Data Protection Alert: Key UK Regulatory Changes and Emerging Risks

The UK data protection landscape is evolving rapidly, with regulators placing increased emphasis on cyber resilience, AI governance, lawful data sharing, and accountability. Recent developments include:

• ICO focus on AI-enabled threats and governance – The Information Commissioner’s Office (ICO) has issued new guidance addressing emerging AI-powered cyber threats, warning organisations to strengthen governance, monitoring, and incident response arrangements as AI-assisted attacks become more sophisticated.
• Data (Use and Access) Act 2025 reforms now taking effect – Significant changes are now being implemented, including revised lawful basis provisions, expanded ICO enforcement powers, increased PECR penalties, and changes relating to automated decision-making and cookies/tracking technologies.
• Increased ICO enforcement activity – Enforcement action has intensified, with notable fines issued against organisations following cyber incidents and failures in technical and organisational security measures. Recent cases continue to highlight regulator expectations around MFA deployment, vulnerability management, breach reporting, privacy by design, and data minimisation.
• Police Scotland enforcement case reinforces data minimisation principles – The ICO’s enforcement action against Police Scotland is being viewed as a landmark decision on excessive data extraction and disclosure practices. The case reinforces the requirement for proportionate collection, privacy by design, and strict limitation of personal data access and sharing.
• Growing scrutiny of children’s data and online safety – Regulators continue to prioritise children’s privacy, age assurance measures, and AI-generated imagery risks. Joint regulatory investigations into AI image manipulation tools and platform safety controls demonstrate increasing willingness to intervene where safeguarding concerns arise.
• Cyber resilience expectations rising across critical sectors – Proposed reforms under the forthcoming UK Cyber Security and Resilience Bill indicate substantially tougher incident reporting obligations and wider regulatory scope, including managed service providers and critical suppliers.

Actions:

Organisations are advised to review data security, minimisation practices, incident response, third-party supplier assurance, privacy notices, retention schedules and AI governance frameworks to ensure ongoing compliance.

Source: https://www.gov.uk/guidance/data-use-and-access-act-2025-data-protection-and-privacy-changes

If you have any questions or require support, please contact your Data Protection Officer (DPO).