The UK's #1 Data Protection Consultancy

Data Protection & Information Security Experts

Data Protection Made Easy.

Join our extensive list of clients who have their data privacy under control

Accelerate Your Data Protection Compliance

Save Time, Save Money and Relax: You’re In Safe Hands

Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.

GDPR Training

Data Protection People have a wide range of training services catering for every need. Whether it's general training for operational or admin staff or specific training for specialist roles, we have something for you. Watch the short video below to meet the team and find out more about our training services.

Information Management Software

DataWise is the original privacy tech platform designed to simplify GDPR compliance management. Since its inception in 2011, DataWise has continuously evolved, solidifying its reputation as the pioneering "privacy tech" solution.

Data Protection Consultancy

Unlock Compliance Excellence with Our GDPR Consultancy Services. Navigating the intricate realm of data protection laws and standards demands expert guidance.

Outsourced DPO

A data protection officer doesn't have to be a full-time employee, and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services, or reach out and get in touch with us.

Need Help With Cyber Security Compliance?

We Have You Covered!

At Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.

PCI DSS Compliance Services for Merchants

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.

PCI DSS Compliance Services for Service Providers

A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.

External Attack Surface Management

Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.

ISO 27001

Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.

Supporting DPOs

Flexible Support When You Need It

At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.

Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.

Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.

Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.

Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.

Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.

Diverse Sector Experience

Access to a Team of Industry Experts

At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.

Commercial Sector

Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.

SMEs

Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimize your operations, and scale confidently with our tailored solutions that prioritize your unique business needs.

Third Sector

For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.

Multi Nationals

For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavors with resilience.

Public Sector

In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.

Why Use Our Outsourced DPO Services?

Save Time, Money and Guarantee Compliance

Navigating the intricate landscape of data protection demands more than just a DPO — it requires a dedicated team committed to excellence. Our Outsourced DPO Services extend beyond the traditional role, offering a comprehensive approach to legal compliance and pragmatic solutions.

Why Choose Outsourcing?

An outsourced DPO brings a wealth of experience, not just in the law but also in crafting workable solutions. Their impartiality is fortified by a team of privacy practitioners, ensuring that your organization benefits from a spectrum of expertise. Should the need arise, seamless coverage during absences is guaranteed, eliminating the vulnerability associated with a single in-house DPO.

Staying Headache-Free

Concerned about the disruption if your DPO moves on? With an outsourced model, transitions are smooth, and you won’t experience the sudden headache of a critical role vacancy. The continuity provided by a team ensures that your data protection responsibilities are seamlessly handled.

Compliance Tailored to You

Our Outsourced DPO Services align seamlessly with your legal obligations, whether you’re mandated to appoint a DPO or choose to do so voluntarily. We understand that compliance is not just about ticking boxes but about ensuring a robust, practical approach to data protection. Choose Data Protection People for a worry-free, compliance-driven outsourced DPO solution — because your data protection journey should be as smooth as it is secure.

“I can't recommend Data Protection People enough, they have helped me in so many different areas, no matter how complex the challenge or how large the obstacle, DPP always has the answer.

I can call the team at any time and have built an amazing relationship with them, in times of frustration they are here to calm me down and create a plan, they are a pleasure to work with.”

Mark Leete
Eastlight Community Homes
‘I found the FOI training session to be highly informative and well-structured. It covered all the key areas comprehensively and provided clear, practical guidance throughout. The content was easy to follow, and the delivery by Gary was engaging, making complex topics accessible and understandable’. 

‘The training session has really helped me to understand the IG rep role a bit more and what I need to be thinking about when receiving a request for information’. 

Charlene Haynes & Team
Tendring District Council
“I have worked with the Data Protection People for some time now. Their expertise has been drawn upon to assist us with our GDPR compliance gap analysis project, ROPA design and production through to conducting objective reviews and surveys. They are always available to help us out and their advice and guidance is excellent and delivered in a timely way. Special mentions to Kathy Midgley, Phil Brining, and David Hendry. A great, reliable and dependable service!”

Judy Barker
Dyslexia Action
“A great service and peace of mind. Data Protection People provides a well-rounded service to ensure customers are fully supported in their approach to GDPR compliance. My interaction has largely been with the following people: Kathy Midgley – another great asset to the organisation. Always approachable, always helpful and consistently supportive to the team and customers.”

Julie Ferguson
Veritau
“We have been working with the Data Protection People for many years now, and have found them to be insightful, helpful, and knowledgeable in all areas of Data Protection Compliance. Data Protection People have taken the time to understand our business, the regulatory environment we sit under, and the unique challenges we face in the industry. They have supported us in all areas of Information and Data Security, assisting in assessments of our policies and changes to our processes. They are always willing to go the extra mile and prioritise support where required.”

Nia Roberts
Woodgate & Clarke

Data Protection People Blogs & Podcasts

Data Privacy Learning & Guidance

Data Protection People have the UK’s #1 Data Protection Podcast, with over 150 episodes available across all audio streaming platforms. We also post regular content designed to simplify complex areas of data protection and cyber security. Check out some of the podcasts and articles below and make data protection easy today.

A New Lawful Basis Under UK GDPR

Recognised Legitimate Interests: A New Lawful Basis Under UK GDPR

The UK data protection landscape continues to evolve, with the introduction of a new lawful basis for processing personal data.

The ICO has introduced guidance on Recognised Legitimate Interests, brought in through the Data (Use and Access) Act 2025.

This development is important for organisations relying on legitimate interests. While it may appear to be a simpler alternative, in practice it is more limited and requires careful compliance.

In practice, this lawful basis is most relevant to organisations involved in activities such as safeguarding or public safety. However, it may also apply in limited situations to private organisations supporting these purposes.

What Are Recognised Legitimate Interests?

Recognised Legitimate Interests are a new lawful basis for processing personal data, introduced through updates to UK data protection law.

Unlike the standard legitimate interests basis, this applies only to a limited set of pre-approved purposes defined in law.

What Are the Pre-Approved Purposes?

Pre-approved purposes refer to specific legal conditions where organisations can rely on this lawful basis.

Crime Prevention

Organisations can process personal data where necessary for detecting, investigating or preventing crime, or prosecuting offenders.

Examples include money laundering, terrorist financing, fraud, scams, and CCTV monitoring for retail theft.

National Security, Public Security or Defence

These are not explicitly defined in law but generally include:

  • National security: Protection of the UK’s institutions and population
  • Public security: Protection of the public from threats such as crime or disasters
  • Defence: Protection and effectiveness of the UK’s armed forces

Safeguarding

This applies to protecting vulnerable individuals, including children under 18 and adults at risk.

It includes protection from harm, neglect, and support for wellbeing. Organisations must ensure the individual qualifies as vulnerable and that processing is necessary.

Emergencies

This applies where processing is necessary during an emergency under the Civil Contingencies Act 2004.

  • War or terrorism
  • Threats to welfare
  • Threats to the environment

Public Task Disclosure

Organisations can share personal data where necessary for another organisation to carry out public tasks.

This applies only where the receiving organisation has a lawful public function.

How Is This Different from Legitimate Interests?

One key difference is that organisations do not need to carry out a balancing test.

This is because the interests are already recognised in law.

However, this is not a free pass. Organisations must still ensure:

  • The processing is necessary and proportionate
  • The recognised interest clearly applies

What Obligations Still Apply?

Organisations must still comply with UK GDPR and the Data Protection Act 2018, including:

  • Transparency: Clearly explain processing in your privacy notice
  • Purpose limitation: Only use data for the recognised purpose
  • Data minimisation: Only process necessary data
  • Accountability: Document decisions and retain records

What About Data Subject Rights?

Individuals still have rights, including the right to object.

Organisations must assess objections in line with UK GDPR requirements.

When Can Recognised Legitimate Interests Be Applied?

This lawful basis can only be used where processing is necessary for one of the recognised conditions.

Organisations must clearly identify and document which condition applies.

In some cases, multiple conditions may apply and should all be recorded.

What Are the Limitations?

  • Applies only to specific recognised purposes
  • Unlikely to apply to marketing or commercial activity
  • Cannot be used for solely automated decision-making
  • Public authorities cannot use it for their public tasks
  • Additional conditions required for special category or criminal data
  • Extra care required when processing children’s data

What Should Organisations Do Now?

  • Map processing activities to identify applicability
  • Document decisions and justification
  • Update privacy notices
  • Train teams on limitations and correct use

Conclusion

Recognised Legitimate Interests provide greater certainty for specific public interest processing activities.

However, they still sit within the UK GDPR and Data Protection Act framework, meaning organisations must continue applying core principles.

The ICO makes it clear that while compliance may be simplified in some areas, accountability remains unchanged.

How Data Protection People Can Help

We support organisations with DSAR process reviews, policy development, and staff training to ensure compliance and consistency with ICO expectations.

Sources

  • ICO guidance on Recognised Legitimate Interests
  • ICO guidance on public task disclosures
  • ICO lawful basis guidance

Frequently Asked Questions (FAQs)

What are recognised legitimate interests?

They are a lawful basis under UK GDPR for specific purposes such as safeguarding, crime prevention and emergencies.

How are they different from legitimate interests?

No balancing test is required, but processing must still be necessary and proportionate.

When can organisations rely on this basis?

Only when processing meets one of the recognised legal conditions and is properly documented.

Can private organisations use it?

Yes, but only in limited circumstances linked to public interest or safety.

Do UK GDPR principles still apply?

Yes, all core principles must still be followed.

Do individuals still have rights?

Yes, including the right to object.

Can it be used for marketing?

No, it is unlikely to apply to commercial marketing activities.

Can public authorities use it?

Not for public tasks, only in limited other circumstances.

Can it be used for children’s data?

Yes, but extra care is required.

What about special category data?

Additional legal conditions must be met under UK GDPR and the Data Protection Act 2018.

Do we need to document decisions?

Yes, documentation is required to demonstrate compliance.


Weaponised SARs

Weaponised SARs: What They Are, Why They’re Increasing, and How to Respond 

Weaponised Subject Access Requests (SARs) are being used more strategically, often to apply pressure, support disputes, or disrupt organisations. We are seeing a clear rise in both volume and complexity across our clients. This is being accelerated by AI, increased awareness of data rights, and the sheer volume of data organisations now hold. To respond effectively, businesses need structured processes, confidence in applying the law, and the ability to handle SARs at scale. 

What is a Subject Access Request (SAR)? 

A Subject Access Request is a legal right under the UK GDPR that allows individuals to access their personal data. 

At its core, a SAR is about transparency. It enables individuals to understand what data an organisation holds about them, why it is being used, and how it is being processed. 

Organisations are required to respond without undue delay and within one month and provide a copy of the relevant data, along with supporting information about how it is used. 

In practice, this sounds straightforward. However, the reality for many organisations is very different, particularly as the volume and complexity of requests has grown. 

How SARs Have Evolved Over Time 

At Data Protection People, we have seen first-hand how SARs have changed. 

We began as a data protection consultancy, supporting organisations with governance, compliance, and advisory services. Over time, however, we started to see a consistent increase in SAR-related challenges across our clients. What was once an occasional task quickly became a recurring operational issue. 

As a result, we expanded our services to meet this demand. 

Today, a significant proportion of our work is dedicated to SAR handling. We now have a specialist team of 25 trained redactors who review and redact thousands of documents every day, supporting organisations across multiple sectors. 

This shift reflects a wider trend. SARs are no longer just a compliance requirement; they have become a core operational function that organisations must manage effectively.

What is a Weaponised SAR? 

A weaponised SAR is a request that is submitted with a clear strategic motive, rather than purely to access personal data. 

While the request itself remains valid under the law, the intent behind it is often different. These SARs are commonly used to create pressure, gain leverage, or disrupt an organisation’s operations. 

In many cases, they are linked to ongoing disputes. This could include employment issues, complaints, or potential legal action. The request is used as a tool to extract large volumes of information, often placing significant strain on internal resources. 

What makes these requests particularly challenging is not just their intent, but their structure. They are often broad, complex, and time-consuming to fulfil, requiring careful review and judgement at every stage. 

What Trends Are We Seeing Across Our Clients? 

Across the organisations we support, there are clear and consistent patterns emerging. 

Firstly, the volume of SARs is increasing. Many organisations are receiving significantly more requests than they were just a few years ago, particularly in sectors where there is a high level of public interaction or sensitive data processing. 

Secondly, the complexity of requests has grown. SARs now regularly involve large datasets, including emails, internal communications, and sometimes CCTV footage where individuals are identifiable. This increases both the time required to respond and the risk of error. 

We are also seeing a shift in how SARs are being used. More requests are linked to disputes or strategic positioning, rather than simple data access. This changes the way organisations need to approach them, requiring a more considered and structured response. 

Finally, there is a clear strain on internal teams. Many organisations simply do not have the resource or expertise to manage these requests at scale, particularly when multiple SARs are received at once. 

How Has AI Influenced the Rise of Weaponised SARs? 

Artificial intelligence is playing a significant role in accelerating this trend. 

One of the biggest changes is accessibility. AI tools make it far easier for individuals to generate detailed and well-structured SARs. Requests that would have previously required legal knowledge or significant effort can now be created in minutes. 

At the same time, awareness of data rights has increased. People are more informed about what they can ask for and how to frame their requests effectively. 

There is also the issue of data growth. Organisations now hold more data than ever before, across emails, messaging platforms, and digital systems. This makes each SAR inherently more complex and time-consuming to manage. 

AI also enables quicker escalation. If a response is delayed or incomplete, individuals can rapidly generate follow-up requests or complaints, increasing pressure on the organisation. 

The result is a perfect combination of increased demand, greater complexity, and faster escalation. 

How Should Organisations Respond to Weaponised SARs? 

Responding effectively requires more than just following a basic process. It requires confidence, structure, and a clear understanding of your legal position. 

The first step is having a well-defined SAR process. This should clearly outline responsibilities, timelines, and how requests are managed from start to finish. Without this, responses can quickly become inconsistent or delayed. 

Organisations also need to be confident in applying the law. Not every request needs to be fulfilled in full. Where a request is manifestly unfounded or excessive, organisations may refuse to act on it, but must be able to clearly justify their decision. Similarly, exemptions can be applied where appropriate, but this must be done carefully and with proper justification.

Early engagement is key. Clarifying the scope of a request at the outset can significantly reduce the volume of data that needs to be reviewed, saving both time and resource. 

Another critical factor is the ability to review and redact data efficiently. This is often the most time-consuming part of the process and where many organisations struggle. Having the right capability in place, whether internally or through specialist support, can make a significant difference. 

Finally, documentation is essential. Keeping a clear record of decisions, communications, and actions taken ensures that organisations can demonstrate compliance if challenged. 

What Does the Future Look Like? 

The rise of weaponised SARs is not a temporary trend. It is part of a broader shift in how data rights are being used. 

We expect to see continued growth in both the volume and complexity of requests. SARs will increasingly be used as part of wider disputes, and organisations will face greater scrutiny over how they respond. 

At the same time, technology will continue to evolve. Tools that support data discovery, redaction, and workflow management will become more common. However, these tools will not replace the need for human judgement, particularly when applying exemptions or making complex decisions. 

Organisations that invest in strong processes and scalable solutions now will be far better positioned to manage this in the future. 

How Data Protection People Can Help 

SARs are no longer a simple compliance task. For many organisations, they represent a significant operational and legal challenge. 

Our SAR Support Service is designed to take that pressure away. We support organisations throughout the entire SAR process, from initial scoping through to final response. 

With a dedicated team of 25 redactors and extensive experience handling complex requests, we help organisations respond efficiently, accurately, and with confidence. 

Join the Discussion 

On the 10th of April we will be hosting a session on weaponised SARs in more detail as part of the Data Protection Made Easy podcast. 

This session will focus on real-world examples, the trends we are seeing across organisations, and practical advice on how to respond. 

If you want to stay ahead of this growing challenge, it is a conversation worth being part of. 

CCTV Redaction Services

At Data Protection People, we now provide a complete CCTV redaction service combining advanced AI powered redaction technology with expert human review from experienced data protection consultants.

This ensures organisations can disclose footage lawfully, protect the privacy of third parties, and respond to Subject Access Requests (SARs) with confidence.

Organisations across the UK are increasingly receiving Subject Access Requests that include CCTV footage. Responding to these requests can be complex because footage often contains multiple individuals whose personal data must be protected before disclosure.

Before footage can be shared, organisations must ensure that third party personal data is redacted. Without proper redaction, organisations risk unlawfully disclosing personal data.

Data Protection People now provide a complete CCTV redaction service designed to make this process fast, secure and compliant with the UK GDPR and Data Protection Act 2018.


Why CCTV Redaction is Necessary

Under the UK GDPR, individuals have the right to request access to their personal data. This includes images or recordings where they can be identified within CCTV footage.

However, CCTV recordings often capture other individuals. Organisations must therefore ensure that the privacy of third parties is protected before releasing footage.

Failure to properly redact CCTV footage can lead to:

  • Unlawful disclosure of personal data
  • Complaints to the Information Commissioner’s Office
  • Potential regulatory action
  • Damage to organisational reputation

Redacting CCTV manually can take many hours. Modern redaction technology allows organisations to respond to requests much faster while maintaining compliance.


AI Powered Video Redaction

Data Protection People utilise advanced redaction technology capable of automatically identifying personal data within video footage.

Using artificial intelligence, the platform can automatically detect and redact:

  • Faces of individuals
  • Vehicle number plates
  • Screens and digital displays
  • Text appearing in scenes such as house numbers or signage
  • Other identifiable visual information

This allows footage to be processed with over 99 percent detection accuracy, dramatically reducing the time required to prepare footage for disclosure.

In many cases, a 10 minute CCTV clip can be redacted in approximately 10 minutes, compared to hours using manual methods.


What Makes Our CCTV Redaction Service Different

Many redaction tools simply provide software. Data Protection People combine advanced technology with expert human oversight.

Our consultants specialise in Subject Access Requests and information rights law, ensuring that all disclosures are handled correctly.

This provides organisations with:

  • AI powered video redaction technology
  • Expert review from data protection specialists
  • Secure handling of sensitive footage
  • Confidence that footage is safe to disclose

This combination of automation and expert quality assurance ensures organisations remain compliant while responding quickly to requests.


Part of Our Complete SAR Support Service

Data Protection People are recognised as one of the UK’s leading consultancies supporting organisations with Subject Access Requests.

Our SAR Support Service helps organisations:

  • Manage and respond to complex SARs
  • Review large volumes of information
  • Apply lawful exemptions where appropriate
  • Prepare compliant responses
  • Reduce the operational burden of information requests

With the addition of CCTV redaction capabilities, we now provide a fully comprehensive service covering every type of personal data disclosure.


Types of Footage We Can Redact

Our technology and consultants can support with redaction across a wide range of visual data sources, including:

  • CCTV systems
  • Body worn cameras
  • Dash cameras
  • Mobile phone video recordings
  • Security camera systems
  • Incident recordings

This service is particularly valuable for organisations operating in sectors such as:

  • Housing
  • Retail
  • Healthcare
  • Education
  • Transport
  • Local government

Secure Processing and Chain of Custody

Handling video containing personal data requires strict security controls.

Our redaction platform maintains a secure chain of custody, ensuring organisations maintain full visibility over how footage is processed.

This includes:

  • Controlled access to video files
  • Secure processing environments
  • Traceable redaction actions
  • Secure storage and sharing

All processing is designed to align with the requirements of the UK GDPR and data protection best practice.


When Organisations Need CCTV Redaction

While CCTV redaction is most commonly required for Subject Access Requests, organisations may also require redaction when:

  • Sharing footage with regulators
  • Providing evidence to legal teams
  • Publishing footage publicly
  • Using footage for training or investigations
  • Responding to information rights requests

In all cases, organisations must ensure that third party personal data is protected before footage is disclosed.


Speak to Our SAR Specialists

If your organisation needs support responding to a Subject Access Request involving CCTV footage, our team can help.

Data Protection People combine expert data protection consultants with advanced redaction technology to ensure requests are handled quickly, securely and in full compliance with the law.

Speak to an expert today to discuss your CCTV redaction requirements.

STAIRs Readiness Assessment

STAIRs Readiness Assessment for Housing Providers

The upcoming Social Tenants Access to Information Requirements (STAIRs) will introduce new expectations for housing associations to improve transparency and make key information more accessible to residents.

From October 2026, housing providers will be expected to proactively publish specific organisational information for tenants. From April 2027, organisations will also need to respond to formal tenant requests for information about how their homes are managed.

For many housing providers, this represents a significant operational change. Publication schemes, internal processes, governance documentation, and tenant communication procedures may all need reviewing to ensure the organisation is ready.

To support housing associations through this transition, Data Protection People has developed a structured STAIRs Readiness Assessment designed specifically for the housing sector.

Supporting Housing Providers Through STAIRs

Our team works closely with housing associations across the UK to support transparency obligations, information governance, and tenant data rights.

Following a recent STAIRs event hosted in Leeds, we worked with housing professionals to explore how the requirements will impact organisations of different sizes and structures.

During the session, housing providers raised practical questions about publication schemes, tenant information access, and how internal teams should prepare for the new rules.

We have published a full resource covering those discussions which you can explore here:

Frequently Asked Questions – STAIRs

Building on this work, our consultants have developed a dedicated STAIRs Readiness Assessment to help organisations identify gaps and prepare their teams ahead of implementation.

What is a STAIRs Readiness Assessment?

The STAIRs Readiness Assessment is a structured review designed to help housing associations understand how prepared they are for the upcoming transparency requirements.

The assessment examines your organisation’s current policies, governance documentation, information management processes, and tenant communication practices.

By the end of the process, you will have a clear understanding of:

  • Where your current processes align with STAIRs expectations
  • Where potential compliance gaps exist
  • What actions should be prioritised before the 2026 and 2027 implementation dates
  • How tenant information requests may be managed in practice

This ensures your organisation can begin preparing early, rather than reacting once the requirements become mandatory.

Our Three Phase STAIRs Readiness Process

Phase 1 – Policy and Documentation Review

A specialist consultant will review your existing documentation related to transparency, governance, and information handling.

This includes policies, procedures, and any information currently published for tenants.

The goal of this phase is to identify potential gaps between your current practices and the expected STAIRs publication requirements. This may include areas such as governance documentation, organisational performance reporting, and housing management information that tenants may expect to access.

The review also considers how your existing transparency documentation aligns with the proposed Publication Scheme approach expected under STAIRs.

Phase 2 – Leadership Interviews

We will conduct structured discussions with key leaders within the organisation.

This typically includes teams responsible for:

  • Housing operations
  • Compliance and governance
  • Communications and tenant engagement
  • Information governance and data protection

The purpose of these interviews is to understand how information about tenant services, policies, decisions, and organisational performance is currently managed and shared.

We also assess how easily this information could be provided if tenants submit requests once STAIRs is fully implemented.

Phase 3 – Reporting and Recommendations

Following the assessment, you will receive a comprehensive summary report outlining the findings.

This report highlights:

  • Priority actions to prepare for STAIRs compliance
  • Potential risks linked to transparency and information access
  • Recommendations for proactive publication of tenant information
  • Guidance on managing tenant information requests
  • A breakdown of how remediation activities can be implemented

The final report provides your leadership team with a clear roadmap for preparing the organisation before the new requirements come into effect.

Why Housing Providers Should Start Preparing Now

Although STAIRs requirements will not fully come into force until 2026 and 2027, the changes may require significant organisational preparation.

Housing providers may need to review publication processes, governance transparency, tenant communication channels, and internal procedures for responding to information requests.

Early preparation allows organisations to:

  • Reduce compliance risk
  • Improve transparency with residents
  • Align governance and communication processes
  • Prepare staff for new tenant information access expectations

By identifying potential gaps early, housing providers can introduce improvements gradually rather than under regulatory pressure.

Speak to Our Housing Sector Team

Our consultants regularly support housing associations with information governance, transparency requirements, and tenant data rights.

If you would like to explore how the STAIRs Readiness Assessment could support your organisation, our team would be happy to discuss the process and what preparation may look like for your housing provider.

You can also explore our sector resources and STAIRs guidance through the article below: STAIRs Update for Housing Providers

Need support preparing for STAIRs?

Weaponised SARs

What Are Weaponised SARs? Key Insights from 180 Data Protection Professionals

On Friday 10 April, the Data Protection Made Easy podcast hosted a live discussion on one of the fastest-growing challenges in information rights, weaponised Subject Access Requests, often referred to as weaponised SARs.

Led by Catarina Santos and Caine Glancy, the session attracted 180 live participants, with a highly active chat and more questions than could be answered in a single session.

This signals a clear shift. Weaponised SARs are no longer a niche issue. They are a growing operational challenge affecting organisations across housing, healthcare, local authorities and the private sector.

Subject Access Requests are increasingly being used strategically. Rather than purely supporting transparency, they are now being submitted alongside complaints, grievances, legal disputes and disrepair claims.

This does not remove the legal right of access. It does mean organisations must work harder to define scope, manage intent and respond in a way that is both compliant and proportionate.

If your organisation is already dealing with increasingly complex requests, our SAR Support Service helps teams manage Subject Access Requests efficiently and with confidence. Many organisations also benefit from wider governance support through our Data Protection Support Service and Outsourced DPO service.

Why are weaponised SARs rising?

During the session, Catarina highlighted that this trend is becoming more frequent and more disruptive.

As she explained, “Unfortunately, it’s becoming more regular and is definitely something that organisations are seeing on a very regular basis.”

The core issue is a tension between legal rights and strategic use. Individuals have a right to access their personal data, but some requests are clearly being used to apply pressure or gain leverage.

Caine reinforced this by highlighting a common pattern seen across organisations: “They only ask if they think there is a smoking gun.”

This reflects a wider shift. Many SARs are no longer exploratory; they are targeted, often driven by disputes or a belief that key evidence exists within organisational records.

The role of AI in weaponised Subject Access Requests

Artificial intelligence is accelerating this trend.

Catarina explained how AI tools are shaping behaviour: “They are relying a lot on ChatGPT and other AI platforms… SARs are something that you should always submit.”

Caine added: “Practically everybody within the meeting today has probably received a request that looks like it’s come from an AI platform.”

This creates a new challenge. Requests now often appear legally confident, broad in scope and poorly understood by the requester.

As a result, organisations are dealing not only with the initial request, but also repeated AI-generated follow-ups and challenges.

A member of the community commented, “We are seeing data subjects use AI more and more to contradict our responses. It’s becoming a real issue.”

This is one reason why having a practical SAR process matters more than ever. A clear workflow, strong template letters and the right internal escalation points can reduce risk and improve consistency. For organisations that need extra support, our SAR Support Service is designed to help with scoping, review, redaction and response management.

Real challenges shared by the data protection community

The live chat reinforced just how widespread this issue has become.

A member of the community commented, “Weaponised suits our situation. Customers will send us a SAR to delay actions or find us in the wrong.”

Another added, “Most of our requests ‘scream’ ChatGPT now.”

Another highlighted the operational frustration, commenting, “We spend so much time responding, just for it to be put back through AI and asked again in a different way.”

A recurring theme was expectation versus reality. Many requesters expect full disclosure of documents, while organisations must apply the law correctly and proportionately.

Solicitors, tone and pressure tactics in SARs

Another key discussion point was the role of solicitors and representatives.

Catarina noted that tone is often used strategically: “The tone is definitely to create fear among the people managing these requests.”

This is often combined with misunderstandings about the scope of a SAR.

A member of the community commented, “The lawyers advising them are oblivious of the fact that documents do not form part of a DSAR response.”

Another added, “Just because they ask for something, data protection still applies.”

This highlights a critical point for organisations. A SAR is a right to personal data, not a blanket right to all documents, emails or internal records.

That distinction sits at the heart of good SAR handling. It also links closely with broader compliance and governance practice, which is where services such as our Data Protection Support Service and Outsourced DPO service can help organisations build stronger foundations.

Why clarifying a SAR request is essential

One of the most important takeaways from the session was the need to clarify scope early.

Catarina advised: “Don’t be scared to clarify the request.”

Broad requests such as “all my personal data” can quickly become disproportionate if not narrowed.

She also reinforced a key legal distinction: “The right is to personal data, nothing more, nothing less.”

Clarification helps reduce unnecessary workload, focus on relevant data, improve response accuracy and manage expectations early.

A member of the community commented, “Provide everything you have on me is exhausting.”

The growing pressure on data protection teams

The discussion also highlighted the strain on internal teams.

Caine explained: “A lot of people do SARs individually… that might not be feasible anymore.”

This was strongly reflected in the chat.

A member of the community commented, “I’m just one person.”

Another added, “I have a team of 11 and it’s still not enough.”

Another said, “Many of ours are overdue as we are overwhelmed.”

This demonstrates a clear gap between legal expectations and operational reality.

Where internal resource is stretched, it often makes sense to bring in specialist support for complex or high-volume cases. Our SAR Support Service is built for exactly this, helping organisations reduce pressure on internal teams while maintaining a defensible and structured response process.

ICO guidance, challenges and uncertainty

The session also explored frustrations around regulatory guidance.

Caine said: “What would really help is more detailed guidance.”

Catarina added: “It’s too broad… it’s hard to define what it means in practice.”

The community echoed this.

A member of the community commented, “I wish the ICO would issue clear guidance from experiences like this.”

Another said, “It’s hard to know whether the ICO has received a complaint or not.”

This lack of clarity leaves organisations making difficult judgement calls without consistent, practical support.

How organisations should respond to weaponised SARs

While there is no single solution, several practical steps emerged from the discussion.

Organisations should:

  • Build a practical SAR process that reflects real workflows
  • Use clear templates for acknowledgements, clarifications and responses
  • Clarify scope early to avoid unnecessary work
  • Document decisions and search methodologies
  • Apply the law confidently and proportionately

Caine summarised this well: “You’ve got to not be afraid to push back when things are getting too far.”

In practice, that often means having the right mix of process, confidence and support. Our SAR Support Service helps organisations manage difficult requests from initial scoping through to final response, while our Data Protection Support Service and Outsourced DPO service support wider compliance, governance and decision-making.

Why this conversation is not over, part two is coming soon

With 180 attendees and a highly engaged discussion, it became clear that one session was not enough.

Several topics require deeper exploration, including repeat SAR requests, metadata requests, grievance-led SARs, solicitor authority, search methodology and proportionality.

As Caine confirmed: “We’ll be picking apart some of these requests and taking it into a second session.”

That feels exactly right. Weaponised SARs are not a passing frustration. They reflect a broader shift in how data rights are being used, challenged and operationalised.

For anyone working in data protection, compliance, information governance or complaints handling, this is a conversation that is only becoming more important.

Need support with complex or weaponised SARs?

Weaponised SARs are not a temporary trend. They reflect a broader shift in how data rights are being used.

If your organisation is experiencing increasing SAR volumes, more complex or strategic requests, or growing pressure on internal teams, now is the time to review your approach.

Explore our SAR Support Service to see how we help organisations manage Subject Access Requests efficiently, accurately and with confidence.

You may also find it useful to explore our wider Data Protection Support Service and Outsourced DPO service for ongoing compliance support.


Frequently asked questions about weaponised SARs

What is a weaponised SAR?

A weaponised SAR is a Subject Access Request that appears to be used strategically, often alongside a complaint, grievance or dispute, rather than simply to understand how personal data is being processed.

Are weaponised SARs still valid?

Yes. A requester may still have a valid right of access even where the wider context is contentious. Organisations still need to assess the request properly, define scope and respond lawfully.

Can AI increase the number of SARs?

Yes. AI tools can make it easier for people to generate broad, legally worded requests and follow-up challenges, which can increase both the volume and complexity of SAR handling.

Do SARs give people the right to all documents?

No. A SAR is a right to personal data, not a blanket right to every document, email or report in which a person may appear.

Should organisations clarify broad SARs?

Yes. Clarifying a broad request can help narrow scope, reduce unnecessary work and ensure the response is more accurate and proportionate.

How can organisations manage complex SARs more effectively?

Organisations should use a practical SAR procedure, clear templates, documented search methods, confident decision-making and specialist support where internal capacity is limited.


GDPR Radio, S2 Ep2: Data Protection News

Grok, the Online Safety Act, and UK AI Regulation

GDPR Radio is our regular news roundup, where we break down the biggest stories from the world of data protection, privacy, and emerging tech. In this episode, Catarina Santos and Caine Glancy cover early year enforcement activity from the ICO, debate what “valid consent” really looks like in modern digital ecosystems, and explore the growing pressure on social media platforms to protect children online, including age assurance and content moderation.

Listen back on Spotify

Episode highlights

This session covers three big themes that many organisations are grappling with right now.

1) PECR enforcement is back on the agenda
We discuss recent ICO fines linked to unsolicited marketing activity and PECR compliance, including the practical lessons for opt-outs, consent language, and third-party data sources.

2) Third-party marketing lists and the “consent problem”
A key discussion point is what “informed” consent looks like when individuals are presented with long lists of third parties, and whether any approach is truly usable, granular, and easy to withdraw in practice.

3) Social media, under-16s, and age assurance
We explore the UK conversation about restricting under-16 access to social media, and the operational reality behind age verification, predictive age estimation, and the privacy and security risks that can come with them.

Key takeaways for organisations

  • If your marketing activity relies on PECR, ensure opt-out routes are clear and effortless, and your lawful basis and consent language stand up to scrutiny.
  • If you use third-party data, check what individuals were actually told, what they agreed to, and whether withdrawal can realistically be managed.
  • If you operate services used by children or young people, start stress-testing your age assurance approach now, including supplier due diligence, security, and data minimisation.
  • When new tech risks emerge, reactive fixes often fall short; governance and risk management need to be built in from day one.

About GDPR Radio

GDPR Radio is part of the Data Protection Made Easy podcast. Join live to ask questions, share views in the chat, and keep up with what’s happening across regulation, enforcement, and practice.

Speakers

Catarina Santos, Data Protection Consultant, Data Protection People
Caine Glancy, Data Protection Consultant, Data Protection People

Lessons For Data Retention

Santa’s Naughty List, Lessons For Data Retention

Data Protection Made Easy Podcast, Episode 228 – Hosted by Caine Glancy and Special Guest Katarina Douni

This week’s episode takes a festive look at one of the most common challenges in data protection: knowing what to keep, what to delete, and what to safely archive. Inspired by Santa’s famous naughty list, Caine Glancy and first-time guest host Katarina Douni lead a lively discussion on data retention, storage limitation, and the practical steps organisations can take to stay compliant without holding information for longer than needed.

Katarina joined the podcast for her debut session and quickly set the tone with a clear message: many organisations continue to struggle with retention. She explored why data decisions matter, how retention periods should be approached, and why email is often the biggest culprit for uncontrolled storage. The session sparked strong engagement from our live audience, and the chat was filled with questions, examples, and shared challenges around retention, erasure, and day-to-day pressures inside busy teams.

Caine and Katarina walked listeners through common problems such as the overuse of email as a filing system, storing information long after its purpose has expired, and the difficulty teams face when deciding how long is long enough. They also discussed the risks of under-collecting or over-collecting information, the impact this has on storage limitation, and how organisations can simplify their retention rules to reduce confusion and avoid unnecessary risk.

As always, the live chat added a valuable layer to the discussion. Attendees shared their own retention periods, debated tricky scenarios, and raised questions that pushed the session further. The interactive nature of the podcast remains one of its key strengths and gives practitioners the chance to test ideas, compare approaches, and learn from each other in real time.

This episode is ideal for anyone who handles personal data, manages email systems, or oversees compliance. It provides clear explanations, relatable examples, and practical steps that can be applied immediately. With year end approaching, the timing could not be better for organisations reviewing their retention schedules or tackling email backlogs.

If you listened back on Spotify and want to join a future episode live, you can request an invite by emailing info@dataprotectionpeople.com. Live attendees can take part in the chat, ask questions, and access the deeper insight that comes from community discussion.

We host Data Protection Made Easy every Friday at 12:30 and new listeners are always welcome. Our community continues to grow each week with hundreds joining live and many more tuning in through audio platforms.

If you work in the housing sector, you may also be interested in our upcoming in person STAIRs event taking place on the 5th of February. Details can be found on our website and on LinkedIn.

Listen below and enjoy this festive and practical dive into data retention.

GDPR Radio – Digital Omnibus, Personal Data and SAR Reform

Digital Omnibus, Personal Data Changes and What They Mean for You

Episode 227 of the Data Protection Made Easy Podcast, hosted by experts at Data Protection People. This episode was hosted live via Microsoft Teams in front of an audience of listeners.

What We Covered in This Session

A Catch Up from Caine and Catarina

The episode opens with a look at what the team have been working on. Catarina reflects on a very busy week supporting a major client project alongside her team. Caine shares updates on ongoing STAIRs sessions for social housing providers and hints at an in person STAIRs event coming soon.

Both hosts also discuss their guest appearance on another organisation’s podcast where they explored how users understand privacy information, how organisations communicate their obligations and why cross functional training is so important.

The Digital Omnibus Package Explained

The main focus of the episode is the European Commission’s Digital Omnibus package, announced on 19 November. The discussion highlights several of the most significant proposals, including:

1. A New Approach to Personal Data

The proposal introduces a major shift. Information would be classed as personal data only if the controller has means reasonably likely to identify the individual.
The team explore:

  • how this could narrow the scope of personal data
  • what this means for indirect identifiers and pseudonymised data
  • how case law from Europe is already pushing towards this direction
  • how this might affect UK organisations if mirrored in future reforms

2. Changes to Data Breach Reporting

Catarina outlines proposals that:

  • raise the threshold so only high risk breaches need regulator notification
  • extend the deadline from 72 to 96 hours

Caine questions whether reducing low risk reporting could hide patterns of poor practice and the group debate what this means for real world compliance.

3. Reforms to Cookie Rules

The Digital Omnibus seeks to simplify cookie requirements by reducing reliance on consent for low risk purposes such as security and aggregated analytics. The team draw comparisons with the UK DUA Act and consider how consent fatigue has shaped this direction.

Insights from Guest Contributor David Appleyard

David shares two important observations:

1. SAR Purpose Tests

Under the new proposals, organisations may reject or charge for a SAR if the purpose is not to access personal data, for example in an employment dispute. This could be a significant change for many organisations that currently process large volumes of tactical or grievance based SARs.

2. High Risk AI Processing

David explains that the EU is pushing back deadlines for identifying high risk AI processing due to a lack of clear guidance, with expectations now set for no later than December 2027.

CNIL Research on Selling Personal Data

Caine introduces a study from the CNIL which found that 65 percent of surveyed French citizens would sell their personal data for between 1 and 100 euros. The hosts explore:

  • why people undervalue their own data
  • how advertising, profiling and AI training increase the true value
  • the growing need for public awareness and transparent communication

Looking Ahead

The session closes with a reminder that the next podcast will explore data retention, followed by an update that the team are working on the new in house DPP studio.

About the Data Protection Made Easy Community

Our podcast community is one of the most active privacy networks in the UK with more than 150 regular live attendees and over 1,600 subscribers across all audio platforms. Joining the community gives you access to:

  • free weekly live sessions with the chance to ask questions
  • practical guidance from experienced consultants
  • early access to slides and resources
  • networking with other privacy and security professionals
  • invites to in person events, workshops and sector focused discussions
  • exclusive content only available to our community members

Attending live offers clear benefits. You can join the conversation, shape the discussion, raise real world challenges and take part in polls, chat and Q and A. Many listeners tell us they get far more value from attending live than listening back later.

We also have a strong line up of sessions taking us through to the end of the year, covering topics such as data retention, AI risk, international transfers, STAIRs, marketing compliance and more.

If you are not yet part of the Data Protection Made Easy community, you can join for free and get involved straight away.

Our Events & Webinars

Industry Leading Discussions

We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.

Weaponised SARs: A Growing Challenge for Organisations
10 April 26, 12:30 - 1:15 pm

The Online Safety Act Through a Data Protection Lens
27 March 26, 12:30 - 1:15 pm

Get Support With Data Protection And Cyber Security

Our mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.