Get to Know Caine
Caine is the Manager of the Data Protection Support Desk at Data Protection People and the host of the Data Protection Made Easy podcast. Over the past four years, he has supported organisations across the UK with clear, practical guidance on data protection, drawing on the real‑world challenges raised through the support desk and the conversations he leads on the podcast.
Caine has built a strong foundation in the housing and educational sectors, where he developed a people-centred approach to problem‑solving and communication. These experiences continue to shape the way he supports clients, ensuring that complex compliance issues are translated into straightforward, actionable advice.
Earlier in his career, Caine also spent time in professional rugby for both Leeds Rhinos and Castleford Tigers, an environment that strengthened his resilience, discipline, and teamwork qualities.
Whether engaging with clients or facilitating industry-wide discussions on important topics, Caine is committed to making data protection more accessible, more understandable, and easier to get right.
Experience
Caine Glancy is an experienced data protection professional and the Support Desk Manager at DPP, where he has spent years developing a strong and practical understanding of the data protection landscape. Throughout his career, Caine has built a reputation for delivering clear, accessible, and actionable advice to organisations navigating complex regulatory requirements. His work has been particularly focused on supporting housing associations and the education sector, where he has provided guidance on a wide range of issues including FOIA, STAIRs, and day-to-day data protection challenges.
Caine is known for his ability to simplify intricate legislation and translate it into straightforward, meaningful steps that organisations can confidently implement. His approach is grounded in practicality and clarity, ensuring that clients not only understand their obligations but feel empowered to meet them. This commitment to demystifying data protection has made him a trusted point of contact for organisations seeking reassurance, expertise, and a calm, knowledgeable voice in moments of uncertainty.
Beyond his operational role, Caine is also a co‑host of the Data Protection Made Easy podcast, a growing community platform where professionals come together to discuss emerging issues, share experiences, and explore best practices. Through the podcast, he contributes to open, engaging conversations that help make data protection more approachable for a wide audience. His passion for community learning and accessible guidance continues to shape his work and influence within the sector.
“Good data protection isn’t about saying ‘no’ to everything, it’s about knowing when to say ‘yes’ safely.”
Caine Glancy
Data Protection Support Desk Manager
Caine's Posts
S2 Ep22: GDPR Radio - Data Protection News Of The Week
AI-Generated SARs, ICO Complaints and Social Media Bans, What This Means for Organisations
The data protection landscape rarely stands still, but recent developments suggest organisations may be facing new challenges from multiple directions.
In a recent episode of GDPR Radio, Caine Glancy and Catarina Pereira dos Santos explored several of the biggest stories currently impacting the profession, including the growing number of AI-generated Subject Access Requests (SARs), criticism of the ICO’s complaints handling processes, the resignation of Information Commissioner John Edwards, and the UK’s proposed social media restrictions for under-16s.
Whilst these issues may appear unrelated, they all raise important questions about accountability, regulation and how organisations can prepare for an increasingly complex compliance environment.
Organisations Are Seeing More Subject Access Requests
One of the first topics discussed was the significant increase in Subject Access Requests being experienced by some organisations, particularly within the housing sector.
Catarina explained that several clients have reported substantial increases in SAR volumes compared to the same period last year, with some organisations managing dozens of requests simultaneously.
Whilst organisations often look for common causes such as complaints or service issues, the discussion highlighted another potential factor: the growing use of artificial intelligence.
Is AI Driving The Rise In SARs?
The conversation explored how AI tools such as ChatGPT are making it easier than ever for individuals to draft and submit Subject Access Requests.
Catarina described conducting her own test using ChatGPT and discovering that many of the requests being received by one client closely mirrored the wording generated by the AI platform.
“Twenty-eight of them are literally coming from ChatGPT because it was a copy and paste of the one that I have seen in front of me.”
The discussion highlighted both the opportunities and challenges this creates. On one hand, AI can help individuals better understand and exercise their rights. On the other, organisations may find themselves dealing with increasing volumes of requests that are generated quickly and submitted with little effort.
When AI Creates A Compliance Challenge
The discussion also highlighted a less obvious issue.
According to Caine, organisations are increasingly finding themselves engaged in lengthy back-and-forth exchanges where AI-generated responses repeatedly challenge the organisation’s position.
Rather than helping resolve requests, AI can sometimes create what Caine described as a “hamster wheel” of ongoing correspondence. Organisations respond, AI generates a counterargument, and the cycle continues.
This creates an important challenge for organisations. Knowing when a SAR has been answered appropriately and when communication can reasonably come to an end is becoming increasingly important.
Questions Continue To Be Raised About ICO Complaint Handling
The conversation then turned to the Information Commissioner’s Office and recent criticism of its complaints framework.
The hosts discussed concerns raised by campaign groups regarding the ICO’s approach to lower-risk complaints and whether sufficient action is being taken when individuals exercise their data protection rights.
The discussion explored the difficult balance regulators face between prioritising resources and maintaining public confidence.
Catarina questioned whether data subject rights risk becoming theoretical if complaints are routinely stored for information purposes without further action.
“The regulators should be there to protect the rights and freedoms… but then they complain and they are used for informational purposes rather than actually helping the data subjects.”
What John Edwards’ Resignation Could Mean
The resignation of Information Commissioner John Edwards was another major topic.
Whilst the hosts acknowledged that the full circumstances remain a matter of public record, the discussion focused on what the change could mean for the future direction of the ICO.
Catarina suggested that the timing may provide an opportunity for the regulator to review its processes and priorities.
The broader question raised throughout the discussion was whether the ICO’s current approach remains fit for purpose in an environment where data protection concerns continue to grow in both volume and complexity.
The Social Media Ban Debate
The final major topic centred around the UK’s proposed social media restrictions for under-16s.
The proposal has been positioned as a measure to improve online safety and reduce the risks children face online. Catarina acknowledged the positive intentions behind the proposal, particularly given the ongoing concerns around children’s privacy, harmful content and the misuse of personal data.
However, the discussion also raised several practical concerns.
Is Responsibility Being Placed On The Right People?
A recurring theme throughout the discussion was accountability.
Rather than focusing solely on restricting access for younger users, both hosts questioned whether greater responsibility should be placed on the platforms themselves.
As Catarina explained, the conversation appears to focus heavily on controlling users whilst paying less attention to the role social media companies play in creating and maintaining online environments.
The discussion also raised questions around age verification, enforcement and whether restrictions alone can address the root causes of online harm.
The Challenge Of Balancing Safety And Freedom
The conversation concluded by recognising that online safety is rarely a straightforward issue.
Whilst protecting children remains an important objective, both hosts questioned whether blanket restrictions alone can solve the wider challenges associated with social media, harmful content and digital wellbeing.
As Caine noted, the underlying issue may not simply be access to social media, but the platforms themselves and the environments they create.
Looking Ahead
The episode highlighted several developments that organisations should continue monitoring closely.
The rise of AI-generated SARs is already creating operational challenges for some organisations. Questions around ICO enforcement and complaints handling continue to attract attention. Meanwhile, proposals around online safety and social media restrictions are likely to generate ongoing debate.
Whilst the outcomes remain uncertain, one thing is clear. Data protection professionals will need to remain adaptable as technology, regulation and public expectations continue to evolve.
Frequently Asked Questions
Are AI-generated Subject Access Requests valid?
Yes. A Subject Access Request can still be valid even if it has been created using an AI tool. Organisations should assess the request in the same way they would any other SAR.
Why are organisations seeing more SARs?
Increased awareness of data protection rights, the use of AI tools and wider public discussion around privacy may all be contributing to higher SAR volumes.
How should organisations deal with repeated AI-generated responses?
Organisations should follow their internal SAR procedure, document their decisions and ensure they have responded appropriately. Once a request has been handled properly, it is important to know when further correspondence is no longer necessary.
Does the ICO investigate every data protection complaint?
The ICO uses a risk-based approach when reviewing complaints. This means some complaints may be prioritised depending on factors such as risk, harm and wider public interest.
Why is the proposed social media ban for under-16s controversial?
Although the proposal aims to protect children online, concerns remain around age verification, enforcement, privacy and whether enough responsibility is being placed on social media platforms themselves.
How can organisations prepare for increasing SAR volumes?
Organisations can prepare by having clear SAR procedures, training staff, maintaining good records and seeking specialist data protection support where needed.
Need Support Managing Subject Access Requests?
Managing Subject Access Requests, responding to regulatory challenges and keeping up with changing data protection expectations can be difficult, particularly when organisations are facing increasing workloads and limited internal resource.
Our Data Protection Support Service, Outsourced DPO Service and Training and Awareness Services help organisations navigate complex compliance challenges with confidence.
Whether you need support managing SARs, reviewing governance processes or improving staff awareness, our team can help you make data protection easier to understand and easier to manage.
Celebrating 250 Episodes
Celebrating 250 Episodes of the Data Protection Made Easy Podcast
250 Episodes Later, We’re Just Getting Started
This week marks a huge milestone for everyone involved in the Data Protection Made Easy community as we celebrate our 250th podcast episode.
What started as a simple idea has grown into the UK’s number one data protection podcast, bringing together thousands of professionals from across the public, private and third sectors to discuss the latest developments in data protection, privacy, information governance and cyber security.
Today, the community has grown to more than 1,700 subscribers, attracts over 100 live attendees every single week, and has generated more than 20,000 streams on Spotify alone. What makes us most proud, however, is not the numbers. It is the community that has formed around them.
For 250 episodes, our goal has remained exactly the same, to make data protection easier to understand, more accessible, and more practical for organisations of all sizes.
Why We Started the Podcast
Back when the podcast first launched, there were very few places where data protection professionals could come together regularly to discuss real-world challenges.
Most of the information available was either highly technical, heavily legalistic, or difficult for busy professionals to digest.
At Data Protection People, we recognised a gap.
We wanted to create a space where professionals could learn from one another, ask questions, share experiences and discuss the practical realities of managing data protection within organisations.
Rather than lengthy presentations or sales pitches, we wanted conversations.
Conversations about the issues that organisations are genuinely facing every day.
Conversations about legislation, regulatory changes, subject access requests, international data transfers, cyber security incidents, artificial intelligence, children’s data, marketing compliance, Freedom of Information requests and everything in between.
Most importantly, we wanted those conversations to be accessible to everyone, regardless of whether they were a seasoned Data Protection Officer or completely new to the profession.
More Than a Podcast, A Community
Over the years, something remarkable happened.
The podcast stopped being just a podcast.
It became a community.
Every Friday at lunchtime, professionals from across the UK and beyond join us live to discuss current issues, share experiences and learn from one another.
Many attendees have been joining us for years. New faces arrive every week. Friendships have formed. Professional networks have grown. Career opportunities have been created.
The Data Protection Made Easy community has become a place where people can ask questions without judgement, share challenges openly and gain insights from others facing similar situations.
This collaborative approach is what makes the community special.
No one person has all the answers in data protection. The best outcomes often come from sharing perspectives and learning from the experiences of others.
What We Cover
Across 250 episodes, we have covered virtually every area of data protection and information governance.
Topics have included:
- UK GDPR compliance
- Data Protection Act 2018
- Subject Access Requests
- Personal Data Breaches
- International Data Transfers
- Data Protection Impact Assessments
- Artificial Intelligence
- Cookies and PECR
- Freedom of Information
- Children’s Data
- Law Enforcement Processing
- Direct Marketing
- Data Retention
- Employee Monitoring
- Cyber Security
- PCI DSS
- ISO 27001
- Emerging regulatory developments
- ICO guidance and enforcement action
Our aim has always been to provide practical takeaways that attendees can apply within their organisations immediately.
The Impact So Far
The numbers tell part of the story:
- 250 episodes delivered
- 1,700+ community subscribers
- 100+ live attendees every week
- 20,000+ Spotify streams
- Hundreds of hours of free educational content
- Thousands of professionals reached across the UK
But the real impact lies in the feedback we receive.
We regularly hear from practitioners who have used insights from the podcast to improve compliance programmes, handle complex requests, respond to breaches, influence senior leadership teams and develop their own careers.
Many attendees tell us the podcast has become a key part of their professional development.
That is exactly why we continue to invest in it.
Bringing Data Protection Professionals Together
One of the most exciting developments over recent years has been taking the community beyond the virtual world.
The relationships built through the podcast have led to in-person events, workshops, roundtable discussions and networking opportunities.
These events allow community members to meet face-to-face, share experiences and continue conversations that started during our weekly sessions.
The success of these events has reinforced something we have always believed:
Data protection is ultimately about people.
The strongest compliance programmes are built through collaboration, shared learning and open discussion.
Looking Ahead to the Next 250 Episodes
While reaching 250 episodes is a fantastic achievement, we see it as just the beginning.
The world of privacy, data protection and cyber security is changing faster than ever before.
Artificial intelligence continues to reshape how organisations process personal data.
The Data (Use and Access) Act is bringing significant changes to the UK regulatory landscape.
New technologies, evolving threats and increasing public awareness mean organisations face fresh challenges every year.
Our commitment is to continue helping professionals navigate those challenges.
Over the coming years, attendees can expect:
- More expert guest speakers
- More practical workshops
- More community-driven discussions
- More in-person networking events
- More training opportunities
- Greater coverage of AI and emerging technologies
- Expanded cyber security content
- Continued analysis of UK and international developments
Most importantly, we will continue providing a free platform where professionals can learn, network and stay informed.
How to Join the Community
Joining the Data Protection Made Easy community is completely free.
Every Friday at lunchtime, we host a live session where attendees can watch discussions, ask questions, network with peers and participate in conversations about the latest developments in data protection, privacy and cyber security.
You can also catch up on previous episodes through Spotify, Apple Podcasts and other major podcast platforms, with more than 250 episodes now available on demand.
Whether you are a Data Protection Officer, Information Governance professional, compliance specialist, cyber security practitioner, senior leader, or simply someone with an interest in privacy and data protection, there is a place for you within the community.
To join the community, subscribe to the Data Protection Made Easy podcast and register for our free weekly live sessions via the Data Protection People website.
Thank You
Reaching 250 episodes would not have been possible without the incredible support of our speakers, guests, contributors and community members.
Thank you to everyone who has joined a live session, listened to an episode, asked a question, shared an insight, attended an event or recommended the podcast to a colleague.
You are the reason this community exists.
Here’s to the next 250 episodes.
Join the Data Protection Made Easy Community Today
- Live every Friday at lunchtime
- 250+ episodes available on demand
- 1,700+ subscribers
- 100+ live attendees every week
- 20,000+ Spotify streams
- Free to join
Because data protection should be made easy.
GDPR Radio, S2 Ep2: Data Protection News
Grok, the Online Safety Act, and UK AI Regulation
GDPR Radio is our regular news roundup, where we break down the biggest stories from the world of data protection, privacy, and emerging tech. In this episode, Catarina Santos and Caine Glancy cover early-year enforcement activity from the ICO, debate what “valid consent” really looks like in modern digital ecosystems, and explore the growing pressure on social media platforms to protect children online, including age assurance and content moderation.
Listen back on Spotify
Episode highlights
This session covers three big themes that many organisations are grappling with right now.
1) PECR enforcement is back on the agenda
We discuss recent ICO fines linked to unsolicited marketing activity and PECR compliance, including the practical lessons for opt-outs, consent language, and third-party data sources.
2) Third-party marketing lists and the “consent problem”
A key discussion point is what “informed” consent looks like when individuals are presented with long lists of third parties, and whether any approach is truly usable, granular, and easy to withdraw in practice.
3) Social media, under-16s, and age assurance
We explore the UK conversation about restricting under-16 access to social media, and the operational reality behind age verification, predictive age estimation, and the privacy and security risks that can come with them.
Key takeaways for organisations
- If your marketing activity relies on PECR, ensure opt-out routes are clear and effortless, and your lawful basis and consent language stand up to scrutiny.
- If you use third-party data, check what individuals were actually told, what they agreed to, and whether withdrawal can realistically be managed.
- If you operate services used by children or young people, start stress-testing your age assurance approach now, including supplier due diligence, security, and data minimisation.
- When new tech risks emerge, reactive fixes often fall short; governance and risk management need to be built in from day one.
Useful links
Related from Data Protection People
- STAIRs event, 5 February, Leeds (limited tickets remaining)
- Upcoming session: DPIAs that actually protect people
- SARs content and events coming soon, plus an upcoming article on weaponising SARs and recent ICO guidance
About GDPR Radio
GDPR Radio is part of the Data Protection Made Easy podcast. Join live to ask questions, share views in the chat, and keep up with what’s happening across regulation, enforcement, and practice.
Speakers
Catarina Santos, Data Protection Consultant, Data Protection People
Caine Glancy, Data Protection Consultant, Data Protection People
Lessons For Data Retention
Santa’s Naughty List, Lessons For Data Retention
Data Protection Made Easy Podcast, Episode 228 – Hosted by Caine Glancy and Special Guest Katarina Douni
This week’s episode takes a festive look at one of the most common challenges in data protection: knowing what to keep, what to delete, and what to safely archive. Inspired by Santa’s famous naughty list, Caine Glancy and first-time guest host Katarina Douni lead a lively discussion on data retention, storage limitation, and the practical steps organisations can take to stay compliant without holding information for longer than needed.
Katarina joined the podcast for her debut session and quickly set the tone with a clear message: many organisations continue to struggle with retention. She explored why data decisions matter, how retention periods should be approached, and why email is often the biggest culprit for uncontrolled storage. The session sparked strong engagement from our live audience and the chat was filled with questions, examples, and shared challenges around retention, erasure, and day-to-day pressures inside busy teams.
Caine and Katarina walked listeners through common problems such as the overuse of email as a filing system, storing information long after its purpose has expired, and the difficulty teams face when deciding how long is long enough. They also discussed the risks of under-collecting or over-collecting information, the impact this has on storage limitation, and how organisations can simplify their retention rules to reduce confusion and avoid unnecessary risk.
As always, the live chat added a valuable layer to the discussion. Attendees shared their own retention periods, debated tricky scenarios, and raised questions that pushed the session further. The interactive nature of the podcast remains one of its key strengths and gives practitioners the chance to test ideas, compare approaches, and learn from each other in real time.
This episode is ideal for anyone who handles personal data, manages email systems, or oversees compliance. It provides clear explanations, relatable examples, and practical steps that can be applied immediately. With year-end approaching, the timing could not be better for organisations reviewing their retention schedules or tackling email backlogs.
If you listened back on Spotify and want to join a future episode live, you can request an invite by emailing info@dataprotectionpeople.com. Live attendees can take part in the chat, ask questions, and access the deeper insight that comes from community discussion.
We host Data Protection Made Easy every Friday at 12:30 and new listeners are always welcome. Our community continues to grow each week with hundreds joining live and many more tuning in through audio platforms.
If you work in the housing sector, you may also be interested in our upcoming in-person STAIRs event taking place on the 5th of February. Details can be found on our website and on LinkedIn.
Listen below and enjoy this festive and practical dive into data retention.
DUA Act – Part Two
The Data (Use and Access) Act 2025 – Podcast Part Two
On Thursday, 18th July 2025, we hosted Part Two of our DUA Act discussion, with over 200 live attendees joining us for a deeper dive into the Data (Use and Access) Act 2025.
Led by Phil Brining and Caine Glancy, this session focused on answering the questions raised in Part One, exploring complex scenarios, and sharing practical advice for professionals preparing for the new regulations.
If you couldn’t attend live or want to revisit the insights, you can now listen back to the full recording and access the presentation slides shared during the event.
Listen on Spotify
Click below to listen to Part Two on Spotify or search ‘Data Protection Made Easy’ on Apple Podcasts, Audible or any major platform.
Download the Slides
We’ve made the full slide deck from Part Two available to download and share:
Download Part Two Presentation Slides
What We Covered
- Real-life scenarios and case study examples based on DUA Act principles
- Detailed Q&A on legitimate interest balancing tests, soft opt-in rules, and data subject rights
- Compliance challenges and how to overcome them using good governance frameworks
- The DUA Act’s expected impact on privacy management programmes and internal policies
- Preparing your teams, clients, and data flows for the changes ahead
Join the Data Protection Made Easy Community
By joining our free community, you’ll get:
- Early access to upcoming podcast sessions and event invites
- Weekly insights into legislation like the DUA Act and GDPR
- Exclusive downloads including templates, tools, and guides
- Invitations to in-person events across the UK
- Access to session recordings and slides
- A place to ask questions, share experiences, and stay ahead
We’re here to help you transition confidently into the new data protection landscape, making compliance clearer, simpler, and more achievable.
The Data (Use and Access) Act 2025
The Data (Use and Access) Act 2025 – Podcast Part One Recap
On Friday, 28th June 2025, we hosted our biggest podcast session ever, with 295 live attendees joining us to explore the Data (Use and Access) Act 2025.
Hosted by Phil Brining, Caine Glancy, and Catarina Santos, the session provided a clear and practical breakdown of the most significant changes to UK data protection law since the GDPR.
Whether you missed it live or want to listen again, you can catch the full episode now and download the slide deck shared during the session.
Listen back on Spotify
Click below to listen to the episode via Spotify or find us on Apple Podcasts, Audible and all major streaming platforms.
Download the Slides
We’ve made the full slide deck from the session available to download and share:
Download Presentation Slides
What We Covered
- What the DUA Act is and how it evolved from the DPDI Bill
- Key changes to Subject Access Requests, Legitimate Interests, and the role of the ICO
- Updates to PECR enforcement powers and cookie consent exemptions
- The Act’s impact on data sharing, organisational accountability, and regulatory expectations
- What public and private sector organisations need to prepare for
Part Two – Live on Thursday 18th July
Due to overwhelming demand and brilliant questions from our community, Part Two is already confirmed. In this follow-up session, we’ll dig deeper into unanswered questions, explore real-world scenarios, and share practical next steps for compliance and governance.
Click here to visit the Part Two event page and register your place: View Part Two
Join the Data Protection Made Easy Community
By joining our free community, you’ll get:
- Early access to future podcast sessions
- Weekly email updates with analysis and guidance on the DUA Act
- Exclusive content including white papers, practical templates, and checklists
- Invites to free in-person events across the UK
- Recordings and slides from every live session
- A chance to ask questions and share challenges with other professionals
We’re committed to supporting our community through the transition to the DUA Act and beyond, making compliance simpler, clearer, and easier to manage.
Managing Subject Access Requests from Employees & Ex-Employees - Part 2
Data Protection Made Easy Podcast – Episode 214
After one of our most popular episodes to date, Data Protection Made Easy is back on Friday 13th June with Part Two of our deep dive into Subject Access Requests (SARs) from employees and ex-employees.
Our expert hosts Catarina Santos, Phil Brining and Caine Glancy return with special guest Nia Roberts to pick up where we left off, tackling some of the most challenging real-world scenarios and offering practical advice you can put into action.
Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.
What We Covered
Understanding What Drives SARs
We’ll begin by exploring the reasons why employees and former staff submit SARs. Understanding their motivations – whether it’s part of a grievance, a disciplinary matter, or simply curiosity – can help you take a more informed, strategic approach when responding.
When You Must Respond – And When You Don’t
We’ll clarify the legal obligations around SARs, including when you are required to respond and the circumstances under which you may lawfully refuse. We’ll cover how to apply exemptions correctly and avoid common legal missteps.
Managing Excessive or Repetitive Requests
Some SARs are straightforward, but others can be lengthy, repeated or even used tactically during disputes. We’ll discuss practical strategies for managing high-volume or difficult requests while staying compliant and maintaining control.
Balancing Transparency and Internal Protection
Sharing data is a legal requirement, but it can pose risks. We’ll explain how to balance the need for openness with the importance of protecting internal communications and third-party data, especially in sensitive workplace situations.
Lessons from Real Grievance and Disciplinary Cases
We’ll walk through real examples where SARs intersect with HR issues, highlighting the challenges and how they were overcome. These case studies bring the legislation to life and offer useful insights for handling similar requests in your own organisation.
Proactive Preparation: Getting Ahead of SARs
Being prepared can save you a lot of time and stress. We’ll share practical steps to help you get ready for future SARs, such as mapping employee records, putting redaction protocols in place, and training managers to write with potential disclosure in mind.
Avoiding Common Mistakes
From over-disclosing sensitive data to misinterpreting exemptions, there are several pitfalls to watch out for. We’ll help you spot the most common mistakes and show you how to avoid them through better planning and communication.
Handling Escalation and Risk
Sometimes SARs escalate into wider legal or reputational issues. We’ll outline how to manage those risks and what to do when a request becomes more than just a request – protecting your organisation and your people in the process.
Want More Like This?
The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.
- Subscribe to our mailing list by emailing info@dataprotectionpeople.com
- Join live discussions every Friday at lunchtime
- Find out more about our events, training, and in-person roundtables
Meet the Panel
- Philip Brining – Managing Director and Founder of Data Protection People
- Catarina Santos – Data Protection Consultant
- Caine Glancy – Data Protection Support Consultant
- Nia Roberts – DPO at Woodgate & Clarke
Looking Ahead
As always, this podcast is completely free to attend and open to everyone. Whether you’re new to SARs or navigating a particularly difficult one, this session will leave you better equipped to respond with clarity and confidence.
Know someone who would benefit? Share the podcast link and help others take the complexity out of compliance.
Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.
Managing Employee SARs
Managing Subject Access Requests from Employees & Ex-Employees
Data Protection Made Easy Podcast – Episode 114
Subject Access Requests (SARs) submitted by current or former employees are among the most sensitive and complex data protection challenges organisations face. In Episode 114 of the Data Protection Made Easy Podcast, we welcomed Nia Roberts from Woodgate & Clarke to share her insights alongside our regular hosts Philip Brining, Catarina Santos, and Caine Glancy.
If you’re involved in HR, legal, compliance, or data protection, this is an episode you won’t want to miss. SARs from staff can surface during contentious periods and often involve highly personal data, workplace grievances, and emotionally charged decisions.
Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.
What We Covered
This session dives into some of the most frequently asked questions and overlooked risks when handling SARs from employees and ex-employees. The team explored:
🔹 Common Triggers and Misconceptions
From employment disputes and grievances to misunderstanding of rights, we discussed the motivations behind employee SARs and how these requests are sometimes unfairly perceived as “troublemaking.”
As Catarina Santos explained, it’s essential to reframe the narrative:
“The moment an employee submits a SAR, there’s often suspicion. But they’re simply exercising a right, and organisations need to avoid viewing this as a hostile act.”
🔹 SARs and Organisational Culture
The episode opened with a reflection on how important organisational attitude is when dealing with SARs internally. Do line managers panic? Do HR teams try to limit the scope unfairly? The tone an organisation takes towards SARs sets the standard for compliance and for respect for rights.
🔹 The Community Speaks
This episode was particularly lively, with dozens of listeners sharing personal experiences in the live chat, from management asking for redaction reviews to WhatsApp messages being considered disclosable.
Philip Brining highlighted the value of the community:
“We’re not here to preach, we’re here to learn from each other. Today’s discussion proved again how much experience exists across this community.”
🔹 Tools of the Trade: Teams, WhatsApp & Chat Platforms
Are your workplace chat tools covered by SARs? Very possibly. The group discussed how platforms like Microsoft Teams, Slack, and WhatsApp are increasingly scrutinised during employee SARs, especially if conversations include personal data.
🔹 Balancing Access, Proportionality, and Security
SAR compliance doesn’t mean disclosing everything. As Caine Glancy pointed out, organisations must strike a balance between access and protection:
“It’s easy to get swept up in emotion, especially when the SAR involves current staff. But we need to remain impartial, proportional, and legally grounded.”
The team also touched on unfounded and excessive requests, case law, and the ICO’s guidance on managing SARs in the workplace — especially when IT systems and data security are involved.
What made this episode stand out was the depth of real-world experiences shared. Guest speaker Nia Roberts brought front-line insight, including how to manage expectations and collaborate across departments:
“You need strong communication between data protection and IT teams. It’s essential, especially when you’re dealing with chat logs or historic data held in messaging tools.”
Meet the Panel
- Philip Brining – Managing Director and Founder of Data Protection People
- Catarina Santos – Data Protection Consultant
- Caine Glancy – Data Protection Support Consultant
- Nia Roberts – DPO at Woodgate & Clarke
Looking Ahead
Due to overwhelming demand and an overflowing chat box, we’re exploring a Part 2 to this session, diving deeper into recurring SAR issues, including excessive requests, HR workflows, and lessons from recent case law.
Special May Promotion: Free SAR Consultations
This month, we’re offering free consultations on SAR handling to any organisation looking to improve their internal process.
Whether you’re struggling with redaction, document searches, or managing requests in difficult cases, speak to one of our experts for practical support.
📩 Simply email us at info@dataprotectionpeople.com with the subject line “SAR Support”, and we’ll book in a free 30-minute consultation.