Post Office Reprimand Following Horizon Data Breach 

You would think that the Post Office has learnt its lessons from the Horizon IT Scandal. And of course it would have taken extra care to ensure that the victims of the UK’s most widespread miscarriage of justice are not further harmed by their actions in dealing with the aftermath. Not so, judging by the Information Commissioner’s Office (ICO) announcement on Tuesday.  

The ICO has issued a reprimand to Post Office Limited following an ‘entirely preventable’ data breach which resulted in the unauthorised disclosure of personal data belonging to hundreds of postmasters who were the victims of the Horizon IT scandal.  The breach occurred when the Post Office’s communications team mistakenly published an unredacted version of a legal settlement document on its corporate website. The document contained the names, home addresses and postmaster status of 502 people who were part of group litigation against the organisation. The document remained publicly accessible for almost two months in 2024, before being removed following notification from an external law firm. 

During its investigation, the ICO found that the Post Office failed to implement appropriate technical and organisational measures to protect people’s personal data. There was a lack of documented policies or quality assurance processes for publishing documents on the Post Office website, as well as insufficient staff training, with no specific guidance on information sensitivity or publishing practices.  

In the ‘good old days’ such a data breach would have attracted a substantial fine, especially considering the impact on the victims described by their lawyers (‘the shock and anxiety of this incident cannot help but compound all of the adverse harms suffered by our clients as a result of the wider Horizon scandal’). Remember when the ICO fined the Cabinet Office £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients online? 

But we are in a new age of GDPR ‘enforcement’! The ICO says it had initially considered imposing a fine of up to £1.094 million on Post Office Limited. However, it did not consider that the data protection infringements identified reached the threshold of ‘egregious’ under its public sector approach, and a reprimand has been issued instead. This approach, which was extended recently after a two-year trial, ‘prioritises early engagement and other enforcement tools such as warnings, reprimands, and enforcement notices, while issuing fines for only the most egregious breaches in the public sector’, so says the ICO. Not everyone agrees. The law firm Handley Gill has just published an analysis of the ICO’s public sector approach trial and the new version of it, essentially concluding that reprimands unaccompanied by enforcement notices won’t achieve the stated objective of driving up data protection standards in the public sector. 

The ICO highlights the following key lessons from this reprimand: 

  • Establish clear publication protocols: Sensitive documents should go through a formal review and approval process before being published online. A multi-step sign-off process can help prevent errors. 
  • Understand the data you handle: Every team, especially those handling public-facing content, must be trained to recognise personal information and assess its sensitivity in context. This includes understanding the reputational and emotional impact of disclosure. 
  • Centralise and classify documents: Use secure, shared repositories with clear access controls and classification labels. Avoid reliance on personal storage systems such as OneDrive and Google Drive. 
  • Define roles and responsibilities: Ensure that everyone involved in publishing content understands their role and the checks required before publication. 
  • Tailor training to the task: General data protection training is not enough. Teams need specific guidance on publishing protocols, data classification, and risk awareness.  

This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop. The new (2nd) edition of the UK GDPR Handbook has been published. It contains all the changes made by the Data (Use and Access) Act 2025. 

ICO Public Sector Enforcement Policy to Continue

Last month, the Information Commissioner’s Office (ICO) announced that it will continue its controversial approach to enforcement of the UK GDPR against public sector organisations.   

A trial of the approach was launched in June 2022, in an open letter to public authorities from John Edwards. In the letter Mr Edwards indicated that greater use would be made of the ICO’s wider powers, including warnings, reprimands and enforcement notices, with fines only issued in the most serious cases. This approach has seen much criticism levelled at the ICO. Opponents say that it reduces the importance of data protection and gives special treatment to the public sector.  

One example of the approach is the ICO’s action (or lack of it) in the Ministry of Defence’s Afghan data breach. This involved an MoD official mistakenly emailing a spreadsheet containing personal details of over 18,000 Afghan nationals who had applied to move to the UK under the Afghan Relocations and Assistance Policy. The breach was only discovered in August 2023, when excerpts of the data appeared on Facebook. By then, the damage was done. A new resettlement scheme for those on the leaked list was set up and has seen 4,500 Afghans arrive in the UK so far. The Afghan Relocation Route has cost £400m so far, and the Government has said it is expected to cost a further £450m. Despite the scale and sensitivity of the breach, the ICO decided not to take any regulatory action; not even a reprimand! In its press release, the ICO praised the MoD’s internal investigation and mitigation efforts, stating that “no further regulatory action is required at this time”. 

Following a review last year, and despite strong criticism of its enforcement track record, the ICO has now announced that it will continue its public sector enforcement approach. In his blog post, John Edwards said: 

“Fines in the public sector, particularly in local government, risk punishing the same people harmed by a breach by reducing budgets for vital services. They still have their place in some cases, but so do other enforcement tools.  

The review of our public sector approach trial reaffirmed that reprimands drive change and publishing them creates strong reputational incentives for compliance, while also offering other organisations valuable lessons from the mistakes of others… 

Focusing on a proactive approach of working with organisations to identify risks and implement improvements can influence sustainable change, protect public trust, and ensure taxpayer money is invested in prevention rather than punishment. The net benefit of this approach is higher data protection standards and faster remediation, backed by sanctions when necessary.” 

Following a consultation earlier this year, the ICO has also published a clearer definition of organisations in scope and the circumstances under which a fine may be issued.  

STOP PRESS: The law firm, Handley Gill, has just published an analysis of the ICO’s Public Sector Approach trial and the new version of it, essentially concluding that reprimands unaccompanied by enforcement notices won’t achieve the stated objective of driving up data protection standards in the public sector.

Revised GDPR Handbook  

  The data protection landscape continues to evolve. With the Data (Use and Access) Act 2025 now in force, practitioners need to ensure their materials reflect the latest changes to the UK GDPR, Data Protection Act 2018, and PECR.  

The newly updated UK GDPR Handbook (2nd edition) brings these developments together in one practical reference. It includes all amendments introduced by the DUA Act, with colour-coded changes for easy navigation and links to relevant recitals, ICO guidance, and caselaw that help make sense of the reforms in context. We have included relevant provisions of the amended DPA 2018 to support a deeper understanding of how the laws interact. Delegates on our future GDPR certificate courses will receive a complimentary copy of the UK GDPR Handbook as part of their course materials.   

If you are looking to implement the changes made by the DUA Act to the UK data protection regime, consider our very popular half day workshop. 

Proposed Changes to the EU GDPR: Could we see more changes to the UK GDPR?

Yesterday the European Commission published its long awaited Digital Omnibus Regulation Proposal and Digital Omnibus on AI Regulation Proposal. If approved, these proposals will mean significant changes to the EU GDPR and other EU legislation and may even encourage the UK to further amend the UK GDPR. 

The aim of the “Digital Omnibus” package is to ease administrative burdens for businesses across areas like privacy, cybersecurity and artificial intelligence. Although the EU GDPR is considered balanced and fit for purpose, “targeted changes” are proposed to address concerns, particularly from smaller companies. These include:

  • Clarification of Definitions: The definition of “personal data” is clarified. Information is not considered personal to a company if it does not possess means “reasonably likely” to be used to identify an individual.
  • Processing for AI Training: It is clarified that the processing of personal data for the development and training of AI systems can constitute a “legitimate interest” under certain conditions.
  • Simplified Reporting of Data Breaches: The reporting obligation to supervisory authorities is aligned with the threshold for notifying data subjects. A report is only required if there is a “high risk” to the rights and freedoms of natural persons. The deadline for reporting is extended to 96 hours.
  • Harmonization of Data Protection Impact Assessments (DPIA): National lists of processing operations requiring a DPIA (or not) are to be replaced by unified EU-wide lists to promote harmonisation.
  • Scientific Research: The conditions for data processing for scientific research purposes are clarified by defining “scientific research” and clarifying that this constitutes a legitimate interest.

The EU AI Act also faces a number of amendments, including simplifications for small and medium-sized enterprises and small mid-cap companies in the form of pared-back technical documentation requirements. Other measures involve sandboxes for real-world testing and to “reinforce the AI Office’s powers and centralise oversight of AI systems built on general-purpose AI models, reducing governance fragmentation”.

Both omnibus packages now have a long road ahead as they enter into trilogue negotiations with the European Parliament and the Council of the European Union. It is expected to take at least several months until negotiations are finalised. 

Impact on the UK

The UK has already enacted its own package of amendments to the UK GDPR in the form of the Data (Use and Access) Act 2025 which received Royal Assent on 19th June 2025. The amendments are quite modest even before comparing them to the EU proposals above. 

A bolder list of amendments was contained in the Data Protection and Digital Information Bill published in 2022 by the Conservative Government. This included proposals to amend the definition of personal data and to replace Data Protection Officers with Senior Responsible Individuals. This bill was later replaced by a diluted bill of the same name (the No. 2 Bill), only for that to be dropped in the Parliamentary “wash up” stage before the last General Election.

Could the EU reforms (if enacted) lead to the UK making more fundamental changes to the UK GDPR? We doubt it. The Labour Government has more pressing priorities and, with the passing of the DUA Act, it can say it has “done GDPR reform”. If we get a change in Government, then Reform and the Conservatives might target the UK GDPR as a way of reining in “pesky human rights laws”. 

Data protection professionals need to assess the changes to the UK data protection regime made by the DUA Act. Our half day workshop will explore the Act in detail giving you an action plan for compliance. A revised UK GDPR Handbook is now available incorporating the changes made by the DUA Act. 

ICO Enforcement Guidance Consultation Launched 

The Information Commissioner’s Office has launched a consultation on new guidance setting out how it approaches investigations and takes enforcement action. Among other things, the guidance explains:  

  • How the ICO decides whether to open an investigation and the other ways it may instead seek to resolve any concerns. 
  • What to expect from the ICO during an investigation. 
  • How it will use its information gathering powers, including new powers under the Data (Use and Access) Act 2025 to require people to answer questions and organisations to provide reports.  
  • How the ICO decides on the outcome of an investigation and use of its enforcement powers, such as warnings, reprimands, and enforcement and penalty notices. 
  • When it considers settlement with a reduced fine is appropriate and the process involved.  

The new guidance, once finalised, will sit alongside the ICO’s Data Protection Fining Guidance published last year. Together they will replace the statutory guidance currently set out in the Regulatory Action Policy.  

The Data (Use and Access) Act 2025 also includes provisions that will bring the ICO’s investigatory and enforcement powers under the Privacy and Electronic Communications Regulations 2003 (PECR) broadly into line with its powers under the data protection legislation.  While there remain some differences, the ICO proposes to generally take the same approach to the use of its powers in relation to PECR as set out in the draft guidance in relation to the data protection legislation.  

The consultation will run for 12 weeks until Friday 23 January 2026.   

In case you missed it… 

In October, Capita was fined £14 million following a cyber-attack in March 2023 which saw hackers gain access to 6.6 million people’s personal data, from pension and staff records to the details of customers of organisations Capita supports. For some people, this included details of criminal records and financial data. This and other recent cyber-attacks have increased the importance of cyber security training. We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations who wish to upskill their employees about cyber security. See also our Managing Personal Data Breaches Workshop. 

Also in October, the BBC reported that Gregg Wallace, the former MasterChef presenter, has issued proceedings against the BBC and BBC Studios for failing to respond to his subject access requests (SARs) in accordance with the UK GDPR. Wallace was sacked by the BBC in July following an inquiry into alleged misconduct. As the saying goes, “Revenge is a dish best served cold!” Any BBC Executives reading this (if you are not too busy at the moment) are advised to attend our How to Handle a Subject Access Request workshop. No doubt there will be a few more SARs to the BBC in the coming weeks… 

The Information Commissioner, John Edwards, recently gave evidence to the House of Commons Science, Innovation and Technology Committee. Mr Edwards faced some tough questions about his response to the Afghan data breach, in which a Ministry of Defence (MoD) official mistakenly emailed a spreadsheet containing personal details of over 18,000 Afghan nationals who had applied to move to the UK under the Afghan Relocations and Assistance Policy (ARAP). The breach was only discovered in August 2023, when excerpts of the data appeared on Facebook. By then, the damage was done. A new resettlement scheme for those on the leaked list was set up and has seen 4,500 Afghans arrive in the UK so far. The Afghan Relocation Route has cost £400m so far, and the Government has said it is expected to cost a further £450m. This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop. 

Finally, there are only two FOI Practitioner Certificate courses left till Christmas! This foundation course is designed for those wishing to acquire detailed knowledge of the FOI and develop the practical skills to enable them to become a more effective FOI Officer.  The syllabus has been developed by FOI experts after analysing all the skills, knowledge and competencies required for the FOI Officer role. By the end of the course, you will be able to practically handle FOI requests, apply the exemptions and draft Refusal Notices. You will also be able to differentiate between FOI requests and requests under the Environmental Information Regulations. 

Prince Andrew: The Data Protection Angle 

Over the weekend, the Mail on Sunday piled more pressure on Prince Andrew.  

It alleged that he asked his police protection officer to investigate his accuser, Virginia Giuffre,  just before the newspaper published a photo of Ms Giuffre’s first meeting with the prince in February 2011. The Mail alleges that Prince Andrew gave the officer her date of birth and social security number. The Sunday Telegraph also claimed that he “sought to dig up dirt” on Ms Giuffre. 

Ms Giuffre, who took her own life earlier this year, said she was among the girls and young women sexually exploited by convicted sex offender Jeffrey Epstein and his wealthy circle. Prince Andrew has consistently denied all allegations against him. 

The Metropolitan Police said on Sunday, “We are aware of media reporting and are actively looking into the claims made.” Of course we don’t have detailed information about the circumstances around the latest allegations against Prince Andrew, but (if true) there is a possible breach of Section 170 of the Data Protection Act 2018 (DPA). This makes it a criminal offence for a person to knowingly or recklessly: 

(a) obtain or disclose personal data without the consent of the controller,  

(b) procure the disclosure of personal data to another person without the consent of the controller, or  

(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained. 

So if the latest allegations are true, Prince Andrew and/or his police protection officer at the time, could have committed a criminal offence under the DPA 2018. Unlike the other allegations against him, this offence does not carry a prison term; just a fine. Successive Information Commissioners have argued that a custodial sentence under S.170 would be a better deterrent (but to no avail).  

Will the Information Commissioner’s Office be knocking on Prince Andrew’s door? In June 2023, the ICO disclosed that, since 1st June 2018, 92 cases involving S.170 offences had been investigated by its Criminal Investigations Team. There have been a number of more recent S.170 prosecutions. These often involve people accessing or disclosing confidential information for financial gain. 

Depending again on the circumstances, there may also be an offence under section 1 of the Computer Misuse Act 1990 which carries tougher sentences including a maximum of 2 years imprisonment on indictment.  In July 2022, a woman who worked for Cheshire Police pleaded guilty to using the police data systems to check up on ex-partners and in August 2022, the ICO commenced criminal proceedings against eight individuals over the alleged unlawful accessing and obtaining of customers’ personal data from vehicle repair garages to generate potential leads for personal injury claims.  

This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop. The new (2nd) edition of the UK GDPR Handbook has been published. It contains all the changes made by the Data (Use and Access) Act 2025. 

A Pinch of GDPR: Gregg Wallace Serves Up a Data Rights Claim 

Gregg Wallace, the former MasterChef presenter, has issued proceedings against the BBC and BBC Studios for failing to respond to his subject access requests (SAR) in accordance with the UK GDPR.  Wallace was sacked by the BBC in July following an inquiry into alleged misconduct. As the saying goes, “Revenge is a dish best served cold!”  

Background 

According to court documents, seen by the PA news agency, in March 2025 Wallace made SARs to the BBC and its subsidiary BBC Studios for all personal data held about him. Both requests related to his “work, contractual relations and conduct” spanning 21 years. 

The BBC acknowledged the request and deemed it “complex”. They probably invoked  Article 12(3) of the UK GDPR which allows a Data Controller to extend the one month SAR time limit by a further two months where necessary “taking into account the complexity and number of the requests.” By August, the BBC had apologised for the delay and said it was taking “reasonable steps” to process the request,  but still no data had been provided. BBC Studios, meanwhile, said it would withhold parts of the data because of “freedom of expression.” 

The court documents assert that the defendants had “wrongly redacted” information and had “unlawfully failed to supply all of the claimant’s personal data”. Wallace seeks “up to £10,000” for distress and harassment and an order compelling both entities to comply with his SARs.   

Freedom of Expression Exemption 

BBC Studios’ reliance on “freedom of expression” invites scrutiny. The exemption in Schedule 2 Part 5 of the Data Protection Act 2018 (DPA 2018) applies only to personal data processing carried out for the special purposes (journalistic, artistic, academic, or literary) and only so far as compliance would be incompatible with those purposes. 

The special purposes exemption is interpreted quite narrowly by the courts. If the withheld data consists of production notes, editorial discussions, or source material for broadcast, BBC Studios’ argument has force. But if the data relates to HR investigations, conduct complaints, or contractual matters, the processing is unlikely to be “journalistic”.  

Distress and Damages 

Article 82 UK GDPR gives a data subject a right to compensation for material or non-material damage for any breach of the UK GDPR. Section 168 of the DPA 2018 confirms that “non-material damage” includes distress. However, the relevant case law shows (1) the courts distinguishing trivial upset from genuine distress and (2) modest damages being awarded. A long delay in responding to a SAR, especially in the midst of reputational damage, is not trivial. However, if Wallace is successful in his claim he is unlikely to be awarded anything close to £10,000: typical awards for emotional harm in data-rights breaches sit between £500 and £2,500. (The excellent Panopticon blog is a must-read for anyone needing help in navigating causation and quantum in such cases.) Furthermore, by limiting his claim to £10,000, Wallace’s case will probably be allocated to the Small Claims track, where minimal costs are recoverable. 

ICO Action 

This court action by Gregg Wallace may also draw the attention of the Information Commissioner’s Office (ICO). In March 2025, the ICO issued reprimands to two Scottish councils for repeatedly failing to respond to SARs within the statutory timeframe. There is also the theoretical possibility of a criminal prosecution if the ICO, upon investigation, finds that the BBC has deliberately frustrated the requests. 

Section 173 of the DPA 2018 makes it a criminal offence, where a person has made a SAR, to “alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.” In September, Jason Blake, the director of a care home in Bridlington, was found guilty of an offence under S.173. The court ordered him to pay a fine of £1,100 and additional costs of £5,440. 

Other Celebrity SARs 
 
This is not the first time a primetime BBC show has crossed paths with GDPR. A few years ago, some celebrity contestants on Strictly Come Dancing alleged mistreatment by professional dancers and production staff. Lawyers acting on behalf of one of the dancers at the centre of the allegations made a GDPR subject access request for, amongst other things, “all internal BBC correspondence related to the issue, including emails and text messages”. 

In July 2023, Dame Alison Rose, the then CEO of NatWest, resigned after Nigel Farage made a SAR which disclosed information that contradicted the bank’s justification for downgrading his account. There is potentially more SAR court drama to come. In March, the campaign group Good Law Project (GLP) “filed a trailblazing new group action” against Farage’s Reform UK at the High Court. GLP claims that Reform failed to comply with a number of SARs and is seeking damages on behalf of the data subjects. 

Whilst Gregg Wallace’s case is unlikely to result in a groundbreaking legal judgment or a headline-making damages award, high-profile celebrities pursuing data protection claims are always a welcome development. They help raise awareness of data rights and, conveniently, give information governance professionals a perfect excuse to indulge in a reality TV binge, just in case any other interesting data protection issues arise! 

Our How to Handle a Subject Access Request workshop will help you navigate complex Subject Access Requests.

Scope of the GDPR: ICO Wins Clearview Appeal  

The Information Commissioner has won his appeal (to the Upper Tribunal) against the First-tier Tribunal (FTT) decision involving Clearview AI Inc.  

Clearview is a US based company which describes itself as the “World’s Largest Facial Network”. Its online database contains 20 billion images of people’s faces and data scraped from the internet and social media platforms all over the world. It allows customers to upload an image of a person to its app; the person is then identified by the app checking against all the images in the Clearview database. The appeal raised the issue of the extent to which processing of the personal data of UK data subjects by a private company based outside the UK is excluded from the scope of the GDPR, including where such processing is carried out in the context of its foreign clients’ national security or criminal law enforcement activities. 

Background 

In May 2022 the ICO issued a Monetary Penalty Notice of £7,552,800 to Clearview for breaches of the UK GDPR including failing to use the information of people in the UK in a way that is fair and transparent. Although Clearview is a US company, the ICO ruled that the UK GDPR applied because of Article 3(2)(b) (territorial scope). It concluded that Clearview’s processing activities “are related to…the monitoring of [UK resident’s] behaviour as far as their behaviour takes place within the United Kingdom.” The ICO also issued an Enforcement Notice ordering Clearview to stop obtaining and using the personal data of UK residents that is publicly available on the internet, and to delete the data of UK residents from its systems.  

In October 2023, the FTT overturned the ICO’s enforcement and penalty notice against Clearview. It concluded that although Clearview did carry out data processing related to monitoring the behaviour of people in the UK (Article 3(2)(b) of the UK GDPR), the ICO did not have jurisdiction to take enforcement action or issue a fine. Both the GDPR and UK GDPR provide that acts of foreign governments fall outside their scope; it is not for one government to seek to bind or control the activities of another sovereign state. However the Tribunal noted that the ICO could have taken action under the Law Enforcement Directive (Part 3 of the DPA 2018 in the UK), which specifically regulates the processing of personal data in relation to law enforcement. 

The Upper Tribunal Judgement  

The Upper Tribunal allowed the appeal, set aside the decision of the FTT and remitted the matter to the FTT to decide the substantive appeal on the basis that the Information Commissioner had jurisdiction to issue the notices. It also decided that the FTT was right to find that Clearview’s processing fell within the territorial scope of the GDPRs, albeit that it differed in its reasoning. 

In its judgment, the Upper Tribunal ruled  that: 

(1) The words “in the course of an activity which falls outside the scope of Union law” in Article 2(2)(a) of the GDPR (which provides for an exclusion from the material scope of the GDPR) refer only to those activities in respect of which Member States have reserved control to themselves and not conferred powers on the Union to act, and not to all matters without the competence of the Union (as the ICO argued) or to the activities of third parties whose processing “intersects” with their clients’ processing in the course of “quintessentially state functions” which would offend against comity principles (as Clearview argued); 

(2) The words “behavioural monitoring” in Article 3(2)(b) are to be interpreted broadly, as a response to the challenges posed by ‘Big Data’ in the digital age, and they can encompass passive collection, sorting, classification and storing of data by automated means with a view to potential subsequent use, including use by another controller, of personal data processing techniques which consist of profiling a natural person. “Behavioural monitoring” does not require an element of active “watchfulness” in the sense of human involvement;  

(3) The words “related to” in Article 3(2)(b) of the GDPR, as applied to Article 3(2)(b), have an expansive meaning, and apply not only to controllers who themselves conduct behavioural monitoring, but also to controllers whose data processing is related to behavioural monitoring carried out by another controller. 

Data protection practitioners should read the judgment of the Upper Tribunal as it clarifies the material and territorial scope provisions of the UK GDPR. This and other GDPR developments will be discussed in our forthcoming GDPR Update workshop. 

Advanced Certificate in GDPR Practice: Final Course for 2025 

Our final course leading to the Advanced Certificate in GDPR Practice starts on 9th October.  

Since its launch in 2020, this innovative course has attracted DPOs from across the public and private sectors. Feedback has been consistently positive, with many participants commenting on how the course has given them the confidence and skills to dissect complex data protection scenarios and give clear and practical compliance advice. Further advances in technology, especially in AI, have led us to revise the syllabus to ensure participants are engaging with the most up to date data protection issues and ICO/Tribunal decisions to inform their day to day work. 

New Assessment Format 

Based on extensive feedback from delegates across our suite of certificate programmes, we learned that delegates would prefer not to write extensive reports and would rather have the opportunity to showcase their critical thinking and communication skills. 

The new assessment consists of two parts. The first part requires participants to submit a personal development plan about how their learning from the course will inform and improve their practice as a data protection practitioner. The second part requires them to draft an executive summary setting out the issues and recommendations in relation to the fictional case study discussed in Masterclass 4. This summary will then be presented by participants in an oral examination, known as a Viva.  

Watch Alex, one of our recent delegates, give his verdict on the course. 

There are just three places left on the course starting on 9th October 2025.  

When Ignoring a GDPR Subject Access Request Becomes a Crime 

In March 2025, the Information Commissioner’s Office (ICO) issued reprimands to two Scottish councils for repeatedly failing to respond to subject access requests (SARs) within the statutory timeframe under the UK GDPR. This is the ICO’s usual practice when it comes to complaints about SARs. Recently, however, it went a step further and issued criminal proceedings against a company director. 

Section 173 of the Data Protection Act 2018 makes it a criminal offence, where a person has made a SAR, to “alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.” Both the data controller and “a person who is employed by the controller, an officer of the controller or subject to the direction of the controller” can be prosecuted. 

On 3rd September 2025, the director of a care home in Bridlington was found guilty of an offence under section 173. Jason Blake, 56, was found to have blocked, erased or concealed records held by Bridlington Lodge Care Home between 12th April and 12th May 2023 in order to prevent information being disclosed. 

The background to the case is as follows. In April 2023, a woman requested personal data about her father from Bridlington Lodge Care Home. She had authority to do so under a lasting power of attorney. The personal data requested included incident reports, copies of CCTV footage and notes relating to her father’s care. 

After Mr Blake refused to respond to the request, a complaint was made to the ICO. During the investigation, Mr Blake did not provide any explanation about why his organisation would not respond to the SAR. The court ordered him to pay a fine of £1,100 and additional costs of £5,440. 

This prosecution, possibly the first of its kind, is a warning to employees and directors of data controllers to ensure that they have systems in place to respond to SARs in a timely manner. Failure to do so could lead to personal liability and a criminal record.  

There is potentially more subject access court drama to come. In March the campaign group Good Law Project (GLP) “filed a trailblazing new group action” against Nigel Farage’s Reform UK at the High Court. GLP claims that Reform failed to comply with a number of subject access requests and is seeking damages on behalf of the data subjects. This is the first case in the UK under Article 80(1) of the UK GDPR, which allows data subjects to mandate a body or organisation to act on their behalf to lodge complaints, exercise data protection rights and seek compensation for infringements of their data protection rights. 

Our upcoming Handling SARs course can help you deal with complex subject access requests.  

Our 23rd Birthday! Celebrate with Us and Save on Training  

This month marks 23 years of Act Now Training. We delivered our first course in 2003 (on the Data Protection Act 1998!) at the National Railway Museum in York. Fast forward to today, and we deliver over 300 training days a year on AI, GDPR, records management, surveillance law and cyber security, supporting delegates across multiple jurisdictions including the Middle East.  

Our success comes from more than just longevity; we are trusted by clients across every sector, giving us a unique insight into the real-world challenges of information governance. That’s why our education-first approach focuses on practical skills, measurable impact, and lasting value for your organisation. 

Anniversary Offer: To celebrate, we are giving you a £50 discount on any one-day workshop if you book by 30th September 2025. Choose from our most popular sessions, such as GDPR and FOI A to Z, or explore new topics such as AI and Information Governance and Risk Management in IG.

Simply quote “23rd Anniversary” on your booking form to claim your discount.