Headlines...

On 19 December 2025, the European Commission renewed its two 2021 UK adequacy decisions, confirming that personal data can continue to flow freely from the European Economic Area (EEA) to the UK until 27 December 2031.

The adequacy decisions had previously been granted a six-month technical extension while the Commission assessed the UK’s evolving data protection regime — including reforms introduced through the Data (Use and Access) Act 2025. Following that review, the Commission concluded that the UK’s legal framework continues to offer protections that are “essentially equivalent” to those in the EU.

In a statement accompanying the renewal, the Commission said the decisions “ensure that personal data can continue flowing freely and safely” between the EEA and the UK, because the UK framework contains safeguards that remain essentially equivalent to those provided under EU law.

Why this matters for organisations

For organisations operating across both jurisdictions, the renewal provides much-needed certainty at a time of broader regulatory and legislative change. It confirms that EEA-to-UK transfers can continue without additional transfer tools such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or supplementary technical measures — reducing friction, cost and compliance complexity for cross-border operations.

This is particularly significant for organisations reliant on UK-based processing or shared service models, including:

• centralised HR and payroll systems
• customer support operations
• group-level data analytics and marketing platforms
• cross-border vendor and cloud arrangements

The Information Commissioner’s Office has continued to evolve its enforcement strategy, moving away from a purely punitive model towards one that prioritises accountability and corrective action. This reflects a broader regulatory shift intended to support responsible data use while still protecting individuals’ rights. Rather than focusing solely on large fines, the ICO is increasingly interested in whether organisations can demonstrate meaningful compliance in practice.

This change has been particularly noticeable in cases involving smaller organisations and first-time incidents. Where businesses can show that they had appropriate governance in place, identified risks early, and acted quickly to mitigate harm, the ICO has shown greater willingness to resolve matters through engagement rather than enforcement. This has encouraged organisations to be more transparent when things go wrong.

However, this softer tone should not be mistaken for leniency across the board. The ICO remains firm where it identifies systemic failures, disregard for guidance, or repeated non-compliance. Organisations that fail to learn from past incidents or ignore known risks continue to face significant regulatory consequences.

For businesses, the message is clear: compliance is no longer just about avoiding fines, but about being able to evidence good decision-making. Policies, risk assessments, training, and records of action are becoming just as important as technical controls when demonstrating compliance to the regulator.

Headline fines often dominate public discussion about data protection enforcement, but they tell only a small part of the story. The majority of the ICO’s regulatory activity takes place away from the spotlight, focusing on investigations, reprimands, and corrective measures rather than financial penalties. By looking beyond press releases, clearer patterns emerge about what the regulator actually prioritises.

A consistent theme is that enforcement action rarely arises from a single isolated mistake. Instead, cases typically involve a combination of weak governance, poor oversight, and a failure to act on known risks. Organisations that lack clear accountability structures, training programmes, or documented decision-making are far more likely to attract sustained regulatory attention.

Another important pattern is the ICO’s focus on preventability. Where incidents could reasonably have been avoided through basic controls—such as access management, staff awareness, or routine risk assessments—the regulator is far less sympathetic. Claims that breaches were the result of “human error” carry little weight where systems and processes failed to anticipate predictable risks.

For organisations seeking to reduce enforcement risk, the lesson is clear. Compliance is not about perfection, but about foresight, structure, and responsiveness. Investing in foundational governance and demonstrating a willingness to learn from mistakes is far more effective than reacting defensively once an investigation has begun.

On 19 November 2025, the European Commission announced its Digital Omnibus Regulation Proposal — a major package intended to modernise and streamline several core EU digital and data laws. The Commission says the reforms are designed to reduce administrative burden, improve legal clarity, and support EU competitiveness, while maintaining high standards of protection.

Although the UK now has its own reform agenda under the Data (Use and Access) Act 2025, the EU’s Digital Omnibus remains highly relevant for UK organisations. Many UK businesses continue to handle EU personal data — whether through EU customers, employees, suppliers, group entities, or cloud and outsourcing arrangements — and must comply with EU rules where the GDPR (and related digital laws) apply extraterritorially. The Omnibus could therefore affect compliance expectations for UK-based processing, cookie and online tracking practices, AI deployment and governance, and cybersecurity reporting — particularly for organisations operating across both jurisdictions or supporting EU-facing services.

The proposal spans reforms to key frameworks governing personal data protection, AI regulation, cookie consent, cybersecurity incident reporting, and data access rules. It also forms part of a broader “simplification” agenda aimed at reducing duplication across overlapping laws.

Key changes proposed in the Digital Omnibus

The Commission’s package would:

• Amend selected parts of the GDPR, including definitions, research processing, and DPIA thresholds
• Adjust the EU AI Act timeline and compliance approach, including stronger central oversight for general-purpose AI models and proposed delays for parts of the regime
• Reduce cookie banner fatigue, shifting toward more user-friendly consent signals via browsers and operating systems
• Simplify cybersecurity incident reporting, reducing duplicative reporting across regimes such as NIS2
• Harmonise overlapping requirements across EU digital laws (including GDPR, the Data Act and ePrivacy rules) to improve consistency

Why is the EU proposing changes now?

The Commission’s central case is that EU compliance has become increasingly complex — particularly for SMEs and fast-growth businesses — due to repeated obligations across the GDPR, NIS2, the Data Act, the EU AI Act, and related digital legislation. The Commission believes simplifying and aligning these frameworks could reduce costs while supporting innovation.

A second driver is technology shift. The GDPR was drafted before the rapid rise of modern AI models and data-intensive services. The Omnibus package aims to refine how data protection rules operate alongside AI development and deployment, and to reduce uncertainty in areas such as anonymisation and AI training.

Snapshot of what could change (by law)

GDPR – Proposed amendments would clarify or adjust areas including the definition of personal data; anonymisation and pseudonymisation; scientific research processing; use of personal data in AI systems; access rights; automated decision-making; breach notification triggers; and “high-risk” thresholds (including when a DPIA is required).

EU AI Act – The Commission proposes targeted changes aimed at easing compliance burden (especially for smaller organisations) and shifting toward more central oversight of general-purpose AI models. It has also proposed delaying full application of certain “high-risk” requirements to allow time for guidance and templates.

Cookie consent – The proposal would aim to reduce repetitive banner prompts and support browser/OS-level consent settings, allowing more persistent and user-friendly preference management.

Data Act and related rules – The Omnibus also seeks to reduce duplication and improve coherence across data-access and sharing obligations, making the framework clearer for organisations that access, share or reuse data.

The Data (Use and Access) Act has introduced significant changes aimed at making data protection compliance more proportionate and outcomes-focused. For many organisations, this has meant rethinking how compliance is embedded rather than simply updating policies.

One notable shift is the increased emphasis on accountability over prescriptive documentation. While some record-keeping obligations have been relaxed, organisations must still be able to demonstrate how and why decisions were made, particularly where risks to individuals exist.

This creates both opportunity and risk. Organisations with mature governance frameworks may benefit from greater flexibility, while those that relied heavily on templates and minimal engagement may struggle to evidence compliance when challenged.

In practice, successful compliance under the new regime depends on understanding risk, training staff, and maintaining clear oversight of data use. The focus is less on paperwork and more on practical, defensible decision-making.

The Data (Use and Access) Act 2025 (DUAA) has now received Royal Assent. This new legislation updates key aspects of data protection law, making it easier for UK businesses to protect people’s personal information while growing and innovating their products and services. The Act will replace the previous data protection regime and formally establish a new framework for how data can be used and accessed in the UK.

At a Glance – Key Points about the Data (Use and Access) Act (DUAA)

• The DUAA is a new Act of Parliament that updates legislation on digital information.

• It reforms data protection laws to encourage innovation and economic growth.

• The Act aims to simplify processes for organisations while still protecting individual rights.

• Most changes are optional shifts in approach, not compulsory

•  compliance measures.

• Implementation will be phased in from June 2025 to June 2026.

In Day-to-Day Use

In practical terms, many professionals and organisations may still refer to “UK GDPR” for a period of time, especially when explaining the transition or making comparisons with the EU system. However, as the new legislation becomes established and its provisions become widely understood, it’s likely that new shorthand terms like “the Data Act” or “the 2025 Act” or ‘DUAA’ will emerge and become the norm.

Summary

While the GDPR label may linger in conversation and documentation for a while, the UK’s legal framework will be defined by the Data (Use and Access) Act 2025, which is set to shape the future of data regulation in the UK. Over time, the new terminology will naturally take its place in common usage.

Implication Going Forward For DSAR’s…

Under the Data (Use and Access) Act 2025, the process for Data Subject Access Requests (DSARs) in the UK is expected to become simpler and more manageable for organisations, while retaining key rights for individuals. Here are the main implications going forward:

1. Easier Grounds for Refusal

The DUAA aligns the UK GDPR’s subject access provisions with existing guidance from the Information Commissioner’s Office (ICO).

• In addition, the DUAA clarifies that controllers are only required to conduct a “reasonable and proportionate” search for information and personal data when responding to a subject access request. This reflects current case law, although the legislation does not define what constitutes a “reasonable and proportionate” search.
• Notably, the DUAA does not adopt the DPDI Bill’s proposal to permit controllers to refuse subject access requests on the grounds of vexatiousness. Controllers must still demonstrate that a request is manifestly unfounded or excessive to justify refusal.

2. Streamlined Identity Verification

The new Act introduces clearer rules around verifying the identity of a requester.

• It formalises the “stop the clock” mechanism, allowing controllers to pause the response timeframe when additional information is needed from the data subject or to verify their identity.

3. Clarified Response Timelines

While the one-month deadline for responding remains, the rules now allow for more structured extensions in complex cases.

• There’s an emphasis on practicality and proportionality, reducing pressure on organisations with limited resources.

4. Broader Exemptions

The legislation expands certain exemptions from providing data in response to DSARs, particularly:

• Where disclosure would prejudice crime prevention, legal proceedings, or certain regulatory functions.

• This gives more flexibility to sectors handling sensitive or investigatory data (e.g., finance, health, law enforcement).

5. Business-Friendlier Framing

The overall framing of DSAR provisions now leans toward balancing individual rights with operational burden.

• This shift is designed to support innovation and efficiency in data handling, particularly for SMEs and digital services.

Summary

The Act preserves the right for individuals to access their personal data but makes it easier for organisations to manage the volume and complexity of DSARs. It reduces compliance strain without removing accountability, aiming to create a more practical and proportionate approach.

Stay tuned. We’ll be keeping all our clients well informed…

As global sport accelerates into the digital age, data is becoming its most valuable asset. With the rise of AI-powered analytics, wearable technology, biometric monitoring, and interconnected devices (IoT), the sports industry is undergoing a seismic shift. But at the heart of this transformation lies a critical consideration: data privacy. Enter the General Data Protection Regulation (GDPR) — a legal framework that is reshaping how global sport must operate.

What is GDPR?

The GDPR is the European Union’s comprehensive data protection law that governs how personal data is collected, processed, and stored. It applies to any organisation — regardless of location — that handles the data of UK/EU citizens. This has direct implications for international sporting bodies, leagues, teams, tech companies, and broadcasters who deal with athlete and fan data.

AI, IoT, and Sport: A Data Goldmine

From AI-driven talent scouting and performance prediction to smart stadiums and biometric fan experiences, data flows constantly in modern sport. Wearables and sensors can track every heartbeat, sprint, or fatigue level of an athlete. AI algorithms use that data to optimise training or even detect injuries before they occur. Meanwhile, fans engage via personalised experiences delivered through IoT-enabled platforms.

Where GDPR Comes In

GDPR mandates explicit consent, transparency, minimal data use, and the right to be forgotten. This creates several challenges — and opportunities:

• Athlete Data Management: Teams and tech companies must get clear consent before collecting biometric or health data. Data must be securely stored and used only for agreed purposes.

• Fan Engagement: Personalised marketing and tracking technologies need opt-in consent. IoT devices in stadiums or apps must clearly disclose what data is collected and why.

• Global Compliance: Even non-EU organisations must comply with GDPR if they handle UK/EU citizen data. This forces sports entities to adopt universal data governance standards, potentially improving trust globally.

The Road Ahead

GDPR is not a barrier to innovation — it’s a framework for responsible innovation. As AI and IoT become the backbone of modern sport, those who embed data privacy into their infrastructure will build deeper trust with fans and athletes alike. Forward-thinking organisations will not just comply with GDPR — they’ll see it as a blueprint for ethical leadership in a tech-driven sports future.

In a world where every step, heartbeat, and click is data, GDPR ensures that sport remains not just smart — but fair, secure, and human.

For more on how CCS are helping Sports Organisations Click Here

The Data Use and Access Act 2025 (DUAA) received Royal Assent on 19 June 2025 and will be implemented in phases over the following year. Key provisions are scheduled to take effect at intervals of approximately two, six, and twelve months after assent. This staggered timetable is designed to give organisations sufficient time to prepare for the changes, including updates to data protection obligations under UK GDPR, the Data Protection Act 2018, and related regulations. Organisations are expected to maintain compliance with existing laws until the relevant DUAA provisions come into force.

The ICO as of 5th July 2025 have the following on the website ‘Our guidance is designed to help and support you to comply with the laws we regulate, and to help people understand their information rights.

As well as detailed formal guidance and Codes of Practice, we also produce checklists, toolkits and position papers. We create all our guidance with you in mind, making it as simple as possible for you to use.

Grouped by the topics below, you’ll find information about all the guidance that we’re working on. You’ll see what we’re developing and when we expect to publish. We’ll update this information regularly so that you can confidently track a product as it develops.’

They also have banners on most pages saying ‘Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen. ‘

So for the timebeing its carry on as normal and keep an eye on the ICO’s website. We’ll be doing that on behalf of all our clients. Stay tuned here for news.

Michael Ashley v Commissioners for His Majesty’s Revenue and Customs [2025] EWHC 134 (KB)

Mike Ashley’s recent High Court win against HMRC highlights the responsibilities organisations have when responding to data subject access requests (SARs) in the UK. Content Capture Services can help you understand the challenges and implement the solutions.

The Court addressed several issues in Mr. Ashley’s claim, including HMRC’s failure to:

• Properly interpret his SAR’s scope

• Conduct adequate searches

• Provide intelligible personal data

• Properly apply the tax exemption under the Data Protection Act 2018

• Correctly define “personal data”

This article focuses on the tax exemption and the definition of “personal data,” as well as the court’s ruling.

The Dispute

The dispute began over the sale of properties linked to Mr. Ashley, he later made a SAR requesting information about his tax enquiry, including data from HMRC’s Wealthy and Mid-Size Business Compliance department.

The Tax Exemption

Data access rights aren’t absolute; exemptions apply when personal data concerns tax assessment or collection. HMRC argued that disclosing certain data could reveal its settlement strategies, potentially helping taxpayers in future disputes. However, the Court found that no significant likelihood of prejudice existed, as the tax dispute was already resolved. The ruling emphasized that the potential for harm must be backed by evidence, not mere assertion.

What is “Personal Data”?

The UK GDPR defines personal data as information about an identified or identifiable person. HMRC initially withheld all of Mr. Ashley’s data, but after challenge, disclosed some. Mr. Ashley argued that the information regarding his tax liability should be included, even if it involved data from the Valuation Office Agency (VOA).

The Court ruled that information relating to tax liability was not automatically personal data, but could be if it met criteria like content, purpose, or effect. This means HMRC may need to reconsider its SAR response and potentially release more data.

Impact of the Decision

This case highlights the importance of robust data protection practices. The ruling clarifies that organizations must ensure SAR searches and exemption applications are conducted properly, with the “relating to” criterion applied appropriately. It also sets a precedent for future legal challenges, which could lead to more disputes over personal data rights.

For HMRC, the case may prompt changes in how data is managed during tax investigations, potentially slowing down the process. In the broader economic context, the ruling could influence perceptions of the UK as a business-friendly environment.

The case also emphasises the need for organisations to balance the cost of updating data systems with the challenges posed by SARs. With more businesses likely to face such requests, adopting more efficient and secure data systems will be crucial. Content Capture Services can help with all aspects.

CCS have found that Ai redaction software products over promise and under provide.

All the main options tested struggled with automatic redaction due to the complexity of understanding context and the nuanced nature of sensitive information. Redacting isn’t just about removing predefined keywords or patterns; it requires understanding the context in which a word or phrase is used. For example, Ai might redact a name in one document but miss the same person’s identity in a different context, such as through indirect references. Sensitive information can also be implied through surrounding text, making it hard for Ai to consistently recognise all privacy risks.

Additionally, Ai models were found to lack real-world comprehension, often failing to detect legal, ethical, or domain-specific nuances. Over-redaction, such as removing irrelevant data, and under-redaction, like missing hidden or implied sensitive information, were common pitfalls. Human oversight is still essential to ensure the appropriate balance between privacy protection and maintaining document integrity when redacting complex documents. So a helpful tool to reduce work but not a magic wand!

We’ve developed a state-of-the-art, secure internal video rendering farm that sets the industry standard for efficiently handling large video processing tasks. Leveraging the latest GPU (graphics processing unit) technology, our system can ingest, process, and deliver long-length video clips without the need to break them down into smaller segments. Click here for more Video Redaction Service Description

Harrison v Cameron: What This Case Means for Responding to Subject Access Requests (SARs)

A recent High Court ruling in Harrison v Cameron has clarified an important question in data protection law: when responding to a Subject Access Request (SAR), do you have to reveal the names of individuals who received the requester’s personal data?

The short answer? Sometimes—but not always.

Background

Mr. Harrison, a property investor, hired ACL, a landscaping company run by Mr. Cameron. Things turned sour, and after Harrison terminated the contract, Cameron recorded two phone calls and shared them with colleagues, friends, and family. Harrison claimed the recordings damaged his reputation and business and issued SARs demanding to know who had received them.

The Court’s Findings

The judge made a few key rulings that are particularly useful for data controllers:

• Named individuals—not just categories—may need to be disclosed. This includes employees of the controller.

• However, exemptions apply. If naming third parties would infringe on their rights or expose them to harm, controllers can withhold those names.

• A balancing test is required. Controllers must weigh the data subject’s right to access against risks to third parties. Content Capture Services know where this line and is!

• Controllers have discretion. The court emphasised that organisations responding to SARs have a “wide margin of discretion” when applying exemptions.

• The purpose of the SAR matters. Evidence showed Harrison used previous disclosures to send intimidating legal letters, which justified ACL’s refusal.

Why This Matters

This case confirms that while data subjects can expect transparency, their rights are not unlimited. If you’re responding to a SAR, particularly one involving internal communications or sensitive third-party data, this case is a helpful guide on when—and when not—to disclose. Content Capture Services can help you implement the best practice here.

We’ve assisted CERN, renowned for the Hadron Collider, in organising decades of unstructured video data with metadata. This valuable resource is now easily accessible.

With the Prime Minister calling a General Election for July 4, 2024, the UK Parliament has entered a ‘wash-up’ period to finalise any uncompleted legislation. Legislation that is not completed by the end of the ‘wash-up’ on May 24 will lapse and may be reintroduced in the next Parliament. The Data Protection and Digital Information (DPDI) Bill did not complete its passage by the end of the ‘wash-up’ and has therefore lapsed.

It is understood that the Bill’s failure was due to disagreements in the House of Lords over controversial late amendments introduced by the Department of Work and Pensions (DWP). These amendments aimed to facilitate data sharing between the DWP and private companies, primarily banks, to prevent fraud. However, they were controversial and faced significant opposition in the House of Lords.

The DPDI Bill was a significant step forward for the UK’s data protection framework, offering a range of opportunities. These included making the UK a more attractive place for AI technology research, development, and deployment, establishing new frameworks for Smart Data and Digital ID, and providing the UK with the flexibility to adapt to a rapidly changing global trade environment.

The failure of the DPDI Bill is therefore disappointing, especially given the broad support in Parliament for its wider reforms.

The UK tech industry will be frustrated by the Bill’s failure, particularly given the extensive consultation that took place. It will now be the responsibility of the next Government to resume these reforms following the election. Whichever political party wins the election should not miss this opportunity. Instead, they should build on the progress made in this Bill to create a pro-innovation and high-standard data protection regime for the UK. This should also include enabling smart data and digital ID schemes, allowing better management of data and interaction with public services.

One sentence changed the CCS mission overnight…

In 1996, Bill Gates famously declared that “content is king,” predicting that the internet would evolve into a dominant platform for the distribution and monetisation of content. He foresaw that, just as in traditional media, quality content would drive traffic, attract advertisers, and generate revenue online. Nearly three decades later, Gates’ statement has largely been proven right, and its relevance continues today, albeit in a more nuanced form.

The proliferation of digital platforms—websites, blogs, social media, and streaming services—confirms that content remains a primary driver of engagement. From written articles and videos to music, podcasts, and online courses, content is the backbone of the internet’s success. Successful platforms like YouTube, Netflix, and Spotify demonstrate that creating and distributing high-quality, engaging content is central to capturing and retaining users.

However, the landscape has evolved. While content is still king, distribution and discoverability have become equally important. The rise of search engine algorithms, social media, and recommendation systems means that even the best content can go unnoticed if not properly optimised or shared. Platforms like Google and Facebook prioritise content that aligns with user preferences, making it essential for creators to understand SEO, algorithms, and audience behavior.

Moreover, content marketing has emerged as a critical business strategy. Companies now focus on providing value through blogs, videos, and infographics to engage consumers and build brand trust. This reinforces the notion that relevant, targeted content is crucial for building relationships and driving business growth.

In today’s world, content is more accessible and diverse than ever. Gates’ prediction holds true, but it’s clear that alongside content, distribution, strategy, and adaptability are key to success. As long as people seek information, entertainment, and value online, content will remain a dominant force in shaping digital experiences.

The “right to be forgotten,” enshrined under Article 17 of the General Data Protection Regulation (GDPR), allows individuals to request the deletion of their personal data when it is no longer necessary, or if it has been unlawfully processed. This right empowers individuals to take control over their online privacy, particularly in a digital landscape where personal information is often stored and shared without clear consent.

Key scenarios for exercising the right to be forgotten include when the data is no longer needed for the original purpose, consent has been withdrawn, or the individual objects to the processing of their data for direct marketing. However, the right is not absolute and must be balanced against other factors, such as freedom of expression, public interest, or legal obligations. For instance, a news outlet may not be required to erase articles that contain personal data if it serves the public’s right to information.

The right to be forgotten is a crucial tool in the GDPR framework, allowing individuals to mitigate the long-term consequences of having their personal data widely available, especially in an age where digital footprints can be permanent and far-reaching.

But how do UK Organisations execute a request? CCS can help Click Here For More…

Artificial intelligence has moved rapidly from experimental use to operational deployment across many UK organisations. From recruitment tools to customer analytics and generative AI, these systems often rely on large volumes of personal data, sometimes without organisations fully understanding how that data is processed or reused.

One of the most common compliance failures arises from uncertainty around lawful basis. Organisations may rely on legitimate interests without conducting a proper balancing test, or assume that consent is implied where it is not. This is particularly risky where AI systems repurpose data in ways that individuals would not reasonably expect.

Transparency is another major challenge. Explaining complex AI processing in clear, accessible language is difficult, but still required under data protection law. Many privacy notices fail to adequately describe automated processing, leaving individuals unaware of how their data is being used or how decisions affecting them are made.

As regulatory scrutiny increases, organisations using AI will need to invest more time in governance, documentation, and human oversight. Those that treat AI as a purely technical tool, rather than a data protection risk area, are likely to face increasing compliance issues.

Responding to a Data Subject Access Request (DSAR) using tools like Microsoft Purview and eDiscovery presents several challenges. While these platforms offer powerful capabilities for searching across Microsoft 365 data, they are not specifically tailored for DSAR workflows, which can make the process cumbersome. CCS can help.

Our clients are having trouble with DSAR searches in Microsoft’s new Purview eDiscovery interface? So CCS have created a free, step-by-step PDF user guide to help you navigate the updated front end with ease. Simplify compliance and boost efficiency. Download your guide now and take control of eDiscovery challenges.

One major challenge is identifying all relevant data across multiple services—emails, Teams messages, SharePoint files, and OneDrive content. Purview’s search functionality can be broad, but filtering results to just those that are truly “personal data” within the scope of a DSAR often requires significant manual review and judgment.

Another difficulty lies in the granularity of the search. Data subjects often expect their full digital footprint, but DSARs typically require the extraction of only personal data about the requester—not about others. This makes redaction and context evaluation essential. While eDiscovery Premium offers review sets and redaction tools, they can be complex to configure and don’t always scale well for high-volume requests or non-standard data types.

Lastly, ensuring completeness and compliance within tight statutory timelines is stressful. Search limitations, complex permissions, and the need to manually validate results can delay responses and increase the risk of errors or omissions. As such, while Purview and eDiscovery are helpful starting points, many organizations find they need additional processes or tools to meet DSAR requirements effectively.

Despite ongoing reforms, international data transfers remain one of the most complex areas of UK data protection compliance. Many organisations continue to rely on global suppliers and cloud services, meaning personal data is routinely accessed or stored outside the UK.

While adequacy decisions simplify some transfers, many others require additional safeguards such as contractual clauses and transfer risk assessments. These assessments are no longer viewed as box-ticking exercises; regulators expect organisations to understand the legal and practical risks associated with foreign data access.

Geopolitical developments and differing surveillance laws have increased scrutiny on where data is processed and who can access it. Organisations that cannot clearly map data flows or justify their transfer decisions are increasingly exposed during audits and investigations.

To manage this risk, businesses must treat international transfers as an ongoing governance issue. Regular reviews, supplier engagement, and documented decision-making are essential to maintaining compliance in an increasingly fragmented regulatory landscape.

Deepfake technology has developed at an extraordinary pace, enabling the creation of highly realistic images, videos, and audio that can convincingly replicate real individuals. When these tools use personal data without consent, they raise serious data protection, privacy, and ethical concerns.

From a data protection perspective, the creation and dissemination of deepfakes often involves processing biometric data, images, and voice recordings. This data is frequently obtained without the individual’s knowledge, undermining principles of fairness, transparency, and lawful processing. The harm caused can extend far beyond privacy breaches, affecting reputation, employment, and personal safety.

Online platforms and content hosts face particular challenges in managing deepfake content. While not always responsible for creating the material, they may still be considered data controllers or processors depending on their role. Failure to act promptly when harmful content is reported can expose organisations to regulatory and legal risk.

For businesses, the rise of deepfakes highlights the need for robust content governance, clear reporting mechanisms, and staff training. As manipulated media becomes harder to detect, organisations must be proactive in addressing misuse rather than reacting after harm has already occurred.

Digital identity systems are increasingly used to verify individuals’ identities for accessing services, reducing fraud, and improving efficiency. These systems often process highly sensitive personal data, including identity documents and biometric information.

The key data protection challenge lies in ensuring that identity verification does not become excessive. Collecting more data than necessary, retaining it indefinitely, or reusing it for secondary purposes undermines fundamental data protection principles.

Public trust is critical to the success of digital identity schemes. Individuals must understand how their data will be used, who it will be shared with, and how long it will be retained. Any lack of transparency risks undermining adoption and inviting regulatory scrutiny.

Privacy by design is therefore essential. Organisations must embed safeguards from the outset, ensuring that systems are secure, proportionate, and respectful of individuals’ rights throughout the identity lifecycle.

Since leaving the EU, the UK has pursued a more flexible approach to data protection, seeking to reduce administrative burden while maintaining high standards. While the UK GDPR remains largely aligned with the EU version, subtle differences in interpretation and enforcement are emerging.

For organisations operating across both jurisdictions, even small divergences can create operational complexity. Policies, consent mechanisms, and rights management processes may need to account for different thresholds or expectations depending on where individuals are based.

There is also an ongoing concern about adequacy. Significant divergence could put the UK’s adequacy status at risk, potentially increasing compliance costs for businesses that rely on seamless data flows with the EU. This uncertainty makes long-term compliance planning more challenging.

As a result, many organisations are adopting a “highest common standard” approach, aligning practices with EU expectations while taking advantage of UK flexibility where appropriate. This strategy reduces risk but requires careful legal and operational coordination.

While ICO enforcement remains a central feature of the UK data protection landscape, individuals are increasingly turning to the courts to seek redress. Claims for distress, misuse of personal data, and breach of confidence are becoming more common.

This shift is partly driven by perceptions that regulatory enforcement alone does not always provide adequate remedies for individuals. Litigation allows claimants to pursue compensation directly, often alongside employment or contractual disputes.

For organisations, this means that compliance failures may result in parallel risks: regulatory investigation and private legal action. Even where fines are avoided, litigation costs, settlements, and reputational damage can be significant.

As a result, data protection risk must be viewed through both a regulatory and litigation lens. Strong governance, clear records, and fair processing are essential not just for regulators, but for defending claims in court.

Cyber security and data protection are increasingly inseparable. While data protection law focuses on rights and principles, many compliance failures arise from inadequate technical and organisational security measures.

Ransomware attacks, phishing incidents, and credential compromises continue to dominate breach statistics. In many cases, the underlying issue is not sophisticated hacking, but basic failures such as weak passwords, unpatched systems, or insufficient staff training.

Regulators now expect organisations to take a proactive approach to security. This includes regular risk assessments, incident response planning, and supplier due diligence. Simply reacting after a breach is no longer acceptable.

Effective data protection therefore requires close collaboration between legal, compliance, and IT teams. Treating cyber security as a purely technical issue creates blind spots that can quickly become regulatory liabilities.

The Information Commissioner’s Office has increasingly repositioned itself as a regulator focused on outcomes rather than punishment. In recent years, there has been a noticeable shift away from default financial penalties towards engagement, guidance, and corrective action, particularly where organisations demonstrate genuine accountability. This approach reflects a desire to encourage responsible data use without stifling innovation or placing disproportionate burdens on compliant businesses.

This change in tone places greater emphasis on organisational behaviour before, during, and after an incident. How quickly an organisation identifies an issue, whether it self-reports, and the quality of its remediation efforts now play a critical role in regulatory outcomes. The ICO is increasingly interested in whether compliance failures are isolated mistakes or symptoms of deeper governance problems.

That said, the regulator has been clear that this pragmatic approach has limits. Where organisations ignore guidance, fail to address known risks, or show repeated non-compliance, enforcement action remains robust. Large-scale breaches, misuse of personal data, and failures affecting vulnerable individuals continue to attract serious regulatory attention.

For organisations, this evolving regulatory tone reinforces the importance of demonstrable accountability. Compliance must be embedded into culture, decision-making, and governance structures, not treated as a box-ticking exercise. The ability to evidence thoughtful, proportionate decisions is becoming just as important as the decisions themselves.

The relaxation of mandatory record-keeping requirements for some organisations has been welcomed as a reduction in administrative burden. However, this change has also created uncertainty about what level of documentation is now expected to demonstrate compliance. The removal of prescriptive requirements does not remove the underlying accountability obligation.

In practice, organisations still need a clear understanding of what personal data they process, why they process it, and how long it is retained. Without this knowledge, responding to subject access requests, data breaches, or regulatory enquiries becomes significantly more difficult. Informal knowledge held by individuals is rarely sufficient or sustainable.

The challenge for organisations is to move away from static, overly detailed registers towards living records that reflect real operational risk. Documentation should be proportionate, accurate, and actively used to inform decision-making rather than maintained solely for compliance purposes.

Ultimately, effective accountability relies on meaningful records that support transparency and control. Organisations that interpret relaxed requirements as an excuse to abandon documentation altogether risk finding themselves unable to demonstrate compliance when it matters most.

Data Protection Impact Assessments were originally conceived as a mechanism to identify and mitigate privacy risks before harm occurs. While this principle remains unchanged, the way DPIAs are used in practice is evolving. Increasingly, they are being recognised as strategic tools rather than compliance formalities.

Too often, DPIAs are completed late in a project lifecycle, after key decisions have already been made. This limits their effectiveness and can result in costly redesigns or unresolved risks. Regulators expect DPIAs to influence design choices, not simply document them after the fact.

Another common issue is the failure to revisit DPIAs as systems or processing activities change. Technology, purposes, and risk profiles evolve over time, and assessments that are not reviewed quickly become outdated. This undermines their value and weakens an organisation’s accountability position.

When embedded properly, DPIAs help organisations anticipate regulatory concerns, improve transparency, and build trust with individuals. They are most effective when treated as part of ongoing governance rather than one-off documents completed to satisfy legal requirements.

Since leaving the EU, the UK has signalled its intention to take a more flexible, innovation-friendly approach to data protection. While the UK GDPR remains closely aligned with its EU counterpart, gradual divergence is becoming more visible in areas such as accountability, record-keeping, and regulatory interpretation.

For businesses operating internationally, even modest divergence creates complexity. Staff training, policies, and systems may need to account for different expectations depending on geography. This can increase costs and introduce operational risk, particularly where data flows span multiple jurisdictions.

There is also a broader strategic consideration around adequacy. Significant divergence could place the UK’s adequacy status under pressure, potentially complicating data transfers with the EU. This would have wide-ranging implications for UK organisations that rely on cross-border data flows.

As a result, many organisations are adopting a cautious approach, aligning their practices with the highest applicable standard. While this may limit the practical benefits of divergence, it provides greater legal certainty in an increasingly complex regulatory environment.

Public sector organisations increasingly rely on data sharing to deliver services efficiently and respond to complex social challenges. Whether in healthcare, local government, or social services, sharing personal data can improve outcomes but also introduces significant privacy risks.

Public trust is central to the legitimacy of these initiatives. Individuals are more likely to accept data sharing where they understand why it is happening, how their data will be protected, and what safeguards are in place. Lack of transparency or perceived overreach can quickly undermine confidence.

Public bodies also face heightened scrutiny due to the scale and sensitivity of the data they hold. Failures can have far-reaching consequences, affecting large populations and eroding trust not just in individual organisations but in public institutions more broadly.

Strong governance, clear legal bases, and ethical decision-making are therefore essential. Data sharing must be driven by necessity and proportionality, supported by robust safeguards and clear communication with the public.

The sourcing of training data remains one of the most legally and ethically complex aspects of artificial intelligence. Many AI systems rely on large datasets that include personal data, sometimes collected indirectly or repurposed from existing sources.

Organisations often rely on legitimate interests as a lawful basis for training AI models, but this is frequently done without sufficient balancing or transparency. Individuals may be unaware that their data is being used in this way, raising concerns about fairness and reasonable expectations.

Another challenge lies in compatibility. Data collected for one purpose may not be compatible with its use in training AI systems, particularly where outcomes affect individuals in new or unexpected ways. Compatibility assessments are often overlooked or poorly documented.

To mitigate risk, organisations must take greater responsibility for understanding where training data comes from and how it is used. Clear governance, documented assessments, and meaningful transparency are essential to lawful and ethical AI deployment.

Recent reforms have introduced greater flexibility around automated decision-making, but they have not removed the need for safeguards. Decisions that significantly affect individuals still require careful oversight, fairness, and accountability.

Many organisations struggle not with the technology itself, but with explaining how automated decisions are made. Complex models can be difficult to interpret, yet individuals retain the right to meaningful information about the logic involved and the consequences of processing.

Human oversight remains a critical requirement. Automated systems should not operate in isolation, particularly where errors or bias could cause harm. Clear escalation routes and the ability to challenge outcomes are essential components of compliant systems.

As automation becomes more widespread, organisations must ensure that efficiency gains do not come at the expense of individual rights. Investment in governance, documentation, and explainability is key to sustainable compliance.

Biometric technologies such as facial recognition and fingerprint scanning are increasingly used in workplaces to control access, monitor attendance, or enhance security. While these systems offer convenience, they involve processing highly sensitive personal data.

In many cases, the use of biometric data is disproportionate to the risk being addressed. Less intrusive alternatives may be available, and failure to consider these options can undermine compliance with data minimisation and necessity principles.

Consent is particularly problematic in employment contexts. Power imbalances mean that employees may feel unable to refuse, calling into question whether consent is truly freely given. Organisations often underestimate this risk.

Before deploying biometric systems, employers must carefully assess necessity, proportionality, and alternatives. Clear justification, transparency, and strong safeguards are essential to lawful and ethical use.

Synthetic data is often promoted as a way to reduce privacy risk by replacing real personal data with artificially generated datasets. When done well, it can support innovation while protecting individuals’ identities.

However, synthetic data is not inherently anonymous. Poorly generated datasets may still allow re-identification, particularly when combined with other information. Overconfidence in anonymisation can lead to compliance failures.

Organisations must therefore approach synthetic data with caution. Claims of anonymity should be tested rigorously, and assumptions documented. Simply labelling data as “synthetic” does not remove data protection obligations.

Used responsibly, synthetic data can be a valuable tool. Used carelessly, it can create a false sense of security that exposes organisations to significant risk.

Five years after its introduction, the Age-Appropriate Design Code has had a significant impact on how digital services treat children’s data. Expectations around default settings, transparency, and minimisation have become clearer.

Compliance across sectors remains uneven. Some organisations have embedded child-centric design principles, while others continue to rely on superficial changes that fail to address underlying risks.

Children’s data is inherently high risk due to vulnerability and long-term impact. Failures in this area can cause lasting harm and attract serious regulatory attention.

As enforcement increases, organisations must move beyond minimum compliance and focus on real-world outcomes. Protecting children’s data requires ongoing commitment, not one-off adjustments.

Ransomware attacks continue to be one of the most disruptive and complex threats facing UK organisations. Beyond operational downtime and financial loss, these incidents raise serious data protection issues relating to confidentiality, availability, and integrity of personal data. Regulators increasingly view ransomware as both a cyber security and governance failure.

One of the most challenging aspects of ransomware incidents is assessing notification obligations. Organisations must decide whether personal data has been accessed, exfiltrated, or rendered unavailable, often with limited information and under extreme time pressure. Delayed or poorly reasoned notification decisions can significantly worsen regulatory outcomes.

There is also a persistent misconception that paying a ransom resolves data protection risk. In reality, payment does not guarantee data deletion, nor does it remove the obligation to notify regulators or affected individuals. In some cases, payment may raise further questions about decision-making, risk assessment, and legal compliance.

Preparation is therefore critical. Organisations that have tested incident response plans, clear escalation routes, and cross-functional response teams are far better positioned to manage ransomware incidents effectively. Regulators consistently favour organisations that act decisively, transparently, and with a clear focus on mitigating harm to individuals.

Third-party suppliers remain one of the most persistent sources of data protection risk. Even organisations with strong internal controls are vulnerable where processors, sub-processors, or service providers fail to meet required standards. This risk has increased as supply chains become more complex and data-driven.

A common weakness is over-reliance on contracts. While data processing agreements are essential, they do not replace the need for ongoing oversight. Many organisations fail to monitor supplier compliance once onboarding is complete, assuming contractual assurances alone are sufficient.

Visibility is another major challenge. Organisations often underestimate how much personal data suppliers access, where it is stored, and who can access it. Without accurate data mapping and supplier engagement, accountability quickly breaks down when incidents occur.

Effective supply chain governance requires continuous effort. Due diligence, audits, risk-based monitoring, and clear escalation processes are essential. Ultimately, responsibility for compliance remains with the controller, regardless of how many third parties are involved.

Most organisations have incident response plans, yet real-world incidents frequently expose serious gaps. Plans may be outdated, overly technical, or unclear about roles and responsibilities. Under pressure, staff often struggle to translate written procedures into effective action.

One of the most common failures is lack of ownership. When it is unclear who leads decision-making, incidents quickly escalate. Delays in escalation, confusion over authority, and inconsistent communication can significantly worsen both operational and regulatory outcomes.

Testing is another critical weakness. Many plans are never exercised through simulations or tabletop exercises. Without testing, assumptions go unchallenged and weaknesses remain hidden until an actual incident occurs, when it is too late to address them calmly.

Regulators increasingly assess not just whether a plan exists, but whether it works. Organisations that regularly review, test, and refine their response plans are far better positioned to demonstrate accountability and reduce harm when incidents inevitably occur.

The shift to hybrid and remote working has led many organisations to adopt new monitoring technologies. Tools that track activity, communications, or system usage are often introduced quickly, without sufficient consideration of privacy implications. This creates significant compliance and trust risks.

A recurring issue is weak justification. Monitoring is frequently justified on vague grounds such as productivity or security, without clear evidence that intrusive measures are necessary or proportionate. Regulators expect organisations to demonstrate why less intrusive alternatives are insufficient.

Transparency is also frequently lacking. Employees may be unaware of the extent or nature of monitoring, or may receive information that is vague or misleading. This undermines fairness and can erode trust, even where monitoring is technically lawful.

Organisations must take a cautious and principled approach. Clear necessity assessments, strong governance, and open communication with staff are essential. Respecting employee privacy is not only a legal requirement, but a key factor in maintaining a healthy workplace culture.

Subject access requests have evolved from routine compliance tasks into strategic tools, particularly in employment disputes and litigation. Individuals increasingly use SARs to obtain information that may support grievances, claims, or negotiations. This has significantly increased both volume and complexity.

Many organisations underestimate the operational impact of SARs. Common failures include incomplete searches, missed deadlines, inconsistent redactions, and inadequate explanations. These issues frequently result in complaints and regulatory scrutiny.

Poor SAR handling often reveals deeper governance weaknesses. Lack of data mapping, unclear ownership, and inconsistent retention practices all become apparent when organisations attempt to locate and review personal data under time pressure.

Effective SAR management requires structured processes, trained staff, and clear escalation routes. When handled well, SARs can demonstrate transparency and accountability. When handled poorly, they can quickly escalate into regulatory and legal exposure.

Whistleblowing systems play a vital role in organisational governance, but they also involve processing highly sensitive personal data. Reports often contain allegations, special category data, and information about multiple individuals, creating complex compliance challenges.

Confidentiality is critical to protecting whistleblowers from retaliation and encouraging reporting. However, organisations must also balance this with fairness to those accused and transparency obligations under data protection law.

Retention is frequently overlooked. Whistleblowing data is often retained indefinitely without clear justification, increasing risk over time. Once investigations conclude, organisations must carefully assess what data needs to be retained and for how long.

Well-designed whistleblowing systems require clear governance, restricted access, and defined retention policies. Poor handling not only risks regulatory action, but can seriously undermine trust in the organisation’s ethical framework.

Marketing compliance has become increasingly demanding as regulators scrutinise how consent is obtained and relied upon. Practices that were once tolerated—such as bundled consent or unclear opt-ins—are now viewed as unacceptable.

Consent fatigue has also changed user behaviour. Individuals are more sceptical and less willing to engage with intrusive or manipulative consent mechanisms. Organisations that rely on dark patterns or ambiguity face both regulatory and reputational risk.

Legitimate interests are often used incorrectly as an alternative to consent, particularly for electronic marketing. Without careful assessment and clear opt-out mechanisms, reliance on legitimate interests can quickly become unlawful.

Effective marketing compliance focuses on clarity, choice, and respect for individuals’ preferences. Organisations that prioritise trust and transparency are better positioned to maintain long-term customer relationships.

Over-retention of personal data remains one of the most widespread compliance failures across all sectors. Organisations often keep data indefinitely due to uncertainty, convenience, or fear of deleting something that might be needed later.

Legacy systems and poor data ownership exacerbate the problem. Where responsibility for data is unclear, retention decisions are rarely reviewed, leading to unchecked accumulation of personal data over time.

Storage limitation is a core data protection principle, not an optional best practice. Regulators increasingly expect organisations to justify retention decisions and demonstrate active management of data lifecycles.

Clear retention schedules, automation where possible, and regular reviews are essential. Reducing data volumes not only improves compliance, but also lowers security and breach risk.

Privacy notices are often technically compliant but practically ineffective. Lengthy documents filled with legal jargon discourage engagement and fail to provide meaningful understanding of how personal data is used.

True transparency requires clarity, relevance, and accessibility. Individuals should be able to understand key information quickly, without wading through unnecessary detail. Layered approaches and plain language are increasingly expected.

Poor transparency frequently leads to complaints, SARs, and regulatory scrutiny. When individuals feel misled or confused, trust erodes and compliance risks increase.

Well-designed privacy notices are a strategic asset. They support informed decision-making, reduce friction, and demonstrate respect for individuals’ rights, strengthening both compliance and reputation.