Resources

Podcasts, Guides, Updates & More

Join our extensive list of clients who have their data privacy under control

Data Protection People Blogs

Data Privacy Learning & Guidance

Our mission is to make data protection easy: easy to understand and easy to do. Our weekly podcasts are available in our Resource Centre along with a collection of articles, white papers, useful guidance, templates, case law, and opinions – providing you with tools you can utilise in your workplace.

Summer SAR Support

SAR Support During the Summer Holidays: Why Organisations Struggle and How to Stay Compliant

Every year, as summer arrives and schools break up for the six-week holiday, many organisations begin to feel the pressure. But it’s not just the heat or the juggling of annual leave rotas that causes challenges. For data protection teams across the UK, summer has become known as SAR season, a time when Subject Access Requests (SARs) increase and internal resources are stretched thin.

At Data Protection People, we’ve supported hundreds of clients through this exact scenario. We’ve seen the same patterns emerge year after year: reduced staffing levels, mounting deadlines, and complex SARs that simply cannot wait. Understanding why this happens and how to prepare can make all the difference.

Why Do SARs Increase During the Summer?

There isn’t one single reason, but rather a combination of factors that converge during July and August. First, many internal data protection and HR teams are operating with skeleton staff due to holidays. This makes it harder to keep up with SARs, especially those that are more involved, such as requests from current or former employees.

At the same time, there can be a rise in employee-related SARs during the summer break. Disagreements over flexible working, disputes linked to holiday entitlements, or even longer-standing grievances can lead to individuals submitting SARs as part of broader HR issues. In the education sector, we also see a rise in parent and student SARs being submitted just before the academic year begins, adding more pressure at an already busy time.

Add to this the fact that organisations have only one calendar month to respond to a SAR, with no extension allowed unless the request is particularly complex, and the situation quickly becomes challenging.

The Risk of Delayed or Incomplete SAR Responses

Failure to meet SAR deadlines doesn’t just inconvenience the individual making the request. It can trigger complaints to the Information Commissioner’s Office (ICO), damage your organisation’s reputation, and even result in financial penalties. In some cases, particularly involving employees or sensitive personal data, delays can lead to legal disputes or grievances that might otherwise have been avoided with a well-handled and timely response.

It’s also important to remember that a SAR isn’t just about handing over data. You need to ensure that third-party information is carefully redacted, privileged or confidential material is properly assessed, and that the response is complete and clearly structured. This is not something that can be rushed, especially when your internal teams are already overstretched.

Why Organisations Choose Data Protection People for SAR Support

We are proud to be recognised as the leading provider of SAR support in the UK, and we currently rank #1 on Google for SAR and DSAR support services. Our experience spans all sectors, including housing, education, healthcare, charity, and private organisations of all sizes. Whether you’re facing a one-off customer request or handling an employee SAR covering 15+ years of service, our team is equipped to help.

We have a dedicated team of 25 professional redactors who work solely on SARs. This means you’ll be supported by experts who understand not just the legal obligations, but the operational and reputational risks associated with each request. Our advanced SAR processing software allows us to de-duplicate documents, carry out high-precision redactions, and manage the full review process securely and efficiently.

Our clients value our ability to step in quickly, assess their needs, and deliver a professional, compliant response, often under tight time constraints. We’re more than just a redaction service. We work alongside your internal team to manage the SAR from start to finish, offering full visibility, clear communication, and high-quality results.

We’re Here When You Need Us Most

The summer holiday period can be a perfect storm for SAR compliance issues: fewer people in the office, growing backlogs, and no let-up in legal obligations. That’s why many organisations turn to external support during this time of year.

By working with us, you can reduce the stress on your internal team, ensure deadlines are met, and protect your organisation from unnecessary risk. We also offer ongoing SAR management support, policy reviews, and tailored training to help you build resilience and improve processes moving forward.

If you’ve received a complex SAR and are unsure where to start, or if you’re already facing time pressure due to annual leave cover, get in touch. We’ll help you regain control, stay compliant, and respond with confidence.

Need Support with a SAR or DSAR?

Our team is ready to help. Whether you need end-to-end SAR handling, software to streamline your internal response process, or simply some expert guidance, we’re here to support you. Contact us today or visit our SAR Support page for more information.

Stay Ahead of the Curve with Data Protection Made Easy

If you’d like to stay up to date with news, updates and practical advice on SARs and other data protection topics, join the Data Protection Made Easy community:

We break down complex topics, provide practical solutions, and help professionals at all levels feel more confident and in control.

PECR Masterclass (Online)

Privacy and Electronic Communications Regulations (PECR) – Masterclass

Join Data Protection People for an essential full-day masterclass focused on the Privacy and Electronic Communications Regulations (PECR) and how they interact with UK GDPR. This online session is tailored to help professionals understand how to manage electronic communications lawfully, meet consent requirements, and ensure cookie compliance across their digital platforms.

Date: Monday, 11 August 2025
Location: Online – Full-Day Session

Whether you’re responsible for marketing, compliance, or IT systems, this practical and engaging session will give you the confidence to apply PECR in real-world scenarios.

What You’ll Learn

  • Introduction to PECR and how it differs from and complements the UK GDPR
  • Direct Marketing Rules for B2B and B2C communications
  • Understanding Consent and how to apply the soft opt-in exemption
  • Cookies and Similar Technologies – legal obligations and best practice
  • Key Exemptions and when they apply
  • Real-World Case Studies and common pitfalls to avoid
  • ICO Enforcement and Penalties – what to expect if you get it wrong
  • Practical Compliance Steps – from policies to training and audits

Who Should Attend?

This session is designed for:

  • Marketing professionals
  • Compliance officers
  • Data protection specialists
  • IT and digital teams
  • Anyone responsible for electronic marketing and cookie compliance

Hands-On Learning

  • Interactive exercises to embed knowledge
  • Tutor-led discussions using real-life case studies
  • Bonus materials, including a downloadable workbook and guidance documents

Why Attend?

This masterclass goes beyond theory. You’ll leave with the tools and knowledge to improve compliance, reduce risk, and empower your organisation to communicate lawfully and confidently in the digital space.

Download the Flyer

Want to share this opportunity with your team or manager?
Download the full PECR Masterclass flyer here

Online Safety Act Enforcement

Online Safety Act Enforcement: Immediate Action Required for UK Businesses

July 2025 marks a critical turning point in the UK’s Online Safety Act (OSA) implementation. After extensive preparation, Ofcom has now commenced active enforcement of key provisions, issuing deadlines that demand immediate attention from businesses providing online services with a significant UK user base or targeting the UK market.

Ofcom’s consultation phase is over; enforcement is here. Businesses that have been preparing must now ensure their compliance measures are robust, particularly concerning children’s safety and illegal content, or face severe consequences.

What Your Business Needs to Know Now and Why You Should Be Concerned:

Ofcom’s enforcement actions this week underscore several critical, immediate concerns:

  • Children’s Risk Assessments Due Imminently: Formal information requests have been issued, requiring online service providers to submit their children’s risk assessment records by 7 August 2025. This is a statutory requirement, and these assessments must align with Ofcom’s Children’s Safety Codes of Practice, which came into effect on 24 April 2025. [1]
  • Active Enforcement of Illegal Harms Duties: Enforcement began on 17 March 2025, with Ofcom already launching several investigations. Businesses must ensure their illegal harms risk assessments are complete and documented. [2]
  • Age Assurance for Adult Content: For services that publish or host pornographic content, the deadline for implementing “highly effective” age assurance measures is 25 July 2025. This is a critical and immediate requirement for these providers. [3]

Consequences of Non-Compliance

The risks of non-compliance are severe and multi-faceted, extending far beyond financial penalties. Ignoring these duties could lead to significant financial, legal, and reputational repercussions, as follows:

  1. Severe Financial Penalties: Ofcom can levy fines of up to £18 million or 10% of a provider’s qualifying worldwide revenue (QWR), whichever is greater. [4]
  2. UK GDPR Overlap & Cumulative Risk: OSA duties often involve processing personal data (e.g., age verification, content moderation). This processing must strictly comply with UK GDPR. Breaches can incur separate fines from the ICO, up to £17.5 million or 4% of global annual turnover. A single incident could trigger parallel investigations from both Ofcom and the ICO, significantly escalating legal and financial exposure.
  3. Criminal Liability for Directors: New criminal offences exist for senior managers in specific instances, notably for failure to comply with Ofcom information notices (e.g., Sections 109 & 110 of the OSA 2023). This introduces a significant personal risk. [5]
  4. Business Disruption Measures: Ofcom can seek court orders to block UK access to non-compliant services or compel payment/advertising providers to withdraw services. This could effectively cut off revenue and market presence. [6]
  5. Immense Reputational Damage: Beyond legal penalties, public investigations and associated media attention can severely damage brand trust and deter users and investors, often causing long-term financial and market impact.

What Businesses Should Do

For those who have been thinking about compliance, the time for ‘thinking’ is over; it’s time for decisive action. Businesses should:

  1. Verify Risk Assessment Records (Urgent!): Ensure all children’s and illegal harms risk assessments are complete, comply with Ofcom’s guidance, and are thoroughly documented. Confirm these include Data Protection Impact Assessments (DPIAs) where necessary.
  2. Prepare to Submit Information: Respond comprehensively and promptly to Ofcom’s statutory information requests.
  3. Implement & Test Safety Measures: Confirm age verification, content moderation, and other safety mechanisms are fully operational and effective.

Looking Ahead

While July 2025 marks a pivotal enforcement phase, Ofcom’s work continues with upcoming activities including the publication of the register of categorised services, guidance on online safety for women and girls (end of 2025), and the launch of the super-complaints regime (consultation expected September 2025). Businesses must maintain an ongoing commitment to compliance as the regulatory framework evolves.

[1] See Ofcom Guidance on Child Safety: https://www.ofcom.org.uk/online-safety/protecting-children
[2] See Ofcom on Illegal Harms: https://www.ofcom.org.uk/online-safety/information-for-industry/illegal-harms and recent Investigations: https://www.ofcom.org.uk/online-safety/illegal-and-harmful-content/enforcing-the-online-safety-act-ofcom-opens-9-new-investigations
[3] Ofcom on Age Assurance Deadlines: https://www.ofcom.org.uk/online-safety/protecting-children/new-rules-for-a-safer-generation-of-children-online
[4] Chapter 6 of Part 7 of the Online Safety Act 2023; Ofcom’s “Online Safety Fees and Penalties” consultation: https://www.ofcom.org.uk/online-safety/illegal-and-harmful-content/consultation-online-safety-fees-and-penalties
[5] GOV.UK circular on new criminal offences: https://www.gov.uk/government/publications/online-safety-act-new-criminal-offences-circular/online-safety-act-new-criminal-offences-circular
[6] Ofcom’s “Guide for services: complying with the Online Safety Act” under “business disruption measures”: https://www.ofcom.org.uk/cymru/online-safety/information-for-industry/guide-for-services

The MoD’s Data Breach

The MoD’s Data Breach: What You Need to Know

A major data breach by the Ministry of Defence (MoD) has come to light, putting thousands of lives at risk and costing the UK government hundreds of millions of pounds. The details were kept under wraps by a super injunction until now.

Here’s what happened, why it matters, and what it tells us about data protection in practice.

What Happened?

In 2022, a serious mistake at the MoD led to the personal details of almost 20,000 Afghan nationals being exposed. These individuals had either worked with or supported British forces in Afghanistan and were applying to a UK relocation scheme called ARAP (Afghan Relocation and Assistance Policy).

The breach involved an email that was mishandled, containing a full list of names and other identifying details. It is still unclear if the Taliban ever accessed the list, but the risk to those individuals and their families was significant. Some named on the list have since been killed, although it’s not confirmed whether this was directly linked to the breach.

Despite the gravity of the situation, the British government placed a super injunction on the incident, blocking the press from reporting on it. It has only now been lifted, over three years after the breach occurred.

Why Is This So Serious?

This wasn’t just a case of sending an email to the wrong person or forgetting to BCC a list. It involved identifiable information about people whose lives were already in danger. The exposure has resulted in the relocation of up to 7,000 Afghan nationals to the UK and is expected to cost taxpayers £850 million at a minimum, possibly rising to as much as £7 billion.

Litigation is now underway. One law firm representing over 1,000 victims has criticised the MoD for hiding the breach from the public and delaying accountability. Claimants are now seeking compensation for the harm and distress caused.

What Has the Government Said?

The current Defence Secretary, John Healey, has apologised and said the lack of transparency around the breach was deeply concerning. An internal review played down the ongoing risks, but data protection professionals have rightly questioned that conclusion.

The Information Commissioner’s Office (ICO) previously fined the MoD £350,000 for a similar breach in 2021, which also exposed the identities of Afghan nationals via email.

Lessons for DPOs and Data Leaders

This case is a stark reminder of the very real consequences that poor data handling can have, especially when it involves vulnerable individuals. For DPOs, it raises key questions:

  • Is your organisation properly training staff on secure communication?
  • Are you managing access and visibility of sensitive data?
  • Do you have robust breach response plans in place?
  • How transparent would you be if a breach happened under your watch?

This incident also reminds us that even the highest levels of government can get it wrong, which is why independent oversight and timely reporting remain critical principles in data protection.

Stay Up to Date with the Latest in Data Protection

At Data Protection People, we’re committed to helping professionals across the UK stay informed, connected, and confident in their roles.

If you want updates like this straight to your inbox or discussed live by industry experts:

We break down complex stories like this every week, helping you cut through the noise and stay ahead of the curve.

Data Protection People Podcasts

DUA Act – Part Two

The Data (Use and Access) Act 2025 – Podcast Part Two

On Thursday, 18th July 2025, we hosted Part Two of our DUA Act discussion, with over 200 live attendees joining us for a deeper dive into the Data (Use and Access) Act 2025.

Led by Phil Brining and Caine Glancy, this session focused on answering the questions raised in Part One, exploring complex scenarios, and sharing practical advice for professionals preparing for the new regulations.

If you couldn’t attend live or want to revisit the insights, you can now listen back to the full recording and access the presentation slides shared during the event.

Listen on Spotify

Click below to listen to Part Two on Spotify or search ‘Data Protection Made Easy’ on Apple Podcasts, Audible or any major platform.

Download the Slides

We’ve made the full slide deck from Part Two available to download and share:
Download Part Two Presentation Slides

What We Covered

  • Real-life scenarios and case study examples based on DUA Act principles
  • Detailed Q&A on legitimate interest balancing tests, soft opt-in rules, and data subject rights
  • Compliance challenges and how to overcome them using good governance frameworks
  • The DUA Act’s expected impact on privacy management programmes and internal policies
  • Preparing your teams, clients, and data flows for the changes ahead

Join the Data Protection Made Easy Community

By joining our free community, you’ll get:

  • Early access to upcoming podcast sessions and event invites
  • Weekly insights into legislation like the DUA Act and GDPR
  • Exclusive downloads including templates, tools, and guides
  • Invitations to in-person events across the UK
  • Access to session recordings and slides
  • A place to ask questions, share experiences, and stay ahead

We’re here to help you transition confidently into the new data protection landscape, making compliance clearer, simpler, and more achievable.

The Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 – Podcast Part One Recap

On Friday, 28th June 2025, we hosted our biggest podcast session ever, with 295 live attendees joining us to explore the Data (Use and Access) Act 2025.

Hosted by Phil Brining, Caine Glancy, and Catarina Santos, the session provided a clear and practical breakdown of the most significant changes to UK data protection law since the GDPR.

Whether you missed it live or want to listen again, you can catch the full episode now and download the slide deck shared during the session.

Listen back on Spotify

Click below to listen to the episode via Spotify or find us on Apple Podcasts, Audible and all major streaming platforms.

Download the Slides

We’ve made the full slide deck from the session available to download and share:
Download Presentation Slides

What We Covered

  • What the DUA Act is and how it evolved from the DPDI Bill
  • Key changes to Subject Access Requests, Legitimate Interests, and the role of the ICO
  • Updates to PECR enforcement powers and cookie consent exemptions
  • The Act’s impact on data sharing, organisational accountability, and regulatory expectations
  • What public and private sector organisations need to prepare for

Part Two – Live on Thursday 18th July

Due to overwhelming demand and brilliant questions from our community, Part Two is already confirmed. In this follow-up session, we’ll dig deeper into unanswered questions, explore real-world scenarios, and share practical next steps for compliance and governance.

Click here to visit the Part Two event page and register your place: View Part Two

Join the Data Protection Made Easy Community

By joining our free community, you’ll get:

  • Early access to future podcast sessions
  • Weekly email updates with analysis and guidance on the DUA Act
  • Exclusive content including white papers, practical templates, and checklists
  • Invites to free in-person events across the UK
  • Recordings and slides from every live session
  • A chance to ask questions and share challenges with other professionals

We’re committed to supporting our community through the transition to the DUA Act and beyond, making compliance simpler, clearer, and easier to manage.

Managing Subject Access Requests from Employees & Ex-Employees – Part 2

Data Protection Made Easy Podcast – Episode 214

After one of our most popular episodes to date, Data Protection Made Easy is back on Friday 13th June with Part Two of our deep dive into Subject Access Requests (SARs) from employees and ex-employees.

Our expert hosts Catarina Santos, Phil Brining and Caine Glancy return with special guest Nia Roberts to pick up where we left off, tackling some of the most challenging real-world scenarios and offering practical advice you can put into action.

Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.

What We Covered

Understanding What Drives SARs

We’ll begin by exploring the reasons why employees and former staff submit SARs. Understanding their motivations – whether it’s part of a grievance, a disciplinary matter, or simply curiosity – can help you take a more informed, strategic approach when responding.

When You Must Respond – And When You Don’t

We’ll clarify the legal obligations around SARs, including when you are required to respond and the circumstances under which you may lawfully refuse. We’ll cover how to apply exemptions correctly and avoid common legal missteps.

Managing Excessive or Repetitive Requests

Some SARs are straightforward, but others can be lengthy, repeated or even used tactically during disputes. We’ll discuss practical strategies for managing high-volume or difficult requests while staying compliant and maintaining control.

Balancing Transparency and Internal Protection

Sharing data is a legal requirement, but it can pose risks. We’ll explain how to balance the need for openness with the importance of protecting internal communications and third-party data, especially in sensitive workplace situations.

Lessons from Real Grievance and Disciplinary Cases

We’ll walk through real examples where SARs intersect with HR issues, highlighting the challenges and how they were overcome. These case studies bring the legislation to life and offer useful insights for handling similar requests in your own organisation.

Proactive Preparation: Getting Ahead of SARs

Being prepared can save you a lot of time and stress. We’ll share practical steps to help you get ready for future SARs, such as mapping employee records, putting redaction protocols in place, and training managers to write with potential disclosure in mind.

Avoiding Common Mistakes

From over-disclosing sensitive data to misinterpreting exemptions, there are several pitfalls to watch out for. We’ll help you spot the most common mistakes and show you how to avoid them through better planning and communication.

Handling Escalation and Risk

Sometimes SARs escalate into wider legal or reputational issues. We’ll outline how to manage those risks and what to do when a request becomes more than just a request – protecting your organisation and your people in the process.

Want More Like This?

The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.

Subscribe to our mailing list by emailing [email protected]
Join live discussions every Friday at lunchtime
Find out more about our events, training, and in-person roundtables

Looking Ahead

As always, this podcast is completely free to attend and open to everyone. Whether you’re new to SARs or navigating a particularly difficult one, this session will leave you better equipped to respond with clarity and confidence.

Know someone who would benefit? Share the podcast link and help others take the complexity out of compliance.

Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.

Managing Employee SARs

Managing Subject Access Requests from Employees & Ex-Employees

Data Protection Made Easy Podcast – Episode 114

Subject Access Requests (SARs) submitted by current or former employees are among the most sensitive and complex data protection challenges organisations face. In Episode 114 of the Data Protection Made Easy Podcast, we welcomed Nia Roberts from Woodgate & Clarke to share her insights alongside our regular hosts Philip Brining, Catarina Santos, and Caine Glancy.

If you’re involved in HR, legal, compliance, or data protection, this is an episode you won’t want to miss. SARs from staff can surface during contentious periods and often involve highly personal data, workplace grievances, and emotionally charged decisions.

Listen below or find us on Spotify, Apple Podcasts, and all major streaming platforms.

What We Covered

This session dives into some of the most frequently asked questions and overlooked risks when handling SARs from employees and ex-employees. The team explored:

🔹 Common Triggers and Misconceptions

From employment disputes and grievances to misunderstanding of rights, we discussed the motivations behind employee SARs and how these requests are sometimes unfairly perceived as “troublemaking.”

As Catarina Santos explained, it’s essential to reframe the narrative:

“The moment an employee submits a SAR, there’s often suspicion. But they’re simply exercising a right, and organisations need to avoid viewing this as a hostile act.”

🔹 SARs and Organisational Culture

The episode opened with a reflection on how important organisational attitude is when dealing with SARs internally. Do line managers panic? Do HR teams try to limit the scope unfairly? The cultural tone of how SARs are approached sets the standard for compliance and respect for rights.

🔹 The Community Speaks

This episode was particularly lively, with dozens of listeners sharing personal experiences in the live chat, from management asking for redaction reviews to WhatsApp messages being considered disclosable.

Philip Brining highlighted the value of the community:

“We’re not here to preach, we’re here to learn from each other. Today’s discussion proved again how much experience exists across this community.”

🔹 Tools of the Trade: Teams, WhatsApp & Chat Platforms

Are your workplace chat tools covered by SARs? Very possibly. The group discussed how platforms like Microsoft Teams, Slack, and WhatsApp are increasingly scrutinised during employee SARs, especially if conversations include personal data.

🔹 Balancing Access, Proportionality, and Security

SAR compliance doesn’t mean giving everything. As Caine Glancy pointed out, organisations must strike a balance between access and protection:

“It’s easy to get swept up in emotion, especially when the SAR involves current staff. But we need to remain impartial, proportional, and legally grounded.”

The team also touched on unfounded and excessive requests, case law, and the ICO’s guidance on managing SARs in the workplace — especially when IT systems and data security are involved.

What made this episode stand out was the depth of real-world experiences shared. Guest speaker Nia Roberts brought front-line insight, including how to manage expectations and collaborate across departments:

“You need strong communication between data protection and IT teams. It’s essential, especially when you’re dealing with chat logs or historic data held in messaging tools.”

Want More Like This?

The Data Protection Made Easy Podcast is the UK’s leading podcast for privacy professionals, with over 50,000 streams and a thriving live community.

Subscribe to our mailing list by emailing [email protected]
Join live discussions every Friday at lunchtime
Find out more about our events, training, and in-person roundtables

Looking Ahead

Due to overwhelming demand and an overflowing chat box, we’re exploring a Part 2 to this session, diving deeper into recurring SAR issues, including excessive requests, HR workflows, and lessons from recent case law.

Stay subscribed for updates, and don’t forget to follow us on LinkedIn for all the latest news and event invites.

Special May Promotion: Free SAR Consultations

This month, we’re offering free consultations on SAR handling to any organisation looking to improve their internal process.

Whether you’re struggling with redaction, document searches, or managing requests from difficult cases, speak to one of our experts for practical support.

📩 Simply email us at [email protected] with the subject line SAR Support, and we’ll book in a free 30-minute consultation.

Data Protection People Whitepapers

How to Respond to a Data Subject Access Request (DSAR) 

Read about how to properly handle a Data Subject Access Request (DSAR) as a data controller at an organisation that has received a request.

Do I need to do a DPIA?

Learn about Data Protection Impact Assessments (DPIAs) and how to manage them.

Data within Education

Having joined Data Protection People as a graduate fresh from finishing Leeds Beckett University, my knowledge of GDPR and data protection was virtually non-existent; I was well and truly thrown in the deep end. You could say it was like learning how to run before I could walk. Luckily alongside having to…

Outsourced Consultant Versus In-House?

Do I need to do a DPIA? Whenever you implement a new processing activity, system, or process, you should consider whether a DPIA is needed. This should be done as early as possible in the process to allow time for the implementation of risk mitigation. Step One: is a DPIA legally required? The first thing…

Join our community

Our mission is to make data protection easy: easy to understand and easy to do. We do that through the mantra of benchmark, improve, maintain.