Data Protection Quarterly News Roundup (April to June 2025)

  • Louise Thompson
  • 11 Jul 2025

The biggest news this quarter has to be the passing of the Data (Use and Access) Bill, but there has been plenty more to keep us busy too.

1. Data protection reform

After a delay whilst suggested Bill amendments ping-ponged between the House of Lords and the House of Commons, the Bill received Royal Assent on 19 June 2025. However, we will need to watch this space for further information on when different aspects of the new Act will come into effect, and for an update from the EU on the continuation of UK adequacy.

2. Simplification of the (EU) GDPR

Given the concern within the UK over the last few years that reform of the UK GDPR may risk our EU adequacy, it is interesting that there are now proposals for the EU to make their own changes to the GDPR. The proposals include extending the current ROPA (record of processing activities) exemption so that it will apply to more small/medium organisations.

3. AI regulation

It has been revealed that government plans to regulate AI have been delayed by at least a year. Peter Kyle, the Technology Secretary, has been quoted as saying the government intends to introduce a “comprehensive” AI bill in the next parliamentary session to address concerns about issues including safety and copyright. It also looks like the coming into force of certain provisions of the EU AI Act may be delayed.

4. ICO guidance

The ICO has issued updated encryption guidance and breach reporting guidance and is consulting on new IoT products and services guidance too.

5. International Transfers

The Irish data protection authority issued TikTok with a €530 million fine in relation to its transfers to China. Whilst this decision relates to breaches of the (EU) GDPR, there are lessons here too for UK controllers making international transfers to non-adequate countries.

6. Cyber Security

The Government has set out the expected scope of the Cyber Security and Resilience Bill, which includes:

  • Bringing more organisations into scope of the regulatory framework (currently the NIS Regulations), including managed service providers.
  • Strengthening supply chain security and enabling regulators to designate ‘Critical Suppliers’.
  • Empowering regulators and enhancing oversight, including improving incident reporting and delegating certain powers to the Secretary of State for the Department for Science, Innovation and Technology (DSIT).

The government has also published the final version of the Cyber Governance Code. This Code is designed to highlight relevant cyber governance responsibilities to boards and directors of medium and large organisations, but its principles will also be useful for small organisations. The Code sets out actions relating to risk management; cyber strategy; culture and people; incident planning, response and recovery; and assurance and oversight.

Disclaimer

This information is intended for general informational purposes only and does not constitute legal advice. We recommend seeking professional advice before taking any action on the information provided. If you would like to discuss your specific circumstances, please feel free to contact us on 0800 2800 421.
