Data Protection and Online Safety: Finding the Balance in Digital Identity

Online safety depends on knowing enough about people to protect them.

Data protection asks a quieter question: how much do we really need to know?

The Online Safety Act and UK data protection law are often spoken about separately.

In practice, they meet at one of the most sensitive points in digital life: how organisations verify people, protect children, limit access, and keep data collection proportionate.

The same tension appears in age assurance, subject access requests (SARs), standard email, digital identity, and the practical steps leadership teams can take without the work becoming overwhelming.

For this episode, we caught up with Founder and CEO of Beyond Encryption Paul Holland, to talk about how organisations can balance safety, privacy, and identity, in real-world customer journeys.

The Tension Between Safety and Privacy

The Act explainer describes the Online Safety Act as a framework for protecting children and adults online, including duties for platforms to reduce risks from illegal and harmful content.

At the same time, UK data protection law asks organisations to be careful, proportionate, and specific about the personal data they collect and retain.

Safety Needs Signals, Privacy Needs Restraint

The challenge is that two protective regimes can pull organisations in different operational directions.

"Our data is precious, and I really hope people are beginning to understand, in an increasingly digital world, how important it is to put our arms around it and protect it."

Paul Holland, Founder and CEO, Beyond Encryption

Online safety duties can require in-scope services to understand more about user activity, risk, or whether someone meets a threshold, such as being over 18.

Data protection principles ask whether each piece of information is adequate, relevant, and limited to what is necessary.

That makes proportionality the central question.

Age Assurance Is a Trust Moment

Age assurance is one of the clearest examples of this tension.

Ofcom’s age checks guidance explains that age assurance can include age verification, age estimation, or a combination of both, and that methods must be highly effective where required.

The user experience matters because people are often being asked to share sensitive information with a website or service they may not know well.

That creates a trust gap.

People may understand why a service needs to confirm they are old enough to access something, but still feel uncomfortable handing over identity documents or biometric information when a lighter-touch method could be enough.

The joint statement from the ICO and Ofcom is useful here because it looks directly at the interaction between online safety and data protection in age assurance.

Data Minimisation Still Matters

Data minimisation helps organisations decide what information is genuinely needed for a specific purpose.

Collect for the Purpose, Not the Possibility

Many organisations have historically tried to collect as much as possible at the start of a customer relationship, so they never have to ask again.

That can feel efficient, especially in regulated sectors where identity, authority, eligibility, financial crime checks, and customer due diligence all matter.

But it can also create unnecessary risk.

The ICO’s data minimisation guidance says personal data should be adequate, relevant, and limited to what is necessary for the stated purpose.

The better question is: what is the minimum information needed to perform this specific function?

For a high-risk anti-money laundering check, deeper identity evidence may be necessary.

For confirming that someone is over a threshold age, a privacy-preserving age signal may be more appropriate than a full identity disclosure.

Context Should Shape the Level of Checking

Not every interaction needs the same level of verification.

Some journeys require high-assurance identity and verification checks.

Others may only need to confirm one fact, such as whether a person is old enough to access a particular service.

This is where contextual, dynamic, and consent-led processes become important.

Instead of designing one heavy identity journey for every scenario, organisations can think in layers: what is the risk, what is the user trying to do, what evidence is proportionate, and what can be avoided?

The Subject Access Request Challenge

Subject access requests are another useful example because they bring rights, identity, and secure communication together.

A person has the right to ask an organisation for a copy of their personal data.

But before releasing that data, the organisation also needs to be satisfied that the requester is who they claim to be.

The Right to Access Needs the Right Safeguards

The ICO’s subject access guidance says organisations can ask for information to verify someone’s identity if they are unsure who the requester is.

That sounds simple, but the practical question is how to do it without creating a new risk.

People are often uncomfortable sending passports, driving licences, or birth certificates through the post.

Yet many still send scans or photographs of those same documents by standard email.

That is where a rights process can accidentally become a data exposure problem.

Sending the Response Is Part of the Risk

The risk does not end once identity is verified.

If the organisation is sending a SAR response, it may be disclosing a large amount of sensitive personal data.

That response needs to reach the right person, in a format they can access, through a channel that adds appropriate safeguards.

This is why the delivery channel matters just as much as the request itself.

A strong SAR process should cover both ends of the journey: verifying the requester and protecting the disclosure.

Why Standard Email Creates Gaps

Email is familiar, convenient, and widely used.

That is why it is still one of the default channels for sensitive customer communication across regulated sectors.

But familiarity can hide the risk.

The Postcard Analogy Still Helps

The postcard analogy remains useful: sending sensitive information by standard email can be like sending it on a postcard.

Standard email gives senders limited control over who opens the content, how access is authenticated, or what happens after delivery.

The ICO’s encryption guidance currently notes that encrypting personal information in transit provides protection against interception while information moves from one device to another.

For sensitive communications, organisations also need to think about secure email features such as recipient authentication, access control, tracking, expiry, and secure replies.

Small Pieces of Data Can Become Bigger Risks

One isolated piece of data may not look dangerous on its own.

But when combined with other information, it can help someone build a picture of an individual and impersonate them more convincingly.

The ICO’s data security guidance highlights how compromised personal data can contribute to harms such as identity fraud and more convincing targeting by fraudsters.

Secure communication also reduces weak points across the wider customer journey.

What Leaders Should Prioritise

Leadership teams should start with the highest-risk journeys and give the final mile of communication proper attention.

The aim is to build a clear, reviewable approach that connects compliance, operations, customer experience, and information security.

Train Teams on the Everyday Risks

Training should cover the everyday points where identity checks, data minimisation, secure communication, and retention affect customer journeys.

If teams understand why those controls matter, they are more likely to spot weak points before they become incidents.

This is especially important for customer-facing teams handling documents, forms, SARs, letters of authority, or vulnerable customer information.

Match Verification to the Job

Verification should be adequate for the task, but not heavier than it needs to be.

A regulated financial process may need robust identity and authority checks.

A lower-risk interaction may not justify collecting copies of identity documents.

That distinction helps organisations meet safety and compliance needs while keeping data collection proportionate.

Review Retention and Communication Channels

Leaders should also review how long sensitive data is kept, where it sits, and how it moves.

Retention schedules matter because data that no longer serves a purpose can still create risk.

Communication channels matter because even a well-designed process can fail if the final disclosure is sent through an unsuitable route.

The Future of Digital Identity

Digital identity and verification technologies are becoming easier to use, more accessible, and better suited to everyday customer journeys.

Privacy-Preserving Identity Is the Direction of Travel

The future is likely to involve a mix of signals, checks, and consent-led proofs that help organisations answer specific questions without oversharing.

For example, a service may need to know that someone is over 18, but not their full identity.

A financial adviser may need authority to act, but not unnecessary supporting documents.

A customer may need to prove they are the right person to receive sensitive information through a safer route than repeatedly sending identity documents by email.

Trust Can Become More Portable

Trusted digital interactions can also support future trust decisions.

This connects to Beyond Encryption’s work around AssureScore, a trust indicator based on identity-authenticated secure digital communications behaviour.

The principle is simple: if people can carry useful trust signals from one interaction to another, they may not need to keep oversharing the same sensitive information.

That could make digital journeys smoother for customers and more manageable for organisations.

The Takeaway

The Online Safety Act and data protection law both aim to reduce harm.

Together, they ask organisations to hold two ideas in tension.

Know enough to protect people.

Collect no more than you need.

For regulated organisations, the practical answer is to make identity checks, age assurance, and digital communication proportionate, privacy-aware, and secure from request to response.

FAQs

What Is the Main Difference Between the Online Safety Act and UK GDPR?

The Online Safety Act focuses on reducing harm online, especially for children and users exposed to illegal or harmful content.

UK GDPR focuses on how personal data is collected, used, protected, retained, and shared.

Are Age Checks Compatible With Data Protection?

Yes, but the method needs to be proportionate.

Organisations should choose age assurance methods that meet their legal duties while limiting unnecessary collection or disclosure of personal data.

What Should Organisations Consider Before Asking for ID?

They should ask what risk they are managing, what level of confidence is needed, and whether a less intrusive check could achieve the same purpose.

They should also consider how the evidence will be sent, stored, verified, and deleted.

Why Is Standard Email Risky for Sensitive Requests?

Standard email can be convenient, but it may not provide the sender with enough control over recipient authentication, secure access, message expiry, tracking, or secure replies.

For sensitive information, organisations should consider channels that add appropriate safeguards.

How Should Leaders Prioritise This Work?

Start with the journeys where sensitive data is requested, sent, or returned.

Then review identity checks, retention schedules, staff training, and the final communication channel used to send information to customers.

References

Online Safety Act: explainer, GOV.UK, 2025

Age checks, Ofcom, 2025

Joint statement, ICO and Ofcom, 2026

Data minimisation, ICO

Data security, ICO

Subject access, ICO

Encryption guidance, ICO

Reviewed by

Sam Kendall, 30.04.26