Data Protection Quarterly News Roundup (January to March 2026)
As expected it has been a busy start to the year. What we perhaps didn’t expect was that the Government would give us just two days’ notice before the majority of the DUAA changes to data protection law came into effect on 5 February. The reforms now in effect include changes to the ICO’s investigation and enforcement powers, changes to cookies rules and increased PECR penalties and a relaxation of automated decision making rules.
Aside from that, here are our top picks of the UK data protection news in the first quarter of 2026.
1. Abusive DSARs (although this is actually an EU case, Brillen Rottler, it’s interesting for the UK too). The Court of Justice confirmed a first request for access may be considered excessive and therefore abusive and validly refused if its sole purpose is to artificially create a situation whereby the data subject can subsequently claim compensation for an alleged infringement of the GDPR. This is because the true purpose of a DSAR is to allow a data subject to be made aware of the processing of their personal data and verify the lawfulness of that processing.
2. Data protection complaints. Organisations need to have a data protection complaints process (note the explicit requirement is to have a process not an external / published policy) in place from 19 June 2026 and the ICO have published guidance to assist organisations comply with this new DUAA requirement. You can read more in our article here.
3. Updated guidance. The ICO has updated its legitimate interests guidance, data protection by design and by default guidance (includes the ‘children’s higher protection matters’ duty for organisations that provide online services likely to be accessed by children), international transfers guidance and purpose limitation principle guidance.
4. New guidance – There has been a lot of new guidance from the ICO including guidance on how the ICO handles and assesses complaints and guidance on the new recognised legitimate interest lawful basis. The ICO has also published a report setting out its expectations for organisations using ADM to make hiring decisions.
5. Guidance consultations. The ICO opened a consultation on updates to its guidance on the Research, Archiving and Statistics and also its automated decision-making (including profiling) guidance, both due to DUAA.
6. Children’s data. The ICO (like Ofcom which is the regulator for the Online Safety Act) has been focused for some time now on protecting children online, and rightly so, the online world is a worrying place especially for children and their parents/carergivers. Until now the ICO’s focus has been on more traditional enforcement action against big tech and ‘encouragement’ to do better via open letters etc (especially when it comes to age assurance). In February the ICO fined MediaLab AI, Inc. (owner of Imgur which is an image sharing and hosting platform) for failing to implement measures to check the age of users, failing to carry out a DPIA to identify / reduce risks to children and processing personal data of children under the age of 13 without parental consent / any other lawful basis. They also fined Reddit for failing to process children’s data lawfully (in particular, failing to implement robust age assurance mechanisms). In early April the ICO launched something different called ‘Switched on to privacy’ which they explain is about “giving children the tools to make sense of the digital world, and their parents and carers the confidence to support them along the way”. This initiative is centred around a web hub of advice aimed at supporting parents and carers of children aged 11 and under so that children can be safe online.
After a busy start to the year, we’re sure there’s plenty more to come.
________________________________________________________________________________________
Disclaimer
This information is intended for general informational purposes only and does not constitute legal advice. We recommend seeking professional advice before taking any action on the information provided. If you would like to discuss your specific circumstances, please feel free to contact us on 0800 2800 421.
