• 3 min read

Data Protection Quarterly News Roundup (April to June 2024)

dp qr

We have made it to Summer and the sun is finally shining, and it’s time for our next quarterly update looking at our data protection news highlights for the UK between April and June 2024.


The Information Commissioner’s Office (ICO) has published its children’s code strategy for 2024-2025, building upon the ICO’s work with online services, including websites, apps and games since the introduction of the children’s code of practice in 2021, which aims to provide better privacy protections for children.

ICO Conference

The ICO’s annual Data Protection Practitioners’ Conference will be held online on Tuesday 8 October and it is free to attend. You can book here

IoT and Consumer Protection

New regulations came in to force on 29 April 2024, mandating that certain internet-connected smart devices (speakers, phones, watches, TV’s, toys and so forth) meet minimum-security standards by law.

Special category data 

The ICO has updated their guidance on inferred special category data, so that it no longer focuses on the certainty of an inference as a relevant factor to decide whether it counts as special category data, clarifying their position on the matter.

Cyber Security

The ICO called for all organisations to boost their cyber security to protect the personal data they hold, as data revealed that more organisations than ever are experiencing cyber security breaches. A new report, “Learning from the mistakes of others” has analysed the data breach reports that the ICO has received. The report provides practical advice to help organisations understand common security mistakes and ways they can improve their own security.


On 1 May 2024, the ICO published Regulating AI: The ICO’s strategic approach; guidance to assist organisations mitigate risk in relation to, for example, AI and data protection, automated decision-making and profiling, explaining decisions made with AI, and its AI and data protection toolkit.

Data Protection Reform 

On 22 May 2024, the call for a General Election in July triggered a rush on ‘priority’ legislation being pushed through Parliament, but it did not include the UK’s reform of data protection law via the Data Protection and Digital Information Bill (DPDI Bill). So, data protection in the UK, at least for now, continues without change.


In May, the EU AI Act (the Act) was approved by the European Council. The Act is the world’s first comprehensive law regulating AI, however, the Act doesn’t have any immediate effect and most provisions will not come into force for two years. The Act takes a risk-based approach so riskier AI attracts a greater compliance burden; indeed the Act includes an “unacceptable risk” category and AI which falls within it is banned – this provision comes into effect 6 months after the Act enters into force. Whilst not directly applicable in the UK post Brexit, the Act (like the GDPR) has extra-territorial scope meaning UK companies may find themselves subject to the Act and its penalties for non-compliance, which are even higher than the GDPR (up to the higher of EUR 35 million or 7% of the company’s global annual turnover in the previous financial year). As well as companies that are based in the EU, the Act also applies to: providers placing AI systems or generative AI models on the market in the EU (irrespective of where they are based); and providers and deployers of AI systems that are based outside the EU, where the output produced by the AI system is used in the EU.

Our data protection team have many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team, you can get in touch here or call us on 0800 2800 421.

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please contact [email protected].

Answers are just a click away

Make an enquiry