GDPR Is Not Protecting Survivors. Misinterpretation Is Protecting Perpetrators

Deniz Erdem
Feb 17
4 min read

There is a persistent narrative across safeguarding, policing, healthcare, and family justice that “GDPR prevents us from sharing information.” It is repeated so often that it has become accepted as fact.

It is not fact.

The law does not prohibit proportionate information sharing to protect victims or children. The UK GDPR and the Data Protection Act 2018 explicitly allow data to be shared where safeguarding is concerned. This is not controversial. It is confirmed in guidance from the Information Commissioner's Office, which is clear that data protection law is a framework to enable lawful sharing, not a barrier to it.

Yet in practice, GDPR is routinely cited as a reason not to record, not to share, and not to join the dots.

The consequence is not neutral. It is dangerous.

The Reality: A Culture of Defensive Practice

What we are seeing is not a legal barrier but a culture of defensive practice. Professionals are afraid of getting it wrong, afraid of complaints, and afraid of breaching confidentiality rules. The safest option, institutionally, becomes silence.

That silence protects systems. It does not protect victims.

Research repeatedly shows that agencies hold fragments of the same risk picture but fail to connect them. The NHS often has the most contact with both victims and perpetrators of domestic abuse, yet multi-agency reviews consistently find failures to document or share concerns. Without that documentation, no professional has the full picture. Without the full picture, no one escalates risk.

This is not hypothetical. It is a documented pattern across domestic homicide reviews, safeguarding adult reviews, and serious case reviews. The same theme emerges repeatedly: information existed, but it was siloed.

The result is predictable. Escalation is missed. Patterns of coercive control remain invisible.

Intervention comes too late.

Structural Problems That Go Beyond Individual Decisions

This issue is not only about professional caution. There are also structural failures in how systems record and interpret abuse.

The principal crime rule, for example, records only the most serious offence rather than the course of conduct. Coercive control is a pattern crime. When incidents are reduced to isolated events, the abuse itself becomes statistically invisible.

Similarly, fragmented data systems across policing and safeguarding agencies mean that building a picture of repetition requires manual extraction from multiple platforms. The Safeguarding Network has highlighted how different systems record victims, perpetrators, and incidents separately, making pattern recognition extremely difficult in practice.

These are not failures of individual professionals. They are failures of system design. And when systems are designed to see incidents rather than patterns, coercive control remains hidden by default.

The GP Records Dilemma

There is also a genuine tension in healthcare that deserves acknowledgement. GPs must balance a patient’s right to access their own records with the risk that a perpetrator within the household may also see them. Professionals describe real anxiety about what to record, how to redact, and when documentation could increase risk.

This complexity is real. But complexity is not the same as prohibition. It requires professional judgement, not blanket non-recording.

Avoiding documentation entirely does not eliminate risk. It transfers risk onto the victim.

This Problem Existed Before GDPR

It is also important to be honest about history. Information sharing failures did not begin with GDPR. Reviews by the Independent Police Complaints Commission long pre-date GDPR and identified the same recurring issues: failure to record intelligence, failure to reassess risk, and failure to recognise escalation.

GDPR did not create these problems. It gave them a convenient label.

The Danger in Post-Separation Abuse

Post-separation abuse is where these information silos become most dangerous. At this stage, perpetrators may be engaging simultaneously with family courts, police, housing, and children’s services. Each agency may see a different presentation: a cooperative parent in one setting, a victim narrative in another, and intimidation or harassment reported elsewhere. When those fragments are not joined together, the pattern of ongoing coercive control disappears. This is not only passive benefit from system gaps. It allows perpetrators to actively curate how they are perceived across agencies, exploiting fragmentation to maintain credibility while continuing the abuse.

Naming the Real Issue

The issue is not that GDPR favours abusers. The issue is that misinterpretation of GDPR enables institutional risk aversion. It allows professionals to default to non-disclosure under the belief they are legally constrained, when in reality they are legally permitted to act.

That distinction matters. Because when information is not shared, the person who benefits is rarely the victim.

A Necessary Nuance

This is not an argument for indiscriminate data sharing. In some cases, sharing information can increase risk, particularly if it triggers retaliation from the perpetrator. Safeguarding decisions must always be based on risk assessment, proportionality, and professional judgement.

But the current default is not careful risk assessment. It is blanket caution driven by fear of breaching data protection rules.

That is not what the law requires. And it is not what victim safety requires.

The Conclusion We Cannot Avoid

We do not have a legal barrier. We have a cultural one.

Until systems move from incident-based recording to pattern recognition, until professionals feel supported rather than punished for proportionate safeguarding disclosure, and until agencies accept that silence carries its own risk, perpetrators will continue to operate between organisational gaps.