very regular basis.”

The core issue is a tension between legal rights and strategic use. Individuals have a right to access their personal data, but some requests are clearly being used to apply pressure or gain leverage.

Caine reinforced this by highlighting a common pattern seen across organisations: “They only ask if they think there is a smoking gun.”

This reflects a wider shift. Many SARs are no longer exploratory; they are targeted, often driven by disputes or a belief that key evidence exists within organisational records.

The role of AI in weaponised Subject Access Requests

Artificial intelligence is accelerating this trend.

Catarina explained how AI tools are shaping behaviour: “They are relying a lot on ChatGPT and other AI platforms… SARs are something that you should always submit.”

Caine added: “Practically everybody within the meeting today has probably received a request that looks like it’s come from an AI platform.”

This creates a new challenge. Requests now often appear legally confident, broad in scope and poorly understood by the requester.

As a result, organisations are dealing not only with the initial request, but also repeated AI-generated follow-ups and challenges.

A member of the community commented, “We are seeing data subjects use AI more and more to contradict our responses. It’s becoming a real issue.”

This is one reason why having a practical SAR process matters more than ever. A clear workflow, strong template letters and the right internal escalation points can reduce risk and improve consistency. For organisations that need extra support, our SAR Support Service is designed to help with scoping, review, redaction and response management.

Real challenges shared by the data protection community

The live chat reinforced just how widespread this issue has become.

A member of the community commented, “Weaponised suits our situation. Customers will send us a SAR to delay actions or find us in the wrong.”

Another added, “Most of our requests ‘scream’ ChatGPT now.”

Another highlighted the operational frustration, commenting, “We spend so much time responding, just for it to be put back through AI and asked again in a different way.”

A recurring theme was expectation versus reality. Many requesters expect full disclosure of documents, while organisations must apply the law correctly and proportionately.

Solicitors, tone and pressure tactics in SARs

Another key discussion point was the role of solicitors and representatives.

Catarina noted that tone is often used strategically: “The tone is definitely to create fear among the people managing these requests.”

This is often combined with misunderstandings about the scope of a SAR.

A member of the community commented, “The lawyers advising them are oblivious of the fact that documents do not form part of a DSAR response.”

Another added, “Just because they ask for something, data protection still applies.”

This highlights a critical point for organisations. A SAR is a right to personal data, not a blanket right to all documents, emails or internal records.

That distinction sits at the heart of good SAR handling. It also links closely with broader compliance and governance practice, which is where services such as our Data Protection Support Service and Outsourced DPO service can help organisations build stronger foundations.

Why clarifying a SAR request is essential

One of the most important takeaways from the session was the need to clarify scope early.

Catarina advised: “Don’t be scared to clarify the request.”

Broad requests such as “all my personal data” can quickly become disproportionate if not narrowed.

She also reinforced a key legal distinction: “The right is to personal data, nothing more, nothing less.”

Clarification helps reduce unnecessary workload, focus on relevant data, improve response accuracy and manage expectations early.

A member of the community commented, “Provide everything you have on me is exhausting.”

The growing pressure on data protection teams

The discussion also highlighted the strain on internal teams.

Caine explained: “A lot of people do SARs individually… that might not be feasible anymore.”

This was strongly reflected in the chat.

A member of the community commented, “I’m just one person.”

Another added, “I have a team of 11 and it’s still not enough.”

Another said, “Many of ours are overdue as we are overwhelmed.”

This demonstrates a clear gap between legal expectations and operational reality.

Where internal resource is stretched, it often makes sense to bring in specialist support for complex or high-volume cases. Our SAR Support Service is built for exactly this, helping organisations reduce pressure on internal teams while maintaining a defensible and structured response process.

ICO guidance, challenges and uncertainty

The session also explored frustrations around regulatory guidance.

Caine said: “What would really help is more detailed guidance.”

Catarina added: “It’s too broad… it’s hard to define what it means in practice.”

The community echoed this.

A member of the community commented, “I wish the ICO would issue clear guidance from experiences like this.”

Another said, “It’s hard to know whether the ICO has received a complaint or not.”

This lack of clarity leaves organisations making difficult judgement calls without consistent, practical support.

How organisations should respond to weaponised SARs

While there is no single solution, several practical steps emerged from the discussion.

Organisations should build a practical SAR process that reflects real workflows, use clear templates for acknowledgements, clarifications and responses, clarify scope early to avoid unnecessary work, document decisions and search methodologies, and apply the law confidently and proportionately.

Caine summarised this well: “You’ve got to not be afraid to push back when things are getting too far.”

In practice, that often means having the right mix of process, confidence and support. Our SAR Support Service helps organisations manage difficult requests from initial scoping through to final response, while our Data Protection Support Service and Outsourced DPO service support wider compliance, governance and decision-making.

Why this conversation is not over, part two is coming soon

With 180 attendees and a highly engaged discussion, it became clear that one session was not enough.

Several topics require deeper exploration, including repeat SAR requests, metadata requests, grievance-led SARs, solicitor authority, search methodology and proportionality.

As Caine confirmed: “We’ll be picking apart some of these requests and taking it into a second session.”

That feels exactly right. Weaponised SARs are not a passing frustration. They reflect a broader shift in how data rights are being used, challenged and operationalised.

For anyone working in data protection, compliance, information governance or complaints handling, this is a conversation that is only becoming more important.

Need support with complex or weaponised SARs?

Weaponised SARs are not a temporary trend. They reflect a broader shift in how data rights are being used.

If your organisation is experiencing increasing SAR volumes, more complex or strategic requests, or growing pressure on internal teams, now is the time to review your approach.

Explore our SAR Support Service to see how we help organisations manage Subject Access Requests efficiently, accurately and with confidence.

You may also find it useful to explore our wider Data Protection Support Service and Outsourced DPO service for ongoing compliance support.


Frequently asked questions about weaponised SARs

What is a weaponised SAR?

A weaponised SAR is a Subject Access Request that appears to be used strategically, often alongside a complaint, grievance or dispute, rather than simply to understand how personal data is being processed.

Are weaponised SARs still valid?

Yes. A requester may still have a valid right of access even where the wider context is contentious. Organisations still need to assess the request properly, define scope and respond lawfully.

Can AI increase the number of SARs?

Yes. AI tools can make it easier for people to generate broad, legally worded requests and follow-up challenges, which can increase both the volume and complexity of SAR handling.

Do SARs give people the right to all documents?

No. A SAR is a right to personal data, not a blanket right to every document, email or report in which a person may appear.

Should organisations clarify broad SARs?

Yes. Clarifying a broad request can help narrow scope, reduce unnecessary work and ensure the response is more accurate and proportionate.

How can organisations manage complex SARs more effectively?

Organisations should use a practical SAR procedure, clear templates, documented search methods, confident decision-making and specialist support where internal capacity is limited.


GDPR Radio, S2 Ep2: Data Protection News

Grok, the Online Safety Act, and UK AI Regulation

GDPR Radio is our regular news roundup, where we break down the biggest stories from the world of data protection, privacy, and emerging tech. In this episode, Catarina Santos and Caine Glancy cover early year enforcement activity from the ICO, debate what “valid consent” really looks like in modern digital ecosystems, and explore the growing pressure on social media platforms to protect children online, including age assurance and content moderation.

Listen back on Spotify

Episode highlights

This session covers three big themes that many organisations are grappling with right now.

1) PECR enforcement is back on the agenda
We discuss recent ICO fines linked to unsolicited marketing activity and PECR compliance, including the practical lessons for opt-outs, consent language, and third-party data sources.

2) Third-party marketing lists and the “consent problem”
A key discussion point is what “informed” consent looks like when individuals are presented with long lists of third parties, and whether any approach is truly usable, granular, and easy to withdraw in practice.

3) Social media, under-16s, and age assurance
We explore the UK conversation about restricting under-16 access to social media, and the operational reality behind age verification, predictive age estimation, and the privacy and security risks that can come with them.

Key takeaways for organisations

  • If your marketing activity relies on PECR, ensure opt-out routes are clear and effortless, and your lawful basis and consent language stand up to scrutiny.
  • If you use third-party data, check what individuals were actually told, what they agreed to, and whether withdrawal can realistically be managed.
  • If you operate services used by children or young people, start stress-testing your age assurance approach now, including supplier due diligence, security, and data minimisation.
  • When new tech risks emerge, reactive fixes often fall short; governance and risk management need to be built in from day one.

About GDPR Radio

GDPR Radio is part of the Data Protection Made Easy podcast. Join live to ask questions, share views in the chat, and keep up with what’s happening across regulation, enforcement, and practice.

Speakers

Catarina Santos, Data Protection Consultant, Data Protection People
Caine Glancy, Data Protection Consultant, Data Protection People

Lessons For Data Retention

Santa’s Naughty List, Lessons For Data Retention

Data Protection Made Easy Podcast, Episode 228 – Hosted by Caine Glancy and Special Guest Katerina Douni

This week’s episode takes a festive look at one of the most common challenges in data protection: knowing what to keep, what to delete, and what to safely archive. Inspired by Santa’s famous naughty list, Caine Glancy and first-time guest host Katarina Douni lead a lively discussion on data retention, storage limitation, and the practical steps organisations can take to stay compliant without holding information for longer than needed.

Katarina joined the podcast for her debut session and quickly set the tone with a clear message: many organisations continue to struggle with retention. She explored why data decisions matter, how retention periods should be approached, and why email is often the biggest culprit for uncontrolled storage. The session sparked strong engagement from our live audience, and the chat was filled with questions, examples, and shared challenges around retention, erasure, and day-to-day pressures inside busy teams.

Caine and Katarina walked listeners through common problems such as the overuse of email as a filing system, storing information long after its purpose has expired, and the difficulty teams face when deciding how long is long enough. They also discussed the risks of under-collecting or over-collecting information, the impact this has on storage limitation, and how organisations can simplify their retention rules to reduce confusion and avoid unnecessary risk.

As always, the live chat added a valuable layer to the discussion. Attendees shared their own retention periods, debated tricky scenarios, and raised questions that pushed the session further. The interactive nature of the podcast remains one of its key strengths and gives practitioners the chance to test ideas, compare approaches, and learn from each other in real time.

This episode is ideal for anyone who handles personal data, manages email systems, or oversees compliance. It provides clear explanations, relatable examples, and practical steps that can be applied immediately. With year end approaching, the timing could not be better for organisations reviewing their retention schedules or tackling email backlogs.

If you listened back on Spotify and want to join a future episode live, you can request an invite by emailing info@dataprotectionpeople.com. Live attendees can take part in the chat, ask questions, and access the deeper insight that comes from community discussion.

We host Data Protection Made Easy every Friday at 12:30 and new listeners are always welcome. Our community continues to grow each week with hundreds joining live and many more tuning in through audio platforms.

If you work in the housing sector, you may also be interested in our upcoming in-person STAIRs event taking place on the 5th of February. Details can be found on our website and on LinkedIn.

Listen below and enjoy this festive and practical dive into data retention.

Our Events & Webinars

Industry Leading Discussions

We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.

What Auditors Always Find and Why
08 May 26 12:30 - 1:15 pm

Managing Risk Without Killing Innovation
24 April 26 12:30 - 1:15 pm

Get Support With Data Protection And Cyber Security

Our mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.