“Good data protection isn’t about saying ‘no’ to everything, it’s about knowing when to say ‘yes’ safely.”
Caine Glancy
Data Protection Support Desk Manager
Caine's Posts
GDPR Radio, S2 Ep2: Data Protection News
Grok, the Online Safety Act, and UK AI Regulation
GDPR Radio is our regular news roundup, where we break down the biggest stories from the world of data protection, privacy, and emerging tech. In this episode, Catarina Santos and Caine Glancy cover early year enforcement activity from the ICO, debate what “valid consent” really looks like in modern digital ecosystems, and explore the growing pressure on social media platforms to protect children online, including age assurance and content moderation.
Listen back on Spotify
Episode highlights
This session covers three big themes that many organisations are grappling with right now.
1) PECR enforcement is back on the agenda
We discuss recent ICO fines linked to unsolicited marketing activity and PECR compliance, including the practical lessons for opt-outs, consent language, and third-party data sources.
2) Third-party marketing lists and the “consent problem”
A key discussion point is what “informed” consent looks like when individuals are presented with long lists of third parties, and whether any approach is truly usable, granular, and easy to withdraw in practice.
3) Social media, under-16s, and age assurance
We explore the UK conversation about restricting under-16 access to social media, and the operational reality behind age verification, predictive age estimation, and the privacy and security risks that can come with them.
Key takeaways for organisations
- If your marketing activity relies on PECR, ensure opt-out routes are clear and effortless, and your lawful basis and consent language stand up to scrutiny.
- If you use third-party data, check what individuals were actually told, what they agreed to, and whether withdrawal can realistically be managed.
- If you operate services used by children or young people, start stress-testing your age assurance approach now, including supplier due diligence, security, and data minimisation.
- When new tech risks emerge, reactive fixes often fall short, governance and risk management need to be built in from day one.
Useful links
Related from Data Protection People
- STAIRs event, 5 February, Leeds (limited tickets remaining)
- Upcoming session: DPIAs that actually protect people
- SARs content and events coming soon, plus an upcoming article on weaponising SARs and recent ICO guidance
About GDPR Radio
GDPR Radio is part of the Data Protection Made Easy podcast. Join live to ask questions, share views in the chat, and keep up with what’s happening across regulation, enforcement, and practice.
Speakers
Catarina Santos, Data Protection Consultant, Data Protection People
Caine Glancy, Data Protection Consultant, Data Protection People
Lessons For Data Retention
Santa’s Naughty List, Lessons For Data Retention
Data Protection Made Easy Podcast, Episode 228 – Hosted by Caine Glancy and Special Guest Katerina Douni
This week’s episode takes a festive look at one of the most common challenges in data protection, knowing what to keep, what to delete, and what to safely archive. Inspired by Santa’s famous naughty list, Caine Glancy and first time guest host Katarina Douni lead a lively discussion on data retention, storage limitation, and the practical steps organisations can take to stay compliant without holding information for longer than needed.
Katarina joined the podcast for her debut session and quickly set the tone with a clear message, many organisations continue to struggle with retention. She explored why data decisions matter, how retention periods should be approached, and why email is often the biggest culprit for uncontrolled storage. The session sparked strong engagement from our live audience and the chat was filled with questions, examples, and shared challenges around retention, erasure, and day to day pressures inside busy teams.
Caine and Katarina walked listeners through common problems such as the over use of email as a filing system, storing information long after its purpose has expired, and the difficulty teams face when deciding how long is long enough. They also discussed the risks of under collecting or over collecting information, the impact this has on storage limitation, and how organisations can simplify their retention rules to reduce confusion and avoid unnecessary risk.
As always, the live chat added a valuable layer to the discussion. Attendees shared their own retention periods, debated tricky scenarios, and raised questions that pushed the session further. The interactive nature of the podcast remains one of its key strengths and gives practitioners the chance to test ideas, compare approaches, and learn from each other in real time.
This episode is ideal for anyone who handles personal data, manages email systems, or oversees compliance. It provides clear explanations, relatable examples, and practical steps that can be applied immediately. With year end approaching, the timing could not be better for organisations reviewing their retention schedules or tackling email backlogs.
If you listened back on Spotify and want to join a future episode live, you can request an invite by emailing info@dataprotectionpeople.com. Live attendees can take part in the chat, ask questions, and access the deeper insight that comes from community discussion.
We host Data Protection Made Easy every Friday at 12:30 and new listeners are always welcome. Our community continues to grow each week with hundreds joining live and many more tuning in through audio platforms.
If you work in the housing sector, you may also be interested in our upcoming in person STAIRs event taking place on the 5th of February. Details can be found on our website and on LinkedIn.
Listen below and enjoy this festive and practical dive into data retention.
DUA Act – Part Two
The Data (Use and Access) Act 2025 – Podcast Part Two
On Thursday, 18th July 2025, we hosted Part Two of our DUA Act discussion, with over 200 live attendees joining us for a deeper dive into the Data (Use and Access) Act 2025.
Led by Phil Brining and Caine Glancy, this session focused on answering the questions raised in Part One, exploring complex scenarios, and sharing practical advice for professionals preparing for the new regulations.
If you couldn’t attend live or want to revisit the insights, you can now listen back to the full recording and access the presentation slides shared during the event.
Listen on Spotify
Click below to listen to Part Two on Spotify or search ‘Data Protection Made Easy’ on Apple Podcasts, Audible or any major platform.
Download the Slides
We’ve made the full slide deck from Part Two available to download and share:
Download Part Two Presentation Slides
What We Covered
- Real-life scenarios and case study examples based on DUA Act principles
- Detailed Q&A on legitimate interest balancing tests, soft opt-in rules, and data subject rights
- Compliance challenges and how to overcome them using good governance frameworks
- The DUA Act’s expected impact on privacy management programmes and internal policies
- Preparing your teams, clients, and data flows for the changes ahead
Join the Data Protection Made Easy Community
By joining our free community, you’ll get:
- Early access to upcoming podcast sessions and event invites
- Weekly insights into legislation like the DUA Act and GDPR
- Exclusive downloads including templates, tools, and guides
- Invitations to in-person events across the UK
- Access to session recordings and slides
- A place to ask questions, share experiences, and stay ahead
We’re here to help you transition confidently into the new data protection landscape, making compliance clearer, simpler, and more achievable.
The Data (Use and Access) Act 2025
The Data (Use and Access) Act 2025 – Podcast Part One Recap
On Friday, 28th June 2025, we hosted our biggest podcast session ever, with 295 live attendees joining us to explore the Data (Use and Access) Act 2025.
Hosted by Phil Brining, Caine Glancy, and Catarina Santos, the session provided a clear and practical breakdown of the most significant changes to UK data protection law since the GDPR.
Whether you missed it live or want to listen again, you can catch the full episode now and download the slide deck shared during the session.
Listen back on Spotify
Click below to listen to the episode via Spotify or find us on Apple Podcasts, Audible and all major streaming platforms.
Download the Slides
We’ve made the full slide deck from the session available to download and share:
Download Presentation Slides
What We Covered
- What the DUA Act is and how it evolved from the DPDI Bill
- Key changes to Subject Access Requests, Legitimate Interests, and the role of the ICO
- Updates to PECR enforcement powers and cookie consent exemptions
- The Act’s impact on data sharing, organisational accountability, and regulatory expectations
- What public and private sector organisations need to prepare for
Part Two – Live on Thursday 18th July
Due to overwhelming demand and brilliant questions from our community, Part Two is already confirmed. In this follow-up session, we’ll dig deeper into unanswered questions, explore real-world scenarios, and share practical next steps for compliance and governance.
Click here to visit the Part Two event page and register your place: View Part Two
Join the Data Protection Made Easy Community
By joining our free community, you’ll get:
- Early access to future podcast sessions
- Weekly email updates with analysis and guidance on the DUA Act
- Exclusive content including white papers, practical templates, and checklists
- Invites to free in-person events across the UK
- Recordings and slides from every live session
- A chance to ask questions and share challenges with other professionals
We’re committed to supporting our community through the transition to the DUA Act and beyond, making compliance simpler, clearer, and easier to manage.
Managing Subject Access Requests from Employees & Ex-Employees- Part 2
Managing Subject Access Requests from Employees & Ex-Employees- Part 2
Data Protection Made Easy Podcast – Episode 214
After one of our most popular episodes to date, Data Protection Made Easy is back on Friday 13th June with Part Two of our deep dive into Subject Access Requests (SARs) from employees and ex-employees.
Our expert hosts Catarina Santos, Phil Brining and Caine Glancy return with special guest Nia Roberts to pick up where we left off, tackling some of the most challenging real-world scenarios and offering practical advice you can put into action.
Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.
What We Covered
Understanding What Drives SARs
We’ll begin by exploring the reasons why employees and former staff submit SARs. Understanding their motivations – whether it’s part of a grievance, a disciplinary matter, or simply curiosity – can help you take a more informed, strategic approach when responding.
When You Must Respond – And When You Don’t
We’ll clarify the legal obligations around SARs, including when you are required to respond and the circumstances under which you may lawfully refuse. We’ll cover how to apply exemptions correctly and avoid common legal missteps.
Managing Excessive or Repetitive Requests
Some SARs are straightforward, but others can be lengthy, repeated or even used tactically during disputes. We’ll discuss practical strategies for managing high-volume or difficult requests while staying compliant and maintaining control.
Balancing Transparency and Internal Protection
Sharing data is a legal requirement, but it can pose risks. We’ll explain how to balance the need for openness with the importance of protecting internal communications and third-party data, especially in sensitive workplace situations.
Lessons from Real Grievance and Disciplinary Cases
We’ll walk through real examples where SARs intersect with HR issues, highlighting the challenges and how they were overcome. These case studies bring the legislation to life and offer useful insights for handling similar requests in your own organisation.
Proactive Preparation: Getting Ahead of SARs
Being prepared can save you a lot of time and stress. We’ll share practical steps to help you get ready for future SARs, such as mapping employee records, putting redaction protocols in place, and training managers to write with potential disclosure in mind.
Avoiding Common Mistakes
From over-disclosing sensitive data to misinterpreting exemptions, there are several pitfalls to watch out for. We’ll help you spot the most common mistakes and show you how to avoid them through better planning and communication.
Handling Escalation and Risk
Sometimes SARs escalate into wider legal or reputational issues. We’ll outline how to manage those risks and what to do when a request becomes more than just a request – protecting your organisation and your people in the process.
Want More Like This?
The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.
Subscribe to our mailing list by emailing info@dataprotectionpeople.com
Join live discussions every Friday at lunchtime
Find out more about our events, training, and in-person roundtables
Meet the Panel
- Philip Brining – Managing Director and Founder of Data Protection People
- Catarina Santos – Data Protection Consultant
- Caine Glancy – Data Protection Support Consultant
- Nia Roberts – DPO at Woodgate & Clarke
Looking Ahead
As always, this podcast is completely free to attend and open to everyone. Whether you’re new to SARs or navigating a particularly difficult one, this session will leave you better equipped to respond with clarity and confidence.
Know someone who would benefit? Share the podcast link and help others take the complexity out of compliance.
Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.
Managing Employee SARs
Managing Subject Access Requests from Employees & Ex-Employees
Data Protection Made Easy Podcast – Episode 114
Subject Access Requests (SARs) submitted by current or former employees are among the most sensitive and complex data protection challenges organisations face. In Episode 114 of the Data Protection Made Easy Podcast, we welcomed Nia Roberts from Woodgate & Clarke to share her insights alongside our regular hosts Philip Brining, Catarina Santos, and Caine Glancy.
If you’re involved in HR, legal, compliance, or data protection, this is an episode you won’t want to miss. SARs from staff can surface during contentious periods and often involve highly personal data, workplace grievances, and emotionally charged decisions.
Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.
What We Covered
This session dives into some of the most frequently asked questions and overlooked risks when handling SARs from employees and ex-employees. The team explored:
🔹 Common Triggers and Misconceptions
From employment disputes and grievances to misunderstanding of rights, we discussed the motivations behind employee SARs and how these requests are sometimes unfairly perceived as “troublemaking.”
As Catarina Santos explained, it’s essential to reframe the narrative:
“The moment an employee submits a SAR, there’s often suspicion. But they’re simply exercising a right, and organisations need to avoid viewing this as a hostile act.”
🔹 SARs and Organisational Culture
The episode opened with a reflection on how important organisational attitude is when dealing with SARs internally. Do line managers panic? Do HR teams try to limit the scope unfairly? The cultural tone of how SARs are approached sets the standard for compliance, and respect for rights.
🔹 The Community Speaks
This episode was particularly lively, with dozens of listeners sharing personal experiences in the live chat, from management asking for redaction reviews to WhatsApp messages being considered disclosable.
Philip Brining highlighted the value of the community:
“We’re not here to preach, we’re here to learn from each other. Today’s discussion proved again how much experience exists across this community.”
🔹 Tools of the Trade: Teams, WhatsApp & Chat Platforms
Are your workplace chat tools covered by SARs? Very possibly. The group discussed how platforms like Microsoft Teams, Slack, and WhatsApp are increasingly scrutinised during employee SARs especially if conversations include personal data.
🔹 Balancing Access, Proportionality, and Security
SAR compliance doesn’t mean giving everything. As Caine Glancy pointed out, organisations must strike a balance between access and protection:
“It’s easy to get swept up in emotion, especially when the SAR involves current staff. But we need to remain impartial, proportional, and legally grounded.”
The team also touched on unfounded and excessive requests, case law, and the ICO’s guidance on managing SARs in the workplace — especially when IT systems and data security are involved.
What made this episode stand out was the depth of real-world experiences shared. Guest speaker Nia Roberts brought front-line insight, including how to manage expectations and collaborate across departments:
“You need strong communication between data protection and IT teams. It’s essential, especially when you’re dealing with chat logs or historic data held in messaging tools.”
Want More Like This?
The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.
Subscribe to our mailing list by emailing info@dataprotectionpeople.com
Join live discussions every Friday at lunchtime
Find out more about our events, training, and in-person roundtables
Meet the Panel
- Philip Brining – Managing Director and Founder of Data Protection People
- Catarina Santos – Data Protection Consultant
- Caine Glancy – Data Protection Support Consultant
- Nia Roberts – DPO at Woodgate & Clarke
Looking Ahead
Due to overwhelming demand and an overflowing chat box, we’re exploring a Part 2 to this session, diving deeper into recurring SAR issues, including excessive requests, HR workflows, and lessons from recent case law.
Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.
Special May Promotion: Free SAR Consultations
This month, we’re offering free consultations on SAR handling to any organisation looking to improve their internal process.
Whether you’re struggling with redaction, document searches, or managing requests from difficult cases, speak to one of our experts for practical support.
📩 Simply email us at info@dataprotectionpeople.com with the subject line “SAR Support”, and we’ll book in a free 30-minute consultation.
Joe Kirk’s Top 10 Tips
Joe Kirk’s Top 10 Tips: Lessons from a Career in Data Protection
In this special episode of the Data Protection Made Easy podcast, long-time host and data protection consultant Joe Kirk reflects on his journey through the world of privacy and compliance—from his early days in sales, speaking to hundreds of DPOs across the UK, to becoming a consultant himself and working with a wide range of clients across every major sector.
As this marks Joe’s final regular appearance on the podcast, we dedicated the session to the Top 10 Lessons He’s Learned over the last four years. These are practical, honest, and experience-based takeaways that he hopes will help current and aspiring DPOs make a meaningful impact in their roles.
Key Themes Discussed
- How sales and consulting provide different but complementary perspectives on data protection
- The common challenges DPOs face regardless of sector or organisation size
- The importance of empathy, curiosity, and communication in building trust
- Avoiding the “tick-box” mentality and becoming a strategic advisor
- Keeping your knowledge current in a fast-moving legal and tech landscape
- How to show your value to the business even when you’re not customer-facing
- Why DPOs should be involved in decision-making at the earliest possible stage
- Balancing legal risk with operational reality
- Encouraging a culture of accountability, not fear
- The importance of continuous learning – and what Joe would do differently if starting today
These tips are relevant whether you’re new to data protection, already in a DPO role, or even an employer looking to build a successful privacy function.
A Time of Transition for Data Protection Made Easy
Joe’s departure also marks the beginning of a new phase for the Data Protection Made Easy community. As we look to evolve and bring even more value to our subscribers, we’re making some important changes:
Podcast Frequency
We will now host one episode per month, instead of weekly. This allows us to:
- Deep dive into more meaningful topics
- Reintroduce guest speakers and expert panels
- Focus on sector-specific challenges and use cases
- Provide more actionable takeaways for our listeners
In-Person Events
To complement our podcast, we’ll be launching monthly in-person events, starting with a Housing Sector Roundtable in Leeds. These will be free to attend and packed with:
- Expert guest speakers
- Open discussion sessions
- Networking opportunities
- Food, drink, and sector-specific guidance
If you’re in the housing sector or work in data protection in Yorkshire, this is a great chance to connect with our team face-to-face. More info coming soon.
Monthly Newsletter
To replace our weekly GDPR Radio news episodes, we’ve launched a monthly email newsletter with:
- Top stories from the ICO and UK government
- Regulation changes and enforcement action recaps
- Insights from the Data Protection People team
- Highlights from recent podcasts and events
If you’re a subscriber, your first issue should already be in your inbox! If not, sign up here:
What’s Next?
We’ll soon be publishing a full article on Joe’s Top 10 Tips for DPOs, expanding on the episode with real-life examples, links to useful tools, and guidance from our team. This will be available in the Resource Centre and shared with our newsletter subscribers.
We’ll also be sharing details on our 10-Year Anniversary Celebration taking place in July 2025. If you’re based in Leeds and would like to attend this free event, keep an eye out for the invitation — food, drinks, music, and privacy professionals all under one roof (plus a special guest DJ set from Joe himself!).
Keep in Touch with Joe
While Joe is stepping away from the podcast, you may still hear him pop up as a guest speaker in future episodes or events. He’s made a lasting impact on our community and we’d love for you to stay connected with him: Connect with Joe on LinkedIn
Catch Up On Demand
Listen to Episode 213 – Joe Kirk’s Top 10 Tips on Spotify
Or find us on Apple Podcasts, Amazon Music, and all major streaming platforms.
Thank you to Joe for four years of thoughtful, passionate, and incredibly valuable contributions to the Data Protection Made Easy community. We’ll miss him as a regular host, but we know this isn’t goodbye – just see you later.
Are Verbal Discussions Caught by the GDPR?
Data Protection Made Easy: Episode 210
Are Verbal Discussions Caught by the GDPR?
On Friday, 8th March, we hosted Episode 210 of the Data Protection Made Easy podcast — another packed session of GDPR Radio, our fortnightly deep dive into the biggest headlines and hot topics in the world of data protection and privacy.
Hosted by Phil Brining, Joe Kirk, and Caine Glancy, this episode delivered a healthy blend of practical insight, thought-provoking discussion, and plenty of live audience participation from our growing community of data protection professionals. We were once again joined by over 100 live listeners, all contributing ideas and questions via our interactive Microsoft Teams chat.
What We Discussed
1. Are Verbal Discussions Caught by the GDPR?
This episode’s title topic sparked a lively conversation. Our hosts explored whether verbal exchanges — such as internal meetings, phone calls, and spoken instructions — fall under the scope of the UK GDPR. The discussion unpacked key principles such as the definition of “processing”, whether recording or note-taking changes the legal position, and how organisations should manage verbal communication when it contains personal data.
This sparked some brilliant insights from both the hosts and the live audience. We covered scenarios in HR, support desks, and customer service, offering practical advice for DPOs and compliance professionals who might be navigating grey areas in their organisations.
2. Prince Harry and the Visa Controversy
We also turned our attention to the news story making international headlines: Prince Harry’s visa application and the allegations that contradict information he disclosed in his autobiography. Our team explored the privacy, transparency, and data-sharing implications of the case, and how international jurisdictions handle cross-border data issues differently — a useful case study in the growing complexities of public disclosure and personal data rights.
What’s Coming Up Next: Episode 211 – Becoming an Impactful DPO
Next Friday, 15th March, we’re proud to host Episode 211 of the Data Protection Made Easy podcast – a special session titled:
“Standing Out as a DPO – What Makes a High-Quality Data Protection Officer”
Whether you’re an experienced Data Protection Officer, a practitioner looking to step up, or someone hiring for DPO roles, this is a session not to be missed.
We’ll cover:
- What makes a great DPO stand out in today’s landscape
- The skills and attributes that employers are really looking for
- Career development tips for DPOs – from training to certifications and soft skills
- How to differentiate yourself during job interviews
- What to say (and what not to say!) when looking for your next opportunity
- Key qualities that help DPOs influence, lead, and deliver real change within organisations
This session will be hosted by Phil Brining, Caine Glancy, and Joe Kirk, and is aimed at anyone working in or alongside data protection, whether you’re job hunting, recruiting, or simply looking to refine your skills.
At Data Protection People, we’re always on the lookout for bright and brilliant DPOs to join our team. If you, or someone you know, is actively looking for a new challenge in data protection, feel free to send a CV to one of our team members or reach out via our website.
Why Join the Podcast Live?
Our podcast is more than just a listen-along — it’s a live, interactive community of like-minded professionals. Each week, our hosts are joined by a growing audience of data protection, privacy, and cyber security practitioners, who participate live via Microsoft Teams.
By joining us live, you can:
- Ask questions in real-time
- Get involved in live polls and discussions
- Access links to useful resources shared during the session
- Network with others in the field
And best of all — it’s completely free to join!
Can’t Make It Live?
No problem. Every episode of the Data Protection Made Easy podcast is uploaded to Spotify, Amazon Music, and all other major streaming platforms. So whether you want to rewatch a session or catch up on our back catalogue of over 200 episodes, it’s all available for you — whenever it suits your schedule.
📅 View Upcoming Events & Register to Join Live
Subscribe to Join Us Weekly
Subscribing is easy and ensures you receive an invite to each live episode. We host our sessions every Friday at 12:30PM, alternating between topical discussions and GDPR Radio — both designed to keep you informed, compliant, and ahead of the curve.
Visit our events page and sign up once to join our mailing list and receive weekly invites, reminders, and access to all the extras shared in the live sessions.
Data Protection Made Easy
By practitioners, for practitioners. Making complex subjects easier, every Friday.