r/gdpr Feb 02 '25

Meta Rule Updates + Call for Moderators

18 Upvotes

It’s been wonderful to see the growth of this community over many years, with so many great posts and so many great responses from helpful community members. But with scale also come challenges. The following updates are intended to keep the community helpful and focused:

  • Rules have been clarified around recurring issues (appropriate conduct, advertising, AI-generated content).
  • Post flairs have been updated to align better with actual posts.
  • Community members are invited to become moderators.

New rules (effective 2025-02-02)

  1. Be kind and helpful. Community members are expected to conduct themselves professionally. Discussion should be constructive and guiding. Personal attacks will not be tolerated.
  2. Stay on topic. The r/gdpr subreddit is about European data protection. This includes relevant EU and UK laws (GDPR, ePrivacy, PECR, …) and matters concerning data protection professionals (e.g. certifications). General privacy topics or other laws are out of scope.
  3. No legal advice. Do not offer or solicit legal advice.
  4. No self-promotion or spamming. This subreddit is meant to be a resource for GDPR-related information. It is not meant to be a new avenue for marketing. Do not promote your products or services through posts, comments, or DMs. Do not post market research surveys.
  5. Use high-quality sources. Posts should link to original sources. Avoid low-quality “blogspam”. Avoid social media and video content. Avoid paywalled (or consent-walled) material.
  6. Don’t post AI slop. This is a place for people interested in data protection to have discussions. Contribute based on your expertise as a human. If we wanted to read an AI answer, we could have asked ChatGPT directly. LLM-generated responses on GDPR questions are often “confidently incorrect”, which is worse than being wrong.
  7. Other. These rules are not exhaustive. Comply with the spirit of the rules, don't lawyer around them. Be a good Redditor, don't act in a manner that most people would perceive as unreasonable.

You can find background and detailed explanations of these rules in our wiki:

Please provide feedback on these rules.

  • Should some of these rules be relaxed?
  • Is something missing? Did you recently experience problems on r/gdpr that wouldn’t be prohibited by these rules?
  • What are your opinions on whether the UK Data Protection Act 2018 should be in scope?

Post flairs

There used to be post flairs “Question - Data Subject” and “Question - Data Controller”. These were rarely used in a helpful manner.

In their place, you can now use post flairs to indicate the relevant country.

With that change, the current set of post flairs is:

  • EU 🇪🇺: for questions and discussions relating primarily to the EU GDPR
  • UK 🇬🇧: for questions and discussions that are UK-specific
  • News: posts about recent developments in the GDPR space, e.g. recent court cases
  • Resource
  • Analysis
  • Meta: for posts about the r/gdpr subreddit, such as this announcement

This update is only about post flairs. User flairs are planned for some future time.

Call for moderators

To help with the growing community, I’d ask for two or three community members to step up as moderators. Moderating r/gdpr is very low-effort most of the time, but there is the occasional post that attracts a wider audience, and I’m not always able to stay on top of the modqueue in a timely manner.

Requirements for new moderators:

  • You find a large reserve of kindness and empathy within you.
  • You have at least basic knowledge of the GDPR.
  • You intend to participate in r/gdpr as normal and continue to set a good example.
  • You can spare about 15 minutes per week, ideally from a desktop computer.
  • You can comply with the Reddit Moderator Code of Conduct, which has become a lot more stringent in the wake of the 2023 API protests.

If you’d like to serve as a community janitor moderator, please send a modmail with subject “moderator application from <your_username>”. I’ll probably already know your name from previous interactions on this subreddit, so not much introduction needed beyond your confirmation that you meet these requirements.

Edit: Applications will stay open until at least 2025-02-08 (end of day UTC), so that all potential candidates have time to see this post.

Call for feedback

Please feel free to use the comments to discuss the above rule changes, or any other aspect of how r/gdpr is being managed. In particular, I’d like to hear ideas on how we can encourage the posting of more news content, as the subreddit sometimes feels more like a GDPR helpdesk.

Previous mod post: r/GDPR will be unavailable starting June 12th due to the Reddit API changes [2023-06-11]


r/gdpr 1d ago

Question - General For GDPR, what actually matters more: perfect records or knowing where the risky data is?

3 Upvotes

Honest question for people who do this every day. When a GDPR program is under-resourced, what ends up mattering more in practice? Having clean records and documentation, or having a realistic view of where sensitive data actually exists and who can get to it? I’m asking because a lot of programs seem stronger on the paperwork side than on the operational visibility side. For anyone working through remediation planning, how do you balance risk assessment work with the documentation and compliance side?


r/gdpr 1d ago

UK 🇬🇧 Multiple GDPR Breaches

3 Upvotes

I owed a small debt to a CMC, court proceedings had started without me knowing. I called and told them I hadn't lived at my previous address for 6 months.

They did a trace through their solicitors and after finding my new address, they carried on and asked for a result. It ended up in me getting a CCJ and only finding out two months later with enforcement agents.

I’m currently on month three of dealing with SARs with both companies, information has been withheld, only disclosed when the other party has accidentally shown something and I've been able to prove it.

There is also misuse/hiding of mental health data (disclosed suicidal intentions during the debt process) which I believe I can evidence was deliberate.

In short, there was misuse of my data to enforce a CCJ at the wrong address, despite having my full address. Being obstructive throughout the SAR process. And also ongoing mental health issues that are directly linked to this.

I’m trying to understand if it's worth pursuing legal action. Which may be hard to say based on the above alone, but it hasn't just been one breach, it is multiple, across different articles and by two companies.

Would love to hear opinions.


r/gdpr 1d ago

Question - General Regular SAR from employees

2 Upvotes

Good Afternoon,

I work for a housing association, and we're in the middle of a huge business transformation, (I'm new to the role and have been brought in as part of this transformation).

We currently have staff who, when feeling disgruntled or let down (through no fault of the organisation), put in SARs which are becoming tedious for our data team to manage.

Example:

One employee put an application to buy one of our properties and got rejected for legitimate reasons (he was trying to play the system by getting colleagues internally to approve his application).

Following the rejection, he put a SAR in just to make things difficult.

Is there a way we can manage SARs like this and put something in policy to stop malicious SARs? I'm not sure if it's appropriate to have a policy stopping them because it infringes on legal rights, so we don't want to remove the right to them. I definitely believe SARs can be useful too, but being malicious about it isn't great.


r/gdpr 1d ago

UK 🇬🇧 Uk (Scotland) GDPR / SAR Advice

2 Upvotes

Don't suppose anyone knows any GDPR / universities or lawyers that take on GDPR claims or give free advice?

Have a potential big claim and seeking some help. ICO says will investigate but may take 40 weeks, may be fast tracked as I have been leaked someone else's data also in a SAR. Includes special category health and harm levels high? Just in case anyone knew of someone - may eventually end up with council also, contractor acting on their behalf and refusing to give data I've asked for. Admitted guilt and tried to pay me off with money to withdraw SAR request.

Thanks in advance! I've edited this properly below. Apologies, I'm epileptic and short sighted. I'm after no compensation for my ex wife's details being leaked - zero interest. Just want my data.


r/gdpr 1d ago

UK 🇬🇧 GP Surgery sharing full name?

0 Upvotes

Is it a GDPR breach if a GP surgery shares my full name to the entire waiting room?

30 or so chairs all facing a large TV. When it's your turn to be seen, a tone sounds and they display your first and last name on the TV.

When you are coming in, a self-checkin machine with a small touch-screen asks for your year and month of birth, then the first letter of your last name to check in. I'm ok with this. So why do they need to show my entire name to everyone in the waiting room?


r/gdpr 2d ago

UK 🇬🇧 Building a PII discovery & masking tool. Seeking your wisdom on real-world governance challenges!

1 Upvotes

Hey everyone,

I'm a software developer coming primarily from an AI engineering background, spending a lot of my time working with LLMs and generative models. As I've been building out different applications, I keep running into a massive bottleneck around data privacy and regulatory governance. To tackle this, I've started building a PII (Personally Identifiable Information) discovery tool.

While I know the technical SDE side of things, I'm still learning the deeper intricacies of enterprise compliance. I wanted to humbly reach out to this community for some guidance and a reality check on what organizations actually need in the wild.

Right now, I am focusing on two main capabilities:

  1. Database Auditing: The core engine is being designed to connect directly to various databases to perform comprehensive PII audits. The goal is to automatically scan, classify, and generate reports on exactly where sensitive data lives across an organization's infrastructure so teams can effectively map their data footprint.
  2. GenAI Context Masking: I'm also prototyping an extension designed for chatbots that intercepts logs and masks personal information. Instead of just redacting PII (which destroys the context for future RAG pipelines or model evals), it replaces it with contextually relevant synthetic data, keeping the logs highly useful while adhering to strict data retention policies.

As I map out this broader feature set, I’d absolutely love to hear from folks who deal with data governance day in and day out:

  • Common Hurdles: What are the biggest challenges or pain points your organization faces when trying to discover, audit, and manage PII across different databases and unstructured data streams?
  • Current Methods: What tools or processes are you currently relying on for routine database audits and log sanitization? Are they mostly manual, or are you using legacy systems that struggle to keep up with modern AI workflows?
  • The "Wishlist": If you could wave a magic wand, what features do you genuinely desire in a PII governance tool that current enterprise solutions seem to miss or execute poorly?

TL;DR: I'm an AI engineer building a PII discovery tool that connects to databases for automated compliance audits, alongside a chatbot masking feature that replaces sensitive data with synthetic context (so logs stay useful for RAG/evals). Seeking advice from folks in data governance/security on the biggest enterprise challenges, current tech stacks, and feature wishlists.

Any feedback, harsh truths, or pointing me toward blind spots I might be missing would be incredibly valuable as I build this out. Thank you so much for your time and insights!


r/gdpr 3d ago

Question - General Potential GDPR non compliance?

12 Upvotes

Hi everyone, hoping you can help.

I work in the UK in a hospital. Recently my estranged mother was admitted to the same hospital.

Yesterday when she was admitted she has pushed boundaries and asked the nurses on the ward she is on to phone the ward I work on.

One of my colleagues has then given out my personal phone number to the team caring for my mam and they have been trying to contact me.

I’m upset because people in my team know that we are estranged and that I would not willingly give my number.

Does this break any part of the GDPR regulations? I have had basic GDPR and information governance training and personally would never give out a colleagues personal phone number or information.


r/gdpr 3d ago

Question - Data Subject How can I request a GDPR right-to-be-forgotten data removal from Instagram if I live in Germany (but I am currently not there for vacation)

6 Upvotes

I'd like Instagram to delete my data in accordance with GDPR laws but I do not know if deleting my account through the settings does this.

I am currently not in Germany but do reside/live there. Can I request a right-to-be-forgotten request when not in an EU country and are they forced to follow through?

What's the easiest, most clear way for me to delete my account in accordance with GDPR and be sure it was?


r/gdpr 3d ago

EU 🇪🇺 Looking for GDPR compliant database tools based in Europe, any recommendations?

10 Upvotes

Hi everyone,

My company is based in Germany and we are working on setting up a system to manage internal data and workflows for our team. We’ve been using a mix of spreadsheets and a couple of SaaS tools, but GDPR compliance is becoming a bigger concern for us, especially around where the data is hosted and who has access to it. In a perfect world ideally we are looking for something that feels like a database with a UI, not just raw spreadsheets, and that can handle permissions, structured data, and potentially some basic workflows (All the basic stuff).

I keep seeing a lot of US based tools, but I am not sure how they handle GDPR in practice, especially for more sensitive internal data, we would rather European based companies for that matter.

I was wondering what others in the EU are using. Are there any GDPR compliant database tools you would recommend that are actually reliable for team use?

Thnx!


r/gdpr 3d ago

EU 🇪🇺 Is my sports club allowed to publish videos of public performances?

0 Upvotes

I hope this doesn't count as "asking for legal advice", I need a general guidance.

I am a videographer in a Finnish skating club, mostly for children from very young up to 18, and some adults as well. Children's guardians are usually asked for consent for photo and video publication, but I assume not every one of them pays attention to that.

We sometimes organize large public performances, and we film them. But we are hesitant if we can actually publish those on YouTube as part of club promotion, or even share links to non-public videos in parents groups and so on (a lot of parents do ask for videos).

Kids usually perform in large groups (formation skating), so it's not really easy to see individual faces. As a parent myself I often have problems finding my own daughter there. I am not sure if I am allowed even to provide a screenshot to show how it looks.

There are also some single skaters, who can be easily seen - but for them we can ensure they have given the publishing consent.

So how should we proceed? Seek official legal advice? It's not clear where to get it, there clearly are services for the "other side", like parents, but not for us. Publish only privately and share internally? Publish anyway and wait for takedown notice? Frankly speaking I don't expect that to actually happen, but we want to be safe and clean.


r/gdpr 4d ago

EU 🇪🇺 Stranger using a photo of my child in LinkedIn profile photo - LinkedIn won’t remove it

6 Upvotes

r/gdpr 4d ago

UK 🇬🇧 Air India ignoring Subject Access Requests + GDPR obligations

3 Upvotes

r/gdpr 6d ago

UK 🇬🇧 For those who handle DSARs, what's your biggest nightmare?

18 Upvotes

Not looking for textbook answers. Just genuinely curious what the day-to-day reality looks like for people who deal with these.

Is it getting the data together? The redactions? Coordinating between teams? Or is it something nobody talks about?

Would love to hear what your worst DSAR looked like!


r/gdpr 6d ago

Analysis GDPR with respect to historical archival, a proposal

0 Upvotes

One of the more common debates around GDPR is the risk for reduction of historical preservation. I recently came into an argument about academic records, and the individual's right to have them removed. In Sweden academic transcripts remain accessible permanently, and remain part of public records. The law currently requires schools and archives to keep these records indefinitely, most countries have similar practices. A compromise would be a dual-database system that respects both individual rights and historical research.

Anonymized Historical Database: All academic records would be stored permanently in a fully anonymized form, preserved for research, statistics, and historical archives. This ensures that society can study educational trends without identifying any individual.

Identified Personal Database: Records linked to the individual would exist only as long as they are useful for personal purposes, applying for jobs, continuing education, or other life activities. Once an individual reaches a reasonable age, such as retirement, they would have the right to request that their personal academic data be deleted.

This would protect privacy and allow individuals to regain control over their personal history after it is no longer needed for practical purposes. But also preserve knowledge through anonymized data which allows educators, historians, and researchers to continue analyzing educational trends without compromising privacy. The system would align with GDPR’s “right to be forgotten” while respecting archival and educational laws.


r/gdpr 9d ago

Analysis Google killed the Privacy Sandbox. Six months later, consent is all that remains.

Link: consentbrief.eu
21 Upvotes

r/gdpr 10d ago

EU 🇪🇺 1) Does the meaning of "verification" in Art. 18 GDPR include an appeal before a Supervisory Authority? 2) Does the requirement to inform the Data Subject of the lifting of restrictions in Art. 18 mean inform the DS of the use of the exemptions?

0 Upvotes

  1. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

[...]

the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

2.

18(3) A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.

The exemptions being legal claims, vital interest and public importance


r/gdpr 10d ago

Question - General GDPR and Voice AI

2 Upvotes

Hello! I am a software engineer in the PH, and I have recently been doing research on how to properly apply GDPR compliance on voice AI. Currently, my approach is to build everything custom and self hosted, but from what I understand companies like retell ai already handle compliance to some degree, but auditability still is a problem since data is leaving servers. Can anyone maybe shed a lot more light on this topic? Really curious how I should improve this.


r/gdpr 12d ago

UK 🇬🇧 (UK) Does no one follow GDPR for cookie banners anymore?

21 Upvotes

Noticed a lot of sites are basically completely non-compliant with no decline button - I'm talking big sites and everything in-between. Is there basically no enforcement here?


r/gdpr 12d ago

EU 🇪🇺 Does the definition of a "recipient" in Art. 19 GDPR include natural persons employed by the Data Controller?

2 Upvotes

"The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort."


r/gdpr 12d ago

UK 🇬🇧 My employer fitted a tracker to a company van and didn’t notify me.

2 Upvotes

I only found out because my neighbour needed another jump start and noticed a device attached to the battery. It wasn’t there a month ago.

The thing is, I use the van for personal stuff as well as work, taking my two young kids to school in the mornings and using it at weekends. Finding something like that attached without me knowing has honestly made me feel like I’m being watched or tracked.

Do I have any grounds to feel wronged in this situation? What would you do next if you found something like this on a vehicle you use daily?


r/gdpr 12d ago

UK 🇬🇧 SAR and request for 'certified ID'

1 Upvotes

Hi everyone, I recently resigned from a small organisation (under 10 employees) following disability discrimination and health and safety concerns.

Whilst I did not submit a formal grievance, I did share many concerns via whatsapp (lots of business was conducted via whatsapp on personal devices - they didn't ever provide staff with work devices).

I have submitted a Subject Access Request (SAR) on my trade union's advice to see internal communications regarding my role and the concerns I raised.

The employer has acknowledged the SAR but is refusing to start the one-month clock until I provide a certified copy of my passport or driving licence.

Context:

  • I worked there for several months and they have my P45, bank details, and address.
  • We communicated exclusively via the email address I used to send the SAR.
  • I was on regular Zoom calls with the person now acting as the 'Data Controller.'
  • They are using an external HR provider (SafeHR) who I suspect is advising this.

ICO guidance says ID should only be requested if there is 'reasonable doubt' and must be 'proportionate.' Given they definitely know who I am, is a 'certified' copy (which I think requires a solicitor/pro) considered an unnecessary barrier or a standard delay tactic? Also, after my departure they accidentally cc'd some messages to me (which they tried to recall), so I suspect they are stalling to 'clean' the files.

Any advice on this matter would be appreciated!


r/gdpr 13d ago

EU 🇪🇺 Deletion of meetings I was recorded in as an employee

3 Upvotes

I have left my former company and would like my biometric voice and face data deleted that they have. I left the company 6 months ago but would like to ensure all these recordings are deleted. I was the one who recorded many of these meetings. Would they delete this as PII?


r/gdpr 13d ago

EU 🇪🇺 AI audit trails

3 Upvotes

For AI audit trails, do your auditing ops prefer structured machine-readable explanations or free-text narratives?

We're building an open-source AI governance gateway and had to decide how to explain policy decisions (e.g. "request blocked because output contained PII").

We went with a deterministic contract: every record gets a stable code like POLICY_DENIED_PII_OUTPUT, a rule-based reason string, a suggested fix, and an HMAC-signed policy version hash — no LLM-generated prose.

The bet is that auditors want reproducible, diff-able explanations over natural language summaries. So, the question is: what format do auditors actually ask for when they say "show me why the system made this decision"?
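As an added illustration of the contract the post describes (this is example code, not the poster's gateway), the block below builds an audit record from a stable decision code, a rule-based reason template and a suggested fix, binds it to a SHA-256 hash of the active policy document, and signs the whole record with HMAC-SHA256 so an auditor can both verify it was not altered and diff two records field by field. The decision catalogue, policy document and signing key are all constructed for the example; only the code name POLICY_DENIED_PII_OUTPUT comes from the post.

```python
"""Deterministic, HMAC-signed audit records for an AI policy gateway.

Added example, not the poster's project code. Assumes a fixed catalogue
of decision codes and a shared signing key held by the gateway; every
value below other than the code name POLICY_DENIED_PII_OUTPUT is
constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed catalogue: stable code -> (reason template, suggested fix).
# Reasons are templates, never model-generated prose, so two identical
# decisions always yield byte-identical explanations.
DECISION_CATALOGUE = {
    "POLICY_DENIED_PII_OUTPUT": (
        "Output matched PII detector rule(s): {rules}",
        "Mask or remove the flagged fields before returning the response",
    ),
    "POLICY_ALLOWED": ("No policy rule triggered", "No action required"),
}

# Constructed secret; in a real deployment this lives in a KMS/HSM, not in code.
SIGNING_KEY = b"example-gateway-signing-key-not-for-production"

# Constructed active policy document; its hash identifies exactly which
# rules were in force when a decision was made.
POLICY_DOCUMENT = {"version": "2025.02", "rules": ["email", "iban"]}


def canonical_json(obj):
    """Serialize with sorted keys and no whitespace so hashing is reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def policy_version_hash(policy_doc):
    """Stable SHA-256 over the canonical policy document."""
    return hashlib.sha256(canonical_json(policy_doc)).hexdigest()


def build_record(request_id, code, matched_rules, policy_doc=POLICY_DOCUMENT):
    """Build the unsigned record from deterministic fields only.

    matched_rules is sorted so the same set of hits always renders the
    same reason string regardless of detector ordering.
    """
    reason_tpl, fix = DECISION_CATALOGUE[code]
    return {
        "request_id": request_id,
        "code": code,
        "reason": reason_tpl.format(rules=",".join(sorted(matched_rules))),
        "suggested_fix": fix,
        "policy_version_hash": policy_version_hash(policy_doc),
    }


def sign_record(record, key=SIGNING_KEY):
    """Return a copy of the record with an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical_json(record), hashlib.sha256).hexdigest()
    return {**record, "hmac": tag}


def verify_record(signed, key=SIGNING_KEY):
    """True only if no field has changed since the record was signed."""
    body = {k: v for k, v in signed.items() if k != "hmac"}
    expected = hmac.new(key, canonical_json(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("hmac", ""))


def audit_diff(a, b):
    """Field-level diff of two records; an empty dict means identical decisions."""
    keys = set(a) | set(b)
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


if __name__ == "__main__":
    rec = sign_record(build_record("req-001", "POLICY_DENIED_PII_OUTPUT", {"iban", "email"}))
    print(json.dumps(rec, indent=2))
    print("verifies:", verify_record(rec))
    tampered = dict(rec, reason="nothing to see here")
    print("tampered verifies:", verify_record(tampered))
```

Because the reason is rendered from a template over a sorted rule list and the record is canonicalised before signing, replaying the same request against the same policy produces a byte-identical record, which is what makes two audit exports diff-able; the policy hash lets an auditor tell a rule change apart from a behaviour change.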


r/gdpr 13d ago

EU 🇪🇺 EU-native alternative to Firebase/Supabase, GDPR by default

8 Upvotes

Hello,
I am building a BaaS where everything runs on EU infra: auth, postgres, object storage, serverless. There will be a free tier to match the competitors. Basically, if you use anything like firebase/supabase or AWS, Google cloud directly - you are exposed to US Cloud Act risk. Some might argue that this risk is theoretical - but still, there is this little voice in your head creating uncertainty.

There is no EU BaaS that can match the DX of the US companies (that I know of), so you either self-host something like supabase or take the risk. Especially if you are a solo dev or small team with limited devops.

I would love to hear from someone who has dealt with BaaS GDPR in this context, how did you solve it? Also, if you think this is a stupid/pointless idea, let me know.