Data Protection Quarterly News Roundup (October to December 2025)
It is hard to believe another year has passed and we are in 2026, but let’s have a look at our top picks from UK data protection news in the final quarter of 2025.
1. AI Use. The ICO published its internal AI use policy in the hope it may be a “helpful starter” for organisations trying to put such a policy in place to provide guidance for their staff in relation to appropriate use of AI for business purposes (but beware it is very long!).
2. Cookies. In early December the ICO published an update on its work enforcing cookie rules across some of the UK’s top websites. Whilst their ‘cookie sweep’ only directly impacted those top websites, the issues they were checking for apply to all organisations operating websites, particularly given the ICO said it will continue to test and pursue non-compliant websites. The non-compliances being checked for are:
- Websites storing non-essential advertising cookies on user devices before users are offered the choice of whether to accept or reject them.
- Rejecting non-essential advertising cookies being a more difficult process than accepting them.
- Cookies being placed on user devices where the user has not consented or has rejected cookies.
3. Cyber Security. The Cyber Security and Resilience Bill, which will amend and expand the UK NIS Regulations (to create our version of the EU NIS2) had its first reading in the House of Commons. Cyber security and resilience must remain a priority for all organisations as we have discussed in our recent article.
4. International transfers. The EU renewed its adequacy decisions for the UK just before they expired at the end of December, and these new decisions are effective until 27 December 2031.
5. ICO enforcement powers. The ICO is consulting on new guidance about the process it follows when carrying out investigations and taking enforcement action under the UK GDPR and Data Protection Act.
6. ICO fines. Following its Capita fine in October, the year ended with two fines in November. A £1.2m fine was issued to LastPass for failing to implement sufficiently robust technical and security measures and a PECR fine of £30,000 was issued after Lead Pronto sent over 75,000 text messages without valid consent.
As ever, it is gearing up to be a busy year for data protection, particularly as we expect the DUAA data protection reforms to be fully rolled out before the end of 2026*.
*See the latest on the implementation of the DUAA reforms here.