Caine Glancy

Data Protection Support Desk Manager

Caine is the Manager of the Data Protection Support Desk at Data Protection People and host of the Data Protection Made Easy podcast.

With four years’ experience in data protection, he brings a practical, people-focused approach to the field.

Get to Know Caine

Caine is the Manager of the Data Protection Support Desk at Data Protection People and the host of the Data Protection Made Easy podcast. Over the past four years, he has supported organisations across the UK with clear, practical guidance on data protection, drawing on the real‑world challenges raised through the support desk and the conversations he leads on the podcast.

Caine has built a strong foundation in the housing and educational sectors, where he developed a people-centred approach to problem‑solving and communication. These experiences continue to shape the way he supports clients, ensuring that complex compliance issues are translated into straightforward, actionable advice.

Earlier in his career, Caine also spent time in professional rugby for both Leeds Rhinos and Castleford Tigers, an environment that strengthened his resilience, discipline, and teamwork qualities.

Whether engaging with clients or facilitating industry-wide discussions on important topics, Caine is committed to making data protection more accessible, more understandable, and easier to get right.

Experience

Caine Glancy is an experienced data protection professional and the Support Desk Manager at DPP, where he has spent years developing a strong and practical understanding of the data protection landscape. Throughout his career, Caine has built a reputation for delivering clear, accessible, and actionable advice to organisations navigating complex regulatory requirements. His work has been particularly focused on supporting housing associations and the education sector, where he has provided guidance on a wide range of issues including FOIA, STAIRs, and day-to-day data protection challenges.

Caine is known for his ability to simplify intricate legislation and translate it into straightforward, meaningful steps that organisations can confidently implement. His approach is grounded in practicality and clarity, ensuring that clients not only understand their obligations but feel empowered to meet them. This commitment to demystifying data protection has made him a trusted point of contact for organisations seeking reassurance, expertise, and a calm, knowledgeable voice in moments of uncertainty.

Beyond his operational role, Caine is also a co‑host of the Data Protection Made Easy podcast, a growing community platform where professionals come together to discuss emerging issues, share experiences, and explore best practices. Through the podcast, he contributes to open, engaging conversations that help make data protection more approachable for a wide audience. His passion for community learning and accessible guidance continues to shape his work and influence within the sector.

“Good data protection isn’t about saying ‘no’ to everything, it’s about knowing when to say ‘yes’ safely.”

Caine Glancy
Data Protection Support Desk Manager

Caine's Posts

The Growing Privacy Dilemma

End-to-end encryption, Instagram, and the growing privacy dilemma

Meta has announced that it will remove end-to-end encryption from Instagram direct messages, raising questions not just about privacy, but about safety, regulation, and where the balance should sit.

What is end-to-end encryption?

End-to-end encryption is a way of protecting communications so that only the sender and the recipient can read the content. In simple terms, messages are “locked” on the sender’s device and can only be “unlocked” on the recipient’s device. No one else – not even the platform providing the service – can access the content of those messages (in theory).

This is widely considered one of the strongest forms of privacy protection available online. It reduces the risk of data breaches, unauthorised access, and surveillance.

However, it also means that platforms themselves cannot monitor what is being shared.

What is happening with Instagram?

Meta has confirmed that it will discontinue end-to-end encrypted messages on Instagram from May 2026. The feature, which was introduced relatively recently, allowed users to send messages that even Meta could not read. Its removal means that Instagram messages will no longer have this level of protection.

The company has suggested that the feature had low usage.

At the same time, there is a wider context. Regulators and policymakers, particularly in the UK (notably through the Online Safety Act), the US and Europe, have been placing increasing pressure on platforms to improve child safety and prevent harm online.

End-to-end encryption has become a focal point in that debate, because it limits the ability of platforms to detect illegal or harmful content.

TikTok’s contrasting approach

Interestingly, not all platforms are moving in the same direction. As Mark and I mentioned on the podcast a couple of weeks ago, TikTok has publicly stated that it does not intend to introduce end-to-end encryption for direct messages.

Its reasoning is clear: encryption of this kind can make it harder to detect harmful behaviour, including abuse and exploitation. Without visibility of message content, both platforms and law enforcement may struggle to investigate concerns. In other words, TikTok is allegedly prioritising safety and oversight over maximum privacy in messaging.

The dilemma: privacy vs protection

This brings us to the core issue and one that organisations, regulators, and society more broadly are still grappling with. On this topic and as mentioned on the podcast, we are facing a massive dilemma:

On one hand, this mechanism is a powerful safeguard, supporting confidentiality and reducing the risks of hacking and misuse of data. On the other, it can limit the detection of harmful or illegal activity, create challenges for safeguarding children and vulnerable users (who can be anyone, depending on the context, as Charlotte mentioned on the podcast) and, the big one, reduce the ability of platforms to intervene proactively.

In the UK, this tension is reflected in legislation such as the Online Safety Act, which places duties on platforms to protect users – particularly children – from harm, while also raising concerns about how that can be achieved without weakening encryption.

From a data protection standpoint, this issue sits at the intersection of several key principles:

  • Confidentiality and security (protecting personal data)
  • Accountability (ensuring organisations can manage risks)
  • Protection of vulnerable individuals, particularly children

There is, however, one thing that is clear: there is no one-size-fits-all answer!

Strong encryption aligns closely with UK GDPR principles around security and integrity, but organisations also have obligations to mitigate risks and prevent harm, particularly where children are concerned.

The shift by Meta – and the contrasting stance from TikTok – highlights that there is no settled industry position.

End-to-end encryption is often framed as a purely technical feature, but it seems to be more than that: Meta’s decision to remove it from Instagram, alongside TikTok’s refusal to adopt it, shows just how complex that balance has become. The challenge ahead is not simply whether to use encryption, but how to reconcile two equally important goals:

protecting people’s privacy, and protecting people from harm.

Important links:

https://www.bbc.co.uk/news/articles/cly2m5e5ke4o

https://mashable.com/article/instagram-meta-end-to-end-encryption

STAIRs Update for Housing Associations

STAIRs Update for Housing Associations: Key Dates and What Social Landlords Should Do Now

Housing associations across the UK have received a further update on the upcoming Social Tenants Access to Information Requirements (STAIRs). These requirements will introduce new expectations for how social landlords provide information to tenants about the management of their homes.

The National Housing Federation (NHF) recently shared an update outlining key timelines and confirming that further operational guidance is currently being developed to support the sector.

Although the requirements will not come fully into force for some time, housing providers are being encouraged to begin preparing now. Reviewing how information is organised, published and shared internally will help ensure a smoother transition once the rules become mandatory.

What Are the Social Tenants Access to Information Requirements (STAIRs)?

STAIRs is a regulatory initiative designed to improve transparency between social landlords and tenants. The requirements will ensure residents can more easily access information about how their homes are managed, including policies, performance information and organisational decisions that affect them.

For housing providers, this means developing clear processes for publishing information and responding to tenant information requests in a structured and consistent way.

Himanshi Gulati, Data Protection Consultant at Data Protection People, explains:

“STAIRs will likely require housing providers to review how information is organised, published and shared with tenants. Starting early on developing processes around information management, request handling and complaints could make the transition much smoother.”

Key STAIRs Dates Housing Providers Should Know

The latest update confirms two important milestones for social landlords preparing for STAIRs.

  • October 2026 – Housing associations will be required to proactively publish certain information for tenants.
  • April 2027 – Organisations must meet full requirements for responding to tenant information requests.

Although these deadlines may seem some distance away, housing providers should begin preparing early. Developing the right internal governance, publication processes and request-handling procedures can take time to implement effectively across an organisation.

Operational Guidance Being Developed for Housing Associations

To support implementation across the housing sector, the National Housing Federation has commissioned law firm Anthony Collins, working alongside a cross-sector group of housing providers, to produce practical operational guidance.

This guidance will help organisations understand how to implement STAIRs in practice and is expected to cover areas such as:

  • Creating and maintaining publication schemes
  • Managing tenant information requests
  • Handling complaints related to access to information
  • Embedding operational processes across housing organisations

The guidance is expected to be published on 20 April 2026.

Housing Ombudsman Consultation on STAIRs Complaints

Alongside the operational guidance, the Housing Ombudsman has launched a consultation exploring how complaints relating to STAIRs should be handled once the requirements come into force.

Housing associations are being invited to share their views on how these complaints processes should operate in practice. The consultation is open until 17 March 2026.

For organisations in the sector, this provides an opportunity to shape how future disputes around tenant information access may be managed.

How Housing Providers Can Start Preparing for STAIRs

While the final operational guidance is still to be published, there are several steps housing providers can start considering now:

  • Review how organisational information is stored and structured
  • Identify what information may need to be proactively published
  • Develop internal processes for responding to tenant information requests
  • Ensure complaints processes align with future transparency requirements

As regulatory expectations around governance and transparency continue to grow in the housing sector, STAIRs represents another important step in strengthening trust between landlords and tenants.

As Himanshi highlights:

“For tenants, the aim is clearer access to information about how their homes are managed. For landlords, it’s another reminder that good governance and transparency are becoming central expectations in the sector.”

And while publication schemes may not always be the most exciting documents to prepare, getting them right early could save organisations significant time and complexity later.

STAIRs Frequently Asked Questions

Following discussions with housing professionals across the sector, we have also published a dedicated resource answering common questions about STAIRs and how housing providers can prepare.

Read our STAIRs FAQs for housing providers here

Need Support Preparing for STAIRs?

Our team at Data Protection People regularly supports housing providers with governance frameworks, tenant information requests, and developing processes that align with evolving regulatory expectations.

If your organisation would like guidance on preparing for STAIRs or strengthening information governance processes, our team would be happy to help.

CCTV Redaction Services

At Data Protection People, we now provide a complete CCTV redaction service combining advanced AI powered redaction technology with expert human review from experienced data protection consultants.

This ensures organisations can disclose footage lawfully, protect the privacy of third parties, and respond to Subject Access Requests (SARs) with confidence.

Organisations across the UK are increasingly receiving Subject Access Requests that include CCTV footage. Responding to these requests can be complex because footage often contains multiple individuals whose personal data must be protected before disclosure.

Before footage can be shared, organisations must ensure that third party personal data is redacted. Without proper redaction, organisations risk unlawfully disclosing personal data.

Data Protection People now provide a complete CCTV redaction service designed to make this process fast, secure and compliant with the UK GDPR and Data Protection Act 2018.


Why CCTV Redaction is Necessary

Under the UK GDPR, individuals have the right to request access to their personal data. This includes images or recordings where they can be identified within CCTV footage.

However, CCTV recordings often capture other individuals. Organisations must therefore ensure that the privacy of third parties is protected before releasing footage.

Failure to properly redact CCTV footage can lead to:

  • Unlawful disclosure of personal data
  • Complaints to the Information Commissioner’s Office
  • Potential regulatory action
  • Damage to organisational reputation

Redacting CCTV manually can take many hours. Modern redaction technology allows organisations to respond to requests much faster while maintaining compliance.


AI Powered Video Redaction

Data Protection People utilise advanced redaction technology capable of automatically identifying personal data within video footage.

Using artificial intelligence, the platform can automatically detect and redact:

  • Faces of individuals
  • Vehicle number plates
  • Screens and digital displays
  • Text appearing in scenes such as house numbers or signage
  • Other identifiable visual information

This allows footage to be processed with over 99 percent detection accuracy, dramatically reducing the time required to prepare footage for disclosure.

In many cases, a 10 minute CCTV clip can be redacted in approximately 10 minutes, compared to hours using manual methods.


What Makes Our CCTV Redaction Service Different

Many redaction tools simply provide software. Data Protection People combine advanced technology with expert human oversight.

Our consultants specialise in Subject Access Requests and information rights law, ensuring that all disclosures are handled correctly.

This provides organisations with:

  • AI powered video redaction technology
  • Expert review from data protection specialists
  • Secure handling of sensitive footage
  • Confidence that footage is safe to disclose

This combination of automation and expert quality assurance ensures organisations remain compliant while responding quickly to requests.


Part of Our Complete SAR Support Service

Data Protection People are recognised as one of the UK’s leading consultancies supporting organisations with Subject Access Requests.

Our SAR Support Service helps organisations:

  • Manage and respond to complex SARs
  • Review large volumes of information
  • Apply lawful exemptions where appropriate
  • Prepare compliant responses
  • Reduce the operational burden of information requests

With the addition of CCTV redaction capabilities, we now provide a fully comprehensive service covering every type of personal data disclosure.


Types of Footage We Can Redact

Our technology and consultants can support with redaction across a wide range of visual data sources, including:

  • CCTV systems
  • Body worn cameras
  • Dash cameras
  • Mobile phone video recordings
  • Security camera systems
  • Incident recordings

This service is particularly valuable for organisations operating in sectors such as:

  • Housing
  • Retail
  • Healthcare
  • Education
  • Transport
  • Local government

Secure Processing and Chain of Custody

Handling video containing personal data requires strict security controls.

Our redaction platform maintains a secure chain of custody, ensuring organisations maintain full visibility over how footage is processed.

This includes:

  • Controlled access to video files
  • Secure processing environments
  • Traceable redaction actions
  • Secure storage and sharing

All processing is designed to align with the requirements of the UK GDPR and data protection best practice.


When Organisations Need CCTV Redaction

While CCTV redaction is most commonly required for Subject Access Requests, organisations may also require redaction when:

  • Sharing footage with regulators
  • Providing evidence to legal teams
  • Publishing footage publicly
  • Using footage for training or investigations
  • Responding to information rights requests

In all cases, organisations must ensure that third party personal data is protected before footage is disclosed.


Speak to Our SAR Specialists

If your organisation needs support responding to a Subject Access Request involving CCTV footage, our team can help.

Data Protection People combine expert data protection consultants with advanced redaction technology to ensure requests are handled quickly, securely and in full compliance with the law.

Speak to an expert today to discuss your CCTV redaction requirements.

STAIRs Readiness Assessment

STAIRs Readiness Assessment for Housing Providers

The upcoming Social Tenants Access to Information Requirements (STAIRs) will introduce new expectations for housing associations to improve transparency and make key information more accessible to residents.

From October 2026, housing providers will be expected to proactively publish specific organisational information for tenants. From April 2027, organisations will also need to respond to formal tenant requests for information about how their homes are managed.

For many housing providers, this represents a significant operational change. Publication schemes, internal processes, governance documentation, and tenant communication procedures may all need reviewing to ensure the organisation is ready.

To support housing associations through this transition, Data Protection People has developed a structured STAIRs Readiness Assessment designed specifically for the housing sector.

Supporting Housing Providers Through STAIRs

Our team works closely with housing associations across the UK to support transparency obligations, information governance, and tenant data rights.

Following a recent STAIRs event hosted in Leeds, we worked with housing professionals to explore how the requirements will impact organisations of different sizes and structures.

During the session, housing providers raised practical questions about publication schemes, tenant information access, and how internal teams should prepare for the new rules.

We have published a full resource covering those discussions which you can explore here:

Frequently Asked Questions – STAIRs

Building on this work, our consultants have developed a dedicated STAIRs Readiness Assessment to help organisations identify gaps and prepare their teams ahead of implementation.

What is a STAIRs Readiness Assessment?

The STAIRs Readiness Assessment is a structured review designed to help housing associations understand how prepared they are for the upcoming transparency requirements.

The assessment examines your organisation’s current policies, governance documentation, information management processes, and tenant communication practices.

By the end of the process, you will have a clear understanding of:

  • Where your current processes align with STAIRs expectations
  • Where potential compliance gaps exist
  • What actions should be prioritised before the 2026 and 2027 implementation dates
  • How tenant information requests may be managed in practice

This ensures your organisation can begin preparing early, rather than reacting once the requirements become mandatory.

Our Three Phase STAIRs Readiness Process

Phase 1 – Policy and Documentation Review

A specialist consultant will review your existing documentation related to transparency, governance, and information handling.

This includes policies, procedures, and any information currently published for tenants.

The goal of this phase is to identify potential gaps between your current practices and the expected STAIRs publication requirements. This may include areas such as governance documentation, organisational performance reporting, and housing management information that tenants may expect to access.

The review also considers how your existing transparency documentation aligns with the proposed Publication Scheme approach expected under STAIRs.

Phase 2 – Leadership Interviews

We will conduct structured discussions with key leaders within the organisation.

This typically includes teams responsible for:

  • Housing operations
  • Compliance and governance
  • Communications and tenant engagement
  • Information governance and data protection

The purpose of these interviews is to understand how information about tenant services, policies, decisions, and organisational performance is currently managed and shared.

We also assess how easily this information could be provided if tenants submit requests once STAIRs is fully implemented.

Phase 3 – Reporting and Recommendations

Following the assessment, you will receive a comprehensive summary report outlining the findings.

This report highlights:

  • Priority actions to prepare for STAIRs compliance
  • Potential risks linked to transparency and information access
  • Recommendations for proactive publication of tenant information
  • Guidance on managing tenant information requests
  • A breakdown of how remediation activities can be implemented

The final report provides your leadership team with a clear roadmap for preparing the organisation before the new requirements come into effect.

Why Housing Providers Should Start Preparing Now

Although STAIRs requirements will not fully come into force until 2026 and 2027, the changes may require significant organisational preparation.

Housing providers may need to review publication processes, governance transparency, tenant communication channels, and internal procedures for responding to information requests.

Early preparation allows organisations to:

  • Reduce compliance risk
  • Improve transparency with residents
  • Align governance and communication processes
  • Prepare staff for new tenant information access expectations

By identifying potential gaps early, housing providers can introduce improvements gradually rather than under regulatory pressure.

Speak to Our Housing Sector Team

Our consultants regularly support housing associations with information governance, transparency requirements, and tenant data rights.

If you would like to explore how the STAIRs Readiness Assessment could support your organisation, our team would be happy to discuss the process and what preparation may look like for your housing provider.

You can also explore our sector resources and STAIRs guidance through the article below: STAIRs Update for Housing Providers

ICO Guidance on the DUA

ICO Guidance on the Data (Use and Access) Act (DUA): What You Need to Know

The Information Commissioner’s Office (ICO) has released guidance on handling data protection complaints in line with the requirements from the Data (Use and Access) Act (DUAA) which are set to come into force on 19 June 2026.

Whilst most of the reforms brought about by Part 5 of the DUAA took effect on February 5, organisations have longer to prepare for the complaint requirements and the ICO’s guidance supports organisations on achieving best practice ahead of time.

What does the DUAA change regarding data protection complaints?

Whilst the ICO has previously expected organisations to address data protection complaints received from individuals, this has not been backed up by any legal obligation.

Following the changes under the DUAA, individuals now have the legal right to submit a complaint to an organisation about the handling of their personal data and organisations must implement processes and procedures to facilitate this.

What are the key requirements for handling data protection complaints in line with the DUAA and ICO guidance?

The ICO’s latest guidance outlines the following key steps organisations must take to meet the complaint requirements under the DUAA:

  • Provide individuals with a way of making data protection complaints;
  • Acknowledge data protection complaints within 30 days of receipt;
  • Take appropriate steps to respond to complaints without undue delay, including making appropriate enquiries and keeping complainants informed; and
  • Provide people with complaint outcomes without undue delay.

For organisations with existing complaints procedures, only minor changes are likely needed to reflect the DUAA requirements, but organisations lacking an established complaints process will now be expected to implement a substantive procedure.

This article highlights the key areas of focus for organisations in preparation for the DUAA complaints provisions coming into force and summarises recommendations for best practice based on the ICO’s guidance.

What constitutes a data protection complaint?

Not every complaint that is linked to data protection matters constitutes a data protection complaint. Where an individual complains about an organisation’s services or other matters whilst also exercising data protection rights, this does not count; for example, an employee raises a grievance and at the same time makes a subject access request.

The ICO’s guidance clarifies that data protection complaints arise where an individual complains specifically about an organisation’s handling of their personal data, whether this be about the handling of a subject access request (SAR) or quality of data security.

As with other personal data rights requests, individuals do not have to use legal terms or quote the legislation to make a data protection complaint. Where unsure if an individual is making a data protection complaint, organisations should seek clarification.

What must we do to prepare for handling data protection complaints?

Give people a way to make complaints

The starting point is to ensure that your organisation gives people a way to raise a data protection complaint. The ICO’s guidance allows organisations flexibility to choose which channels are most appropriate, whether through a complaint form, email address, telephone number, online portal, live chat facility or in person (if operating offline).

There is no requirement to set up a separate tool for receiving data protection complaints and organisations can rely on existing complaints channels and adapt these to include data protection complaints. As per the ICO’s SAR guidance, individuals are not obliged to follow the set process and can complain using any method of their choice. Nonetheless having a set complaints process is important for accountability.

Organisations with an online presence should also consider how to handle complaints received through social media, bearing in mind that liaising with complainants through social media is not secure and an alternative contact method should be sought.

Those within the scope of the ICO’s Age Appropriate Design Code should satisfy the requirements for handling complaints from children outlined at standard 15 of the Code, ensuring children can easily make and escalate complaints.

Inform people of their right to complain

Organisations are already required to inform individuals of their right to submit a complaint to the Information Commissioner at the point of collection of their personal data through a privacy notice and also when responding to SARs.

Following the DUAA, organisations must now also inform individuals of their right to make a data protection complaint to the organisation itself. Organisations should update privacy notices accordingly to inform data subjects of their right to complain and the organisation’s complaints process including a contact point.

Those processing personal data for law enforcement purposes must also inform individuals of their right to complain at other junctures, including when refusing other rights requests.

Implement a complaints procedure

The ICO’s guidance makes clear that for best practice, organisations should implement a complaints procedure if they do not already have one. It should use plain language (avoid legal jargon), be published online and be made available to individuals at the earliest opportunity to ensure they are aware of how to raise complaints.

It is recommended that a written process includes the set method for receiving complaints; the supporting evidence needed to investigate; the proof of ID and third-party authority accepted as well as information on communicating timescales (acknowledgement within 30 days), updates and outcomes.

Whilst it is acceptable to integrate data protection complaints into overarching complaints procedures and a standalone process is not required, organisations must ensure outcomes are issued on data protection complaints without undue delay. So, when responding as part of a wider complaint connected to other issues, if able to provide an outcome on the data protection aspect sooner, you must do so.

Review record keeping and training

Guidance on record keeping reiterates not only the importance of having up-to-date, clearly organised and labelled systems so information can be found quickly and effectively, but also the need to provide evidence of the following:

  • Date complaints were received
  • Acknowledgements sent
  • Relevant conversations and documents
  • Complaint outcomes
  • Actions taken as a result

Not only does strong record keeping support compliance with the Art.5(2) UK GDPR Accountability principle by demonstrating compliance should the ICO or other industry bodies investigate, it is also beneficial for identifying recurring trends and underlying compliance issues.

In terms of training, all staff should as part of their overall data protection training be brought up to speed on recognising data protection complaints and knowing where to direct complaints internally when received.

Review Joint Controller and Processor arrangements

For Joint Controllers, emphasis is on having transparent arrangements in place given the timescale starts as soon as the complaint is received by a Controller so all parties must be clear on what to do, including in terms of:

  • whether to have a central point of contact for complaints,
  • how to inform people of where to complain and
  • responsibilities for investigating complaints and liaising with complainants.

Controller-Processor data processing agreements should cover arrangements for handling data protection complaints. The typical role of Processors remains to provide assistance, including on complaint investigations and by supplying relevant information, with Controllers retaining the obligation for complaint handling.

How do we ensure best practice in the end-to-end process?

Acknowledging the complaint

You must acknowledge receipt of a data protection complaint within 30 days and the ICO’s guidance clarifies that an auto-acknowledgement will suffice.

This timeframe begins the day after the complaint is received, even if this falls on a weekend or public holiday. However, if the last day to acknowledge falls on a weekend or public holiday, you have until the next working day.

A practical approach is emphasised. For instance, there is no need to provide an acknowledgement and outcome separately if you are able to provide a complaint outcome within 30 days, and an additional acknowledgement is not needed if you are contacting the complainant to ask for proof of ID.

The same complainant ID and third-party authority verification protocols apply as for other personal data rights requests, meaning you should:

  • seek proof of ID at the earliest opportunity if in doubt
  • not request further evidence if already in possession of sufficient information
  • verify third party authority by requesting power of attorney or a signed letter of authority from the complainant they are acting on behalf of; and
  • abstain from investigating the complaint until valid authority is received.

Conducting the investigation

Organisations must make enquiries into data protection complaints without undue delay, starting from when the complaint is received and not after the 30 day acknowledgement period ends.

This process generally involves fact finding, speaking to relevant staff, comparing the complaint information with that held and checking if organisational standards were upheld, and the ICO’s guidance recommends asking the complainant for more information if necessary as well as managing their expectations.

The ICO’s guidance recognises that complaints will vary in complexity, scale and harm, meaning a blanket timeframe for resolving complaints is not expected. Instead, focus should be on the specific circumstances of the complaint (and your organisation) and making reasonable and proportionate enquiries based on this.

Providing updates and outcomes

Giving timely progress updates to complainants is emphasised in the ICO’s guidance, with the priority on explaining timeframes for resolution and any expected delays.

As with investigating complaints, outcomes must also be issued without undue delay, which according to the guidance means ‘without an unjustifiable or excessive delay.’ Outcomes should include an explanation of the steps taken to resolve the complaint and the actions taken as a result, and where you think you have complied with data protection law this should be explained in detail.

An internal review process for complainants unhappy with the outcome is recommended. It is also best practice to inform individuals of their right to complain to the ICO, which they may do at any point notwithstanding any internal review process.

Conclusion

The complaints requirements introduced by the DUAA can be viewed as formalising what the ICO has long expected from organisations in terms of addressing data protection complaints. The standards emphasised in the ICO’s latest guidance on complaints largely mirror those expected when handling other personal data rights requests.

Indeed, the ICO will be aiming for a reduction in the number of complaints brought to it following the DUAA changes. The regulator has an established policy of diverting complaints to organisations in the first instance where the issue has not previously been raised with the organisation directly, and it now has a legal basis for doing so.

This latest guidance also coincides with the ICO’s publication of its complaint handling framework which is centred on prioritising high-value cases where the ICO can have the most significant impact, an objective more realisable if less time can be spent on lower impact matters and those where internal complaints procedures have not been utilised.

Moving forward, organisations can expect to be held to a higher standard in terms of complaint handling. Not having formal procedures in place will amount to a breach of the DPA, may trigger complaints from data subjects and will be looked on with greater scrutiny by the ICO.

Implementing a formalised end-to-end data protection complaints procedure ensures best practice and will be looked on far more favourably by the ICO should any concerns be raised or investigations initiated. Data Protection People has already supported many organisations in this regard. If your organisation requires assistance in this area, please reach out to us.

How Can Staff Training Prevent GDPR Compliance Failure?

GDPR compliance failure can have a huge impact on your business. It could lead to data breaches, fines and regulatory action. Not to mention the effect it might have on your reputation. 

Compliance failure can be easily prevented through robust staff training. In this article, we’ll discuss why staff training needs to be your business’s front line of defence and how it reduces the risk of non-compliance. 

How Does Training Prevent Common GDPR Compliance Failures?

Policies alone are not enough to ensure compliance. Without staff understanding, you are leaving your organisation vulnerable. GDPR training is the best way to make sure all of your employees have the understanding they need to help protect your business against non-compliance, data breaches and enforcement action from regulatory bodies. 

How Does GDPR Training Improve Breach Detection and Reporting?

Effective GDPR training raises awareness of what data breaches are, how to recognise them and what to do when they occur. From phishing attacks to misdirected emails and insecure data sharing, training reduces the likelihood of a data breach happening in the first place, and encourages early internal reporting. It also reduces regulatory risk through a timely incident response.

How Does GDPR Training Reduce Personal Data Misuse?

Your business probably handles personal data in one way or another. But do your staff recognise what personal data is, and what they’re allowed to do with it? GDPR training clarifies what lawful bases the business has for handling personal data, and what the limits of use are. 

It prevents function creep and unauthorised processing (like using existing data for marketing unrelated products or using fire security sign-in data to track employee attendance), reinforcing data minimisation in everyday tasks. 

How Does GDPR Training Support Data Subject Rights Requests?

Along with personal data handling comes Data Subject Access Requests (SARs). Through GDPR training, your staff will understand what access, erasure or rectification requests actually look like, and how to handle them. 

They’ll be able to prevent non-compliance through missed deadlines or unlawful refusals. Proper training will ensure that they handle SARs properly, rather than simply improvising because they don’t know any better. 

How Does Training Improve GDPR Decision-Making?

One of the most important ways that effective GDPR training prevents non-compliance is by equipping staff to apply GDPR principles consistently. 

Ensuring that all staff are trained, preferably in a practical, scenario-based way, leaves them empowered and confident in how their roles contribute to your organisation’s compliance.

Why is Ongoing GDPR Training Best?

Ongoing training, rather than a one-off session, is best because it ensures your staff stay up to date with the latest regulations, threats, and system or policy changes. It also means that any new staff are as compliant as older ones. 

The benefits of ongoing refresher training include fewer incidents, stronger audit evidence and improved customer trust. Robust GDPR training is both a tool for compliance and business resilience – it shouldn’t be a box-ticking exercise. 

Train Your Staff With Data Protection People

GDPR compliance failure is preventable, and proper training should be the first line of defence. At Data Protection People, we provide bespoke data protection training that’s created and delivered by a team of experts. With us, your team can learn remotely, in-person or via e-learning with CPD-accredited courses that genuinely reduce the risk of non-compliance. 

Book your GDPR training with us today.   

 

Reddit fined for children’s privacy failures 

Reddit issued with £14.47m fine for children’s privacy failures 

Last week the UK Information Commissioner’s Office (ICO) fined Reddit £14.47 million for unlawfully processing children’s personal data. And the problem here was that children under 13 were able to use the platform for years while Reddit relied mainly on users simply ticking a box to confirm their age. The ICO investigation found two core failures: 

 As a result, children under 13 had their personal data processed without a lawful basis and were potentially exposed to content they should never have seen. 

What happened?  

Reddit’s terms of service have long stated that children under 13 cannot use the platform. However, until July 2025, Reddit did not have meaningful measures in place to check users’ ages; people could open an account by declaring their age themselves. The ICO found that large numbers of under-13s were likely using the platform during this period, meaning their personal data was being processed without a lawful basis. 

 Even more concerning was the lack of early risk assessment: Reddit had not carried out a Data Protection Impact Assessment looking properly at risks to children until 2025 – despite allowing teenagers aged 13–17 to use the service.  

 According to the ICO, this meant children’s data was collected and used in ways they could not reasonably understand or control, potentially exposing them to harmful or inappropriate content. 

Reddit has since introduced age assurance measures, including checks for access to mature content, but the ICO has made it clear that these changes came late and remain under review.

This is a great example for us to consider around age verification mechanisms. For ages, much of the internet relied on the self-declaration method: “please confirm you are over 13”. It seems reasonable enough to say that everyone (children, parents and organisations) was aware of how easy this was to bypass… and the big problem was the enforcement and its slow interference – many organisations convinced themselves that putting age limits in terms and conditions was enough and self-declaration is sufficient.

On this, the ICO’s message is clear: relying mainly on users to declare their own age is not acceptable where children are likely to access a service – and this should go beyond social media: gaming platforms, forums, apps, online communities.

Age verification 

I had the chance to explore this topic within my research for my thesis dissertation and I can easily say that one of the challenges organisations face is that stronger age checks can appear to conflict with data protection principles – for example, uploading passports to join an online community is excessive and this would come with its own risks. This is why I find the approach discussed by the Irish Data Protection Commission particularly helpful: rather than pushing one technical solution, it focuses on proportionate, risk-based age assurance: the higher the risk to children, the stronger the assurance needed.

Not every service needs the same level of verification, but every organisation should be able to explain what risks to children exist, how likely access by children is and why the chosen safeguards are appropriate.  

 The ICO made it clear that it is now actively focusing on platforms that primarily rely on self-declaration – which means that Reddit is unlikely to be the last case… 

Conclusion and takeaway 

I actually welcome this decision; not because fines are the main goal (as they rarely solve problems on their own, particularly for these big companies) but because the clarity that they bring helps organisations move forward and to think about their own practices.  

 I think that for too long, there has been uncertainty around how far companies needed to go when it came to age checks and, at the same time, regulators and industry need to work together to avoid turning age assurance into mass identification or unnecessary data collection.  

 Links:  

https://cy.ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/02/reddit-issued-with-1447m-fine-for-children-s-privacy-failures/  

https://www.theguardian.com/technology/2026/feb/24/reddit-fined-uk-children-under-13-data 

https://www.dataprotection.ie/en/dpc-guidance/fundamentals-child-oriented-approach-data-processing  

Data Protection in the Sporting Industry


Professional sport is built on performance, trust and loyalty, both on and off the field. Behind the scenes, however, modern sporting organisations are responsible for managing significant volumes of personal data belonging to players, staff, supporters, partners and wider communities. From ticketing systems and membership databases to athlete performance analytics and safeguarding records, the scope of personal data processed across the sporting sector continues to grow year on year.

In my role as Sales Team Leader at Data Protection People, and as someone with a genuine passion for professional sport, I have had the opportunity to work alongside specialist consultants to support organisations across the sector in strengthening their approach to data protection. Over the past few years, we have worked with an impressive portfolio of clients including Leeds United, England Netball, the RFU, Formula One affiliated organisations, and sports software providers such as Goodform.

Through these engagements, a number of consistent trends have emerged.

Increasing Volumes of Personal Data

Sporting organisations are now operating in highly digitised environments. Matchday ticketing, fan engagement platforms, biometric athlete monitoring, media accreditation, safeguarding responsibilities and commercial partnerships all rely on the collection and processing of personal data.

For many organisations, this has resulted in a shift from relatively simple data processing activities to far more complex ecosystems involving:

  • Third party ticketing providers
  • Performance analytics platforms
  • Medical and rehabilitation records
  • Recruitment and scouting databases
  • Sponsorship and commercial partner integrations
  • Community engagement and grassroots initiatives

With this increased complexity comes increased responsibility, particularly where sensitive or special category data is concerned.

Lessons from Recent Incidents

Over the last 12 months, the UK football landscape has seen a number of high profile cyber and data related incidents that demonstrate the risks facing sporting organisations.

Clubs across both the Premier League and English Football League have reported attempted phishing campaigns targeting staff email accounts, with attackers seeking access to internal communications and commercially sensitive information. In several cases, compromised credentials have resulted in unauthorised access to systems containing player and staff data.

Elsewhere, vulnerabilities within third party platforms used for fan engagement and online ticketing have exposed personal details including names, email addresses and purchase histories. While not always resulting in confirmed breaches, these incidents highlight the potential risks to supporters and the reputational impact that can follow.

For data subjects, these types of events can increase the risk of identity theft, targeted scams and misuse of personal information. For organisations, they reinforce the need for clear governance, supplier due diligence and robust internal processes.

The Rise of Outsourced DPO Support

One of the most common requirements we are seeing across the sporting sector is the need for independent oversight through an Outsourced Data Protection Officer.

Many clubs and governing bodies simply do not have the internal resource or specialist expertise to manage compliance obligations effectively alongside their operational priorities. An Outsourced DPO provides:

  • Independent advice on regulatory responsibilities
  • Support with Data Protection Impact Assessments
  • Guidance on data subject rights requests
  • Oversight of internal policies and procedures
  • Incident response and breach management support
  • Ongoing staff awareness and training

Importantly, this support helps organisations move from reactive compliance to a more structured and proactive approach.

Specialist Support for the Sector

I work closely with our specialist consultant, Oluwagbenga Onojobi, an ex-barrister with a law degree and a particular interest in supporting organisations within the sporting industry. While he is an avid Arsenal supporter, his focus remains firmly on helping clubs, governing bodies and commercial partners across the sector to meet their regulatory obligations and embed best practice.

Together, we support sporting organisations across a range of services including:

Our aim is to help organisations continue to innovate and engage with their supporters, athletes and partners without compromising the security and integrity of the personal data they are entrusted with.

Looking Ahead

As the sporting sector continues to embrace digital transformation, data protection will remain a critical component of organisational resilience. Whether managing supporter databases, safeguarding information or athlete performance data, clubs and governing bodies must ensure that compliance keeps pace with innovation.

At Data Protection People, we are proud to support organisations across the sporting landscape in navigating these challenges and building sustainable compliance frameworks that protect both their operations and the individuals they serve.

By Jordan Joseph-Kerrigan, Sales Team Leader, Data Protection People