Catarina Santos
Data Protection Consultant and Consultant Manager
Cate is a Data Protection Consultant and Head of Consultancy at Data Protection People. Over the past three years, she has been working closely with consultants to help them grow and reach their full potential, while supporting clients by making data protection simple, engaging, and easy to put into practice.
She is also one of the hosts of Data Protection Made Easy, the Data Protection People podcast, where she shares practical insights in a clear and relatable way.
Get to Know Catarina
Cate is a Senior Data Protection Consultant and Head of Consultancy at Data Protection People. She joined the team in 2023 on the Support Desk and quickly moved into consultancy, working her way up to a senior role.
She works closely with consultants, supporting them to grow in confidence and develop into strong professionals. With clients, Cate understands that data protection isn’t always the easiest topic, so she focuses on making it simple, practical and easy to relate to.
Most of her work is with housing associations and charities, where she has built real expertise. She’s also particularly interested in how children’s data is used, especially with the rise of AI and social media.
Originally from Lisbon, Cate swapped sunshine for life in Leeds (and a good Sunday roast - fair trade, she says). Outside of work, she loves travelling, trying new foods (especially sushi, where budgets don’t apply), and meeting new people. A former swimmer for Sporting Clube de Portugal, she’s now back in the pool and rarely says no to anything new or fun.
Experience
Cate’s path into data protection started with a strong legal background and a willingness to try something new. She completed a Bachelor’s degree in Law and a Master’s in Law and Technology in Portugal, before beginning her career as a trainee lawyer in 2019. During that time, she worked across a range of areas including immigration, employment, civil, corporate and property law.
When COVID hit, Cate decided she wanted to move into something more fast-paced and forward-looking. That’s what led her to data protection.
She joined Data Protection People in 2023 as part of the Support Desk team. This gave her a great foundation, helping clients with everyday queries and getting a real feel for the challenges organisations face. From there, she moved into a junior consultancy role and has since progressed to Senior Consultant.
Today, Cate works with a wide range of clients, with a particular focus on housing associations and charities. She understands the pressures these organisations are under and supports them in a way that is practical and realistic, not overcomplicated.
She also has a strong interest in how children’s personal data is used, especially as things continue to change with AI and social media. It’s an area she cares about and keeps a close eye on.
Cate is known for being detail-focused and holding herself to high standards. Whether she’s working with a small organisation or a large one, her approach stays the same: clear advice, careful work, and making sure things are done properly.
Data protection doesn’t need to be complicated - it just needs to make sense. If you support your team, stay curious, and focus on doing things properly, the rest follows.
Catarina's Posts
Under-16s Social Media Ban: Is 16 the Right Age, or Have We Gone Too Far?
By Catarina Santos, Head of Data Protection Consultancy at Data Protection People
Today, Prime Minister Keir Starmer confirmed that the UK will ban under-16s from using a range of social media platforms, including Snapchat, TikTok, YouTube, Instagram, Facebook and X. Messaging apps such as WhatsApp and Signal will not be affected, and the government says the new rules will come into force early next year.
I must admit that my first reaction was good, and before anyone jumps to the comments, I will explain why.
I work in data protection and spend a lot of time helping organisations think about how they protect children and young people. The reality is that we’ve all seen the stories: children being exposed to content they shouldn’t be seeing, dangerous online trends, cyberbullying, grooming, unrealistic pressures about appearance and lifestyle, and spending far too much time scrolling.
None of this is new, and none of it should be ignored, so I completely understand why the government feels it needs to do something (particularly when this is already a given in so many other countries).
Where I’m less convinced is whether banning under-16s from social media is the right solution.
Also, I couldn’t help but notice that WhatsApp and Signal have been excluded. If the concern is protecting children online, does it really make sense to ban Instagram and TikTok whilst allowing access to private encrypted messaging services?
Some of the most concerning online harms don’t happen in public comment sections. They happen in private conversations, private groups and increasingly through AI-powered tools that operate away from public view.
But is 16 the right age?
This is where I’m unsure. I understand why the government has chosen 16, but I’m not sure if I agree with it. Other countries have gone down different routes. Australia has introduced a ban for under-16s, whilst parts of the US, including Florida, have set the age lower. That alone shows there isn’t a clear answer to this.
By that age, most young people already have phones: they’re messaging friends, using technology for school, watching videos, gaming and spending a large part of their social lives online. Whether we like it or not, technology is part of growing up.
For me, the question is whether keeping young people off social media until 16 actually helps them, or whether it simply delays them learning how to use these platforms safely.
I absolutely support stronger protections for children online. I’m just not convinced that 16 is the right place to draw the line.
Will a ban actually solve the problem?
This is probably the part I struggle with most. I don’t think many teenagers are suddenly going to stop using social media because a law (or their parents or schools) tells them to.
If anything, they’ll find ways around it! Teenagers are usually far better with technology than most adults and where there’s a will, there’s usually a way.
My concern is that we’re focusing so much on the age limit that we’re missing the bigger issue: the conversation seems to be about keeping children off social media, but not enough about why social media can be harmful in the first place.
If a platform is exposing children to harmful content, encouraging them to spend hours scrolling, or creating pressures around appearance and popularity, does that suddenly stop being a problem when someone turns 16? I’m not sure it does.
That’s why I’m not convinced that a ban on its own is the answer. It may help, and it may reduce some risks, but I don’t think it deals with the reasons why so many people are worried about social media in the first place.
For organisations, I don’t think this announcement should come as a surprise. Children’s privacy and online safety have been high on the agenda for regulators for a long time. If your organisation provides services that children can access, you should already be thinking carefully about how you collect and use their information.
The proposed ban doesn’t change that. If anything, it reinforces the direction of travel and the expectation that organisations put children’s interests first.
If you’d like to explore these themes further, I’d really recommend a listen to Shared Screens, Split Realities: Rethinking Online Safety Together from UCL’s Grand Challenges series. It’s a thoughtful discussion covering social media, mental health, regulation, digital literacy and the lived experiences of young people, including neurodivergent communities, and it touches on many of the same questions I’ve raised here about how we build a safer, more inclusive digital world without simply shutting the door on it. UCL Grand Challenges does excellent work tackling issues like this through interdisciplinary research, and this episode is well worth thirty minutes of your time. You can listen to it on SoundCloud.
My view
I can see both sides of the argument. I understand why the government has taken this step and I agree that something needs to be done to better protect children online.
What I’m less sure about is whether banning under-16s from social media is the answer. For me, the bigger question is whether we’re focusing on the right thing. If social media is causing harm to young people, shouldn’t we also be asking much more of the companies behind these platforms? A teenager doesn’t suddenly become immune to harmful content on their 16th birthday.
That’s why I think this conversation needs to be about more than age limits.
What do you think?
I’d be interested to hear what others think. Is 16 the right age? Should it be younger? Or is the focus on the wrong issue altogether?
If your organisation provides services for children or young people and you’d like to talk about the data protection side of things, feel free to get in touch with our team at Data Protection People.
Catarina Santos is Head of Data Protection Consultancy at Data Protection People and co-hosts the Data Protection Made Easy podcast. She has a background in children’s safeguarding through data protection and works with clients across multiple sectors on privacy compliance, risk and strategy.
End-to-end encryption, Instagram, and the growing privacy dilemma
Meta has announced that it will remove end-to-end encryption from Instagram direct messages, raising questions not just about privacy, but about safety, regulation, and where the balance should sit.
What is end-to-end encryption?
End-to-end encryption is a way of protecting communications so that only the sender and the recipient can read the content. In simple terms, messages are “locked” on the sender’s device and can only be “unlocked” on the recipient’s device. No one else – not even the platform providing the service – can access the content of those messages (in theory).
This is widely considered one of the strongest forms of privacy protection available online. It reduces the risk of data breaches, unauthorised access, and surveillance.
However, it also means that platforms themselves cannot monitor what is being shared.
What is happening with Instagram?
Meta has confirmed that it will discontinue end-to-end encrypted messages on Instagram from May 2026. The feature, which was introduced relatively recently, allowed users to send messages that even Meta could not read. Its removal means that Instagram messages will no longer have this level of protection.
The company has suggested that the feature had low usage.
At the same time, there is a wider context. Regulators and policymakers, particularly in the UK (notably through the Online Safety Act), the US and Europe, have been placing increasing pressure on platforms to improve child safety and prevent harm online.
End-to-end encryption has become a focal point in that debate, because it limits the ability of platforms to detect illegal or harmful content.
TikTok’s contrasting approach
Interestingly, not all platforms are moving in the same direction. As Mark and I mentioned on the podcast a couple of weeks ago, TikTok has publicly stated that it does not intend to introduce end-to-end encryption for direct messages.
Its reasoning is clear: encryption of this kind can make it harder to detect harmful behaviour, including abuse and exploitation. Without visibility of message content, both platforms and law enforcement may struggle to investigate concerns. In other words, TikTok is allegedly prioritising safety and oversight over maximum privacy in messaging.
The dilemma: privacy vs protection
This brings us to the core issue, one that organisations, regulators and society more broadly are still grappling with. As mentioned on the podcast, we are facing a massive dilemma:
On one hand, end-to-end encryption is a powerful safeguard, supporting confidentiality and reducing the risk of hacking and misuse of data. On the other, it can limit the detection of harmful or illegal activity, create challenges for safeguarding children and vulnerable users (who can be anyone, depending on the context, as Charlotte mentioned on the podcast) and, the big one, reduce the ability of platforms to intervene proactively.
In the UK, this tension is reflected in legislation such as the Online Safety Act, which places duties on platforms to protect users – particularly children – from harm, while also raising concerns about how that can be achieved without weakening encryption.
From a data protection standpoint, this issue sits at the intersection of several key principles:
- Confidentiality and security (protecting personal data)
- Accountability (ensuring organisations can manage risks)
- Protection of vulnerable individuals, particularly children
There is, however, one thing that is clear: there is no one-size-fits-all answer!
Strong encryption aligns closely with UK GDPR principles around security and integrity, but organisations also have obligations to mitigate risks and prevent harm, particularly where children are concerned.
The shift by Meta – and the contrasting stance from TikTok – highlights that there is no settled industry position.
End-to-end encryption is often framed as a purely technical feature, but it seems to be more than that: Meta’s decision to remove it from Instagram, alongside TikTok’s refusal to adopt it, shows just how complex that balance has become. The challenge ahead is not simply whether to use encryption, but how to reconcile two equally important goals:
protecting people’s privacy, and protecting people from harm.
Important links:
https://www.bbc.co.uk/news/articles/cly2m5e5ke4o
https://mashable.com/article/instagram-meta-end-to-end-encryption
AI-Generated Fake Images and Data Protection: What the Grok Case Reveals
Recent reports have raised serious concerns after the AI chatbot Grok was used to generate fake images of women and girls appearing undressed, without their consent. The incident has drawn criticism from UK ministers and reignited debate about how generative AI tools can be misused.
While the images were artificially generated, the harm caused was real. From a data protection perspective, this case highlights significant risks around unlawful processing, safeguarding failures, and loss of control over personal data.
Why This Matters Now
Generative AI tools are becoming widely available and easy to use. Grok, developed by xAI and integrated into the X platform, allows users to generate images and text through prompts.
Although these tools offer innovation, they also create new risks. When AI can generate realistic images of identifiable individuals, the potential for abuse increases sharply.
This case has attracted attention from UK ministers, including Liz Kendall, who described the images as deeply disturbing. Her comments reflect growing concern that existing safeguards are not keeping pace with AI development.
What Happened
The reports focus on the use of Grok to generate sexualised images of women and girls. In some cases, the individuals depicted were real people whose images had been altered or reimagined by the AI.
Grok can produce images based on text prompts. Where users reference real individuals, the tool may draw on existing online images or patterns learned during training.
Although the final output is synthetic, it still relates to identifiable individuals. That distinction is critical under data protection law.
Why This Is a Data Protection Issue
Under UK GDPR, personal data includes any information that relates to an identified or identifiable person. Images clearly fall within this definition.
In this case, the AI-generated images relate to real individuals. That means data protection law may apply to how the images are created, processed, stored, and shared.
Several UK GDPR principles are engaged, including:
• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimisation
• Integrity and confidentiality
Where images are sexualised, this may also involve special category data. Processing this type of data requires an even higher legal threshold.
Consent would be difficult to rely on here. The individuals affected did not agree to their data being used in this way. Other lawful bases are also unlikely to apply, particularly where the processing causes distress or harm.
What Organisations Using AI Should Be Doing
This case shows why AI governance cannot be an afterthought.
Organisations using generative AI should:
• Carry out DPIAs for AI systems that process personal data
• Restrict prompts and outputs that reference real individuals
• Implement strong content moderation and misuse controls
• Monitor outputs and user behaviour
• Provide clear reporting routes for harmful content
Staff should also understand that misuse of AI can create reportable data breaches. Our Data Protection Training supports teams in managing these risks.
Our View
The following view is shared by our Head Data Protection Consultant, Catarina Santos.
Like many people working in data protection, I see the benefits of modern digital tools every day. When used properly, they can improve services, widen access, and support innovation. However, recent revelations about the Grok AI image tool show what happens when powerful technology is released without proper safeguards, especially when children are the ones paying the price.
The statement from the Head of Hotline, Ngaire Alexander, is deeply troubling. Analysts have confirmed the existence of criminal imagery involving girls aged between 11 and 13, reportedly created using the Grok image tool and shared on dark web forums. While some of the initial images may fall under Category C under UK law, the most alarming issue is how they are being used as a starting point to create far more extreme Category A content using other tools.
As Alexander rightly said, “the harms are rippling out”. That phrase matters, because this is not a single failure or a contained incident. It is a chain of harm.
From a UK GDPR perspective, children’s personal data requires special care and protection. This includes images, likenesses, and anything that allows a child to be identified or realistically represented.
Once an image exists, even a fake one, it can be copied, altered, escalated, and reused. All of this can happen completely outside the control of the child or their family.
That is exactly what we are seeing here. One tool produces a sexualised image. Another tool turns it into something far more extreme. The original system may not host the final content, but that does not remove responsibility. UK GDPR expects organisations to think ahead. Where risks are obvious, particularly risks to children, organisations are expected to anticipate misuse. When those risks are ignored, that is not neutral. It is negligent.
Safeguarding cannot be an afterthought. This case highlights a recurring problem. Safeguards are often added only after harm has already occurred, rather than being built into products from the start.
Children do not get a second chance at privacy. Once an image is created and shared, the damage is permanent. The emotional impact, fear, shame, and long-term consequences do not disappear because an image was generated rather than photographed.
From a safeguarding perspective, allowing a product to be released to the public when it can be used to create sexualised images of children is simply unacceptable.
As Alexander said clearly, “There is no excuse for releasing products to the global public which can be used to abuse and hurt people, especially children.” This is not anti-innovation. It is common sense.
Tools like generative AI are not automatically harmful. Many are impressive and, in the right hands, genuinely useful. However, capability without control is dangerous. Saying a tool can be used for good does not excuse weak age protections, ineffective safeguards, or ignoring known risks to children.
We would never accept this approach in education, healthcare, or social care. Digital products should not be treated differently.
Speaking as a data protection consultant, I find this deeply concerning. Not because technology exists, but because basic principles of safeguarding and UK GDPR appear to have been pushed aside.
Children should not be used as test cases for innovation. They should not be collateral damage. They should never be expected to carry lifelong consequences for someone else’s product decisions.
If a system cannot be confidently released without enabling harm to children, then it should not be released at all. This is not a radical position. It is the bare minimum.
FAQs
Does UK GDPR apply to AI-generated images?
Yes. If an image relates to an identifiable individual, it can be personal data, even if it is artificially generated.
Is consent required to use images in AI training?
In many cases, yes. Particularly where images are sensitive or involve children.
What should organisations do if AI generates harmful content?
They should act immediately, assess whether a data breach has occurred, and report to the ICO if required.
Contact Us
If your organisation uses AI or plans to deploy generative tools, we can help you assess risk and stay compliant. Our Data Protection Support, GDPR Audits, and Training services make AI governance practical and manageable. Contact us today.
Source
The Guardian, report on Grok AI generating fake images and the UK government response.
What Are Weaponised SARs? Key Insights from 180 Data Protection Professionals
On Friday 10 April, the Data Protection Made Easy podcast hosted a live discussion on one of the fastest-growing challenges in information rights, weaponised Subject Access Requests, often referred to as weaponised SARs.
Led by Catarina Santos and Caine Glancy, the session attracted 180 live participants, with a highly active chat and more questions than could be answered in a single session.
This signals a clear shift. Weaponised SARs are no longer a niche issue. They are a growing operational challenge affecting organisations across housing, healthcare, local authorities and the private sector.
Subject Access Requests are increasingly being used strategically. Rather than purely supporting transparency, they are now being submitted alongside complaints, grievances, legal disputes and disrepair claims.
This does not remove the legal right of access. It does mean organisations must work harder to define scope, manage intent and respond in a way that is both compliant and proportionate.
If your organisation is already dealing with increasingly complex requests, our SAR Support Service helps teams manage Subject Access Requests efficiently and with confidence. Many organisations also benefit from wider governance support through our Data Protection Support Service and Outsourced DPO service.
Why are weaponised SARs rising?
During the session, Catarina highlighted that this trend is becoming more frequent and more disruptive.
As she explained, “Unfortunately, it’s becoming more regular and is definitely something that organisations are seeing on a very regular basis.”
The core issue is a tension between legal rights and strategic use. Individuals have a right to access their personal data, but some requests are clearly being used to apply pressure or gain leverage.
Caine reinforced this by highlighting a common pattern seen across organisations: “They only ask if they think there is a smoking gun.”
This reflects a wider shift. Many SARs are no longer exploratory; they are targeted, often driven by disputes or a belief that key evidence exists within organisational records.
The role of AI in weaponised Subject Access Requests
Artificial intelligence is accelerating this trend.
Catarina explained how AI tools are shaping behaviour: “They are relying a lot on ChatGPT and other AI platforms… SARs are something that you should always submit.”
Caine added: “Practically everybody within the meeting today has probably received a request that looks like it’s come from an AI platform.”
This creates a new challenge. Requests now often appear legally confident, broad in scope and poorly understood by the requester.
As a result, organisations are dealing not only with the initial request, but also repeated AI-generated follow-ups and challenges.
A member of the community commented, “We are seeing data subjects use AI more and more to contradict our responses. It’s becoming a real issue.”
This is one reason why having a practical SAR process matters more than ever. A clear workflow, strong template letters and the right internal escalation points can reduce risk and improve consistency. For organisations that need extra support, our SAR Support Service is designed to help with scoping, review, redaction and response management.
Real challenges shared by the data protection community
The live chat reinforced just how widespread this issue has become.
A member of the community commented, “Weaponised suits our situation. Customers will send us a SAR to delay actions or find us in the wrong.”
Another added, “Most of our requests ‘scream’ ChatGPT now.”
Another highlighted the operational frustration, commenting, “We spend so much time responding, just for it to be put back through AI and asked again in a different way.”
A recurring theme was expectation versus reality. Many requesters expect full disclosure of documents, while organisations must apply the law correctly and proportionately.
Solicitors, tone and pressure tactics in SARs
Another key discussion point was the role of solicitors and representatives.
Catarina noted that tone is often used strategically: “The tone is definitely to create fear among the people managing these requests.”
This is often combined with misunderstandings about the scope of a SAR.
A member of the community commented, “The lawyers advising them are oblivious of the fact that documents do not form part of a DSAR response.”
Another added, “Just because they ask for something, data protection still applies.”
This highlights a critical point for organisations. A SAR is a right to personal data, not a blanket right to all documents, emails or internal records.
That distinction sits at the heart of good SAR handling. It also links closely with broader compliance and governance practice, which is where services such as our Data Protection Support Service and Outsourced DPO service can help organisations build stronger foundations.
Why clarifying a SAR request is essential
One of the most important takeaways from the session was the need to clarify scope early.
Catarina advised: “Don’t be scared to clarify the request.”
Broad requests such as “all my personal data” can quickly become disproportionate if not narrowed.
She also reinforced a key legal distinction: “The right is to personal data, nothing more, nothing less.”
Clarification helps reduce unnecessary workload, focus on relevant data, improve response accuracy and manage expectations early.
A member of the community commented, “Provide everything you have on me is exhausting.”
The growing pressure on data protection teams
The discussion also highlighted the strain on internal teams.
Caine explained: “A lot of people do SARs individually… that might not be feasible anymore.”
This was strongly reflected in the chat.
A member of the community commented, “I’m just one person.”
Another added, “I have a team of 11 and it’s still not enough.”
Another said, “Many of ours are overdue as we are overwhelmed.”
This demonstrates a clear gap between legal expectations and operational reality.
Where internal resource is stretched, it often makes sense to bring in specialist support for complex or high-volume cases. Our SAR Support Service is built for exactly this, helping organisations reduce pressure on internal teams while maintaining a defensible and structured response process.
ICO guidance, challenges and uncertainty
The session also explored frustrations around regulatory guidance.
Caine said: “What would really help is more detailed guidance.”
Catarina added: “It’s too broad… it’s hard to define what it means in practice.”
The community echoed this.
A member of the community commented, “I wish the ICO would issue clear guidance from experiences like this.”
Another said, “It’s hard to know whether the ICO has received a complaint or not.”
This lack of clarity leaves organisations making difficult judgement calls without consistent, practical support.
How organisations should respond to weaponised SARs
While there is no single solution, several practical steps emerged from the discussion.
Organisations should build a practical SAR process that reflects real workflows, use clear templates for acknowledgements, clarifications and responses, clarify scope early to avoid unnecessary work, document decisions and search methodologies, and apply the law confidently and proportionately.
Caine summarised this well: “You’ve got to not be afraid to push back when things are getting too far.”
In practice, that often means having the right mix of process, confidence and support. Our SAR Support Service helps organisations manage difficult requests from initial scoping through to final response, while our Data Protection Support Service and Outsourced DPO service support wider compliance, governance and decision-making.
Why this conversation is not over: part two is coming soon
With 180 attendees and a highly engaged discussion, it became clear that one session was not enough.
Several topics require deeper exploration, including repeat SAR requests, metadata requests, grievance-led SARs, solicitor authority, search methodology and proportionality.
As Caine confirmed: “We’ll be picking apart some of these requests and taking it into a second session.”
That feels exactly right. Weaponised SARs are not a passing frustration. They reflect a broader shift in how data rights are being used, challenged and operationalised.
For anyone working in data protection, compliance, information governance or complaints handling, this is a conversation that is only becoming more important.
Need support with complex or weaponised SARs?
Weaponised SARs are not a temporary trend. They reflect a broader shift in how data rights are being used.
If your organisation is experiencing increasing SAR volumes, more complex or strategic requests, or growing pressure on internal teams, now is the time to review your approach.
Explore our SAR Support Service to see how we help organisations manage Subject Access Requests efficiently, accurately and with confidence.
You may also find it useful to explore our wider Data Protection Support Service and Outsourced DPO service for ongoing compliance support.
Frequently asked questions about weaponised SARs
What is a weaponised SAR?
A weaponised SAR is a Subject Access Request that appears to be used strategically, often alongside a complaint, grievance or dispute, rather than simply to understand how personal data is being processed.
Are weaponised SARs still valid?
Yes. A requester may still have a valid right of access even where the wider context is contentious. Organisations still need to assess the request properly, define scope and respond lawfully.
Can AI increase the number of SARs?
Yes. AI tools can make it easier for people to generate broad, legally worded requests and follow-up challenges, which can increase both the volume and complexity of SAR handling.
Do SARs give people the right to all documents?
No. A SAR is a right to personal data, not a blanket right to every document, email or report in which a person may appear.
Should organisations clarify broad SARs?
Yes. Clarifying a broad request can help narrow scope, reduce unnecessary work and ensure the response is more accurate and proportionate.
How can organisations manage complex SARs more effectively?
Organisations should use a practical SAR procedure, clear templates, documented search methods, confident decision-making and specialist support where internal capacity is limited.
GDPR Radio – Digital Omnibus, Personal Data and SAR Reform
Digital Omnibus, Personal Data Changes and What They Mean for You
Episode 227 of the Data Protection Made Easy Podcast, hosted by experts at Data Protection People. This episode was recorded live via Microsoft Teams in front of an audience of listeners.
What We Covered in This Session
A Catch Up from Caine and Catarina
The episode opens with a look at what the team have been working on. Catarina reflects on a very busy week supporting a major client project alongside her team. Caine shares updates on ongoing STAIRs sessions for social housing providers and hints at an in person STAIRs event coming soon.
Both hosts also discuss their guest appearance on another organisation’s podcast where they explored how users understand privacy information, how organisations communicate their obligations and why cross functional training is so important.
The Digital Omnibus Package Explained
The main focus of the episode is the European Commission’s Digital Omnibus package, announced on 19 November. The discussion highlights several of the most significant proposals, including:
1. A New Approach to Personal Data
The proposal introduces a major shift. Information would be classed as personal data only if the controller has means reasonably likely to identify the individual.
The team explore:
- how this could narrow the scope of personal data
- what this means for indirect identifiers and pseudonymised data
- how case law from Europe is already pushing towards this direction
- how this might affect UK organisations if mirrored in future reforms
2. Changes to Data Breach Reporting
Catarina outlines proposals that:
- raise the threshold so only high risk breaches need regulator notification
- extend the deadline from 72 to 96 hours
Caine questions whether reducing low risk reporting could hide patterns of poor practice, and the group debate what this means for real world compliance.
3. Reforms to Cookie Rules
The Digital Omnibus seeks to simplify cookie requirements by reducing reliance on consent for low risk purposes such as security and aggregated analytics. The team draw comparisons with the UK DUA Act and consider how consent fatigue has shaped this direction.
Insights from Guest Contributor David Appleyard
David shares two important observations:
1. SAR Purpose Tests
Under the new proposals, organisations may reject or charge for a SAR if the purpose is not to access personal data, for example in an employment dispute. This could be a significant change for many organisations that currently process large volumes of tactical or grievance based SARs.
2. High Risk AI Processing
David explains that the EU is pushing back deadlines for identifying high risk AI processing due to a lack of clear guidance, with expectations now set for no later than December 2027.
CNIL Research on Selling Personal Data
Caine introduces a study from the CNIL which found that 65 percent of surveyed French citizens would sell their personal data for between 1 and 100 euros. The hosts explore:
- why people undervalue their own data
- how advertising, profiling and AI training increase the true value
- the growing need for public awareness and transparent communication
Looking Ahead
The session closes with a reminder that the next podcast will explore data retention, followed by an update that the team are working on the new in house DPP studio.
About the Data Protection Made Easy Community
Our podcast community is one of the most active privacy networks in the UK with more than 150 regular live attendees and over 1,600 subscribers across all audio platforms. Joining the community gives you access to:
- free weekly live sessions with the chance to ask questions
- practical guidance from experienced consultants
- early access to slides and resources
- networking with other privacy and security professionals
- invites to in person events, workshops and sector focused discussions
- exclusive content only available to our community members
Attending live offers clear benefits. You can join the conversation, shape the discussion, raise real world challenges and take part in polls, chat and Q and A. Many listeners tell us they get far more value from attending live than listening back later.
We also have a strong line up of sessions taking us through to the end of the year, covering topics such as data retention, AI risk, international transfers, STAIRs, marketing compliance and more.
If you are not yet part of the Data Protection Made Easy community, you can join for free and get involved straight away.
Cookies in 2025 – Trick or Treat, Part Two
This Halloween special of the Data Protection Made Easy Podcast dives into two hot topics: consent or pay and cookieless advertising. Watch or listen on demand below.
Recorded: Friday 7 November 2025
Hosts: Catarina Santos with guests Oluwagbenga Onojobi (Gbenga) and Holly Miller, cameo from Phil Brining
In this 30 minute session we focus on the implications of consent or pay under UK GDPR and what the move to cookieless advertising means in practice. We also touch on recent regulatory opinions and enforcement trends. The aim is simple: give you practical clarity that reduces risk without hurting conversions.
What we cover
- The implications of consent or pay under UK GDPR and related data protection principles
- How the transition to cookieless advertising affects the lawful use of personal data
- Recent regulatory opinions and enforcement trends in the adtech space
Key takeaways
- A clearer understanding of the data protection framework as it applies to modern advertising
- Insights into compliance risks and regulator expectations
- Discussion of the challenges organisations face when aligning commercial practices with data protection law
Join the Data Protection Made Easy community
One of the UK’s largest data protection communities, with more than 1,500 subscribers and over 200 episodes on major audio platforms. Join for free to get weekly live invites, monthly newsletters, and first access to in person events.
Missed Part One?
If you missed our first conversation on cookies, you can catch up on that episode, along with more than 200 others, on the Data Protection Made Easy Podcast.
10 Years of Data Protection People
Celebrating 10 Years of Data Protection People & 5 Years of the Data Protection Made Easy Podcast
Last week we marked not one, but two major milestones, 10 years of Data Protection People and the 5th birthday of the Data Protection Made Easy Podcast. To celebrate, we hosted a special live session with Philip Brining, Caine Glancy, Catarina Santos, and returning host Joe Kirk. Together, we looked back at the Top 10 Most Streamed Episodes from the past five years, revisiting the conversations that have shaped our community.
Key Themes from the Session
- Subject Access Requests (SARs) – still one of the most complex and frequently discussed areas of data protection.
- Data Protection Impact Assessments (DPIAs) – exploring challenges around risk, practicality, and when a DPIA is truly needed.
- Legislative Changes – including Brexit, the Data Protection and Digital Information Bill, and the new DUA Act.
The team also reflected on why topics like ROPA and audits don’t always feature as highly among listeners, and why broad themes resonate more strongly than sector-specific discussions.
Insights from Our Community
Our special guest Joe Kirk shared valuable insights from moving into an in-house DPO role, including the importance of tackling cookie compliance and ensuring correct ICO registration. The panel also discussed the ICO’s new guidance on complaints handling and recognised legitimate interests, highlighting the practical steps organisations should take ahead of expected implementation in June 2026.
The Return of Weekly Podcasts
To celebrate our 10-year anniversary and the continued growth of our community, we are excited to announce that the Data Protection Made Easy Podcast is returning to a weekly schedule. Every Friday at lunchtime, we’ll be live with fresh discussions, community insights, and practical guidance for data protection professionals.
You can sign up on our Events Page to join future live sessions, or contact us here to subscribe and become part of the UK’s biggest data protection community.
Listen Back to the Anniversary Episode
If you missed it live, you can catch up now on Spotify.
Here’s to 10 years of making data protection easier, and 5 years of building a community where professionals can learn, share, and grow together. Thank you to everyone who has been part of the journey so far.
Caught in the Act: The UK’s New Age Verification Law
Online Safety Act, age checks, and real world risks, highlights from Episode 218
Recorded on Friday 29 August 2025, this live episode of Data Protection Made Easy brings together Catarina Santos, Caine Glancy and Philip Brining to explain what the latest Online Safety Act changes mean in practice. The team walk through how age verification works, why VPN downloads have surged in the UK, and the real impact on privacy, user experience and compliance.
Episode: 218, Data Protection Made Easy
Recorded: late August, Leeds and online
Hosts: Philip Brining, Catarina Santos, Caine Glancy
We are Data Protection People, a consultancy and a community. More than 1,500 practitioners are part of that community, joining our live sessions for practical help and straight talking advice. We keep things human, current, and useful.
What we covered
- Online Safety Act, where it fits with the Children’s Code, why it goes further on content and safety.
- Age assurance, facial estimation, ID checks, open banking, and the privacy trade offs behind each approach.
- Supply chain risk, real incidents in education and vetting, why processor controls and backups still fail.
- Education, why literacy and resilience matter as much as technical gates.
- Community update, weekly sessions return in September, likely in focused 30 minute formats.
Highlights and opinions
Scope and categories. Ofcom guidance gives the most usable overview. Scale drives duties: category one providers face the heaviest lift, but smaller services still need proportionate controls.
“The Act is about content, the Children’s Code is about design, together they set expectations for what people actually see and share.” — Philip
Age checks in practice. Facial estimation and ID checks can help, but they are not perfect. People will try VPNs and workarounds, so policy and education must sit alongside technology.
“There is no magic potion for age checks, the solution cannot be technology alone.” — Catarina
“If suppliers rush controls without thinking about retention and purpose limitation, we move risk rather than reduce it.” — Caine
Supply chain failures. Contracts need clear migration and deletion steps; restore tests must be real; controller oversight must be active, not paper based.
“Where is the weak link: backups, migration steps, subprocessors, or the missing instructions in the DPA?” — Philip
Freedom of expression and harm. Public concern is real. The intent is to reduce harm to children, not silence debate. Practical application will need careful balancing.
Practical takeaways for organisations
- Write a content risk assessment if your service can be accessed by children, update it on a schedule, record decisions.
- Map processors and subprocessors, include precise steps for transfers and deletion, test restores, not only backups.
- Choose proportionate age assurance; record the lawful basis, retention period and vendor due diligence, and avoid keeping copies of identity documents unless it is genuinely necessary.
- Blend controls with education, publish clear user guidance, support parents and teachers, avoid dark patterns.
About the community
Data Protection Made Easy is the live podcast and discussion space run by Data Protection People. More than 1,500 members join to share cases, templates, and practical steps. We will return to weekly sessions in September, short and focused, with time for questions.
Contribute to a future episode
We are always looking for contributors and topics, case studies, SAR puzzles, transfer questions, or views on the Online Safety Act. Get support or advice, or pitch a slot for an upcoming episode.
Explore more in our Resource Centre, including recent episodes and guides.