Executive Summary
This case study documents a third, independent application of the Data Continuity and Sovereignty Test, conducted against a UK-based technology and compliance consultancy. Using a lawful UK GDPR Article 15 Subject Access Request (SAR), the test examined whether an organisation whose core business includes IT governance, compliance, and Microsoft cloud services can demonstrate continuity and completeness of personal data records relating to a client interaction.
The findings reveal a distinct failure mode: ephemeral operational data with no durable continuity record. Despite a confirmed Microsoft Teams meeting and multiple follow-up interactions, the organisation was unable to produce a coherent, auditable record of the engagement, including meeting artefacts that would ordinarily be expected to exist. The outcome further validates the test by showing that continuity failure can arise even in organisations that actively teach compliance.
1. Purpose of the Test
The objective was not to force recording of meetings or to dispute individual recollections. The objective was to determine whether personal data generated during a professional engagement can be reliably reconstructed when subject to a lawful access request.
Research questions:
- Does the organisation retain sufficient metadata to evidence that a meeting occurred?
- Can it reconstruct the decision and communication chain surrounding that meeting?
- Is personal data continuity maintained beyond CRM snapshots?
1.1 What This Test Is Not
This study is not:
- an allegation of wrongdoing
- a demand that all meetings be recorded
- a claim that policies were unlawful
- a criticism of named individuals
It is a continuity test of organisational record-keeping under real-world conditions.
2. Definition Framework
2.1 Linguistic Baseline (Oxford Languages)
Continuity is defined as "the unbroken and consistent existence or operation of something over time."
2.2 Operational Extension (This Study)
Operational Continuity: The ability to demonstrate, after the fact, that an interaction occurred, how it was arranged, what data was generated, and how that data is retained or disposed of.
Data Sovereignty: The ability of the data subject to obtain a complete, coherent copy of personal data generated through an interaction, without reliance on memory or informal explanations.
3. Methodology
3.1 Instrument
A formal UK GDPR Article 15 SAR served on ANS Group, requesting all personal data relating to:
- meeting invitations and calendar entries
- Microsoft Teams artefacts (invites, participant logs, chat)
- internal emails or messages referencing the data subject
- CRM entries and marketing data
3.2 Rationale
ANS positions itself as a compliance-led Microsoft partner. This made it a suitable test subject for whether compliance principles translate into continuity practice.
3.3 Evidence Handling
All correspondence with the organisation's Data Protection Officer was retained. Responses were assessed for completeness, internal consistency, and auditability.
4. Case Background
A Microsoft Teams meeting took place on 21 November 2025, arranged by ANS staff, following prior discussion in which a transcript was requested. Post-meeting follow-up did not occur, and no transcript or summary was provided.
When the SAR was served, the organisation provided:
- a CRM contact record
- an email marketing log
- a screenshot of a meeting invite
No Teams transcript, meeting record, or internal coordination artefact was produced.
5. Observed Continuity Failures
5.1 Missing Meeting Artefacts
Despite acknowledgement that the meeting occurred, there was no durable system record demonstrating:
- how the meeting was scheduled internally
- who attended beyond recollection
- whether chat or notes existed
5.2 Reliance on Human Explanation
The absence of records was explained as "human error" and absence of recording, placing reliance on narrative rather than auditable metadata.
5.3 CRM Substitution
CRM screenshots were used as a proxy for interaction continuity, despite not capturing the substance or structure of the meeting itself.
6. Governance Position
The organisation stated there is no obligation to record meetings and emphasised GDPR risk in over-recording. This position is accurate but orthogonal to the continuity issue being tested.
Key point: Continuity does not require recording everything; it requires being able to evidence what did happen.
7. Findings
7.1 Containers vs Continuity (Consultancy Variant)
ANS held fragments of data, but not a reconstructable continuity record.
7.2 Absence of Interaction-Level Metadata
There was no end-to-end metadata trail linking:
- pre-meeting communications
- the meeting itself
- post-meeting actions
7.3 Ephemeral Practice Risk
Where meetings are treated as transient events without durable artefacts, continuity fails by design.
8. Interpretation
This case demonstrates that compliance expertise does not guarantee continuity. Even organisations advising on governance can lack practical continuity mechanisms.
- Policy ≠ evidence
- Explanation ≠ audit
- CRM ≠ continuity
9. Implications
9.1 For Clients
- Critical discussions may leave no durable trace
- Governance obligations may rely on memory
9.2 For Compliance Consultancies
- Teaching compliance requires practising continuity
- Ephemeral collaboration tools need continuity scaffolding
9.3 For Regulators
- Informal interaction data remains a blind spot
- Article 15 tests reveal practical, not theoretical, gaps
10. Design Response
This case reinforces the need for interaction-level continuity:
- lightweight metadata capture for meetings
- explicit continuity expectations in professional engagements
- user-held continuity copies independent of vendor tooling
11. Conclusion
The ANS case completes a three-part validation of the Data Continuity and Sovereignty Test.
Across a cloud vendor, a local authority, and a compliance consultancy, the same result emerges: Where metadata is incomplete, ephemeral, or narrative-based, continuity fails.
This is a systems design issue, not a compliance attitude problem.
Appendices
Appendix A — Evidence Index
- SAR correspondence with ANS DPO
- CRM and marketing logs provided under SAR
Appendix B — Reproducibility
This test can be reproduced against any professional-services organisation using Article 15 to examine interaction-level continuity.