Author: Hanna Hanna
What is a Data Subject Access Request (DSAR)?

A Data Subject Access Request, or DSAR, is a formal request from an individual asking to see the personal data an organisation holds about them. Under UK GDPR, individuals have the right to access their data, understand how it’s being used, and receive a copy – usually free of charge.
DSARs can come from customers, employees, suppliers, or anyone whose data you process. They might arrive by email, letter, or even verbally. Regardless of how they’re submitted, you have a legal obligation to respond within one month (extendable to three months in complex cases, with justification).
For many UK businesses, DSARs are rare. But when one lands in your inbox, it can feel like a legal grenade. You need to act fast, gather the right data, redact sensitive information, and respond in a way that’s both compliant and professional. Get it wrong, and you risk ICO fines, legal action, or reputational damage.
Why DSARs Matter for UK Businesses
DSARs are one of the most common ways individuals exercise their data protection rights. The ICO takes them seriously, and so should you. A poorly handled DSAR can trigger a complaint to the regulator, especially if you miss the deadline, refuse without valid grounds, or provide incomplete information.
But DSARs aren’t just a compliance risk – they’re also an opportunity. Handling them well demonstrates transparency, builds trust, and shows you take privacy seriously. On the flip side, ignoring or mishandling a DSAR can escalate into a full ICO investigation, especially if the requester is persistent or legally represented.
Common DSAR scenarios include:
- Former employees requesting copies of emails, performance reviews, or HR records
- Customers asking what data you hold after a data breach or privacy concern
- Individuals involved in disputes or legal proceedings seeking evidence
- Competitors or journalists using DSARs to gather intelligence (yes, this happens)
The DSAR Process: Step-by-Step
Handling a DSAR efficiently requires a clear process. Here’s how to do it right:
Step 1: Verify the Identity of the Requester
Before handing over any data, you need to confirm the requester’s identity. This protects both you and the individual. Ask for proof of identity – a passport, driving licence, or utility bill usually suffices. If the request is submitted by a third party (such as a solicitor), ask for written authorisation from the individual.
Step 2: Clarify the Scope of the Request
Some DSARs are vague: “Send me everything you have on me.” Others are laser-focused: “I want copies of all emails between me and John Smith from January to March 2025.” If the request is unclear, contact the requester and ask them to narrow it down. This saves you time and ensures you provide what they actually want.
Step 3: Search for the Data
This is where it gets messy. You need to search all systems where the individual’s data might be stored: emails, CRM platforms, HR systems, cloud storage, paper files, and even backup servers. Don’t forget less obvious places like Slack messages, WhatsApp groups, or handwritten notes.
For complex requests, consider using e-discovery tools or working with an IT specialist to ensure you don’t miss anything.
Step 4: Redact Third-Party Data
You can only disclose the requester’s personal data, not someone else’s. If an email thread includes other people’s names, opinions, or personal details, you’ll need to redact them. This is time-consuming but essential. The ICO provides guidance on redaction and exemptions to help you get it right.
Step 5: Respond Within the Deadline
You have one month from receipt of the request to respond. If you need more time (up to three months), you must tell the requester within the first month and explain why. Missing the deadline without good reason is a red flag for the ICO.
Your response should include:
- A copy of the personal data you hold
- Information about how you use it and who you share it with
- Details of how long you keep it
- Information about the individual’s other rights (e.g. to rectify or erase data)
Common DSAR Challenges and How to Overcome Them
Challenge 1: Excessive or Vexatious Requests
Sometimes, individuals submit repeated or clearly unreasonable DSARs. UK GDPR allows you to refuse these, but you need to document your reasons carefully. If in doubt, seek legal or DPO advice before refusing.
Challenge 2: Data Spread Across Multiple Systems
If your data is scattered across different platforms, gathering it all can be a nightmare. This is why having a clear data inventory (or Record of Processing Activities) is so important. It tells you where to look.
Challenge 3: Balancing Transparency with Confidentiality
You might hold data that reveals confidential business information, trade secrets, or legal advice. In some cases, you can withhold this under exemptions, but you must justify your decision and inform the requester.
How Athlex DSAR Services Can Help
Handling DSARs in-house can be stressful, especially if you’re dealing with your first one or a particularly complex request. At Athlex, we provide expert DSAR support to help you respond quickly, compliantly, and confidently.
Our DSAR services include:
- Advice on verifying identity and scoping the request
- Guidance on searching for and gathering data
- Support with redaction and exemptions
- Review of your draft response before you send it
- Ongoing support if the requester challenges your response
We also offer DSAR support as part of our Outsourced DPO packages, so you have expert help on hand whenever you need it.
Whether you’re facing your first DSAR or dealing with a tricky repeat requester, we’ll help you handle it efficiently and avoid costly mistakes.
Conclusion
Data Subject Access Requests are a fact of life under UK GDPR. They can be time-consuming and stressful, but with the right process and expert support, you can handle them smoothly and stay compliant.
If you’ve received a DSAR and need help, or if you want to put a robust process in place before the next one arrives, get in touch with Athlex today. We’ll guide you through every step, so you can respond with confidence.
What is a Data Protection Impact Assessment (or Privacy Impact Assessment)?

A Data Protection Impact Assessment (DPIA), also known as a Privacy Impact Assessment, is a structured process under UK GDPR that helps organisations identify and minimise the data protection risks of a project or system. If you’re launching a new service, implementing new technology, or changing how you handle personal data, a DPIA helps you spot potential privacy problems before they become compliance headaches or data breaches.
Think of it as a health check for your data processing activities. It forces you to ask the right questions: What data are we collecting? Why do we need it? Who has access? What could go wrong? And most importantly, how do we fix it?
Under UK GDPR, a DPIA is mandatory in certain high-risk situations. But even when it’s not legally required, it’s often the smartest move you can make. It demonstrates accountability, reduces the risk of fines, and shows customers you take their privacy seriously.
When is a Data Protection Impact Assessment Required?
You must conduct a DPIA when your processing is likely to result in a high risk to individuals’ rights and freedoms. The ICO provides clear guidance on when a DPIA is necessary, but here are the most common scenarios:
Large-Scale Processing of Sensitive Data
If you’re processing special category data (health records, biometric data, criminal convictions) on a large scale, a DPIA is required. For example, a healthcare provider rolling out a new patient management system would need to complete a DPIA before going live.
Systematic Monitoring
Any systematic and extensive monitoring of publicly accessible areas triggers the DPIA requirement. CCTV networks, location tracking apps, and workplace monitoring systems all fall into this category.
Automated Decision-Making
If you’re using algorithms or AI to make decisions that significantly affect individuals – such as credit scoring, recruitment screening, or fraud detection – you need a DPIA. This includes profiling activities that could lead to discrimination or unfair treatment.
New Technology Deployments
Rolling out new technology that processes personal data in a novel way? A DPIA is your friend. Whether it’s a new CRM platform, marketing automation tool, or AI-powered chatbot, assessing the privacy risks upfront saves trouble later.
For more detailed guidance on when a DPIA is required, visit the ICO’s DPIA guidance page: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/data-protection-impact-assessments-dpias/
How to Conduct a Privacy Impact Assessment
A good DPIA follows a clear structure. You don’t need a law degree to complete one, but you do need to be thorough and honest about the risks.
Step 1: Describe the Processing
Start by documenting what you’re planning to do. What personal data will you collect? Where will it come from? Who will have access? How long will you keep it? Be specific. Vague descriptions lead to vague risk assessments.
Step 2: Identify the Necessity and Proportionality
Ask yourself: do we really need all this data? Is there a less intrusive way to achieve the same goal? This is where many organisations trip up. Just because you can collect data doesn’t mean you should.
Step 3: Identify and Assess Risks
This is the heart of the DPIA. What could go wrong? Could the data be accessed by unauthorised people? Could it be lost or stolen? Could individuals be harmed if the data is misused? Rate each risk by likelihood and severity.
Common risks include:
- Unauthorised access or data breaches
- Function creep (using data for purposes beyond the original intent)
- Discrimination or unfair treatment from automated decisions
- Reputational damage to individuals
- Loss of trust in your organisation
Step 4: Identify Measures to Mitigate Risks
For each risk, document how you’ll reduce it. This might include encryption, access controls, staff training, regular audits, or anonymisation techniques. The goal is to bring risks down to an acceptable level.
Step 5: Sign Off and Review
Your DPIA should be approved by senior management and, if you have one, your Data Protection Officer. It’s not a one-and-done document – you should review it regularly, especially if the processing changes or new risks emerge.
For a step-by-step template and practical examples, the ICO offers a free DPIA template that UK businesses can adapt, or we can assist you with a custom DPIA suited to your business.
Common Mistakes to Avoid
Many organisations treat DPIAs as a box-ticking exercise. They rush through the process, copy-paste generic risk assessments, and file the document away without acting on it. This is worse than not doing a DPIA at all, because it creates a false sense of security.
Here are the most common mistakes:
- Starting too late: A DPIA should be done at the design stage, not after you’ve already built the system.
- Ignoring stakeholder input: Consult the people who will be affected. Their insights often reveal risks you hadn’t considered.
- Underestimating risks: If something feels risky, it probably is. Don’t downplay risks to make the project look safer.
- Failing to act on findings: A DPIA is only useful if you implement the mitigations you identify. If high risks remain, you may need to consult the ICO before proceeding.
How Athlex Can Help
Conducting a privacy impact assessment can feel overwhelming, especially if it’s your first time. At Athlex, we provide expert support to help you complete a thorough, compliant DPIA without the stress.
Our Privacy Impact Assessment service includes:
- Guidance on scoping and structuring your DPIA
- Risk identification and mitigation advice
- Review and feedback on your draft DPIA
- Support with ICO consultation if required
We also offer this as part of our Outsourced DPO packages, so you have ongoing support for all your data protection needs.
Whether you’re launching a new product, adopting AI tools, or rolling out a new HR system, we’ll help you get your DPIA right the first time.
Conclusion
A Privacy Impact Assessment isn’t just a compliance requirement – it’s a practical tool that helps you build better, safer systems. By identifying risks early and taking steps to mitigate them, you protect your customers, your reputation, and your business.
If you’re unsure whether you need a DPIA, or you’d like expert help completing one, get in touch with Athlex today. We make data protection simple, so you can focus on growing your business with confidence.
AI is changing how people ask questions

The ICO has published new guidance on AI-generated FOI requests to help public authorities deal with Freedom of Information requests involving artificial intelligence.
The guidance explains that people now use AI tools to help them make information requests. As a result, some requests may look longer, more formal or more complex than before. Some may also rely on wording that does not quite fit the law.
Why this matters beyond FOI
At first, this may sound like a public sector issue.
However, private businesses should still pay attention.
If people can use AI tools to write Freedom of Information requests, they can also use them to write subject access requests, complaints, contract challenges and customer queries.
Therefore, this is not just a story about FOI.
It gives businesses a useful warning about what comes next.
People now have tools that help them ask formal questions quickly. Sometimes those questions will make sense. Sometimes they will not. Either way, businesses need to know how to respond.
Why this matters for UK businesses
Freedom of Information law applies to public authorities. Therefore, most private businesses do not need to respond to FOI requests.
However, private businesses do need to deal with data protection rights under the UK GDPR.
For example, individuals may ask for a copy of their personal data through a subject access request. Athlex has a helpful DSAR guide for SMEs that explains what these requests involve and why they can become difficult to manage.
Individuals may also ask how your business uses, shares, stores or deletes their data.
AI can make requests look more formal
Because of AI tools, those requests may now look more detailed.
They may also sound more legal than before.
That does not mean the request is correct. However, your business still needs a clear process for handling it.
In practice, your team should know:
- who deals with requests;
- how they track deadlines;
- where they can find personal data;
- when they need legal input;
- how they check whether AI tools play a role;
- how they respond clearly and fairly.
Without that structure, even a simple request can create stress.
Once stress enters the process, mistakes become more likely. Because apparently one awkward email can still ruin everyone’s afternoon.
The real risk is not the AI-generated request
AI-generated requests may feel frustrating. They may run too long. They may quote the wrong law. They may also ask for information the person cannot receive.
However, the request itself is not the main risk.
The bigger risk appears when your business cannot explain what it does with personal data.
Requests test your data protection controls
For example, a business may struggle if it cannot explain:
- what personal data it holds;
- why it holds that data;
- where teams keep it;
- who can access it;
- which suppliers process it;
- whether AI tools use it;
- how long the business keeps it;
- whether the privacy notice matches reality.
As a result, a request can quickly become more than an admin task.
It can test your data protection controls.
It can also show whether your policies match what actually happens inside the business.
If you need practical support reviewing your current position, Athlex’s GDPR consultancy services can help you assess gaps and decide what needs attention first.
AI makes transparency more important
Many businesses already use AI in everyday ways.
For example, they may use AI to:
- summarise customer emails;
- support recruitment;
- review complaints;
- analyse customer behaviour;
- support fraud checks;
- write internal notes;
- power website chatbots;
- prioritise sales leads.
Some of these uses may feel low risk.
However, personal data changes the position.
If an AI tool uses personal data, the business needs to understand what happens to that data.
That means asking clear questions.
What data does the tool use? Why does the business use it? Has the business told the person? Does a supplier help process the data? Can the supplier use the data to train the tool? Could the output affect someone?
These are not abstract legal questions.
They are practical business questions.
Increasingly, customers, staff and regulators may expect clear answers.
Automated decision-making is where AI gets serious
Some AI tools simply help teams work faster. Others go further. They may help decide who gets an interview, whether a transaction looks suspicious, what price someone is offered, or whether a customer should receive a service. At that point, AI is no longer just a helpful tool in the background. It may be influencing decisions that affect real people.
That is why automated decision-making needs special care.
The Data Use and Access Act 2025 has changed parts of the UK’s data protection rules. In simple terms, it gives organisations more flexibility to use automated systems for significant decisions. However, the ICO is clear that this flexibility depends on appropriate safeguards still being in place.
So, this is not a free pass to hand decisions to AI and walk away whistling. Where an automated decision has a legal or similarly significant effect on someone, businesses still need to think carefully about fairness, transparency and challenge. For example, people may need to be told about the decision, given a chance to challenge it, allowed to make their views known and given access to meaningful human involvement.
This matters for businesses using AI in areas such as:
* recruitment;
* fraud checks;
* lending or affordability decisions;
* customer risk scoring;
* access to services;
* pricing;
* complaints handling.
The key question is not simply:
Are we using AI?
The better question is:
Could this AI use affect someone in a meaningful way?
If the answer is yes, the business needs to slow down and check the rules before the system goes live.
That means understanding what the AI tool does, what data it uses, how decisions are made, what role humans play and how people can challenge the outcome. Because “the system recommended it” is not a data protection strategy.
It is a sentence that usually arrives shortly before someone asks for evidence. In short, AI can support better decisions. However, businesses still need to understand how those decisions are made and whether people have proper safeguards.
A human review also needs to be real. If someone simply accepts the AI output without thinking, that is not meaningful oversight. It is just automation wearing a human hat, which is less comforting than some people seem to think.
What businesses should do now
The answer is not to panic.
It is also not to ban every AI tool and pretend everyone will go back to manual spreadsheets.
Instead, businesses should take practical steps.
1. Map where AI is being used
First, find out where AI is being used across the business.
This should include obvious tools, such as chatbots and AI platforms. However, it should also include less obvious uses in HR, marketing, sales, customer service, finance and operations.
For each use, ask:
* Is personal data involved?
* What is the AI tool doing?
* Is a supplier involved?
* Is the output used to make decisions?
* Has anyone checked the data protection position?
This does not need to be complicated. However, it does need to be clear.
2. Review your privacy notices
Next, check whether your privacy notices still reflect reality. If your business uses AI in a way that affects personal data, your privacy information may need to explain this. For example, you may need to explain what data is used, why it is used, who it is shared with and what rights people have. A privacy notice should not be a dusty webpage that nobody trusts. Instead, it should be a clear explanation of what actually happens. Athlex can support businesses with practical privacy notice and compliance reviews through its data protection services.
3. Prepare for AI-assisted DSARs and complaints
Businesses should also prepare for more detailed requests and complaints. For example, people may use AI to help them ask about:
* what personal data you hold;
* how AI tools use their data;
* whether decisions are automated;
* how long information is kept;
* whether data has been shared with suppliers;
* whether they can object or challenge a decision.
In addition, AI tools may make complaints look more formal, more detailed and more legal than before. Some complaints may be valid and well explained. However, others may be based on misunderstandings, incorrect assumptions or wording copied from an AI tool without much thought behind it. As a result, your DSAR and complaint process should be easy to follow.
Your team should know what to do, who to involve and when to escalate. They should also understand how to respond clearly when a complaint is broad, unclear, abusive, repetitive or based on incorrect legal points.
That way, the business can respond properly without turning one email into a full organisational incident.
Received a data protection complaint and not sure what to do first?
Athlex has created a free Data Protection Complaints Checklist to help businesses take a calm, practical first step when a data protection complaint comes in.
The checklist helps you think through:
* what the complaint is actually about;
* whether personal data is involved;
* whether there is a potential breach;
* who needs to be involved internally;
* what evidence should be kept;
* when the issue should be escalated;
* how to avoid making the situation worse.
It is designed to help you respond clearly, quickly and with more confidence.
Ask us for your free checklist – hello@athlex.co.uk
4. Check your supplier contracts
AI suppliers can create hidden risks. Therefore, before using AI tools with personal data, businesses should check the contract position. In particular, they should understand:
* whether the supplier is a processor or controller;
* where the data is stored;
* whether the supplier uses the data to train AI models;
* which sub-processors are involved;
* what security measures apply;
* what happens if there is a breach;
* whether the supplier can support DSARs and deletion requests.
If those answers are unclear, the business may not be ready to use the tool with personal data. That may slow things down. However, it is better than discovering the issue after a complaint. If you are reviewing AI supplier terms, Athlex’s contract and clause review support can help you understand the risks before you sign.
5. Use DPIAs for higher-risk AI
Finally, businesses should complete a Data Protection Impact Assessment where AI use is likely to create higher risks. A DPIA helps identify privacy risks before a project goes live. It is especially useful where AI is used for profiling, monitoring, recruitment, fraud checks, special category data or decisions that may affect people.
A good DPIA should ask:
* Is this use of AI necessary?
* Is it fair?
* Can we explain it?
* Could it harm people?
* Are the safeguards strong enough?
* Can a human properly review the outcome?
In other words, a DPIA should not be treated as a form to complete at the end. It should help the business make better decisions from the start. Athlex provides DPIA support for businesses that need practical guidance on higher-risk processing, including AI projects.
The Athlex view: AI readiness is now part of data protection readiness
The ICO’s guidance on AI-generated FOI requests is aimed at public authorities. However, the wider message applies to many organisations. AI is changing how people ask questions. It is also changing how businesses use personal data. As a result, data protection processes need to keep up. For UK businesses, this means AI governance should not sit in a separate future project.
Instead, it should be built into everyday data protection work. That includes:
* clear records of processing;
* accurate privacy notices;
* strong supplier checks;
* practical DPIAs;
* clear DSAR processes;
* sensible human review;
* evidence of decisions;
* a clear process for handling complaints.
The businesses that manage this well will not be the ones with the longest AI strategy document. They will be the ones that can explain what they are doing, show why it is fair and respond properly when challenged. That is what builds trust. And trust is still one of the strongest data protection tools a business has. For businesses that need ongoing support, Athlex’s outsourced DPO services can help keep data protection work moving without adding pressure to already stretched teams: https://athlex.co.uk/outsourced-dpo/
Need help with AI, complaints and data protection?
Athlex helps UK businesses understand data protection in a clear and practical way. We support businesses with AI risk reviews, DPIAs, privacy notices, DSAR processes, supplier checks, complaint handling and outsourced DPO support. If your business is using AI, planning to use AI, or only just realising that your teams are already using it, now is the time to get your data protection foundations in order.
Not sure where to start with a complaint? Get our free Data Protection Complaints Checklist and get clear, practical steps for handling complaints before they escalate.
Athlex makes data protection clear, practical and built for real business decisions. Data protection made simple.
Claude Mythos and the Accountability Gap: What Happens When AI Finds the Weakness First?

What happens when AI finds the weakness before you do?
Most businesses know the basics: patch systems, manage access, check suppliers and prepare for breaches.
The problem is not awareness.
The problem is delay.
Those tasks get pushed into “next quarter”, passed between teams, half-documented or quietly left to gather dust in a folder labelled “cyber review”. Claude Mythos makes that habit harder to ignore.
Anthropic’s Claude Mythos Preview has attracted attention because of its advanced cyber capabilities. The UK AI Security Institute evaluated the model and found that it showed significant improvement on capture-the-flag challenges and multi-step cyber-attack simulations. In controlled testing, where AISI explicitly directed the model and gave it network access, the model could carry out multi-stage attacks on vulnerable networks and discover and exploit vulnerabilities autonomously. (AI Security Institute)
That sounds dramatic. It is.
But for most organisations, the key issue is not whether Claude Mythos itself will attack them.
The better question is this:
If AI can find vulnerabilities faster, can your organisation show that it manages cyber and data protection risk quickly enough?
That is the accountability gap.
Claude Mythos is not just a hacking story
The public debate around Claude Mythos has focused on cyber capability. That makes sense. “AI can help find software vulnerabilities” is a more exciting headline than “please review your supplier register”, even though the second one is probably where the real trouble starts.
AISI reported that Claude Mythos Preview achieved a 73% success rate on expert-level capture-the-flag tasks. It also became the first model to complete “The Last Ones”, a 32-step simulated corporate network attack, succeeding from start to finish in 3 out of 10 attempts and completing an average of 22 out of 32 steps across all attempts. (AI Security Institute)
Why multi-step attacks matter
Real cyber incidents rarely happen in one clean step.
Attackers often move through a chain of activity: reconnaissance, access, privilege escalation, movement across systems and exploitation.
In plain English: they do not usually knock politely on the front door. They look for a loose window, climb in, find the keys, wander around and then everyone acts surprised that the security policy did not save them.
AI systems that can help connect those steps change the risk environment.
But Claude Mythos is not only a story about what attackers might do. It is also a story about what businesses may now need to prevent, detect, document and explain.
The old basics matter more, not less
It would be easy to treat advanced AI cyber capability as something so futuristic that normal organisations cannot do anything about it.
That would be convenient.
It would also be wrong.
AISI did not test Mythos against fully defended real-world systems. Its test environments lacked protections such as active defenders and defensive tooling. AISI therefore said it could not conclude that Mythos Preview could attack well-defended systems. (AI Security Institute)
Weak security is becoming easier to expose
AISI’s practical message was still clear: Mythos Preview can exploit systems with weak security posture, and more models with similar capabilities are likely to follow. AISI highlighted basic controls including regular security updates, robust access controls, secure configuration and comprehensive logging. (AI Security Institute)
So the lesson is not “buy a panic room for your servers”.
The lesson is this:
Weak security basics are becoming easier to find, easier to test and harder to excuse.
For many organisations, the biggest risk is not a science-fiction AI attack. It is much more ordinary:
- software that nobody patched;
- excessive admin access;
- old accounts that still work;
- suppliers with unclear security obligations;
- systems nobody owns;
- logs nobody checks;
- incident plans nobody has tested;
- policies that say the right thing while reality quietly does something else.
Claude Mythos does not create all of those weaknesses.
It makes them more exposed.
The real issue: can you evidence “appropriate security”?
This is where the data protection angle matters.
The UK GDPR requires organisations to process personal data securely using appropriate technical and organisational measures. The ICO explains that this security principle requires organisations to consider risk analysis, organisational policies, and physical and technical measures. (ICO)
That does not mean perfect security. No regulator expects a small business to defend itself like a national intelligence agency, which is merciful, because most organisations are still debating who owns the shared inbox.
But it does mean organisations must match their security measures to the risk.
“Appropriate” changes as the threat changes
The word appropriate matters.
As cyber capability changes, what counts as appropriate may also change.
If AI-assisted tools make it easier to discover and exploit weaknesses, organisations may need to ask whether their current arrangements still work.
Not in theory.
In evidence.
Can you show:
- what systems hold personal data;
- who has access;
- when teams last reviewed access;
- how quickly teams apply critical patches;
- which suppliers access or host personal data;
- what contracts say about cyber incidents;
- when your breach response plan was last tested;
- how teams escalate risks;
- who makes notification decisions;
- what records you keep?
The question after a breach is not only “what happened?”
After a personal data breach, regulators, customers, insurers and business partners may ask a second question:
What did you do before it happened?
That is where many organisations get uncomfortable.
Not because they did nothing, necessarily. Often, they did some of the right things. The problem is that nobody recorded them clearly, nobody owned them properly, or nobody checked whether they still worked.
That is the accountability gap in practice.
The overlooked issue: supplier risk
One of the most under-discussed issues with Claude Mythos is not just who can use AI to find vulnerabilities.
It is who benefits first when vulnerabilities are found.
Anthropic’s Project Glasswing gives selected organisations and critical software maintainers access to Claude Mythos Preview for defensive work. Anthropic describes the initiative as a way to secure critical software and give defenders a head start, with launch partners including AWS, Apple, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA and Palo Alto Networks. (Anthropic)
Most businesses will not get direct access to frontier AI tools
Project Glasswing may help improve widely used software. If major providers find and fix vulnerabilities earlier, many downstream users may benefit.
But most ordinary businesses will not use frontier AI security tools directly.
SMEs, charities, professional services firms and smaller regulated businesses usually depend on:
- software vendors;
- cloud providers;
- managed IT providers;
- payment platforms;
- HR systems;
- marketing platforms;
- outsourced processors;
- cyber security suppliers.
That creates a practical accountability problem.
If AI accelerates vulnerability discovery, businesses need to know whether their suppliers can respond quickly enough.
Supplier security is part of your accountability
It is no longer enough to assume “our provider deals with security”.
Organisations need to understand:
- which suppliers process or access personal data;
- whether contracts include appropriate security obligations;
- how quickly suppliers must report incidents;
- who applies updates;
- whether suppliers use sub-processors;
- what happens if a critical provider suffers a compromise;
- whether business continuity plans are realistic.
A supplier’s cyber weakness can trigger your personal data breach obligations.
That is the bit businesses need to sit with, preferably before signing another contract where the security schedule has been treated as decorative paperwork.
The defensive inequality problem
Claude Mythos also points to a wider issue: defensive inequality.
Large technology companies may use advanced AI to find and fix vulnerabilities. They have specialist teams, mature processes, direct access to frontier tools and budgets that do not immediately burst into flames when someone says “security testing”.
Smaller organisations usually do not.
They rely on vendors to fix problems, suppliers to notify them, IT providers to apply patches and internal teams to understand what all of that means for personal data.
SMEs do not need an AI cyber lab
Smaller organisations are not helpless.
But they do need good governance.
For SMEs, the priority is not building their own AI cyber lab. That would be absurdly expensive and, in most cases, about as proportionate as buying a submarine to cross a puddle.
The priority is making sure the basics are understood, documented and owned.
That means:
- keeping an up-to-date record of systems and suppliers;
- reviewing contracts with key processors;
- confirming who handles updates and patches;
- checking access controls regularly;
- maintaining breach response procedures;
- documenting key decisions;
- training staff;
- testing incident escalation.
This is where data protection governance becomes practical risk management, not just paperwork.
The dual-use dilemma
Claude Mythos also reminds us that AI cyber capability is dual-use.
The same technology that could help attackers find vulnerabilities can help defenders fix them.
Bruce Schneier, writing in The Guardian, argues that modern generative AI systems are becoming good at finding and exploiting software vulnerabilities, but defenders can also use those capabilities to identify and patch weaknesses. He points to Mozilla’s use of Mythos to find vulnerabilities in Firefox, which Mozilla then fixed. (The Guardian)
Attackers and defenders may not move at the same speed
AI may make software more secure in the long run. It could help developers spot weaknesses earlier, test systems more thoroughly and reduce the number of vulnerabilities that reach production.
But the short-term picture may be messier.
Attackers and defenders may both gain new capabilities, but not at the same speed. Some organisations will patch quickly. Others will not. Some suppliers will communicate clearly. Others will send vague emails titled “Important service update” and bury the terrifying bit in paragraph seven.
That is why governance matters.
The question is not only:
What can the AI do?
The better question is:
Who is responsible for managing the risk when AI changes the speed of the threat?
What businesses should do now
Claude Mythos should not push organisations into panic.
It should push them into action.
1. Map your systems and data
You cannot protect what you do not understand.
Organisations should know:
- what systems they use;
- what personal data they hold;
- where that data sits;
- who can access it;
- which suppliers are involved;
- which systems support critical services.
This should connect with your records of processing, supplier register, asset list and breach response process. If those things do not speak to each other, now is the time to fix that.
2. Review supplier contracts and security commitments
Supplier risk creates one of the biggest practical issues.
Businesses should check whether key contracts clearly cover:
- security standards;
- incident notification timescales;
- audit or assurance rights;
- use of sub-processors;
- patching responsibilities;
- business continuity;
- return or deletion of data;
- support with regulatory obligations.
The aim is not to turn every supplier relationship into a legal wrestling match. Tempting, but no.
The aim is to know where responsibility sits before something goes wrong.
3. Check patching and vulnerability management
If AI tools can find vulnerabilities faster, delays matter more.
Businesses should know:
- who applies updates;
- how teams prioritise critical patches;
- whether unsupported systems remain in use;
- how suppliers update managed systems;
- whether teams record patching decisions;
- who approves and reviews exceptions.
“Someone in IT probably sorts that” is not a control. It is a hope wearing a lanyard.
4. Tighten access controls
Access is one of the most common weak points.
Organisations should review:
- multi-factor authentication;
- admin privileges;
- shared accounts;
- leaver access;
- dormant users;
- supplier accounts;
- role-based permissions.
People should have the access they need, not the access they accidentally inherited during a project three reorganisations ago.
5. Test your breach response plan
A breach response plan only helps if people know how to use it.
Testing should cover:
- who identifies and escalates incidents;
- who assesses whether personal data is involved;
- who contacts suppliers;
- who decides whether the organisation must notify the ICO;
- who manages affected individual communications;
- who speaks to insurers;
- who keeps the decision log;
- who updates senior management.
A plan that nobody has tested is not a plan. It is decorative compliance.
6. Bring AI governance into the same conversation
Organisations cannot treat AI governance, cyber security and data protection as separate boxes.
If staff use AI tools to write code, review documents, analyse logs, summarise customer information, generate marketing content or automate workflows, organisations need clear rules.
That means:
- acceptable use policies;
- AI supplier due diligence;
- confidentiality controls;
- human review;
- records of AI use;
- risk assessments for higher-risk tools;
- clear accountability.
The issue is not just whether staff use AI.
It is whether anyone knows how, where, why and with what safeguards.
The Athlex view
Claude Mythos is not a reason for businesses to despair.
It is a reason to stop pretending that cyber security, data protection and AI governance are separate conversations.
They are not.
AI may change the speed at which vulnerabilities are found. It may change what attackers can do. It may also change what defenders can achieve.
But for most organisations, the immediate challenge is simpler:
Can you show that you understand your risks and have taken reasonable steps to manage them?
That is the accountability gap.
The practical lesson for ordinary businesses
Claude Mythos may be a frontier AI story, but the lesson for ordinary businesses is practical:
- know what data you hold;
- know where it sits;
- know who has access;
- know which suppliers matter;
- know how incidents are handled;
- know whether your controls actually work;
- document the decisions you make.
AI may be getting better at finding weaknesses.
Businesses need to get better at fixing them, and proving they did not ignore them.
At Athlex, we help organisations make data protection, AI governance and practical compliance easier to understand, easier to evidence and easier to maintain.
Because waiting until a vulnerability becomes a breach is not a strategy.
It is procrastination with consequences.
Need help reviewing your data protection, supplier or AI governance arrangements?
Athlex helps organisations turn complex compliance requirements into clear, practical steps.
From supplier reviews and breach readiness to AI governance and data protection documentation, we help you understand your risks before they become problems.
The decision to appoint a data protection officer often feels daunting for UK businesses. While some organisations legally require a DPO under GDPR, many others recognise the value of professional data protection oversight even when not mandated. An outsourced DPO offers a compelling solution, providing expert guidance without the overhead of a full-time employee. This approach delivers significant benefits that extend far beyond basic compliance.
Understanding the DPO Requirement
GDPR Article 37 outlines specific circumstances requiring DPO appointment. Public authorities must have one, as must organisations whose core activities involve regular and systematic monitoring of individuals on a large scale. Companies processing special category data as a core activity also fall under this requirement. However, determining whether your organisation meets these criteria isn’t always straightforward.
The complexity begins with defining “core activities” and “large scale.” Regulators provide guidance, but grey areas remain. Many organisations operate near the threshold, unsure whether they legally require a DPO. Others clearly fall outside mandatory requirements but recognise the value of professional data protection oversight.
Even when not legally required, appointing a DPO demonstrates commitment to data protection. It sends a powerful message to customers, partners, and regulators about taking privacy seriously. In an era of increasing data breaches and privacy concerns, this commitment provides competitive advantages.
The reality is that all organisations processing personal data need someone responsible for data protection. Whether titled DPO or privacy lead, someone must ensure GDPR compliance, respond to data subject requests, and manage privacy risks. The question becomes how best to fulfil this need.
Why Outsourcing Makes Sense
Outsourcing the DPO services UK businesses need provides numerous advantages over hiring internally. The most obvious benefit is cost. A qualified in-house DPO commands substantial salary, benefits, and ongoing training investment. Senior professionals with appropriate experience often expect compensation exceeding £70,000 annually in major UK cities.
Beyond direct employment costs, consider the hidden expenses. Recruitment takes time and money, with no guarantee of finding suitable candidates quickly. Once hired, new DPOs need time to understand your business, build relationships, and establish credibility. If they leave, the process starts again.
An outsourced data protection officer brings immediate expertise without these overheads. They’ve worked with multiple organisations, understanding common challenges and proven solutions. This breadth of experience proves invaluable when addressing complex compliance issues or implementing best practices.
Independence represents another crucial advantage. Internal employees face inherent conflicts of interest. They rely on the organisation for their livelihood, potentially compromising their ability to challenge senior management or recommend costly but necessary changes. An external GDPR consultant maintains professional independence, providing objective advice even when it’s uncomfortable.
Scalability offers practical benefits for growing businesses. Data protection needs fluctuate with business activities. Launching new products, entering new markets, or implementing new technologies create temporary spikes in privacy work. An outsourced provider scales support accordingly, increasing assistance during busy periods and reducing it when needs diminish.
Key Responsibilities of Your Outsourced DPO
Understanding what an outsourced DPO does helps organisations maximise value from the relationship. While specific activities vary by organisation, certain core responsibilities remain consistent across engagements.
Regulatory liaison tops the list. Your DPO serves as the primary contact point with the Information Commissioner’s Office and other supervisory authorities. They handle correspondence, manage investigations, and ensure appropriate responses to regulatory inquiries. This expertise proves invaluable during stressful situations like data breach notifications or compliance audits.
Risk assessment and mitigation form another crucial function. Your DPO identifies privacy risks across business operations, prioritising them based on likelihood and impact. They develop practical mitigation strategies balancing protection with business needs. This might involve recommending technical controls, updating policies, or redesigning processes.
Training and awareness activities ensure staff understand their data protection obligations. Your DPO develops training programmes tailored to different roles, from general awareness for all employees to specific guidance for high-risk functions. Regular updates keep pace with regulatory changes and emerging threats.
Policy development and maintenance keeps documentation current and comprehensive. Your DPO reviews existing policies, identifies gaps, and drafts new procedures as needed. They ensure policies reflect actual practices while meeting regulatory requirements. This documentation proves essential during audits or investigations.
Data subject request management requires careful handling. Your DPO establishes processes for receiving, validating, and responding to access requests, deletion requests, and other individual rights. They balance legal obligations with practical constraints, ensuring timely, compliant responses.
Building Effective Relationships
Success with an outsourced DPO depends on building strong working relationships. This starts with clear expectations on both sides. Define roles, responsibilities, and communication channels from the outset. Establish regular reporting requirements and escalation procedures for urgent matters.
Integration with existing teams proves crucial. Your DPO needs to understand business operations, culture, and constraints. Introduce them to key stakeholders early, ensuring they build relationships across the organisation. The most effective DPOs become trusted advisors rather than external consultants.
Communication styles matter. Some organisations prefer formal monthly reports and quarterly board presentations. Others favour informal weekly catch-ups and ad-hoc advice. Discuss preferences openly, adjusting approaches as relationships develop. The goal is finding communication methods that keep everyone informed without creating unnecessary bureaucracy.
Knowledge transfer should flow both directions. Your DPO brings privacy expertise, while your team understands business operations. Encourage open dialogue where both parties share insights. The best outcomes emerge when privacy compliance and business objectives align.
Measuring Success
Defining success metrics helps ensure outsourced data protection delivers value. While compliance remains the primary goal, effective programmes deliver broader benefits worth tracking.
Compliance indicators provide obvious starting points. Track completion of required activities like privacy impact assessments, policy updates, and training sessions. Monitor response times for data subject requests and regulatory correspondence. Measure reduction in compliance gaps identified through audits or assessments.
Risk reduction metrics demonstrate programme effectiveness. Track identified risks, implemented controls, and residual risk levels. Monitor security incidents, near misses, and actual breaches. Declining incident rates suggest improving data protection practices.
Business benefits often surprise organisations. Many find that structured data protection programmes improve operational efficiency. Clear data inventories enable better decision-making. Defined retention schedules reduce storage costs. Privacy-conscious design creates better customer experiences.
Staff engagement provides another success indicator. Track training completion rates, policy acknowledgements, and questions raised. Increasing engagement suggests growing privacy awareness and culture change. The most successful programmes see staff proactively identifying privacy issues rather than waiting for DPO intervention.
Common Challenges and Solutions
Every organisation faces data protection challenges. Understanding common issues helps set realistic expectations and develop effective solutions. Your outsourced DPO has likely encountered similar situations before, accelerating problem resolution.
Resource constraints affect most organisations. Data protection competes with other priorities for limited budgets and attention. Effective DPOs understand these constraints, recommending phased approaches that address highest risks first. They help build business cases for necessary investments, demonstrating return through risk reduction and efficiency gains.
Legacy systems create ongoing headaches. Older technologies often lack modern security features or audit capabilities. Wholesale replacement rarely proves feasible. Your DPO helps develop compensating controls, policy workarounds, and migration strategies that manage risks while respecting practical constraints.
Cultural resistance emerges in many organisations. Staff may view data protection as bureaucratic overhead hindering their work. Skilled DPOs address resistance through education, demonstrating how good data protection practices actually simplify work and reduce risks. They find champions within teams who influence colleagues positively.
Regulatory uncertainty challenges even experienced professionals. Data protection law continues evolving through new legislation, regulatory guidance, and court decisions. Your DPO monitors developments, assessing impacts on your organisation and recommending appropriate responses.
Selecting Your Outsourced DPO Provider
Choosing the right provider requires careful evaluation. Start by confirming appropriate qualifications and experience. Look for recognised privacy certifications, relevant degree qualifications, and demonstrable experience in your sector.
Industry knowledge matters. Healthcare organisations face different challenges than financial services or retail businesses. Providers familiar with your sector understand specific requirements, common challenges, and practical solutions. They speak your language and grasp operational constraints.
Service scope deserves attention. Some providers offer basic compliance checking while others provide comprehensive support including training, audit preparation, and incident response. Consider current and future needs when evaluating options. Starting relationships with providers offering broader services provides flexibility as needs evolve.
Cultural fit influences success. Meet potential DPOs before committing. Assess whether their communication style, approach, and values align with your organisation. The most qualified provider delivers little value if personality clashes prevent effective collaboration.
Reference checking provides valuable insights. Speak with current clients facing similar challenges. Ask about responsiveness, practical value, and working relationships. The best providers readily share references, confident in their service delivery.
Making the Transition
Transitioning to an outsourced DPO requires planning for smooth implementation. Start by documenting current data protection arrangements, identifying what works well and what needs improvement. This baseline helps your new DPO understand starting positions and priorities.
Knowledge transfer from any existing privacy resources proves crucial. Whether replacing an internal DPO or formalising ad-hoc arrangements, capture institutional knowledge before it disappears. Document key relationships, ongoing projects, and known issues requiring attention.
Stakeholder communication manages expectations across the organisation. Explain why you’re appointing an outsourced DPO, what they’ll do, and how people should interact with them. Address concerns about external oversight early, emphasising benefits rather than allowing suspicion to build.
Quick wins build credibility and momentum. Work with your DPO to identify improvements deliverable within the first few months. These might include updating critical policies, resolving overdue data subject requests, or delivering targeted training. Early successes demonstrate value and encourage ongoing support.
The Long-term Perspective
Viewing outsourced DPO services as long-term partnerships rather than short-term fixes delivers greatest value. Privacy compliance isn’t a project with defined endpoints – it’s an ongoing journey requiring continuous attention.
Regulatory landscapes will continue evolving. New technologies create novel privacy challenges. Customer expectations keep rising. Your outsourced DPO helps navigate these changes, ensuring your organisation adapts appropriately. Their broad experience across multiple clients provides early warning of emerging trends.
Building internal capability should remain a goal even with outsourced support. The most effective DPO relationships develop client skills over time. Through training, mentoring, and knowledge transfer, organisations become increasingly self-sufficient for routine matters while retaining expert support for complex issues.
Regular relationship reviews ensure ongoing alignment. Annual assessments of service delivery, changing needs, and relationship health keep partnerships productive. Don’t hesitate to discuss concerns or request changes – good providers welcome feedback and adapt accordingly.
Conclusion
An outsourced DPO transforms data protection from a compliance burden into a business enabler. By providing expert guidance, independence, and scalability, they help organisations navigate complex requirements while controlling costs. The key lies in selecting the right partner and building effective working relationships.
Athlex Ltd offers comprehensive outsourced DPO services designed for UK businesses. Our experienced team provides the perfect blend of legal expertise and business pragmatism. We understand that effective data protection must work within real-world constraints while ensuring robust compliance.
Whether you need full DPO services or targeted support for specific challenges, our privacy experts deliver tailored solutions that protect your business and build customer trust. Transform your approach to data protection today – contact Athlex Ltd to discover how outsourced DPO services can benefit your organisation.
In the digital age, protecting customer data isn’t just good practice – it’s a legal requirement. Since the implementation of GDPR in 2018, UK businesses face unprecedented obligations to safeguard personal information. The consequences of non-compliance can be devastating, with fines reaching up to 4% of annual global turnover or £17.5 million, whichever is higher. This reality makes professional data protection services essential for businesses of all sizes.
Understanding the Data Protection Landscape
The data protection landscape has evolved dramatically over recent years. What once seemed like a concern primarily for large corporations now affects every organisation that processes personal data. From small retail shops collecting customer emails to multinational corporations handling millions of records, the requirements remain equally stringent.
Many business owners underestimate the complexity of data protection regulations. GDPR compliance involves far more than simply adding a privacy policy to your website. It requires a comprehensive understanding of data flows, processing activities, legal bases for processing, and individual rights. The regulations touch every aspect of how organisations collect, store, use, and delete personal information.
The stakes have never been higher. Data breaches make headlines regularly, damaging reputations and resulting in significant financial penalties. In 2023 alone, the Information Commissioner’s Office issued millions of pounds in fines to UK organisations for data protection failures. These weren’t just technology giants – they included healthcare providers, retailers, and local authorities.
The Role of a Data Protection Officer
Under GDPR, certain organisations must appoint a data protection officer. This requirement applies to public authorities, organisations whose core activities involve large-scale systematic monitoring, or those processing special category data on a large scale. However, even when not legally required, having access to DPO services that UK businesses can rely on proves invaluable.
A skilled data protection expert brings specialised knowledge that most internal teams lack. They understand the nuances of privacy compliance, stay updated on regulatory changes, and can translate complex legal requirements into practical business processes. Their expertise helps organisations navigate the intricate balance between operational efficiency and regulatory compliance.
The responsibilities of a data protection officer extend far beyond basic compliance tasks. They serve as the primary point of contact with supervisory authorities, conduct privacy impact assessments, provide staff training, and ensure the organisation maintains appropriate technical and organisational measures. This comprehensive role requires both legal knowledge and practical business acumen.
Benefits of Outsourced Data Protection
For many organisations, an outsourced DPO provides the perfect solution. Rather than hiring a full-time specialist, businesses can access expert guidance when needed while controlling costs. This approach offers several distinct advantages that make it particularly attractive for small and medium-sized enterprises.
Cost efficiency stands out as a primary benefit. Hiring a qualified in-house data protection officer commands a significant salary, often exceeding £60,000 annually. Add recruitment costs, ongoing training, and employee benefits, and the investment becomes substantial. Outsourced data protection services provide the same expertise at a fraction of the cost.
Independence represents another crucial advantage. An external GDPR consultant brings objectivity that internal staff might struggle to maintain. They can challenge existing practices, identify vulnerabilities, and recommend changes without concern for internal politics or relationships. This independence proves particularly valuable during audits or investigations.
Flexibility allows organisations to scale support according to their needs. During quiet periods, they might require minimal assistance. When implementing new systems or responding to data subject requests, they can increase support accordingly. This adaptability ensures businesses receive appropriate help without paying for unused capacity.
Common Data Protection Challenges
Modern businesses face numerous data protection challenges. Understanding these common pitfalls helps organisations appreciate why professional support proves so valuable. Many companies struggle with basic requirements, let alone the more complex aspects of compliance.
Data mapping often presents the first hurdle. Organisations frequently lack a clear picture of what personal data they hold, where it’s stored, and how it flows through their systems. Without this fundamental understanding, achieving compliance becomes impossible. Professional services help create comprehensive data inventories that form the foundation of effective data protection strategies.
Consent management creates ongoing headaches for many businesses. GDPR raised the bar for valid consent, requiring it to be freely given, specific, informed, and unambiguous. Many organisations still rely on pre-ticked boxes or buried consent clauses that no longer meet legal standards. Expert guidance ensures consent mechanisms meet current requirements while remaining user-friendly.
Third-party risk management represents another significant challenge. Most businesses share data with suppliers, partners, or service providers. Each relationship creates potential vulnerabilities. Proper data processing agreements, due diligence procedures, and ongoing monitoring help manage these risks effectively.
Data Breach Prevention Strategies
Preventing data breaches requires more than good intentions. It demands systematic approaches to identifying and addressing vulnerabilities before criminals exploit them. Effective data breach prevention combines technical measures, organisational policies, and staff awareness.
Technical safeguards form the first line of defence. Encryption, access controls, and regular security updates help protect data from external threats. However, technology alone isn’t sufficient. Human error remains the leading cause of data breaches, making staff training and awareness crucial components of any prevention strategy.
Incident response planning proves equally important. Despite best efforts, breaches can still occur. Organisations with robust response plans minimise damage and demonstrate accountability to regulators. These plans should detail roles, responsibilities, and procedures for containing breaches, assessing impact, and notifying affected individuals and authorities within required timeframes.
Regular testing validates prevention measures. Penetration testing, vulnerability assessments, and simulated phishing attacks help identify weaknesses before real attackers find them. Professional data protection services include these assessments, ensuring organisations maintain effective defences against evolving threats.
The Future of Data Protection
Data protection requirements will only intensify in coming years. Emerging technologies like artificial intelligence and Internet of Things devices create new privacy challenges. Regulatory frameworks continue evolving to address these developments, making ongoing compliance increasingly complex.
International data transfers face growing scrutiny. Following the Schrems II decision, organisations must carefully assess the legal basis for transferring data outside the UK. New standard contractual clauses and transfer impact assessments add layers of complexity that require expert navigation.
Consumer awareness continues rising. People increasingly understand their data rights and won’t hesitate to exercise them. Organisations must prepare for more data subject requests, complaints, and scrutiny from privacy-conscious customers. Meeting these expectations requires robust processes and knowledgeable staff.
Choosing the Right Support
Selecting appropriate data protection support requires careful consideration. Organisations should evaluate potential providers based on qualifications, experience, and understanding of their specific industry. The right partner combines technical expertise with practical business sense.
Look for providers offering comprehensive services. Basic compliance checking isn’t sufficient – organisations need partners who understand their business, identify risks, and provide pragmatic solutions. The best providers offer ongoing support rather than one-off assessments.
Consider the provider’s approach to knowledge transfer. Effective partners don’t just solve immediate problems – they help organisations build internal capabilities. Through training, documentation, and mentoring, they enable businesses to handle routine matters independently while remaining available for complex issues.
Making Data Protection Work for Your Business
Effective data protection shouldn’t hinder business operations. When implemented properly, it enhances customer trust, improves operational efficiency, and creates competitive advantages. The key lies in finding the right balance between protection and practicality.
Start by understanding your current position. Conduct a thorough assessment of existing practices, identify gaps, and prioritise improvements based on risk and resource availability. Professional support accelerates this process, helping organisations focus efforts where they’ll have maximum impact.
Build data protection into business processes from the outset. Privacy by design principles ensure new projects consider data protection requirements from conception rather than retrofitting compliance later. This approach reduces costs and creates more effective solutions.
Conclusion
Data protection represents both a legal obligation and a business opportunity. Organisations that embrace comprehensive data protection strategies build trust, avoid penalties, and position themselves for sustainable growth. While the complexity of requirements can seem overwhelming, professional support makes compliance achievable.
Athlex Ltd provides expert data protection services tailored to UK businesses. Our team of qualified specialists understands the challenges organisations face and delivers practical solutions that balance compliance with operational needs. Whether you need ongoing DPO support or project-based assistance, we help protect your business and your customers’ data. Contact our expert team to discuss how we can support your data protection journey.
Legitimate interests is one of the most commonly relied-on lawful bases under the UK GDPR; nevertheless, it is also one of the most commonly misapplied. In practice, it can be an entirely appropriate basis for processing personal data, particularly where the processing is expected, proportionate, and supported by sensible safeguards. However, because this basis depends on context and balancing, it only really holds up when you can demonstrate that you have assessed necessity and impact through a Legitimate Interests Assessment (LIA). The ICO’s guidance makes clear that organisations should consider when legitimate interests is appropriate and keep records that help demonstrate compliance. (ICO)
This guide explains what legitimate interests is, when it works well (and when it doesn’t), and how small businesses can produce an LIA that is structured, defensible, and aligned with their privacy notice.
Why legitimate interests matters (and why it causes problems)
Legitimate interests is attractive because it feels operationally realistic: unlike consent, it is not withdrawn on a whim, and unlike contractual necessity, it does not require every processing activity to be “strictly required” to deliver a service. However, that flexibility comes with a trade-off, because you must be able to show that your interests are not overridden by the individual’s rights and freedoms, especially where the processing is unexpected or could create a tangible risk to the individual.
Although the UK GDPR does not provide a rigid definition of what counts as a legitimate interest, the ICO notes that the concept is broad and can include straightforward commercial interests, provided your assessment and safeguards are appropriate to the processing. (ICO)
The three-part LIA test (purpose, necessity, balancing)
A robust Legitimate Interests Assessment typically follows three stages. While templates vary, the underlying logic is consistent: you identify the interest, test whether the processing is necessary, and then balance that against the individual’s interests.
1) Purpose test: What is the legitimate interest?
Start by defining the interest clearly and specifically. “Running the business” is too vague to be meaningful; by contrast, “preventing fraud on customer accounts” or “maintaining network security” is more precise, measurable, and defensible.
At this stage, you should also confirm that the interest is lawful and genuine, and that the processing is not being used to justify something that would be better supported by another lawful basis.
2) Necessity test: Is this processing necessary to achieve it?
Here, “necessary” should be understood as proportionate and targeted, rather than “no alternative exists.” In other words, you are asking whether there is a less intrusive, reasonably available way to achieve the same aim with reduced impact on individuals.
For example, if your interest is preventing automated spam submissions, limited rate-limiting and short-lived security logs may be proportionate; however, building detailed behavioural profiles of visitors for indefinite periods is unlikely to be “necessary” for that purpose.
3) Balancing test: Do the individual’s interests override yours?
This is where legitimate interests either survives scrutiny or collapses on contact with reality.
A strong balancing test typically considers:
- the nature of the data (basic identifiers vs more sensitive information);
- the relationship (customer, employee, prospect, website visitor);
- reasonable expectations (is this what people would anticipate?);
- the likely impact (financial harm, distress, exclusion, or loss of control); and
- the safeguards in place (minimisation, retention limits, opt-outs, access controls).
The ICO highlights that legitimate interests requires consideration of the impact on individuals, and that additional care is required in higher-risk contexts, such as children’s data. (ICO)
What a good LIA looks like in practice
A defensible LIA is readable, specific, and reviewable. Importantly, it should not be written as if it is trying to “win” a conclusion; instead, it should demonstrate that you have genuinely assessed whether legitimate interests is appropriate, and what mitigations are necessary to make it fair.
The ICO provides a sample LIA template that is genuinely useful as a baseline structure, particularly for SMEs trying to introduce repeatable governance without turning every decision into a legal project. (ICO)
A practical LIA record usually includes:
- a short description of the processing (what you do, whose data, where it comes from);
- the interest you are pursuing (purpose test);
- why the processing is proportionate (necessity test);
- the balancing analysis (expectations, risks, impacts);
- safeguards and mitigations;
- the outcome (proceed / proceed with changes / use another lawful basis); and
- review triggers (new tools, new purposes, new audiences, new risks).
Common pitfalls that undermine legitimate interests
Pitfall 1: Using legitimate interests as the default for everything
While legitimate interests is flexible, it is not universal. If you are forcing the assessment to “pass,” that is often a sign that the processing is too intrusive, too unexpected, or insufficiently safeguarded.
Pitfall 2: Forgetting transparency
If you rely on legitimate interests, your privacy notice should not only name the lawful basis, but also explain what the legitimate interests are and how individuals can object. The ICO’s small-organisation guidance on privacy notices is a strong reference point for the content and clarity expected. (ICO)
Notably, the ICO flags that some privacy notice guidance is under review following the Data (Use and Access) Act coming into law on 19 June 2025, which is a helpful reminder that “set and forget” documentation rarely stays compliant for long. (ICO)
Pitfall 3: Treating the LIA as a one-off form
An LIA should be reviewed when the processing changes. For example, if you introduce new analytics tools, expand into new markets, begin using AI features, or start collecting new categories of data, your previous balancing assumptions may no longer be reliable.
Pitfall 4: Ignoring reasonable expectations
If your processing would surprise a typical person, your balancing test needs to be stronger, your safeguards tighter, and your transparency sharper. Put differently, surprise increases risk; therefore, you should either redesign the processing or choose a different lawful basis.
SME examples: where legitimate interests often works well
These are not blanket approvals; rather, they illustrate scenarios where legitimate interests is commonly relied upon, assuming the LIA supports it and safeguards are implemented.
Example A: Security logging
- Purpose: prevent unauthorised access and investigate incidents
- Necessity: limited logging supports detection and response
- Safeguards: short retention, access controls, monitoring, minimised fields
Example B: Service communications and account administration
- Purpose: ensure continuity of service, manage accounts, prevent fraud
- Necessity: basic identifiers and contact details are proportionate
- Safeguards: clear privacy information, retention controls, role-based access
Example C: B2B prospecting (carefully)
- Purpose: business development
- Necessity: limited contact details for targeted outreach
- Safeguards: clear opt-out, restrained frequency, suppression lists, and a stronger balancing test where expectations are less clear
How to reflect legitimate interests in your privacy notice
If you are using legitimate interests, your privacy notice should explain it in plain English. A simple, readable format is often the most effective:
- Purpose: why you process the data
- Lawful basis: legitimate interests
- Our legitimate interests: the specific interest pursued
- Your choices: how to object or opt out
For guidance on what should be included and how to write it clearly, the ICO’s privacy notice guidance for small organisations is a useful reference, and its “create your own privacy notice” tool can be helpful as a starting point for SMEs. (ICO)
When to choose a different lawful basis instead
Legitimate interests is often unsuitable where the processing is unexpected, intrusive, or high impact, particularly where:
- you are processing children’s data;
- you are using special category data in ways that increase risk; or
- the processing could materially affect an individual’s opportunities, access, or treatment.
When the balancing test is strained, it is usually more effective to step back and reconsider the design of the processing itself, rather than trying to “paper over” risk with optimistic wording.
How Athlex can help
If you want legitimate interests to be defensible, you need more than a template you downloaded and forgot to tailor. You need processing-specific reasoning, a workable record, and wording that matches what you do day-to-day.
Athlex can support in a few ways:
- Outsourced DPO support (ongoing guidance, governance, and risk management). (Athlex Limited)
- Practical advisory support (including contract reviews, clause support, and compliance packages). (Athlex Limited)
Coming soon: Athlex templates built for small businesses. We’re launching a set of downloadable templates designed to be practical, plain-English, and SME-ready, including LIAs, privacy notice wording, and other essentials. They’re built to reflect real-world processing, so you can implement them quickly without the usual “generic filler” problem.
In the meantime, you may find our UK GDPR compliance checklist for small businesses a useful quick-start resource. (Athlex Limited)
Key takeaways
Legitimate interests can be a strong, flexible basis under the UK GDPR; however, it only works when you can show your reasoning. If you document your LIA properly, apply safeguards that reduce risk, and align your privacy notice with what you actually do, you are far more likely to end up with compliance that is credible rather than cosmetic.
FAQ
What is legitimate interests under UK GDPR?
Legitimate interests is a lawful basis that may allow processing when you have a genuine interest that is not overridden by the individual’s rights and freedoms, provided the processing is fair and proportionate. (ICO)
Do I need a legitimate interests assessment (LIA)?
In practice, yes. An LIA is the clearest way to document your purpose, necessity, and balancing analysis, and the ICO provides a sample template to support structured decision-making. (ICO)
Do I need to mention legitimate interests in my privacy notice?
Yes. If you rely on legitimate interests, your privacy notice should communicate that basis and explain what the interests are, using clear, accessible language. (ICO)
A GDPR privacy notice explains how your business uses personal data, and your website terms set the rules for using your site. Transparent communication is the cornerstone of effective data protection, and together these two documents form a vital part of your compliance strategy. For UK businesses, getting them right is essential to meet obligations under the UK GDPR and to build trust with clients and partners. This guide outlines the key elements of a privacy notice and website terms and explains how to develop documents that are both informative and legally sound.
Why a Privacy Notice Matters
A GDPR privacy notice is your evidence of transparency: it shows people what you collect, why, and what choices they have. A privacy notice is a public statement about how your organisation collects, uses and safeguards personal data. It covers details like the types of data collected, why you collect it, how long you keep it, who you share it with and what rights individuals have. Athlex’s privacy notice begins by explaining that it covers personal data when people contact the company, visit its website or use its services. It clarifies that personal data includes any information that can directly or indirectly identify an individual. Starting with this definition helps set expectations and aligns with legal requirements.
Information You Should Include
Your privacy notice should be comprehensive yet easy to understand. Consider including the following sections:
- Who You Are: Identify your business name and contact details. If you have a Data Protection Officer (DPO) or representative, include their contact information.
- What Data You Collect: Explain the categories of data you collect, such as names, contact details and information about a person’s role. If you collect data indirectly, describe the scenarios, for example receiving information from clients or through public sources.
- How You Obtain Data: Describe the different ways you collect personal data, from website forms and customer interactions to third-party sources.
- Why You Collect Data: Outline the purposes for processing personal data, such as providing services, sending marketing communications or complying with legal obligations.
- Lawful Basis: Identify the legal basis for each purpose, such as consent, contract, legitimate interests or legal obligation.
- How You Share Data: Explain if you share data with third parties and why. Be transparent about processors, partners or platforms used for marketing and analytics.
- Data Retention: State how long you keep personal data and what criteria determine retention periods. If you have different retention periods for different data types, explain this clearly.
- Security Measures: Summarise the technical and organisational measures you use to protect data.
- Individual Rights: Inform people about their rights, including access, rectification, erasure, restriction, objection and data portability. Explain how they can exercise these rights and provide contact details for requests.
- International Transfers: If you transfer data outside the UK or EU, describe how you safeguard those transfers.
- Updates: Indicate how you will notify people of changes to the notice.
Avoid legal jargon and keep sentences straightforward. Use headings and bullet points so readers can find information easily. Remember to provide the notice in a format accessible to people with disabilities.
Creating Website Terms
Website terms of use set expectations for visitors and protect your business from misuse. These terms should be tailored to your services and industry. Key areas to cover include:
- Acceptance of Terms: State that by using the site, users agree to the terms and any related policies (privacy notice, cookie policy). Athlex’s terms open by welcoming users and advising them to read the terms alongside the Privacy Notice and Cookie Notice.
- Permitted Uses: Explain how users may interact with your site. For example, they may view and print pages for personal use but must not reproduce content for commercial purposes without permission. If you allow quoting, specify that they must credit your business.
- Prohibited Conduct: List activities you prohibit, such as attempting to gain unauthorised access, interfering with the site’s operation or uploading malicious code. Athlex’s terms warn against unlawful use, hacking and introducing malware. Writing these rules in positive, plain language helps clarity.
- Intellectual Property: Assert your ownership of the website’s content and branding. Outline what users can and cannot do with your content.
- Liability and Disclaimers: Limit your liability for errors or interruptions on the site. Clarify that the site’s content is general information, not legal advice. If you offer downloadable materials, explain that users rely on them at their own risk.
- Links to Third Parties: Include a disclaimer that you are not responsible for the content of external sites. If you allow others to link to your homepage, set conditions for doing so.
- Governing Law: Specify which jurisdiction’s laws govern the terms and where disputes will be resolved.
- Changes to Terms: Reserve the right to update the terms and advise users to check back regularly.
It is also important to consider accessibility. Provide the terms in a readable format and ensure they are easy to find – typically in the website footer.
Aligning Privacy Notices and Website Terms
While privacy notices and website terms serve different purposes, they should be consistent. Your terms should reference your privacy notice and cookie policy, and vice versa. Ensure definitions match and that you use the same language across documents. If you update the cookie policy in response to the Data (Use and Access) Act (DUAA), reflect that change in the terms by referring to the updated policy.
Keeping Documents Up to Date
Laws and business practices change. The DUAA introduces new duties, such as stricter cookie consent rules and expanded subject access rights. Keep an eye on guidance from the Information Commissioner’s Office and update your documents as necessary. Use clear effective dates and inform users when significant changes occur. Keeping a revision history in a separate log can help demonstrate accountability if regulators review your compliance.
Practical Tips for SMEs
- Use Templates Wisely: Starting with a reputable template can save time but customise it to your business. Make sure the purposes, lawful bases and contact details reflect your operations.
- Seek Professional Advice: For complex processing, hiring a data protection consultant or outsourcing your DPO can help you draft documents that meet legal requirements and business needs.
- Educate Your Team: Everyone who interacts with customers or data should understand what the privacy notice says. Training ensures consistent messaging and helps staff recognise when to direct people to the notice.
- Make It Visible: Link to your privacy notice and terms in the website footer, sign-up forms and anywhere you collect data. Transparency builds trust.
- Monitor Feedback: Pay attention to questions or complaints about your privacy notice or terms. If users find something unclear, update it.
If you’re using a template, make sure your GDPR privacy notice matches what you actually do in practice, not what the template guesses.
Conclusion
A clear privacy notice and well-structured website terms are cornerstones of good data protection practice. They help you comply with the UK GDPR, prepare for changes under the DUAA and set expectations for how visitors should use your site. By explaining what data you collect, why you collect it and how people can exercise their rights, you demonstrate respect for privacy. Clear website terms protect your business from misuse and reinforce that your content and services are valuable. Investing time in crafting these documents pays off in greater trust, fewer misunderstandings and reduced legal risk.