The Digital Omnibus: Plans to revise EU digital laws

November 2025

Is Europe on a collision course between cutting red tape and protecting fundamental rights?

There’s been plenty of chatter about the European Commission’s Digital Omnibus. The leaked text has been poured over and now the official draft has been published. For some it raises concerns of weakened regulation impacting on people’s fundamental rights. For others it represents a hope the burden of compliance will be eased and innovation unleashed.

The EC is very much pitching this as “innovation friendly AI rules” and an “innovation friendly privacy framework”

I suspect the UK Government will be watching developments across the Channel closely and could find itself wishing it had been bolder with the Data (Use and Access) Act 2025 (DUAA).

What is the Digital Omnibus?

This is not a new law, nor a complete overhaul of existing legislation but an EC proposal to streamline, align and introduce specific legislative updates to existing digital rules such as the EU AI Act, GDPR, ePrivacy Directive, Data Act and Data Governance Act. An attempt to remove duplication and inconsistencies, along with alleviating some the burden of compliance for European organisations and others who operate within the EU.

What’s potentially on the cards?

AI Act

Key proposals include a delay in the applicable date for obligations in relation to high-risk AI systems, reducing AI literacy obligations, removing obligations for providers to register on the EU’s public database and introducing reduced penalties for small to medium sized businesses.

GDPR and ePrivacy

Key legislative adjustments which could be ushered in include the following:

Personal data

A narrower definition is proposed whereby information would not be considered personal data for a given entity when that entity does not have ‘means reasonably likely’ to identify individuals.

This could ease the current and not inconsiderable issues and debates caused by assessing whether people can be ‘indirectly’ identifiable.  The existing GDPR definition states: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly.

Interestingly a similar tweak was proposed in the UK under the previous Conservative Government’s data reform plans, but wasn’t carried over into DUAA.

Special category data

The idea is data would only be classified as special category data if it ‘directly reveals’ information about an individual’s health, sex life, racial of ethnic origin, political opinions, trade union membership, religious or philosophical beliefs. If introduced this would mark a step change away from the current broader inference-based rule and is likely to be particularly contentious.

The following two new exemptions are also proposed to the existing prohibitions on processing special category data:

1) allowing for the ‘residual processing’ of special category data for the development and operation of an AI system or AI model – subject to certain conditions.
2) permitting the processing of biometric data when necessary to confirm someone’s identity, and where the data and means of verification are under the sole control of that individual i.e. where biometrics are on the user’s device.

Right of Access – Data Subject Access Requests

‘Abusive’ requests could be rejected or a fee charged, if a controller considers the request is being used by someone for other purposes than the ‘protection of their personal data’. Enhanced clarification is also expected on the conditions under which a request can be deemed excessive.

This recognises a growing issue of DSARs being ‘weaponised’ and used for other purposes, such as litigation. I imagine there are plenty of organisations hoping this proposal will not be ditched during negotiations. I for one would welcome this move and know plenty of UK organisations would benefit from a similar legislative amendment in the UK.

Personal Data Breaches

It’s proposed the requirement to report data breaches to a supervisory authority would only kick in where there was a ‘high risk’ rather than the current threshold of ‘risk’. This would align the threshold for both reporting to regulators and notification to affected individuals. The deadline for reporting could also be extended from 72 to 96 hours.

Data Protection Impact Assessments

In a move to try and make sure there’s a consistent approach across the EU, the European Data Protection Board is expected to be tasked with creating harmonised lists of processing activities requiring a DPIA and those which would be exempt. The EDPB would also develop a common template and methodology for conducting DPIAs.

Automated decision making

We could see more freedom to rely on entirely automated decisions with legal or similarly significant effect when necessary for a contract, even if the same decision could be made manually by a human.

Cookies and similar technologies

In an attempt to try and alleviate the confusion and annoyance for users, as well as the cost to business, the EC is proposing simplify the rules. The stated aim is to reduce the number of times cookie banners pop up and allow users to indicate their consent with ‘one-click’, with preferences saved via their browser and operating system’s settings.

Any processing of personal data is expected to be governed solely by GDPR – not the ePrivacy Directive. It’s also proposed certain purposes which pose a low risk to people’s rights and freedoms will not require consent, for example when cookies and similar technologies are used for security and aggregated audience measurement.

EU legislators may find themselves looking across the pond to California’s new “Opt Me Out Act”. From January 2027 this requires web browsers to offer a one-click opt-out which automatically tells websites not to sell or share their personal information. While just one state’s law this is expected to have a more far-reaching impact. It will be simpler for browsers to roll this feature out more widely, as they won’t know if the organisation which runs a website is based in California or not.

AI and legitimate interests

A new provision could be introduced confirming the lawful basis of legitimate interests could be used for processing personal data for training AI models. It’s highly likely this would still be subject to a balancing test.

Privacy notices

Providing a privacy notice to an individual may not become necessary if a controller believes the individual already knows the organisation’s identity, the organisation’s purposes for processing and how to contact any Data Protection Officer.

What next?

None of the above is set in stone, and all is subject to change. And for those of you who remember the years of wrangling trying to amend the ePrivacy Directive, which ultimately failed, there’s a long road of negotiation and lobbying ahead. Ultimately, will technological advances continue to streak ahead with legislators struggling to keep up?

Also see EC Press Release and EC Digital Omnibus proposals 

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

10 tips to prevent email errors

November 2025

It’s confession time. I recently copied the wrong person on an email. Same first name, different surname. Thankfully, it was easily resolved. But for someone in my line of work? Shameful. It’s like a chef putting ketchup on a pasta dish. Nonetheless, I decided to try my best to learn from the experience. Which got me thinking about two issues in particular:

a) Email errors are not just one of the major causes of personal data breaches, but also downright awkward even where there’s no personal data risk. They can lead to sharing commercially sensitive information, or opinions. They can breach client trust.

b) What are the best ways of reducing instances of human error?

I know I’m not alone. Other data protection folk have admitted making the occasional mistake too. A good friend of mine once accidentally sent an email to a client – not a data breach but she did lose the client. I’ll also never forget receiving an email and finding myself reading a fellow colleague’s rather disparaging views about my team.

Of course, there are the frequent data breaches – often small, sometimes big, caused by matters like emailing the wrong recipient, or using the CC field for multiple recipients.

Yet, for many, it’s ‘just one of those things.’ Oops! Then the embarrassment fades… until next time. So is it really enough to keep reminding people to double check before sending? Won’t there always be times when we’re overworked, dashing to go on holiday, or distracted by personal issues? Is it good enough to rely on recall features? Probably not, when in practice they’re often completely ineffective.

People will continue to make mistakes. To err is human.

What else can we do?

10 email tips

Here are a few suggestions for reducing the risk.

1. Disable or restrict auto-fill
Yes auto-fill is a handy way to quickly go through our address book and predict who we want to email. Nonetheless, it sometimes chooses the wrong person… and we don’t notice. This is what got me. I’ve disabled this feature, and shouldn’t have had it enabled in the first place. I am now very content to spend a couple of seconds finding the correct email address.

2. Avoid email altogether 
Encourage (or insist) that staff who need to share attachments, personal data or any other sensitive information use links to protected SharePoint folders/files rather than using email.

3. Attachments
Use software to prevent or restrict any email containing an attachment.

4. Detect personal data
If 3. is a a step too far, look at using software which can automatically detect personal data in attachments or email content and prevents it being sent – or prompts people to check they really want to send.

5. External recipients
Implement user prompts for external email recipients – ‘are you sure you want to send this externally?’

6. Multiple recipients
Use controls to alert users if they’re emailing multiple recipients using the CC field – prompting them to use BCC. Alternatively for teams who routinely send emails using BCC, use a bulk mail solution.

7. Delay on send
How often do you spot an error just after you’ve sent an email? Setting up a delay on send for your staff, gives people a chance to correct their mistakes.

8. ‘Reply to All’
Set an alert if people are about to reply to all, prompting them to check whether this is appropriate.

9. Revoke access after sending
Some more advanced email security solutions give you the ability to recall or revoke access to an email and its attachments, even after it hits the recipient’s inbox.

10. Email review
Where teams are responsible for routinely sending sensitive information by email, and there’s no alternative, have a review process so someone else checks before sending.

It’s worth checking what controls are available on your email system or looking at  additional software solutions. Some of the prompts mentioned above are available using Outlook’s MailTips.

Of course training, continually raising awareness and clear rules all play their part. Making sure your people know how you expect them to behave is crucial.

It also needs to be clear what action people should take when they’ve made a mistake. Are staff permitted to try and rectify this themselves, or does it always need to be immediately reported? The steps you expect your staff to take need to be easily understood and reinforced in training and culture. This also means supervisors should lead by example.

I’m a fan of quick reference guides supporting more detailed policies and procedures. In this case, a ‘golden rules for emails’ on one page, in plain English. with the rules and clear steps for what to do when things go wrong. Laminate it, turn it into posters – do whatever works to get the message home.

Ultimately, mistakes are inevitable. What isn’t inevitable, though, is the impact mistakes have once the ‘send’ button’s been hit. Every little step taken to mitigate email errors lessens the impact when one inevitably slips through the net. Most of us, after all, recognise the occasional mistake will occur. The problem is if they happen too often, it can undermining confidence in your people, your organisation and your brand.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Data Protection Complaints: NEW requirements

November 2025

A ‘must do’ for ALL organisations

By June 2026 organisations be legally required to have a procedure in place to handle data protection complaints. This was one of the few new obligations ushered in by the Data (Use and Access) Act 2025.

Final guidance from the ICO is expected this Winter, following a consultation which has now closed. This consultation document gave us some useful pointers on the steps to take.

The aim of this change is to give anyone who is unhappy with how your organisation has handled their personal information a clear method for raising a complaint. For example, they could have a complaint about;

  • a data breach which affected them
  • your response to their Data Subject Access Request
  • how long you’re keeping their data
  • how you’ve profiled them
  • or any other data protection relation matter

I’m sure some of you reading this will have received a letter from the ICO in the past asking for a complaint they’ve received to be resolved by you directly with the individual. Essentially this approach is changing. Moving forward, in the majority of cases when the ICO receives a complaint, the individual will be asked to go through your complaints procedure first.

A little warning. If you don’t have a clear procedure in place for data protection related complaints, the ICO may spot this pretty quickly should you come up on their radar.

What the law says

Organisations are legally required to fulfil the following:

  • Procedure – give people a way of raising data protection complaints
  • Acknowledgement – acknowledge each complaint within 30 days of receipt
  • Action and progress – take appropriate steps to respond without undue delay, including making any relevant enquiries and keeping complainants up to date on progress
  • Outcome – provide an outcome without undue delay

How people can raise a complaint

People must have a way of being able to raise a complaint directly with you. While the law doesn’t set out precisely how this must be done, the ICO gives some examples of different ways this could be achieved:

  • Complaints form – for people to submit their complaint either electronically or in writing
  • Telephone – allow people to make a complaint over the phone
  • Portal – provide an online complaints portal
  • Live chat – use a live chat function with the option to escalate to a human if needed
  • In person – provide a way to make complaints in person if you don’t have an online presence

Published complaints procedure

Many organisations particularly those in the public sector will already have a complaints procedure which could be adapted for this purpose. For those which don’t, the ICO expects you to write one and publish your procedure on your website, or provide it to people at the earliest opportunity. This would be expected to cover:

  •  How people can make data protection complaints
  • What people can expect from your process (e.g. acknowledgement within 30 days, kept informed of progress, and provided with an outcome without undue delay)

In our opinion it would seem fitting to add the key points of your complaints procedure to your external privacy notice, and replicate this in any other relevant audience specific privacy notices.

Asking for more information

If evidence or additional information is needed, such as reference numbers or proof of ID, this should be asked for at the earliest opportunity. It would be helpful to mention this in your published procedure, for example ‘we may need to ask for proof of ID’.

Complaints made on someone’s behalf

As with privacy rights requests, an individual may make a complaint on someone else’s behalf. You’ll therefore need to make sure they are authorised to do so, for example by seeking power of attorney or a signed letter of authority. The ICO is clear if you have no evidence a third party is authorised to act on someone’s behalf you aren’t required to investigate a complaint, but should respond explaining this.

The 5 step data protection complaints process

1. Acknowledge

The law doesn’t prescribe how an acknowledgement should be provided but the ICO gives the following examples:

  • Verbal complaints – Keep a record and follow up in writing (e.g. by email or post)
  • Email / live chat – an automated response could be used
  • Letters – acknowledgement by post

The 30 days in which you must acknowledge a complaint starts the day after you receive the complaint, regardless of whether you received this on a weekend or bank holiday. If the last day to acknowledge falls on a weekend or bank holiday you have until the next working day.

The ICO says you must have arrangements in place to acknowledge and continue handling complaints, regardless of whether key people are off sick or if your organisation is closed. An important point for organisations such as schools or colleges which may close for a period of time.

2. Investigate

You must investigate the complaint without undue delay. If it’s not clear what the complaint is about, you should ask for more detail as quickly as possible.

It may also be useful to ask people to let you now the outcome they’re seeking, and if you choose to use a complaints form, this point could be built-in.

You’ll need to gather the information necessary to respond to the complaint and the ICO tells us this might include taking actions such as;

  • Looking at relevant facts thoroughly, fairly and accurately
  • Speaking to relevant staff
  • Comparing information you hold with the information from the complainant
  • Checking you’ve upheld your own terms, policies and standards

3. Update on progress

There’s a duty to keep people updated on the progress of your investigation. If it’s likely an investigation is going to take some time, you’ll need to tell them you’re working to resolve the issue. You can always provide them with a date for when you expect to complete your investigation, and give them a point of contact if they have any questions.

4. Provide outcome

Once the investigation is completed you must provide an outcome to the complainant without undue delay. The ICO says this means ‘as soon as possible’, and would expect your response to include the following:

  • A clear explanation of what you’ve done to resolve their complaint
  • Any actions you’ve taken (where appropriate)
  • Enough information to help the individual understand how you’ve reached your conclusion

If the individual is not satisfied with your outcome, you should tell them they have the right to complaint to the ICO, and it would be good practise to provide them with the regulator’s contact details.

If they then tell you they’re planning to complain to the ICO you don’t have to get in touch with the regulator yourself. The ICO will come to you if they need more information.

Crucially you must be able to justify why you handled a complaint in the way you did. Which neatly brings us on to…

5. Record keeping

It will be necessary to keep evidence of your approach to each complaint you receive and the ICO recommends keep a record of the following:

  • the date you received the data protection complaint
  • your acknowledgement
  • any relevant conversations and documents
  • the outcome of the complaint
  • any actions you took as a result of your investigation

You may be asked to provide this evidence to the ICO, or other industry bodies.

In all of this don’t forget data retention, it would be a good idea to agree how long you’ll keep records of complaints.

Key steps to take now

We’d recommend taking the following actions:

  • Collaborate with relevant colleagues and agree your approach
  • Assign responsibility for investigating and reviewing complaints
  • Publish your complaints procedure (prior to June 2026)
  • Start raising awareness and adapt relevant training so staff know how to recognise a data protection complaint and know what to do if they receive one.

For more information see the draft ICO Complaints Guidance 

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

DUA Act – next steps

October 2025

When will provisions under the Data Use and Access Act 2025 (DUAA) take effect and when we can anticipate guidance to be published by the Information Commissioner’s Office?

The DUAA received Royal Assent on 19th June but while limited provisions came into effect immediately, the majority will be phased in over the coming months up to June 2026, with some requiring secondary legislation to be passed.

To be crystal clear, the DUAA does not replace UK GDPR, the Data Protection Act 2018 or the Privacy and Electronic Communications Regulations (PECR). The Act brings in amendments to these core pieces of legislation, much in the same way PECR was amended in 2009 with the so-called ‘cookie law’.

Commencement of DUAA provisions

With immediate effect: One provision which has come in with immediate effect is clarification that when responding to Data Subject Access Requests (the right of access) organisations only need to undertake a “reasonable and proportionate search”. This inserts a new Article 15(1A) into UK GDPR, and gives a statutory footing to existing case law and  guidance from the ICO.

From 20th August 2025 the following amendments will come into force:

Information Commissioner can serve notices by email 

This amends the Data Protection Act 2018 with a new section 141A permitting notices to be served by email. You may want to double check the email address the ICO has on file for your organisation on the register of fee payers, make sure this is regularly monitored and who/which team a notice should be immediately forwarded to.

Information Notices and ICO power to ask for documentation 

This grants the ICO the power to require organisations to provide documents as well as information when responding to an Information Notice.

Other measures commencing on 20th August include requirements for the Government to prepare a progress update and report on copyright and AI.

From September/October: Commencement is expected of measures on digital verification services.

Around December: Commencement of main changes to data protection legislation.

From January 2026 it looks like provisions such as the soft opt-in for charities, changes to the cookie rules and recognised legitimate interests will come into effect. For a top-level summary see DUAA 2025: 15 key changes ahead.

ICO guidance

The ICO has published a timeline of when we can expect updated or new guidance covering the changes the DUAA ushers in.

Summer 2025

 Data Subject Access Requests – update to detailed Right of Access guidance
Substantial public interests conditions – a new interactive tool
Cookies & similar technologies (Part 1) – update to ‘cookie guidance’ and renamed ‘guidance on storage and access technologies’.

Autumn 2025

Draft guidance on charities use of the soft opt-in 

Winter (2025/26)

Direct marketing and Privacy and Electronic Communications Regulations guidance – update to existing guidance
Complaints procedures – new guidance for organisations on how to handle data protection complaints
Lawful basis of recognised legitimate interests – new guidance
Legitimate interests – update to existing guidance
International data transfers guidance – update to existing guidance
Cookies & similar technologies (Part 2) – (‘guidance on storage and access technologies’).
The purpose limitation principle– updated and enhanced guidance
Anonymisation and pseudonymisation for research purposes – guidance

Spring 2026

Automated Decision Making (ADM) and Profiling – updated guidance
Research, archiving and statistics provision – updated guidance.
SME data essentials – guidance

More detail and other updates from the ICO can be found here: plans for new and updated guidance.

Codes of practice

The ICO will also in due course be producing codes of practice on edtech and artificial intelligence.

There’s lots to watch out for and we’ll try our best to keep you up to date with developments as and when they happen.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

The Little Book of Data Protection Nuggets

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

What’s a recognised legitimate interest?

August 2025

ICO publishes draft guidance on a new lawful basis

As a result of the Data (Use and Access) Act 2025 a seventh lawful basis for processing is being added to the UK GDPR. So, how does a recognised legitimate interest differ from a legitimate interest, and how does the ICO tell us this new lawful basis will work in practice?

Legitimate Interests

The existing lawful basis of legitimate interests may be appropriate depending on the purposes for which we’re collecting and using personal data. It’s considered the most flexible lawful basis, but the onus is on us to make sure our organisation’s interests are balanced with the interests, rights and freedoms of individuals. And while not strictly speaking a legal requirement to document this ‘balancing test’, the ICO stresses it would be difficult to meet our accountability obligations without a record of a Legitimate Interests Assessment (LIA).

Recognised Legitimate Interests

There are now five new conditions which are set in law as recognised legitimate interests, and while we still need to determine necessity we no longer need to conduct a balancing test.

The ICO’s draft recognised legitimate interests guidance sets out these pre-approved purposes for using personal data. This draft is open to consultation, so may be subject to some amendments. Additional purposes may be added to this list in due course.

1. Public Tasks Disclosure Condition

Sharing personal information with another organisation that has requested it from you because they need it for their public task or official functions. This condition will only apply if you can meet the following requirements:

  • another organisation asks you to share or disclose personal information;
  • that organisation states in their request they need the particular information for their public tasks or official functions which are laid down in the law; and
  • your disclosure of the personal information is necessary to respond to their request.

For more detail see ICO draft guidance: Public Tasks Condition

2. National Security, Public Security and Defence Condition

To safeguard national security, protect public security or for defence reasons. To use this condition, you must only intend to use personal information for these purposes and be able to demonstrate this use is necessary. The term ‘defence’ should be read as national defence, for example the protection, security and capability of the armed forces, and the civilian staff that support them.

See ICO draft guidance on this condition.

3. Emergencies Condition

To respond to, or deal with, an emergency situation. This covers situations which threaten serious damage to the environment or people’s welfare, or pose a serious threat to UK security.

See ICO draft guidance: Emergencies Condition

4. Crime Condition

To prevent, detect or investigate crimes, including the apprehension and prosecution of offenders. The scope of this condition includes economic crimes such as money laundering and scams. The ICO makes it clear if you’re handling criminal offence data you will still need to meet additional requirements under Article 10, UK GDPR.

See ICO draft guidance; Crime Condition

5. Safeguarding Condition

To protect the physical, mental or emotional well-being of people who need extra support or protect them from harm or neglect. To rely on this condition you must:

  • make sure what you’re planning to do with personal data falls within the definition of safeguarding
  • be satisfied the person you wish to safeguard is a child or an ‘at risk’ ‘adult
  • make sure the handling of personal information is necessary for this purpose

For more detail see ICO draft guidance on Safeguarding Condition.

Key points to bear in mind…

  • Public authorities can’t rely on recognised legitimate interests to perform their tasks or functions.
  • What you’re planning do to must meet one of the pre-approved conditions above.
  • You must be satisfied using personal information is necessary, taking into consideration the facts of each case and whether there’s another reasonable and less intrusive alternative.
  • More than one condition may and can apply to a particular situation or activity.
  • No condition is better or more important than the others.
  • The conditions can apply for different types of personal data including special category data. However, when relying on this lawful basis for special category data you’ll still also need to make sure you have a special category condition under Article 9 and meet any necessary requirements for that condition. You may also need to consider if conducting a Data Protection Impact Assessment is necessary or appropriate.

Relying on recognised legitimate interests may mean there’s no longer a need to conduct an LIA, but the ICO stresses this doesn’t mean there are no restrictions, and you’ll still need to comply with all other requirements under data protection law.

And to be clear, there’s no obligation to switch your lawful basis. If you’re currently rely on legitimate interests, have balanced this and are comfortable with it, you can keep things just as they are.

If you do choose to rely on recognised legitimate interests, remember you may need to update your Record of Processing Activities and any relevant privacy notice.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

When is it okay to record and transcribe meetings?

August 2025

Key considerations when using AI-enabled tools

It’s increasing common for online meetings and phone calls to be recorded and/or transcribed. A plethora of AI-enabled tools have popped up to make this very easy to do. Transcriptions can be really helpful to provide a written record, a short summary of the key points, or even to automate key actions. Often handy for those who can’t attend or for people with certain disabilities. Some apps can combine words with recorded video or audio content for reference.

However, while we rush to take advantage of these apps, we should be mindful of some privacy risks and be sure to have some measures and controls in place.

Unauthorised use and data leakage

Are people in your organisation going ahead with a ‘free trial’ and using recording or transcription services which have not been properly vetted or approved? This could result in poor controls on the outputs and data leakage to third parties. People need to know what they’re permitted to do, and what is not company policy. The safest bet is to go with an Enterprise version, so you can make sure there’s sufficient control and oversight of its use.

Does it turn on automatically?

Some apps are set to ‘on’ by default, so the settings may need editing to stop them automatically recording or transcribing when you don’t want them to.

Do you have permission?

It’s important to make sure everyone’s happy for the meeting to be recorded and/or transcribed. Good practice would be to let participants know in advance when there will be a recording and/or transcription made and ask them to let you know if they object. Also remind them at the start of the meeting, before you actually click ‘start’.

Is it accurate?

AI transcription tools can be extremely accurate, often better than humans. But even so, AI can still make mistakes. For example, AI can misinterpret certain nuances in the human voice or behaviours, or fail to grasp the context. This could affect the accuracy of the written output, or even its meaning. What we say isn’t always what we mean! Take different forms of humour, such as sarcasm, which might not come across well in raw text.

Human oversight is key – don’t assume everything you read is 100% accurate to the words or the context.

Data minimisation and retention

Do we really need both a video recording and a transcription? Depending on the nature of meetings, this could create a significant volume of personal data, or perhaps commercially sensitive data. One of the first things we should think about is deleting anything we don’t need at the earliest opportunity.

Sharing transcripts and recordings

Have we set any restrictions on who the outputs are shared with an in what form? We should take particular care to prevent unauthorised disclosure of sensitive information – either of a personal, confidential or commercial nature.

Sensitive meetings

Just because a meeting is of a sensitive nature, doesn’t necessarily mean it can’t be recorded or transcribed. We know of circumstances where both parties have been in agreement on this, for example in grievance proceedings meetings. However, in such cases all the other points above can become even more important – is it an approved app? is the output accurate? who should have access to it? And so on.

Can we handle privacy rights requests?

If recording and transcription tools are not set up and managed well, they may cause an unwelcome headache further down the line. Recordings and transcriptions may all be in scope if you receive a DSAR or erasure request. It’s therefore good to nail down, how long materials will be kept for, where they will be saved, and making sure they are searchable.

5 Quick Tips

1. DPIA: Depending on your planned use and how sensitive the personal data captured is likely to be, consider if a DPIA is required (or advisable).

2. Internal policy / guidelines for usage: Set guidelines on when and how recording and transcription services should and should not be used. Include expected standards such as telling people in advance, giving them an opportunity to object, rules on sharing, deletion etc

3. Access controls: Update your access controls to make sure only authorised individuals can access recordings and transcriptions.

4. Retention: Update your data retention policy/schedule to confirm retention periods. Clearly there may be exceptions to the rule, if there is information which needs to be kept longer.

5. DSARs: Update your DSAR procedure to reflect personal data captured in recordings and transcriptions may be within scope.

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

ICO fines charity for destroying personal data

July 2025

We often talk about the risks of holding onto personal data for too long. The need to make sure data is destroyed when it’s no longer required and how the impact of a data breach could be far worse if it involves personal records which shouldn’t have kept. But now we have a case where it’s the destruction of records which caused a data breach.

The Scottish charity Birthlink has been fined £18,000 by the ICO for destroying approximately 4,800 records, some of which were irreplaceable photographs and letters.

The findings make for sobering reading. A catalogue of errors; lack of accountability, lack of policies and procedures, no appropriate data protection training and a failure to report a data breach for more than two years.

Who are Birthlink and what do they do?

Birthlink has maintained the Adoption Contact Register for Scotland since 1984. This is a service for adopted people or their relatives, and for birth parents or their relatives. It enables people to register their details with the hope of being ‘linked’ and potentially reunited.

Where a link is made, records are classified at “Linked Records”, and the personal data contained within such records can include sensitive documents such as:

Original birth certificates
Adoption Contact Register application form
Correspondence between Birthlink and service users
Other information relevant to the adoption
Irreplaceable items (e.g. handwritten letters from birth parents and birth families, photographs and other sensitive personal information)

These are physical documents relating to adopted people’s individual circumstances, which the charity held in filing cabinets.

What went wrong?

In January 2021 Birthlink was running out of space in the filing cabinets the Linked Records were stored in, so assessed whether they could destroy them. After a board meeting it was agreed there were no barriers to the destruction of the records, that retention periods should apply and only replaceable records should be destroyed.

However, it’s evident from the enforcement notice this was very badly managed. Due to poor records management, bags of paperwork were destroyed without a full understanding of what the documents entailed. To make matters worse, despite concerns being raised at the time about shredding people’s photographs and letters, the destruction continued.

More than two years later and following an inspection by the Care Inspectorate, the Board became aware irreplaceable items had in fact been destroyed. It was only then the data breach was reported to the ICO.

And the woeful tale continues. Poor record keeping means not only will the extent of what was destroyed never be fully known, Birthlink have also been left unable to identify people affected by the breach.

Key findings

Routinely in an article like this I’d write a bit about the key findings, but in this case I think they speak for themselves. You’ll not be surprised to learn Birthlink says there was limited knowledge of their data protection obligations at the time this breach took place.

Sally Anne Poole, Head of Investigations at ICO, said:

“It is inconceivable to think, due to the very nature of its work, that Birthlink had such a poor understanding of both its data protection responsibilities and records management process. We do however welcome the improvements the charity has subsequently put in place, not least by appointing a data protection officer to monitor compliance and raise awareness of data protection throughout the organisation.

“Whilst we acknowledge the important work charities do, they are not above the law and by issuing and publicising this proportionate fine we aim to promote compliance, remind all organisations of the requirement to take data protection seriously and ultimately deter them from making similar mistakes.”

Key learnings

It’s too easy to see the mistakes here, and easy to pour scorn on Birthlink. However, all organisations will recognise taking a robust approach to data retention can be challenging to deliver in practice.

Many organisations face a careful balance between destroying personal data they have no justification for holding on to, and making sure they continue to retain records they still need to keep. Robust records management procedures, secure storage and archiving, clear data retention periods, and clear authorisation when the time comes for destruction are crucial – especially when handling sensitive information.

Sometimes a specific law tells us how long certain records should be kept, or personal data needs to be retained to meet contractual obligations. Often we need to consider people’s reasonable expectations – would they expect us to be still holding on to their personal details or not?

In the case of Birthlink, the answer was almost undoubtedly, yes, people would have expected irreplaceable records to be retained, or perhaps returned to them, rather than destroyed.

I can’t stress enough to effectively tackle data retention it needs shared ownership – clear accountability with assigned roles and responsibilities across the organisation. Good data governance is the key.

If this has given you an unwelcome nudge to revisit your approach to retention, see our 3 Steps to decide your data retention periods and our detailed Data Retention Guide.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

SIGN UP FOR OUR NEWSLETTER

Get DPN updates direct to your inbox. Insight, free resources, guides, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.

  • This field is for validation purposes and should be left unchanged.