Discover the comprehensive range of data protection services at Data Protection People. Tailored to meet the unique needs of your organisation, our expert team has successfully handled every challenge imaginable. Whether you’re navigating compliance complexities or enhancing data security, trust DPP to be your partner in safeguarding information.
Data Protection People have a wide range of training services catering for every need. Whether its general training for operational or admin staff or specific training for specialist roles, we have something for you. watch the short video below to meet the team and find out more about our training services.
Contact Us
DataWise is the original privacy tech platform designed to simplify GDPR compliance management. Since its inception in 2011, DataWise has continuously evolved, solidifying its reputation as the pioneering "privacy tech" solution.
Contact Us
Unlock Compliance Excellence with Our GDPR Consultancy Services. Navigating the intricate realm of data protection laws and standards demands expert guidance.
Contact Us
A data protection officer doesn't have to be a full time employee and in many respects it's better to have a company like DPP take on the role. Watch the video below to find out more about our outsourced DPO and privacy officer services or reach out and get in touch with us.
Contact UsAt Data Protection People, our cyber security services are designed to fortify your digital defences. With a proven track record spanning diverse sectors in the UK, our seasoned team brings a wealth of experience in handling a wide array of cybersecurity challenges. Reach out to us and explore how DPP can enhance your organisation’s cyber resilience.
A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.
Contact Us
A PCI assessment is an audit for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards for merchants who accept, process, store or transmit credit card information.
Contact Us
Our experts can support you with Dark Web Monitoring - Data Protection People offer a free dark web scan for your organisation.
Contact Us
Our tailored program, guided by industry-certified experts, supports your ISO 27001 compliance journey. Whether you need advice on certification scope, assistance with remediation work, or comprehensive ISO 27001 consultancy, we’re here to guide you every step of the way.
Contact Us
At Data Protection People, we recognise the dynamic challenges and unique responsibilities of the Data Protection Officer (DPO) role. Beyond offering standard support, we provide a comprehensive suite of services crafted to empower DPOs at every step.
Collaborative Community: Navigating the intricate landscape of data protection can be isolating. That’s why we’ve fostered a collaborative community of privacy professionals. As a DPO with us, you’re never alone. Our network serves as a forum for insightful discussions, sharing solutions, and building a sense of camaraderie.
Expert Guidance and Advice: The journey of a DPO is often filled with complex decisions. Our seasoned team of experts is your reliable resource, offering timely advice and strategic guidance. We’re not just a service provider; we’re your dedicated partners in overcoming challenges and making informed decisions.
Advanced Training for Continuous Growth: Stay ahead in your role with our advanced training programs. Tailored for DPOs, our courses delve into intricate aspects of data protection, providing you with a competitive edge. It’s not just about meeting the present challenges but ensuring your continuous growth and excellence in your role.
Audits, Assessments, and Document Reviews: Our services extend beyond conventional boundaries. From comprehensive audits and assessments to meticulous document reviews, we ensure that your data protection strategies are not only compliant but also optimised for efficiency.
Simplifying Complexity for Future Ease: Beyond addressing current challenges, our mission is to simplify the complexities inherent in data protection. By partnering with Data Protection People, you’re not just solving problems – you’re ensuring a smoother, more efficient role in the future. We streamline processes, making your responsibilities more manageable and your decisions more impactful.
At Data Protection People, our expertise spans across diverse sectors, ensuring that businesses of all sizes and orientations receive tailored Data Protection and Cyber Security solutions. From the dynamic commercial sector and agile SMEs to the impactful third sector and expansive multi-nationals, we extend our services to fortify the digital defences of every business entity.
Elevate your data protection and cybersecurity standards in the bustling landscape of the Commercial Sector. We offer tailored solutions designed to safeguard your sensitive information, ensuring compliance and resilience against evolving threats. Partner with us to fortify your digital assets and foster a secure environment for sustained growth.
Small and Medium Enterprises (SMEs) form the backbone of innovation. Our data protection and cybersecurity services are crafted to match the agility of SMEs. Navigate the digital landscape securely, optimize your operations, and scale confidently with our tailored solutions that prioritize your unique business needs.
For organisations in the Third Sector driven by purpose, our data protection and cybersecurity expertise align with your mission. Safeguard sensitive data, build stakeholder trust, and amplify your positive impact. Let our solutions be the backbone of your technology infrastructure, ensuring that your focus remains on making a difference.
For the global footprint of Multi Nationals, our data protection and cybersecurity services provide a comprehensive shield. Navigate the complexities of international regulations with confidence. From compliance strategies to threat intelligence, we've got your data security needs covered, empowering your multinational endeavors with resilience.
In the Public Sector, trust and accountability are paramount. Our data protection and cybersecurity consultancy ensures that your operations align seamlessly with regulatory requirements. From confidential citizen data to streamlined governance, our solutions empower public entities to serve with integrity and technological excellence.
Data Protection People have the UK’s #1 Data Protection Podcast with over 150 episodes available across all audio streaming platforms, we also post regular content designed to simplify complex areas of data protection and cyber security, check out some of the podcasts and articles below and make data protection easy today.
Weaponised Subject Access Requests (SARs) are being used more strategically, often to apply pressure, support disputes, or disrupt organisations. We are seeing a clear rise in both volume and complexity across our clients. This is being accelerated by AI, increased awareness of data rights, and the sheer volume of data organisations now hold. To respond effectively, businesses need structured processes, confidence in applying the law, and the ability to handle SARs at scale.
A Subject Access Request is a legal right under the UK GDPR that allows individuals to access their personal data.
At its core, a SAR is about transparency. It enables individuals to understand what data an organisation holds about them, why it is being used, and how it is being processed.
Organisations are required to respond without undue delay and within one month and provide a copy of the relevant data, along with supporting information about how it is used.
In practice, this sounds straightforward. However, the reality for many organisations is very different, particularly as the volume and complexity of requests has grown.
At Data Protection People, we have seen first-hand how SARs have changed.
We began as a data protection consultancy, supporting organisations with governance, compliance, and advisory services. Over time, however, we started to see a consistent increase in SAR-related challenges across our clients. What was once an occasional task quickly became a recurring operational issue.
As a result, we expanded our services to meet this demand.
Today, a significant proportion of our work is dedicated to SAR handling. We now have a specialist team of 25 trained redactors who review and redact thousands of documents every day, supporting organisations across multiple sectors.
This shift reflects a wider trend. SARs are no longer just a compliance requirement, they have become a core operational function that organisations must manage effectively.
A weaponised SAR is a request that is submitted with a clear strategic motive, rather than purely to access personal data.
While the request itself remains valid under the law, the intent behind it is often different. These SARs are commonly used to create pressure, gain leverage, or disrupt an organisation’s operations.
In many cases, they are linked to ongoing disputes. This could include employment issues, complaints, or potential legal action. The request is used as a tool to extract large volumes of information, often placing significant strain on internal resources.
What makes these requests particularly challenging is not just their intent, but their structure. They are often broad, complex, and time-consuming to fulfil, requiring careful review and judgement at every stage.
Across the organisations we support, there are clear and consistent patterns emerging.
Firstly, the volume of SARs is increasing. Many organisations are receiving significantly more requests than they were just a few years ago, particularly in sectors where there is a high level of public interaction or sensitive data processing.
Secondly, the complexity of requests has grown. SARs now regularly involve large datasets, including emails, internal communications, and sometimes CCTV footage where individuals are identifiable. This increases both the time required to respond and the risk of error.
We are also seeing a shift in how SARs are being used. More requests are linked to disputes or strategic positioning, rather than simple data access. This changes the way organisations need to approach them, requiring a more considered and structured response.
Finally, there is a clear strain on internal teams. Many organisations simply do not have the resource or expertise to manage these requests at scale, particularly when multiple SARs are received at once.
Artificial intelligence is playing a significant role in accelerating this trend.
One of the biggest changes is accessibility. AI tools make it far easier for individuals to generate detailed and well-structured SARs. Requests that would have previously required legal knowledge or significant effort can now be created in minutes.
At the same time, awareness of data rights has increased. People are more informed about what they can ask for and how to frame their requests effectively.
There is also the issue of data growth. Organisations now hold more data than ever before, across emails, messaging platforms, and digital systems. This makes each SAR inherently more complex and time-consuming to manage.
AI also enables quicker escalation. If a response is delayed or incomplete, individuals can rapidly generate follow-up requests or complaints, increasing pressure on the organisation.
The result is a perfect combination of increased demand, greater complexity, and faster escalation.
Responding effectively requires more than just following a basic process. It requires confidence, structure, and a clear understanding of your legal position.
The first step is having a well-defined SAR process. This should clearly outline responsibilities, timelines, and how requests are managed from start to finish. Without this, responses can quickly become inconsistent or delayed.
Organisations also need to be confident in applying the law. Not every request needs to be fulfilled in full. Where a request is manifestly unfounded or excessive, organisations may refuse to act on the it, but must be able to clearly justify their decision. . Similarly, exemptions can be applied where appropriate, but this must be done carefully and with proper justification.
Early engagement is key. Clarifying the scope of a request at the outset can significantly reduce the volume of data that needs to be reviewed, saving both time and resource.
Another critical factor is the ability to review and redact data efficiently. This is often the most time-consuming part of the process and where many organisations struggle. Having the right capability in place, whether internally or through specialist support, can make a significant difference.
Finally, documentation is essential. Keeping a clear record of decisions, communications, and actions taken ensures that organisations can demonstrate compliance if challenged.
The rise of weaponised SARs is not a temporary trend. It is part of a broader shift in how data rights are being used.
We expect to see continued growth in both the volume and complexity of requests. SARs will increasingly be used as part of wider disputes, and organisations will face greater scrutiny over how they respond.
At the same time, technology will continue to evolve. Tools that support data discovery, redaction, and workflow management will become more common. However, these tools will not replace the need for human judgement, particularly when applying exemptions or making complex decisions.
Organisations that invest in strong processes and scalable solutions now will be far better positioned to manage this in the future.
SARs are no longer a simple compliance task. For many organisations, they represent a significant operational and legal challenge.
Our SAR Support Service is designed to take that pressure away. We support organisations throughout the entire SAR process, from initial scoping through to final response.
With a dedicated team of 25 redactors and extensive experience handling complex requests, we help organisations respond efficiently, accurately, and with confidence.
On the 10th of April we will be hosting a session on weaponised SARs in more detail as part of the Data Protection Made Easy podcast.
This session will focus on real-world examples, the trends we are seeing across organisations, and practical advice on how to respond.
If you want to stay ahead of this growing challenge, it is a conversation worth being part of.
At Data Protection People, we now provide a complete CCTV redaction service combining advanced AI powered redaction technology with expert human review from experienced data protection consultants.
This ensures organisations can disclose footage lawfully, protect the privacy of third parties, and respond to Subject Access Requests (SARs) with confidence.
Organisations across the UK are increasingly receiving Subject Access Requests that include CCTV footage. Responding to these requests can be complex because footage often contains multiple individuals whose personal data must be protected before disclosure.
Before footage can be shared, organisations must ensure that third party personal data is redacted. Without proper redaction, organisations risk unlawfully disclosing personal data.
Data Protection People now provide a complete CCTV redaction service designed to make this process fast, secure and compliant with the UK GDPR and Data Protection Act 2018.
Under the UK GDPR, individuals have the right to request access to their personal data. This includes images or recordings where they can be identified within CCTV footage.
However, CCTV recordings often capture other individuals. Organisations must therefore ensure that the privacy of third parties is protected before releasing footage.
Failure to properly redact CCTV footage can lead to:
Redacting CCTV manually can take many hours. Modern redaction technology allows organisations to respond to requests much faster while maintaining compliance.
Data Protection People utilise advanced redaction technology capable of automatically identifying personal data within video footage.
Using artificial intelligence, the platform can automatically detect and redact:
This allows footage to be processed with over 99 percent detection accuracy, dramatically reducing the time required to prepare footage for disclosure.
In many cases, a 10 minute CCTV clip can be redacted in approximately 10 minutes, compared to hours using manual methods.
Many redaction tools simply provide software. Data Protection People combine advanced technology with expert human oversight.
Our consultants specialise in Subject Access Requests and information rights law, ensuring that all disclosures are handled correctly.
This provides organisations with:
This combination of automation and expert quality assurance ensures organisations remain compliant while responding quickly to requests.
Data Protection People are recognised as one of the UK’s leading consultancies supporting organisations with Subject Access Requests.
Our SAR Support Service helps organisations:
With the addition of CCTV redaction capabilities, we now provide a fully comprehensive service covering every type of personal data disclosure.
Our technology and consultants can support with redaction across a wide range of visual data sources, including:
This service is particularly valuable for organisations operating in sectors such as:
Handling video containing personal data requires strict security controls.
Our redaction platform maintains a secure chain of custody, ensuring organisations maintain full visibility over how footage is processed.
This includes:
All processing is designed to align with the requirements of the UK GDPR and data protection best practice.
While CCTV redaction is most commonly required for Subject Access Requests, organisations may also require redaction when:
In all cases, organisations must ensure that third party personal data is protected before footage is disclosed.
If your organisation needs support responding to a Subject Access Request involving CCTV footage, our team can help.
Data Protection People combine expert data protection consultants with advanced redaction technology to ensure requests are handled quickly, securely and in full compliance with the law.
Speak to an expert today to discuss your CCTV redaction requirements.
The upcoming Social Tenants Access to Information Requirements (STAIRs) will introduce new expectations for housing associations to improve transparency and make key information more accessible to residents.
From October 2026, housing providers will be expected to proactively publish specific organisational information for tenants. From April 2027, organisations will also need to respond to formal tenant requests for information about how their homes are managed.
For many housing providers, this represents a significant operational change. Publication schemes, internal processes, governance documentation, and tenant communication procedures may all need reviewing to ensure the organisation is ready.
To support housing associations through this transition, Data Protection People has developed a structured STAIRs Readiness Assessment designed specifically for the housing sector.
Our team works closely with housing associations across the UK to support transparency obligations, information governance, and tenant data rights.
Following a recent STAIRs event hosted in Leeds, we worked with housing professionals to explore how the requirements will impact organisations of different sizes and structures.
During the session, housing providers raised practical questions about publication schemes, tenant information access, and how internal teams should prepare for the new rules.
We have published a full resource covering those discussions which you can explore here:
Frequently Asked Questions – STAIRs
Building on this work, our consultants have developed a dedicated STAIRs Readiness Assessment to help organisations identify gaps and prepare their teams ahead of implementation.
The STAIRs Readiness Assessment is a structured review designed to help housing associations understand how prepared they are for the upcoming transparency requirements.
The assessment examines your organisation’s current policies, governance documentation, information management processes, and tenant communication practices.
By the end of the process, you will have a clear understanding of:
This ensures your organisation can begin preparing early, rather than reacting once the requirements become mandatory.
A specialist consultant will review your existing documentation related to transparency, governance, and information handling.
This includes policies, procedures, and any information currently published for tenants.
The goal of this phase is to identify potential gaps between your current practices and the expected STAIRs publication requirements. This may include areas such as governance documentation, organisational performance reporting, and housing management information that tenants may expect to access.
The review also considers how your existing transparency documentation aligns with the proposed Publication Scheme approach expected under STAIRs.
We will conduct structured discussions with key leaders within the organisation.
This typically includes teams responsible for:
The purpose of these interviews is to understand how information about tenant services, policies, decisions, and organisational performance is currently managed and shared.
We also assess how easily this information could be provided if tenants submit requests once STAIRs is fully implemented.
Following the assessment, you will receive a comprehensive summary report outlining the findings.
This report highlights:
The final report provides your leadership team with a clear roadmap for preparing the organisation before the new requirements come into effect.
Although STAIRs requirements will not fully come into force until 2026 and 2027, the changes may require significant organisational preparation.
Housing providers may need to review publication processes, governance transparency, tenant communication channels, and internal procedures for responding to information requests.
Early preparation allows organisations to:
By identifying potential gaps early, housing providers can introduce improvements gradually rather than under regulatory pressure.
Our consultants regularly support housing associations with information governance, transparency requirements, and tenant data rights.
If you would like to explore how the STAIRs Readiness Assessment could support your organisation, our team would be happy to discuss the process and what preparation may look like for your housing provider.
You can also explore our sector resources and STAIRs guidance through the article below: STAIRs Update for Housing Providers
Need support preparing for STAIRs?
The Information Commissioner’s Office (ICO) has released guidance on handling data protection complaints in line with the requirements from the Data (Use and Access) Act (DUAA) which are set to come into force on 19 June 2026.
Whilst most of the reforms brought about by Part 5 of the DUAA took effect on February 5, organisations have longer to prepare for the complaint requirements and the ICO’s guidance supports organisations on achieving best practice ahead of time.
Whilst the ICO has previously expected organisations to address data protection complaints received from individuals, this has not been backed up by any legal obligation.
Following the changes under the DUAA, individuals now have the legal right to submit a complaint to an organisation about the handling of their personal data and organisations must implement processes and procedures to facilitate this.
The ICO’s latest guidance outlines the following key steps organisations must take to meet the complaint requirements under the DUAA:
For organisations with existing complaints procedures, only minor changes are likely needed to reflect the DUAA requirements, but organisations lacking an established complaints process will now be expected to implement a substantive procedure.
This article highlights the key areas of focus for organisations in preparation for the DUAA complaints provisions coming into force and summarises recommendations for best practice based on the ICO’s guidance.
Not every complaint that is linked to data protection matters constitutes a data protection complaint. Where an individual complains about an organisation’s services or other matters whilst also exercising data protection rights this does not count, e.g. an employee raises a grievance and at the same time makes a subject access request.
The ICO’s guidance clarifies that data protection complaints arise where an individual complains specifically about an organisation’s handling of their personal data, whether this be about the handling of a subject access request (SAR) or quality of data security.
As with other personal data rights requests, individuals do not have to use legal terms of quote the legislation to make a data protection complaint. Where unsure if an individual is making a data protection complaint, organisations should seek clarification.
The starting point is to ensure that your organisation gives people a way to raise a data protection complaint. The ICO’s guidance allows organisations flexibility to choose which channels are most approach, whether through a complaint form, email address, telephone number, online portal, live chat facility or in person (if operating offline).
There is no requirement to set up a separate tool for receiving data protection complaints and organisations can rely on existing complaints channels and adapt these to include data protection complaints. As per the ICO’s SAR guidance, individuals are not obliged to follow the set process and can complain using any method of their choice. Nonetheless having a set complaints process is important for accountability.
Organisations with online presence should also consider how to handle complaints received through social media and bear in mind that liaising with complainants through social media is not secure and an alternative contact method should be sought.
Those within the scope of the ICO’s Age Appropriate Design Code should satisfy the requirements for handling complaints from children outlined at standard 15 of the Code, ensuring children can easily make and escalate complaints.
Organisations are already required to inform individuals of their right to submit a complaint to the Information Commissioner at the point of collection of their personal data through a privacy notice and also when responding to SARs.
Following the DUAA, organisations must now also inform individuals of their right to make a data protection complaint to the organisation itself. Organisations should update privacy notices accordingly to inform data subjects of their right to complain and the organisation’s complaints process including a contact point.
Those processing personal data for law enforcement purposes must also inform individuals of their right to complain at other junctures, including when refusing other rights requests.
The ICO’s guidance makes clear that for best practice, organisations should implement a complaints procedure if they do not already have one. It should use plain language (avoid legal jargon), be published online and be made available to individuals at the earliest opportunity to ensure they are aware of how to raise complaints.
It is recommended that a written process includes the set method for receiving complaints; the supporting evidence needed to investigate; the proof of ID and third-party authority accepted as well as information on communicating timescales (acknowledgement within 30 days), updates and outcomes.
Whilst it is acceptable to integrate data protection complaints into overarching complaints procedures and a standalone process is not required, organisations must ensure outcomes are issued on data protection complaints without undue delay. So, when responding as part of a wider complaint connected to other issues, if able to provide an outcome on the data protection aspect sooner, you must do so.
Guidance on record keeping reiterates not only the importance of having up to date, clearly organised and labelled systems so information can be found quickly and effectively, but also to provide evidence of the following:
Not only does strong record keeping support compliance with the Art.5(2) UK GDPR Accountability principle by demonstrating compliance should the ICO or other industry bodies investigate, it is also beneficial for identifying recurring trends and underlying compliance issues.
In terms of training, all staff should as part of their overall data protection training be brought up to speed on recognising data protection complaints and knowing where to direct complaints internally when received.
For Joint Controllers, emphasis is on having transparent arrangements in place given the timescale starts as soon as the complaint is received by a Controller so all parties must be clear on what to do, including in terms of:
Controller-Processor data processing agreements should cover arrangements for handling data protection complaints. The typical role of Processors remains to provide assistance, including on complaint investigations and by supplying relevant information, with Controllers retaining the obligation for complaint handling.
You must acknowledge receipt of a data protection complaint within 30 days and the ICO’s guidance clarifies that an auto-acknowledgement will suffice.
This timeframe begins the day after the complaint is received, even if this falls on a weekend or public holiday. However, if the last day to acknowledge falls on a weekend or public holiday, you have until the next working day.
A practical approach is emphasised, for instance there is no need to provide an acknowledgement and outcome separately if you are able to provide a complaint outcome within 30 days, or if contacting the complainant to ask for proof of ID an additional acknowledgement is not needed.
The same complainant ID and third-party authority verification protocols apply as for other personal data rights requests, meaning you should:
Organisations must make enquiries into data protection complaints without undue delay, starting from when the complaint is received and not after the 30 day acknowledgement period ends.
This process generally involves fact finding, speaking to relevant staff, comparing the complaint information with that held and checking if organisational standards were upheld, and the ICO’s guidance recommends asking the complainant for more information if necessary as well as managing their expectations.
The ICO’s guidance recognises that complaints will vary in complexity, scale and harm, meaning a blanket timeframe for resolving complaints is not expected. Instead, focus should be on the specific circumstances of the complaint (and your organisation) and making reasonable and proportionate enquiries based on this.
Giving timely progress updates to complainants is emphasised in the ICO’s guidance, with the priority on explaining timeframes for resolution and any expected delays.
As with investigating complaints, outcomes must also be issued without undue delay, which according to the guidance means ‘without an unjustifiable or excessive delay.’ Outcomes should include explanation of steps taken to resolve the complaint and actions taken as a result, and where you think you have complied with data protection law this should be explained in detail.
An internal review process for complainants unhappy with the outcome is recommended. It is also best practice to inform individuals of their right to complain to the ICO, which individuals have the right to do so at any point notwithstanding any internal review process.
The complaints requirements introduced by the DUAA can be viewed as formalising what the ICO has long expected from organisations in terms of addressing data protection complaints. The standards emphasised in the ICO’s latest guidance on complaints largely mirrors those expected when handling other personal data rights requests.
Indeed, the ICO will be aiming for a reduction in the number of complaints brought to it following the DUAA changes. The regulator has an established policy of diverting complaints to organisations in the first instance where the issue has not previously been raised with the organisation directly, and it now has a legal basis for doing so.
This latest guidance also coincides with the ICO’s publication of its complaint handling framework which is centred on prioritising high-value cases where the ICO can have the most significant impact, an objective more realisable if less time can be spent on lower impact matters and those where internal complaints procedures have not been utilised.
Moving forward, organisations can expect to be held to a higher standard in terms of complaint handling. Not having formal procedures in place will amount to a breach of the DPA, may trigger complaints from data subjects and will be looked on with greater scrutiny by the ICO.
Implementing a formalised end-to-end data protection complaints procedure ensures best practice and will be looked on far more favourably by the ICO should any concerns be raised or investigations initiated. Data Protection People has already supported many organisations in this regard. If your organisation requires assistance in this area, please reach out to us.
GDPR Radio is our regular news roundup, where we break down the biggest stories from the world of data protection, privacy, and emerging tech. In this episode, Catarina Santos and Caine Glancy cover early year enforcement activity from the ICO, debate what “valid consent” really looks like in modern digital ecosystems, and explore the growing pressure on social media platforms to protect children online, including age assurance and content moderation.
This session covers three big themes that many organisations are grappling with right now.
1) PECR enforcement is back on the agenda
We discuss recent ICO fines linked to unsolicited marketing activity and PECR compliance, including the practical lessons for opt-outs, consent language, and third-party data sources.
2) Third-party marketing lists and the “consent problem”
A key discussion point is what “informed” consent looks like when individuals are presented with long lists of third parties, and whether any approach is truly usable, granular, and easy to withdraw in practice.
3) Social media, under-16s, and age assurance
We explore the UK conversation about restricting under-16 access to social media, and the operational reality behind age verification, predictive age estimation, and the privacy and security risks that can come with them.
GDPR Radio is part of the Data Protection Made Easy podcast. Join live to ask questions, share views in the chat, and keep up with what’s happening across regulation, enforcement, and practice.
Catarina Santos, Data Protection Consultant, Data Protection People
Caine Glancy, Data Protection Consultant, Data Protection People
Data Protection Made Easy Podcast, Episode 228 – Hosted by Caine Glancy and Special Guest Katerina Douni
This week’s episode takes a festive look at one of the most common challenges in data protection, knowing what to keep, what to delete, and what to safely archive. Inspired by Santa’s famous naughty list, Caine Glancy and first time guest host Katarina Douni lead a lively discussion on data retention, storage limitation, and the practical steps organisations can take to stay compliant without holding information for longer than needed.
Katarina joined the podcast for her debut session and quickly set the tone with a clear message, many organisations continue to struggle with retention. She explored why data decisions matter, how retention periods should be approached, and why email is often the biggest culprit for uncontrolled storage. The session sparked strong engagement from our live audience and the chat was filled with questions, examples, and shared challenges around retention, erasure, and day to day pressures inside busy teams.
Caine and Katarina walked listeners through common problems such as the over use of email as a filing system, storing information long after its purpose has expired, and the difficulty teams face when deciding how long is long enough. They also discussed the risks of under collecting or over collecting information, the impact this has on storage limitation, and how organisations can simplify their retention rules to reduce confusion and avoid unnecessary risk.
As always, the live chat added a valuable layer to the discussion. Attendees shared their own retention periods, debated tricky scenarios, and raised questions that pushed the session further. The interactive nature of the podcast remains one of its key strengths and gives practitioners the chance to test ideas, compare approaches, and learn from each other in real time.
This episode is ideal for anyone who handles personal data, manages email systems, or oversees compliance. It provides clear explanations, relatable examples, and practical steps that can be applied immediately. With year end approaching, the timing could not be better for organisations reviewing their retention schedules or tackling email backlogs.
If you listened back on Spotify and want to join a future episode live, you can request an invite by emailing info@dataprotectionpeople.com. Live attendees can take part in the chat, ask questions, and access the deeper insight that comes from community discussion.
We host Data Protection Made Easy every Friday at 12:30 and new listeners are always welcome. Our community continues to grow each week with hundreds joining live and many more tuning in through audio platforms.
If you work in the housing sector, you may also be interested in our upcoming in person STAIRs event taking place on the 5th of February. Details can be found on our website and on LinkedIn.
Listen below and enjoy this festive and practical dive into data retention.
Episode 227 of the Data Protection Made Easy Podcast hosted by experts at Data Protection People. This episode was hosted live via Microsoft Teams in front of a live audience of listeners.
The episode opens with a look at what the team have been working on. Catarina reflects on a very busy week supporting a major client project alongside her team. Caine shares updates on ongoing STAIRs sessions for social housing providers and hints at an in person STAIRs event coming soon.
Both hosts also discuss their guest appearance on another organisation’s podcast where they explored how users understand privacy information, how organisations communicate their obligations and why cross functional training is so important.
The main focus of the episode is the European Commission’s Digital Omnibus package, announced on 19 November. The discussion highlights several of the most significant proposals, including:
The proposal introduces a major shift. Information would be classed as personal data only if the controller has means reasonably likely to identify the individual.
The team explore:
Catarina outlines proposals that:
Caine questions whether reducing low risk reporting could hide patterns of poor practice and the group debate what this means for real world compliance.
The Digital Omnibus seeks to simplify cookie requirements by reducing reliance on consent for low risk purposes such as security and aggregated analytics. The team draw comparisons with the UK DUA Act and consider how consent fatigue has shaped this direction.
David shares two important observations:
Under the new proposals, organisations may reject or charge for a SAR if the purpose is not to access personal data, for example in an employment dispute. This could be a significant change for many organisations that currently process large volumes of tactical or grievance based SARs.
David explains that the EU is pushing back deadlines for identifying high risk AI processing due to a lack of clear guidance, with expectations now set for no later than December 2027.
Caine introduces a study from the CNIL which found that 65 percent of surveyed French citizens would sell their personal data for between 1 and 100 euros. The hosts explore:
The session closes with a reminder that the next podcast will explore data retention, followed by an update that the team are working on the new in house DPP studio.
Our podcast community is one of the most active privacy networks in the UK with more than 150 regular live attendees and over 1,600 subscribers across all audio platforms. Joining the community gives you access to:
Attending live offers clear benefits. You can join the conversation, shape the discussion, raise real world challenges and take part in polls, chat and Q and A. Many listeners tell us they get far more value from attending live than listening back later.
We also have a strong line up of sessions taking us through to the end of the year, covering topics such as data retention, AI risk, international transfers, STAIRs, marketing compliance and more.
If you are not yet part of the Data Protection Made Easy community, you can join for free and get involved straight away.
After our first SARs session, we picked up the phone and asked our listeners what they struggle with most in real life. They shared questions, tricky scenarios and points of disagreement. In this follow up episode of the Data Protection Made Easy podcast, Caine Glancy and Oluwagbenga Onojobi work through those issues live with members of our community.
In this session we explore:
Listeners share how they handle these issues in housing and HR, which gives a rounded view of what is happening on the ground, not just what the legislation says.
If you are trying to balance transparency with protecting third party rights, you will find this discussion especially useful.
You can listen back to this episode now on Spotify and all major podcast platforms.
If you are not yet part of the Data Protection Made Easy community, complete our contact form and ask to join. Membership is free. You will receive a weekly invite to our live Friday sessions, access to visual materials, and ongoing support from over 1,500 like minded data protection practitioners.
This week our live Friday session is a GDPR Radio episode. Caine, Catarina and the team will be back to look at the latest news, enforcement action and real world challenges from across our community. If you would like to receive an invite, fill in our contact form and the team will add you to the mailing list.
We host events on a weekly basis for the community of data protection practitioners and have built up a network of over 1200 subscribers, who tune in each week to listen to discussions about the hot topics from the fast-paced and evolving world of data protection and cyber security. Check out our upcoming events and become part of our growing community.
View AllOur mission is to make data protection and cyber security easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.
