Data protection round up – what can we learn from 2025?
To coincide with International Data Protection Day on 28 January, Rhiannon Hastings, data protection paralegal, reviews some of the key trends and topics discussed during 2025 and how your organisation can take those learnings into 2026.
New legislation
As you may have seen, our previous articles discussed the key changes and amendments that the Data (Use and Access) Act 2025 (DUAA) makes to the existing data protection regime.
The DUAA received royal assent on 19 June 2025 and is the latest development to modernise the UK data protection legislation (which includes the Data Protection Act 2018 and the UK GDPR). Key changes your organisation may need to consider include:
- being aware of the new ‘recognised legitimate interest’ lawful basis;
- implementing a complaints procedure to manage complaints relating to data protection rights requests;
- using certain analytics cookies (those used solely for statistical purposes to improve the service, where the user is given clear information and a simple way to object) without having to obtain consent; and
- if your organisation is a charity, understanding the direct marketing rules under the Privacy and Electronic Communications Regulations 2003 (PECR), as the DUAA extends the ‘soft opt-in’ to charities.
The key changes listed above are not yet in force at the time of writing. However, all provisions are due to be in force no later than 19 June 2026, so we recommend reviewing your organisation’s current data protection framework now and identifying any gaps that will need to be addressed to comply with the changes introduced by the DUAA.
Increase in cyber attacks
In 2024, the UK was reported to be the most targeted country in Europe for cyber attacks, with over 40% of UK businesses experiencing an attack. Whilst some cyber attacks and other security breaches are minor and simple to rectify, others can have devastating consequences for a business, from financial loss to reputational damage.
To reduce the likelihood of a cyber attack, or to limit its impact if one does occur, consider putting the following in place to safeguard your organisation:
- regular staff training to identify, detect and manage cyber attacks and other security breaches;
- clear and concise policies and procedures for staff to refer to when managing a cyber attack or other security breach; and
- appropriate technical and organisational measures (as Article 32 of the UK GDPR requires) to safeguard the personal data and confidential information your organisation holds.
AI-generated subject access requests
As Artificial Intelligence (AI) has become more accessible and user friendly, we have seen a rise in AI-generated subject access requests (SARs). Although a useful tool for data subjects, these requests can be burdensome for organisations, with some running to 30 pages or more. So, what can you do to manage this?
The UK data protection legislation is clear that a data subject can make a SAR verbally or in writing. As long as it is clear that they are requesting copies of their personal data, their SAR is valid. However, in circumstances where it is unclear whether the data subject is making a SAR, or it is unclear as to what is being requested (which is a common issue with AI-generated SARs), organisations are entitled to seek clarification from the data subject before responding to the SAR.
Seeking clarification provides organisations with an opportunity to narrow the scope. For example, an organisation can ask the data subject to reduce the scope of their SAR to a specific time period or to a particular subject matter.
Between the time the organisation seeks clarification and the data subject responds, the one-month response period is paused (the ‘clock stops’), meaning the organisation does not have to comply with the SAR until the data subject has confirmed which personal data they wish to receive.
However, it is important to note that organisations cannot seek clarification on a blanket basis: a request for clarification must be genuinely needed to locate the information, and an organisation cannot force a data subject to narrow the scope, as it is their right to obtain copies of all their personal data.
Public guidance and resources
Over the last year, the Information Commissioner’s Office (ICO) has published more guidance and resources on different aspects of data protection to support organisations of all sizes.
Just in case you missed it, here is some of the guidance and resources the ICO published in 2025:
- direct marketing advice generator (published on 5 February 2025);
- tools to help FOI practitioners stay ahead of challenges (published on 31 March 2025);
- guidance to help smart product manufacturers get data protection right (published on 16 June 2025); and
- guidance on disclosing documents to the public securely (published on 31 July 2025).
In addition to the above, the ICO is currently consulting on new guidance bespoke to the changes introduced by the DUAA, for example on putting in place a complaints procedure to manage complaints relating to data protection rights. To ensure your organisation is equipped with the resources needed to comply with the DUAA, we recommend regularly checking the ICO’s website for useful resources.
Need further support?
For more information on what we have discussed in this article, or if you require any assistance in dealing with the above, please contact Rhiannon Hastings by emailing: [email protected].