Data Protection Updates

Data and AI rules are moving fast. This edition focuses on the UK’s Data Use and Access Act (DUAA), the EU–UK data adequacy path, recent ICO enforcement trends, and new guidance on the EU AI Act. We set out what has changed, what it means for you, and the steps to take now.

UK Data Use and Access Act

Now enacted, the DUAA updates UK GDPR, the Data Protection Act 2018 and PECR. Among other changes, it clarifies recognised legitimate interests, tightens DSAR handling, strengthens safeguards for children’s data, widens exemptions for some cookies and tracking, reforms the ICO and increases penalties. We explain the impact for UK organisations and the actions to prioritise. We also cover developments since Royal Assent in June 2025, including phased implementation, new guidance from the ICO, the key timelines, and what you should plan over the next twelve months.

The European Commission UK Adequacy Assessment

Cross-border data remains in focus. The European Commission has confirmed the UK’s framework is essentially equivalent to the EU’s, paving the way for a renewed adequacy decision and the continued free flow of personal data between the EEA and the UK. We summarise the assessment process, the implications for your transfers, and the next steps towards formal adoption expected by December 2025.

ICO Enforcement Actions

The ICO has continued to take robust enforcement action against organisations failing to meet their data protection obligations. Recent cases have focused on unlawful marketing practices, inappropriate information security, and poor data retention procedures. This update highlights key lessons for organisations, emphasising the importance of accountability, staff awareness, and secure data handling practices to avoid costly penalties and reputational damage.

Artificial Intelligence (AI) Act

The European Commission has issued detailed guidance on the AI Act, clarifying the obligations for providers of general-purpose AI models. The update outlines the lifecycle responsibilities for such models, including continuous risk assessments, transparency requirements, and compliance with copyright laws. Exemptions for open-source models are also covered, alongside the enforcement role of the AI Office. Understanding these provisions will be essential for any organisation developing or deploying AI within the EU.

We outline the European Commission’s latest steps to maintain the free flow of personal data between the European Economic Area and the United Kingdom. We explain the background to the new draft adequacy decision, outline the procedure now progressing towards adoption, and consider what this means for organisations transferring personal data into the United Kingdom.

We explore the European Commission's guidelines on the AI Act, focusing on the obligations for providers of general-purpose AI models. We explain why these models matter and the specific responsibilities of their providers, including maintaining transparency, complying with copyright laws, and assessing systemic risks. We also discuss exemptions for open-source models and the enforcement framework, and why understanding these guidelines is crucial for your organisation.

The UK Data Use and Access Act (DUAA) 2025 represents one of the most significant updates to the United Kingdom’s data protection framework in recent years. Building upon the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations, the DUAA introduces a series of reforms designed to modernise data governance and maintain alignment with EU standards. 

In this update:

  1. We outline the key legislative changes introduced by the DUAA - including recognised legitimate interests, revised rules for Data Subject Access Requests (DSARs), strengthened safeguards for children’s data, updates to automated decision-making, and reforms to the Information Commissioner’s Office (ICO). 
  2. We then explore how these changes are being phased in, the ICO’s implementation plans, forthcoming guidance, and the practical implications for your organisation.

The ICO issued several enforcement actions last year that point to a common issue around data protection awareness: organisations are not providing adequate data protection training to employees. This article gives an overview of the enforcement action, underscoring the importance of regular, comprehensive data protection training for employees to avoid costly penalties and reputational damage.

While AI enhances efficiency for employers in the recruitment process, it also creates potential risks around bias and discrimination. This article explores how employers use AI in hiring, the regulatory focus on these tools and key considerations for organisations to manage risk and compliance effectively.

Get an overview of the ICO’s enforcement actions from the last couple of months. We spotlight noteworthy trends across private and public sector organisations alike, and explain why this is significant for your organisation.

The EU recently adopted the Data Act, creating a new chapter in the bloc’s data governance approach. This article gives an overview of the Data Act’s key provisions and its implications for businesses and consumers.

The UK Parliament passed the Online Safety Act, which represents a major shift in regulating the use of the internet. The act seeks to control harmful online content to enhance the safety of UK internet users. 

The UK’s data protection reform draws nearer as the Data Protection and Digital Information Bill no. 2 continues to make its way through the parliamentary procedures. The bill proposes a number of changes for UK-based organisations, seeking to overhaul the existing data protection regime in several ways.

In this update, we provide a refresher on what cookies and similar technologies are and review the ICO’s recent communication warning organisations to continue to consider data protection law when using cookies or similar technologies to advertise to data subjects.

The Irish Data Protection Commissioner (DPC) imposed a €1.2 billion fine on Meta Ireland for the failure to comply with the international data transfer rules contained in Chapter V of the GDPR. The decision provided clarity on important issues from standard contractual clauses to transfer impact assessments and Article 49 derogations and serves as a reminder of the importance of complying with international data transfer requirements.

The European Commission proposed the first-of-its-kind AI regulatory framework for the EU. The proposal, in the form of the draft AI Act, follows a risk-based approach: AI systems will be evaluated and categorised based on the level of risk they present to users, which will also determine the stringency of applicable regulatory requirements.

The last quarter saw significant developments in the international data transfer landscape. The EU-US Data Privacy Framework was implemented over the summer, paving the way for free flows of data between the jurisdictions. It was recently followed by the UK-US Data Bridge, an extension to the EU-US framework, allowing UK organisations to share data freely with US organisations that have self-certified with the framework.

In this update, we review the ICO’s enforcement action in the last quarter and its areas of focus and/or concern. We highlight some of the key trends we noticed across private and public sector organisations alike, and also touch upon why this remains significant for your organisation.

In a historic move, the Irish Data Protection Commission (DPC) imposed a €345 million fine on TikTok Technology Limited (‘TikTok’) in September 2023. This decision arises from a TikTok breach of the GDPR, particularly concerning children's data. This fine follows a previous £12.7 million penalty by the UK's Information Commissioner. The DPC's in-depth investigation unveiled several significant findings, including public child profiles, security breaches, lack of transparency, and the use of 'dark patterns.' TikTok faces a substantial challenge to bring its practices in line with the law within three months, while maintaining its strong disagreement with the decision.

The ICO has a range of enforcement powers at its disposal, which can be used in the event of non-compliance with UK data protection regulation. In this update, we have analysed recent ICO enforcement action from October last year up to and including March this year, to identify any trends, areas of ICO focus and/or concern, and to highlight why this may be significant for your organisation.

Following the public consultation, in February 2023 the European Data Protection Board (EDPB) published finalised guidelines on the interplay between the territorial scope and GDPR’s international data transfer provisions. The guidelines set out a three-pronged approach for assessing whether a processing operation qualifies as an international transfer of personal data and provide illustrative examples of some of the most common international data transfer cases. UK businesses with an exposure to international data transfers caught by the EU GDPR should consider reviewing their arrangements in light of this document.

On March 15, 2023, the ICO updated its AI and Data Protection Guidance in response to the UK industry's request for clarity on AI fairness requirements. In this newsletter, we explore the updated AI Guidance, which will be an important starting point for any UK-based organisation’s data protection compliance journey when considering implementing AI solutions. We provide an overview of the key changes to the guidance, with a particular focus on the accountability and governance considerations in AI, the meaning of “Transparency”, “Lawfulness” and “Fairness” in AI, and the key concepts to consider when implementing AI solutions.

In 2022, the UK announced a possible fine of £27m against TikTok for processing children's personal data without appropriate parental consent, failing to comply with the transparency principle, and processing special category data without an appropriate lawful basis.

There were two key developments for international data transfers this year: the newly proposed data transfer framework between the EU and the US, and the ICO’s new transfer risk assessment (TRA) tool and guidance.

In October 2022, the White House published an executive order implementing the EU-US Data Privacy Framework (DPF) into US law. The EU Commission has initiated the process to adopt a final adequacy decision, which is likely to take 6 months. While the decision does not directly affect UK-based organisations, the UK is likely to follow a similar approach, so they should be aware of the outcome.

The ICO has released new guidance on direct marketing using electronic mail, which explains the rules under the Privacy and Electronic Communications Regulations 2003 (PECR) and how companies should comply, including by using consent and soft opt-in mechanisms.

If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.
