Get to Know Caine
Caine is the Manager of the Data Protection Support Desk at Data Protection People and the host of the Data Protection Made Easy podcast. Over the past four years, he has supported organisations across the UK with clear, practical guidance on data protection, drawing on the real‑world challenges raised through the support desk and the conversations he leads on the podcast.
Caine has built a strong foundation in the housing and educational sectors, where he developed a people centred approach to problem‑solving and communication. These experiences continue to shape the way he supports clients, ensuring that complex compliance issues are translated into straightforward, actionable advice.
Earlier in his career, Caine also spent time in professional rugby league with Leeds Rhinos and Castleford Tigers, an environment that strengthened his resilience, discipline, and teamwork.
Whether engaging with clients or facilitating industry wide discussions on the important topics, Caine is committed to making data protection more accessible, more understandable, and easier to get right.
Experience
Caine Glancy is an experienced data protection professional and the Support Desk Manager at DPP, where he has spent years developing a strong and practical understanding of the data protection landscape. Throughout his career, Caine has built a reputation for delivering clear, accessible, and actionable advice to organisations navigating complex regulatory requirements. His work has been particularly focused on supporting housing associations and the education sector, where he has provided guidance on a wide range of issues including FOIA, STAIRs, and day to day data protection challenges.
Caine is known for his ability to simplify intricate legislation and translate it into straightforward, meaningful steps that organisations can confidently implement. His approach is grounded in practicality and clarity, ensuring that clients not only understand their obligations but feel empowered to meet them. This commitment to demystifying data protection has made him a trusted point of contact for organisations seeking reassurance, expertise, and a calm, knowledgeable voice in moments of uncertainty.
Beyond his operational role, Caine is also a co‑host of the Data Protection Made Easy podcast, a growing community platform where professionals come together to discuss emerging issues, share experiences, and explore best practices. Through the podcast, he contributes to open, engaging conversations that help make data protection more approachable for a wide audience. His passion for community learning and accessible guidance continues to shape his work and influence within the sector.
“Good data protection isn’t about saying ‘no’ to everything, it’s about knowing when to say ‘yes’ safely.”
Caine Glancy
Data Protection Support Desk Manager
Caine's Posts
GDPR Radio, S2 Ep2: Data Protection News
Grok, the Online Safety Act, and UK AI Regulation
GDPR Radio is our regular news roundup, where we break down the biggest stories from the world of data protection, privacy, and emerging tech. In this episode, Catarina Santos and Caine Glancy cover early year enforcement activity from the ICO, debate what “valid consent” really looks like in modern digital ecosystems, and explore the growing pressure on social media platforms to protect children online, including age assurance and content moderation.
Listen back on Spotify
Episode highlights
This session covers three big themes that many organisations are grappling with right now.
1) PECR enforcement is back on the agenda
We discuss recent ICO fines linked to unsolicited marketing activity and PECR compliance, including the practical lessons for opt-outs, consent language, and third-party data sources.
2) Third-party marketing lists and the “consent problem”
A key discussion point is what “informed” consent looks like when individuals are presented with long lists of third parties, and whether any approach is truly usable, granular, and easy to withdraw in practice.
3) Social media, under-16s, and age assurance
We explore the UK conversation about restricting under-16 access to social media, and the operational reality behind age verification, predictive age estimation, and the privacy and security risks that can come with them.
Key takeaways for organisations
- If your marketing activity relies on PECR, ensure opt-out routes are clear and effortless, and your lawful basis and consent language stand up to scrutiny.
- If you use third-party data, check what individuals were actually told, what they agreed to, and whether withdrawal can realistically be managed.
- If you operate services used by children or young people, start stress-testing your age assurance approach now, including supplier due diligence, security, and data minimisation.
- When new tech risks emerge, reactive fixes often fall short; governance and risk management need to be built in from day one.
Useful links
Related from Data Protection People
- STAIRs event, 5 February, Leeds (limited tickets remaining)
- Upcoming session: DPIAs that actually protect people
- SARs content and events coming soon, plus an upcoming article on weaponising SARs and recent ICO guidance
About GDPR Radio
GDPR Radio is part of the Data Protection Made Easy podcast. Join live to ask questions, share views in the chat, and keep up with what’s happening across regulation, enforcement, and practice.
Speakers
Catarina Santos, Data Protection Consultant, Data Protection People
Caine Glancy, Data Protection Consultant, Data Protection People
STAIRs: What Housing Associations Need to Know
Social Tenant Access to Information Requirements (STAIRs): What Housing Associations Need to Know
From October 2026, social housing providers in England will face a new statutory transparency framework known as the Social Tenant Access to Information Requirements, commonly referred to as STAIRs. The regime introduces formal rights for tenants of housing associations and other private registered providers to access information about how their homes and services are managed.
STAIRs represents a significant shift for the sector. While transparency has long been encouraged through good governance and tenant engagement, STAIRs makes information access a legal requirement, with defined timescales, oversight, and routes of escalation.
Housing providers now have a clear window to prepare. The decisions made over the next 12 to 18 months will shape how smoothly organisations adapt to this change.
What is STAIRs and why was it introduced?
STAIRs was created to address an imbalance in tenant information rights across the social housing sector.
Tenants renting from local authorities already benefit from the Freedom of Information Act 2000. This allows them to request recorded information about repairs, spending, decision making, policies, and service performance.
Most housing associations, however, are private registered providers and are not subject to FOIA. As a result, their tenants have historically relied on data subject access requests under data protection law, which only provide access to personal data, not wider operational or service information.
STAIRs closes this gap by introducing a sector specific transparency regime. Rather than extending FOIA to housing associations, it creates a tailored framework that focuses on the management of social housing while recognising the need to protect personal data, confidential material, and third party information.
As Catarina Santos, Data Protection Consultant Manager, explains:
“STAIRs is not about opening the floodgates to unrestricted disclosure. It is about giving tenants meaningful visibility of how their homes and services are managed, while ensuring information is handled lawfully, consistently, and with appropriate safeguards in place.”
Importantly, STAIRs does not replace or override existing data protection law. UK GDPR and the Data Protection Act 2018 continue to apply in full. Providers must balance transparency with their ongoing legal obligations around privacy, confidentiality, and security.
How the STAIRs framework works
STAIRs is built around two core obligations, each with its own timeline and operational impact.
Chapter 1: Publication schemes
Deadline: 1 October 2026
By October 2026, all registered providers of social housing must have a compliant publication scheme in place. This is the first major milestone under STAIRs.
A publication scheme sets out what information a provider proactively makes available and how tenants can access it.
What information must be published?
STAIRs does not require providers to create new records. Instead, it focuses on publishing appropriate information that is already held, including:
- Governance and decision making, such as organisational structures, policies, consultation arrangements, and relevant meeting papers
- Spending and financial information, including grants and the use of service charge income
- Housing stock management, including maintenance programmes, planned works, and progress towards net zero commitments
- Performance information, such as Tenant Satisfaction Measures, complaints data, inspection outcomes, and regulatory ratings
- Housing services, including service descriptions and practical guidance for tenants
- Statutory lists and registers connected to social housing management
Accessibility and tenant awareness
Publication schemes must be easy to find and clearly communicated. Providers are expected to signpost them through websites, tenant handbooks, and regular communications.
Maintenance and redaction
Published information must be kept under review. Out of date material should be updated or replaced, and new information added where relevant.
Redactions are permitted where appropriate and reasonable, but decisions must be justifiable and applied consistently.
Complaints and escalation
If a tenant believes information has been wrongly withheld from the publication scheme, they can complain to the provider. Providers must respond within 30 calendar days. If the issue remains unresolved, tenants can escalate to the Housing Ombudsman.
Chapter 2: Requests for information
Effective from April 2027
From April 2027, tenants will have a legal right to request information relating to the management of social housing.
What information can be requested?
Requests may cover information about:
- Rent and service charges
- Repairs and maintenance
- Estate and communal area management
- Complaints handling and performance
- Health and safety
- Staffing and training
- Environmental and energy efficiency performance
Requests must relate to a provider’s social housing functions.
Who can make a request?
Requests can only be made by a tenant or a nominated representative acting on their behalf. Requests must be made in writing, and the applicant’s identity must be clear.
Response times and handling
Providers must respond promptly and no later than 30 calendar days after receiving a valid request. Extensions are only permitted in limited and exceptional circumstances.
Where information is already available via the publication scheme, providers may direct tenants to that material.
If relevant information is held by a managing agent or third party, providers are expected to make reasonable efforts to obtain and disclose it.
As Caine Glancy, Data Protection Support Desk Manager, notes:
“One of the biggest practical challenges we see is distinguishing between what should already be published and what genuinely requires a bespoke response. Clear internal processes and staff confidence are essential to avoid delays and inconsistencies.”
Grounds for refusal
Requests may be refused where:
- Disclosure would be likely to cause harm, excluding reputational harm
- The requester’s identity cannot be verified
- The request is unclear, irrelevant, abusive, repeated, or coordinated
- Compliance would exceed 18 hours of staff time
Providers must publish a clear policy explaining how refusal decisions are assessed and recorded.
Data protection and STAIRs: Getting the balance right
STAIRs introduces enforceable transparency obligations, but it does not dilute data protection responsibilities.
Personal data, sensitive information, and third party material must still be handled lawfully, fairly, and securely. This makes governance, data classification, and redaction standards critical. In practice, redaction has to happen at the data layer: remove the text, hidden spreadsheet columns, tracked changes, comments and document metadata rather than drawing a box over the content, because overlays and hidden cells are trivially recoverable by the recipient.
Housing providers that already have strong information governance frameworks will be better placed to adapt. For others, STAIRs highlights gaps that may not previously have been visible.
Learning from early adopters in the housing sector
Some housing associations have already begun preparing for STAIRs by mapping their information holdings, reviewing governance documentation, and trialling publication scheme structures.
At the upcoming STAIRs session on 5 February, practical insight will be shared by Sian Green from Yorkshire Housing, one of the organisations that moved early to understand the operational impact of the standard.
This perspective is particularly valuable for providers that are now starting their own STAIRs journey and want to understand what preparation looks like in practice rather than theory.
What housing providers should be doing now
Although the first formal deadline is October 2026, effective preparation takes time. Key early steps include:
- Building internal awareness of what STAIRs is and how it differs from data protection rights
- Identifying information that is likely to fall within the publication scheme
- Reviewing existing governance, complaints, and information handling processes
- Clarifying ownership for STAIRs compliance across teams
- Considering how tenants will be informed about their new rights
Early action reduces the risk of rushed implementation and helps embed transparency into day to day operations rather than treating STAIRs as a last minute compliance exercise.
Join the STAIRs discussion on 5 February
STAIRs raises practical questions that go beyond legislation, from handling complex requests to maintaining publication schemes over time.
On 5 February 2026, Data Protection People will be hosting a live STAIRs session featuring Catarina Santos, Caine Glancy, and special guest Sian Green from Yorkshire Housing. The session will explore real questions being raised by housing associations across the UK and how providers can prepare confidently and proportionately.
The session will be recorded, and access to the information shared by the speakers will be made available afterwards. However, those who join live will have the opportunity to hear the discussion as it happens and engage with the issues in real time.
For housing providers navigating STAIRs, this session offers a chance to deepen understanding, learn from peers, and stay ahead of the standard.
If you would like to join us live for this in-person session, you can secure your ticket on the event page: The Next Step: Preparing for STAIRs.
Lessons For Data Retention
Santa’s Naughty List, Lessons For Data Retention
Data Protection Made Easy Podcast, Episode 228 – Hosted by Caine Glancy and Special Guest Katarina Douni
This week’s episode takes a festive look at one of the most common challenges in data protection: knowing what to keep, what to delete, and what to safely archive. Inspired by Santa’s famous naughty list, Caine Glancy and first-time guest host Katarina Douni lead a lively discussion on data retention, storage limitation, and the practical steps organisations can take to stay compliant without holding information for longer than needed.
Katarina joined the podcast for her debut session and quickly set the tone with a clear message: many organisations continue to struggle with retention. She explored why data decisions matter, how retention periods should be approached, and why email is often the biggest culprit for uncontrolled storage. The session sparked strong engagement from our live audience, and the chat was filled with questions, examples, and shared challenges around retention, erasure, and day to day pressures inside busy teams.
Caine and Katarina walked listeners through common problems such as the overuse of email as a filing system, storing information long after its purpose has expired, and the difficulty teams face when deciding how long is long enough. They also discussed the risks of under-collecting or over-collecting information, the impact this has on storage limitation, and how organisations can simplify their retention rules to reduce confusion and avoid unnecessary risk.
As always, the live chat added a valuable layer to the discussion. Attendees shared their own retention periods, debated tricky scenarios, and raised questions that pushed the session further. The interactive nature of the podcast remains one of its key strengths and gives practitioners the chance to test ideas, compare approaches, and learn from each other in real time.
This episode is ideal for anyone who handles personal data, manages email systems, or oversees compliance. It provides clear explanations, relatable examples, and practical steps that can be applied immediately. With year end approaching, the timing could not be better for organisations reviewing their retention schedules or tackling email backlogs.
If you listened back on Spotify and want to join a future episode live, you can request an invite by emailing info@dataprotectionpeople.com. Live attendees can take part in the chat, ask questions, and access the deeper insight that comes from community discussion.
We host Data Protection Made Easy every Friday at 12:30 and new listeners are always welcome. Our community continues to grow each week with hundreds joining live and many more tuning in through audio platforms.
If you work in the housing sector, you may also be interested in our upcoming in person STAIRs event taking place on the 5th of February. Details can be found on our website and on LinkedIn.
Listen below and enjoy this festive and practical dive into data retention.
EDPS v SRB: What It Means for Subject Access Requests
EDPS v SRB and Pseudonymisation: What It Means for Subject Access Requests
The recent judgment in EDPS v SRB (Case C-413/23 P, EU:C:2025:645) changes how we think about personal data. The court confirmed that opinions and views are personal data when they relate to an identifiable individual. It also ruled that pseudonymisation does not automatically take data outside the scope of data protection law. If your organisation handles Subject Access Requests, you must reassess what you disclose and how you decide whether information is personal.
Why This Matters Now
Organisations rely heavily on pseudonymisation for data sharing and analytics. At the same time, more people are exercising their rights and submitting SARs. The Two Birds article “Can pseudonymisation make data anonymous” explains that removing identifiers does not guarantee anonymity. The CJEU confirmed this point. Pseudonymised data remains personal if you hold the key, or any other means reasonably likely to be used, to re-identify the individual. Only when re-identification is not reasonably likely in practice can you treat it as anonymous. This ruling matters because it affects what you disclose, what you explain in privacy notices, and how you manage third-party sharing. Getting this wrong can lead to complaints and regulatory action.
What’s Changed
The judgment provides two clear answers. First, opinions and comments that relate to a person are personal data. You must treat them as such. Second, pseudonymised data stays within scope when you hold re-identification keys or other means to link it back. A recipient who cannot realistically re-identify may treat it as anonymous, but only after checking risk carefully. The Two Birds article stresses that true anonymity is rare. You must consider technology, cost, time, and available information. These factors can change over time, so reviews should be ongoing.
Impact on Data Protection and SARs
This case has a direct impact on Subject Access Requests. When a person asks for their data, you must include any opinions or feedback about them unless an exemption applies (for example, where disclosure would reveal information about another identifiable person). You must also check pseudonymised data and disclose it if you can re-identify the subject. Your privacy notices must explain what happens to the data you collect, including sharing with third parties in pseudonymised form. Clear notices build trust and show compliance. You must also assess identifiability using real-world conditions, not theory. If re-identification is reasonably likely, treat the data as personal and respond to the SAR.
What You Should Do Now
Start by reviewing your SAR process. Make sure your teams treat opinions as personal data and include them in disclosures where no exemption applies. Map where you use pseudonymisation. Record who holds keys and how you control access. Update your privacy notices so people know when you share data and how you protect it. Train staff on assessing identifiability using practical tests. Keep a record of each decision where you exclude pseudonymised data from a SAR. When in doubt, disclose or seek advice. You can also run a GDPR audit to test your process and identify gaps. Data protection training helps teams apply the rules consistently and with confidence.
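The key-holding test above is easier to see with code. The following is an added example written for this page, not code from the article, from Bird & Bird, or from the judgment. It uses constructed appraisal records about two fictitious employees and an assumed HMAC-based pseudonymisation scheme: the controller keeps the key and can therefore pull a requester’s records into a SAR response, a recipient without the key cannot reverse the tokens, but an unkeyed hash of an email address falls to a simple candidate-list attack and so is not anonymisation.

```python
"""Keyed pseudonymisation and the 'who holds the key' test.

Constructed example. Three appraisal comments about two employees are
pseudonymised before being shared with an outside reviewer. The
controller keeps the HMAC key, so it can re-identify the subject and
must include these records in a SAR response. The recipient cannot
recompute tokens without the key, but an unkeyed hash of an email
address is reversible from any list of plausible addresses.
"""
import hashlib
import hmac
import secrets

# Constructed sample data. The 'comment' fields are opinions about the
# person named, so they are that person's personal data (EDPS v SRB).
RECORDS = [
    {"email": "alice@example.org", "comment": "Strong performer, ready for promotion."},
    {"email": "bob@example.org", "comment": "Missed two deadlines this quarter."},
    {"email": "Alice@Example.org", "comment": "Needs support with time management."},
]


def normalise(identifier):
    """Canonicalise the identifier so one person always maps to one token."""
    return identifier.strip().lower()


def pseudonym(key, identifier):
    """Deterministic keyed token (HMAC-SHA256): same key + same input -> same token."""
    return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Replace the direct identifier with a keyed token; the email is not kept."""
    return [{"subject": pseudonym(key, r["email"]), "comment": r["comment"]} for r in records]


def records_for_sar(pseudo_records, key, requester_email):
    """Controller-side check: with the key, recompute the requester's token and
    collect every comment that relates to them. Because this lookup works, the
    dataset is personal data in the controller's hands and is in scope for the SAR."""
    token = pseudonym(key, requester_email)
    return [r["comment"] for r in pseudo_records if r["subject"] == token]


def unkeyed_hash(identifier):
    """What a plain SHA-256 'anonymisation' of an email address produces."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def reverse_unkeyed(hashes, candidates):
    """Motivated-intruder test: a recipient holding only a list of plausible
    addresses (a staff directory, a breach dump) maps hashes back to people."""
    table = {unkeyed_hash(c): c for c in candidates}
    return {h: table.get(h) for h in hashes}


def reverse_keyed(tokens, candidates, guessed_key):
    """The same attack against keyed tokens without the real key finds nothing."""
    table = {pseudonym(guessed_key, c): c for c in candidates}
    return {t: table.get(t) for t in tokens}


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # held by the controller only
    shared = pseudonymise(RECORDS, key)    # what the outside reviewer receives
    print("SAR from alice:", records_for_sar(shared, key, "alice@example.org"))
    directory = ["carol@example.org", "alice@example.org", "bob@example.org"]
    print("unkeyed hashes reversed:",
          reverse_unkeyed([unkeyed_hash(r["email"]) for r in RECORDS], directory))
    print("keyed tokens reversed:",
          reverse_keyed([r["subject"] for r in shared], directory, b"not-the-key"))
```

Two points follow from running this. First, the record of “who holds keys” the article asks for is exactly the list of parties that can call records_for_sar successfully; for them the dataset is personal data. Second, even keyed tokens are consistent per person, so the recipient can still single out one individual across records and, with enough auxiliary data, may identify them; that residual risk is what the identifiability assessment has to weigh before the recipient treats the data as anonymous.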
Our View
We welcome this judgment because it gives clarity. Opinions are clearly personal data, and pseudonymisation is not a free pass. The question is always whether you can identify the person, not what you call the dataset. We recommend a risk-based approach. Treat data as personal unless you have strong evidence that re-identification is not possible. Keep your privacy notices up to date and document your decisions. This approach will reduce risk, speed up SAR responses, and build trust with individuals.
FAQs
Are opinions always personal data for SARs?
Yes. If an opinion relates to a person you can identify, treat it as personal data and consider it for disclosure.
When can pseudonymised data be treated as anonymous?
Only when you cannot re-identify the data subject and re-identification is not reasonably likely in practice. You must be able to show your reasoning.
Do privacy notices need updating?
Yes. You must tell people if you share their data, including in pseudonymised form, and explain how you protect it.
What records should we keep when excluding data?
Keep a short note explaining the context, what re-identification methods exist, why you ruled out identifiability, and who approved the decision.
Contact Us
If you need help improving your SAR process or reviewing pseudonymisation risks, we can support you. Explore our GDPR Audits, Data Protection Training, Data Protection Support, or SAR Support services today.
EU Moves Towards Data Adequacy Agreement with Brazil
Brazil and the EU: One Step Closer to Free and Safe Data Flows
The European Commission has taken the first step towards adopting a data adequacy decision with Brazil. This move would enable the free flow of personal data between the EU and Brazil, offering major benefits for businesses, public authorities, and researchers operating across both regions.
Why This Matters
The Commission’s draft decision concludes that Brazil offers an ‘adequate’ level of data protection, meaning its legal framework, the Lei Geral de Proteção de Dados (LGPD), provides safeguards essentially equivalent to those set out under the EU’s General Data Protection Regulation (GDPR). Once the decision is formally adopted, this mutual recognition will remove barriers for data transfers between the EU and Brazil, creating one of the broadest adequacy frameworks to date.
A Step Toward Global Data Alignment
The decision aligns with the EU’s broader aim to strengthen ties with countries that uphold high standards of privacy and data protection. Brazil is a key international partner, with strong cultural and economic links to Europe. By recognising each other’s frameworks, both sides aim to reinforce consumer trust and digital trade.
Voices from the Commission
Henna Virkkunen, Executive Vice President for Tech Sovereignty, Security, and Democracy, commented: “In these uncertain times, we must work closer to our natural partners. Brazil is evidently one of them.” She added that the mutual adequacy decisions will help bring both economies closer together, benefiting over 670 million people.
Michael McGrath, Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, also welcomed the decision, highlighting Brazil’s robust legal framework for data privacy. He stated: “When personal data is protected, so too are consumer rights, ensuring individuals have control, transparency, and security in their interactions with businesses and services.”
What Happens Next?
The draft adequacy decision will now be reviewed by the European Data Protection Board (EDPB) and will need approval from EU member states. The European Parliament also retains the right to scrutinise the decision. Once this process is complete, the Commission can formally adopt the final adequacy decision.
Like other adequacy decisions, this one will be subject to periodic review to ensure it continues to offer a sufficient level of protection.
What This Means for You
This is great news for organisations involved in international operations with Brazil. It will simplify data flows, reduce the need for Standard Contractual Clauses or Transfer Impact Assessments, and enhance business agility across borders. It also sends a clear signal that robust privacy frameworks support, not hinder, global innovation and cooperation.
Frequently Asked Questions
What is a data adequacy decision?
A data adequacy decision is a ruling by the European Commission confirming that a non-EU country provides data protection that is essentially equivalent to the EU’s GDPR. It allows personal data to be transferred freely to that country without extra safeguards.
Why does the EU want a data adequacy agreement with Brazil?
Brazil has built a strong legal framework for protecting personal data, similar to the GDPR. The EU sees Brazil as a key economic and political partner, and mutual adequacy will simplify data transfers while maintaining high privacy standards.
How will this benefit UK businesses?
Not directly. An EU adequacy decision covers transfers from the EU, not from the UK, which are governed by UK GDPR and the Data Protection Act 2018. The UK would need to make its own adequacy regulations for Brazil, which is likely to follow. Until then, UK organisations transferring personal data to Brazil still need the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with a transfer risk assessment.
Is the EU–Brazil adequacy decision final yet?
No. The draft decision is currently under review by the European Data Protection Board, EU member states, and the European Parliament. It will become final once it passes through the formal adoption process.
Need help understanding how this impacts your organisation? Our consultancy team can support you in navigating international data transfers, assessing adequacy decisions, and updating your data transfer mechanisms. Contact us today to find out how we can help.
EU-US Data Transfers Update
Schrems I: The Ruling That Shook EU-US Data Transfers
Published in: International Data Transfers | Case Law Spotlight
In October 2015, the Court of Justice of the European Union (CJEU) issued a landmark judgment that changed the landscape of international data transfers. Known as the Schrems I ruling, the decision invalidated the EU-US Safe Harbour framework, a mechanism used by thousands of organisations to lawfully transfer personal data to the United States.
What Was the Schrems I Case About?
The case (C-362/14) began when Austrian privacy advocate Max Schrems filed a complaint with the Irish Data Protection Commissioner. He argued that the United States did not provide adequate protection for personal data, especially in light of revelations made by Edward Snowden about mass surveillance by US authorities, including the NSA.
At the time, data transfers between the EU and the US were permitted under the Safe Harbour agreement, a framework approved by the European Commission in 2000. Facebook Ireland, like many other organisations, relied on Safe Harbour to transfer EU user data to servers in the US.
The Court’s Judgment
On 6 October 2015, the CJEU ruled that the Safe Harbour decision was invalid.
The Court held that:
- Safe Harbour did not provide an essentially equivalent level of protection as required by EU data protection law.
- US national security and law enforcement interests overrode privacy rights and allowed public authorities to access EU data without clear limitations.
- EU citizens had no effective judicial remedy to challenge misuse of their data in the US.
- The decision restricted the powers of national supervisory authorities (like the Irish DPC), which was contrary to EU law.
As a result, the Safe Harbour framework was struck down with immediate effect. This ruling forced thousands of companies to reconsider how they handled cross-border data flows.
Why Schrems I Still Matters
This case wasn’t just about Facebook. Schrems I was a turning point for international data transfer governance. It established that:
- The European Commission’s adequacy decisions can be challenged and overturned.
- Surveillance practices and lack of judicial redress in third countries undermine adequacy.
- National regulators have a duty to act, even in the presence of a Commission decision.
Schrems I also set the stage for two major developments:
- The creation of the EU-US Privacy Shield, which would later be invalidated in Schrems II (C-311/18, 16 July 2020).
- The increased use of Standard Contractual Clauses (SCCs) and the need for Transfer Impact Assessments (TIAs).
Key Takeaways for UK Organisations
Although this was an EU ruling, the implications still affect UK-based organisations under UK GDPR. Any UK company transferring personal data to the US (or other third countries) must ensure that:
- Transfers rest on a lawful mechanism: UK adequacy regulations (including the UK-US Data Bridge for US recipients certified under the EU-US Data Privacy Framework), the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, Binding Corporate Rules, or another Article 46 safeguard
- Where the safeguard is contractual, a transfer risk assessment is carried out and supplementary measures are considered, particularly where US surveillance law applies to the recipient
- They monitor adequacy rulings and legal developments in international data law, since a mechanism that is valid today can be struck down, as Safe Harbour and Privacy Shield were
Need Help With Data Transfers?
Our consultancy team can support you with:
- Transfer Risk Assessments (TRAs)
- Advice Around Appropriate Safeguards
- International Compliance Strategy
Contact us to speak to a data protection expert or explore our international data transfer support.
DUA Act – Part Two
The Data (Use and Access) Act 2025 – Podcast Part Two
On Friday, 18 July 2025, we hosted Part Two of our DUA Act discussion, with over 200 live attendees joining us for a deeper dive into the Data (Use and Access) Act 2025.
Led by Phil Brining and Caine Glancy, this session focused on answering the questions raised in Part One, exploring complex scenarios, and sharing practical advice for professionals preparing for the changes the Act introduces.
If you couldn’t attend live or want to revisit the insights, you can now listen back to the full recording and access the presentation slides shared during the event.
Listen on Spotify
Click below to listen to Part Two on Spotify or search ‘Data Protection Made Easy’ on Apple Podcasts, Audible or any major platform.
Download the Slides
We’ve made the full slide deck from Part Two available to download and share:
Download Part Two Presentation Slides
What We Covered
- Real-life scenarios and case study examples based on DUA Act principles
- Detailed Q&A on legitimate interest balancing tests, soft opt-in rules, and data subject rights
- Compliance challenges and how to overcome them using good governance frameworks
- The DUA Act’s expected impact on privacy management programmes and internal policies
- Preparing your teams, clients, and data flows for the changes ahead
Join the Data Protection Made Easy Community
By joining our free community, you’ll get:
- Early access to upcoming podcast sessions and event invites
- Weekly insights into legislation like the DUA Act and GDPR
- Exclusive downloads including templates, tools, and guides
- Invitations to in-person events across the UK
- Access to session recordings and slides
- A place to ask questions, share experiences, and stay ahead
We’re here to help you transition confidently into the new data protection landscape, making compliance clearer, simpler, and more achievable.
The MoD’s Data Breach
The MoD’s Data Breach: What You Need to Know
A major data breach by the Ministry of Defence (MoD) has come to light, putting thousands of lives at risk and costing the UK government hundreds of millions of pounds. The details were kept under wraps by a super injunction until now.
Here’s what happened, why it matters, and what it tells us about data protection in practice.
What Happened?
In 2022, a serious mistake at the MoD led to the personal details of almost 20,000 Afghan nationals being exposed. These individuals had either worked with or supported British forces in Afghanistan and were applying to a UK relocation scheme called ARAP (Afghan Relocation and Assistance Policy).
The breach involved a spreadsheet, containing a full list of names and other identifying details, that was emailed in error outside official government systems. It is still unclear whether the Taliban ever accessed the list, but the risk to those individuals and their families was significant. Some people named on the list have since been killed, although it is not confirmed whether this was directly linked to the breach.
Despite the gravity of the situation, the British government placed a super injunction on the incident, blocking the press from reporting on it. It has only now been lifted, over three years after the breach occurred.
Why Is This So Serious?
This wasn’t just a case of sending an email to the wrong person or forgetting to BCC a list. It involved identifiable information about people whose lives were already in danger. The exposure has resulted in the relocation of up to 7,000 Afghan nationals to the UK and is expected to cost taxpayers £850 million at a minimum, possibly rising to as much as £7 billion.
Litigation is now underway. One law firm representing over 1,000 victims has criticised the MoD for hiding the breach from the public and delaying accountability. Claimants are now seeking compensation for the harm and distress caused.
What Has the Government Said?
The current Defence Secretary, John Healey, has apologised and said the lack of transparency around the breach was deeply concerning. An internal review played down the ongoing risks, but data protection professionals have rightly questioned that conclusion.
In December 2023 the Information Commissioner’s Office (ICO) fined the MoD £350,000 for a similar breach in September 2021, when emails to 245 Afghan nationals eligible for relocation were sent with the recipients in the ‘To’ field rather than BCC, exposing their identities to each other.
Lessons for DPOs and Data Leaders
This case is a stark reminder of the very real consequences that poor data handling can have, especially when it involves vulnerable individuals. For DPOs, it raises key questions:
- Is your organisation properly training staff on secure communication?
- Are you managing access and visibility of sensitive data?
- Do you have robust breach response plans in place?
- How transparent would you be if a breach happened under your watch?
This incident also reminds us that even the highest levels of government can get it wrong, which is why independent oversight and timely reporting remain critical principles in data protection.
Stay Up to Date with the Latest in Data Protection
At Data Protection People, we’re committed to helping professionals across the UK stay informed, connected, and confident in their roles.
If you want updates like this straight to your inbox or discussed live by industry experts:
- Join our Data Protection Made Easy Podcast
- Subscribe to our free newsletter
- Become part of a growing community of 1,500+ DPOs and data leaders across the UK
We break down complex stories like this every week, helping you cut through the noise and stay ahead of the curve.