Welcome to the Autumn edition of the Freeths Data Protection Update.

In this edition we look at:

  • ICO consults on data protection enforcement procedural guidance
  • EDPB adopts opinions on draft UK adequacy decisions
  • Government calls on businesses to strengthen cyber resilience
  • ICO’s refreshed encryption guidance: What it means for your business
  • Dismissal of the action for annulment of the EU-US data privacy framework
  • UK government’s AI assurance roadmap – what businesses need to know

ICO consults on data protection enforcement procedural guidance

By Josh Day

Overview

The Information Commissioner’s Office (“ICO”) has launched a public consultation on its draft Data Protection Enforcement Procedural Guidance (“Guidance”), which sets out how the regulator intends to exercise its investigatory and enforcement powers under the UK GDPR and Data Protection Act 2018.

The consultation opened on 31 October 2025 and will run until 23 January 2026.

What’s behind the Guidance?

Recognising that it has built up significant experience in applying its statutory powers since the publication of the Regulatory Action Policy in 2018, the ICO released the Guidance to provide greater transparency and certainty for organisations processing personal data by outlining the steps it takes during its investigations and enforcement actions.

The Guidance also references changes introduced by the Data (Use and Access) Act 2025 (“DUAA”), which further expands the ICO’s powers, including:

  • requiring individuals to answer questions; and
  • mandating organisations to arrange for an approved person to prepare a report on specified matters.

The Guidance will replace existing sections of the Regulatory Action Policy (published in November 2018) and will sit alongside the Data Protection Fining Guidance, which governs the calculation of fines.

Scope and audience

The ICO has confirmed that the Guidance is primarily aimed at companies that process personal data but will be of wider interest to advisers and stakeholders seeking clarity on the ICO’s approach.

Whilst the Guidance touches on information-gathering powers relevant to infringements of data protection legislation and criminal offences, it does not cover criminal prosecutions in detail.

Key features of the Guidance

A comprehensive overview of the ICO’s enforcement process is set out in the Guidance, comprising 12 components including:

  • Opening an investigation and what to expect: Criteria for initiating cases and alternative resolution methods
  • Information gathering: Use of statutory powers such as information notices, assessment notices, and interview notices
  • Limits on powers: Guidance on privileged communications, self-incrimination, and handling confidential information
  • Outcome of investigations: Explanation of the ICO’s ability to conclude its investigations in several ways and the potential outcomes available to it
  • Warnings, reprimands, enforcement notices and penalty notices: Procedures for issuing warnings, reprimands, enforcement notices, and penalty notices
  • Settlement procedure: Proposed approach for resolving cases through settlement, based on previous experience with major organisations
  • Rights of appeal: Explanation of appeal mechanisms against statutory notices

What impact does the DUAA have?

The DUAA aligns enforcement powers under the Privacy and Electronic Communications Regulations 2003 (“PECR”) and the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (“EITSET”) in relation to infringements of UK eIDAS (the legal framework for the use of electronic trust services within the UK) with those under data protection legislation.

The ICO is seeking views on whether to consolidate guidance across these regimes or maintain them as separate, standalone documents.

Responding to the consultation

Stakeholders are able to respond to the consultation on the Guidance via the ICO’s online survey or by email to epg@ico.org.uk. The ICO has encouraged detailed feedback, particularly on whether the proposed approach should extend to PECR, EITSET and UK eIDAS enforcement.

Once finalised, the Guidance will become statutory under sections 160(1) and 133 of the DPA 2018, providing updated rules on enforcement notices, penalty notices, and privileged communications.


EDPB adopts opinions on draft UK adequacy decisions

By Hema Singhal

What has happened?

The European Data Protection Board (EDPB) has reviewed and published its opinions on the European Commission’s draft decisions to keep the UK’s data adequacy status. This status allows personal data to flow freely from the EU to the UK without extra legal steps. The current adequacy decision, granted after Brexit, will expire in December 2025, and the Commission wants to extend it until 2031.

While the EDPB broadly supported the continuation of the UK’s adequacy status, it expressed serious reservations about recent legislative and regulatory developments that could weaken data protection guarantees. These include:

  • The UK’s post-Brexit reforms, such as the Retained EU Law (Revocation and Reform) Act, have removed the primacy of EU law and allowed greater flexibility for domestic interpretation. This shift could lead to progressive divergence from EU standards, undermining the principle of “essential equivalence”
  • The UK Secretary of State now holds broad authority to amend core data protection rules through secondary legislation. These powers cover critical areas like international transfers, automated decision-making, and oversight of the Information Commissioner’s Office (ICO). The EDPB warned that such discretion could introduce legal uncertainty and weaken safeguards without parliamentary scrutiny
  • The UK’s revised adequacy framework for international data transfers omits explicit references to essential protections—such as government access limitations, individual redress mechanisms, and independent oversight—that were previously considered fundamental under EU law
  • Changes to the ICO’s governance structure, including appointment processes and complaint-handling procedures, could compromise its independence

Key takeaways

The EU plans to extend the UK’s adequacy decision until 2031, but it’s not final yet.

  • Watch for changes: UK reforms give the government more flexibility to alter data protection rules. Businesses should monitor updates
  • Compliance still matters: Even with adequacy, companies must follow UK GDPR and EU standards when handling EU personal data
  • Encryption and security: Concerns about government powers to weaken encryption could lead to future reviews. Strong security practices remain essential
  • Stay informed: The European Commission will make the final decision soon. Businesses should keep an eye on announcements and prepare for any changes

Our views

If the UK loses its adequacy status, EU businesses would need to put in place complex contracts and safeguards before sharing data with UK companies. This would mean:

  • Extra paperwork and costs for compliance
  • Delays in data transfers, which could impact operations
  • Risk of losing EU clients who prefer working with partners that have simple, compliant data flows

Keeping adequacy means UK businesses can continue trading and collaborating with EU partners without disruption.


Government calls on businesses to strengthen cyber resilience

By Jaskeerat Sanghera

Overview

The UK government has issued a letter to major organisations with urgent advice about the growing risk of cyber attacks. In a recent letter to FTSE100 and FTSE250 companies, as well as other large businesses, ministers urged boards to prioritise cyber security and adopt best practices to protect critical services and supply chains. The letter highlights the economic and national security risks posed by cyber attacks and sets out three immediate actions businesses should take to protect themselves and the wider economy.

The call to action comes amid increasing threats to the UK’s digital economy, with ransomware and supply chain vulnerabilities posing significant risks. Cyber resilience is now recognised as a critical enabler of growth and stability. Recent high-profile incidents demonstrate that organisations recover faster when they have planned and rehearsed their response to major cyber events.

Key takeaways

  • Make cyber risk a board-level priority: Cyber risk should be treated as a strategic priority. The government recommends adopting the Cyber Governance Code of Practice so that cyber security is embedded into strategic decision making
  • Early warning alerts: Businesses are encouraged to sign up for the NCSC Early Warning Service. This free service alerts organisations to potential cyber attacks, providing valuable time to detect and mitigate threats before they escalate
  • Supply chain security: Supply chain attacks are rising, yet only 14% of UK businesses assess supplier cyber risk. Cyber Essentials certification significantly reduces vulnerability and is already mandated for most government suppliers. Organisations should require Cyber Essentials certification across their supply chains to ensure consistent security standards
  • Assessment tools: Businesses are encouraged to use the Cyber Assessment Framework (CAF) to benchmark resilience and the Cyber Action Toolkit, which offers practical steps for improving resilience
  • The government also flagged the forthcoming Cyber Security and Resilience Bill, which will increase protections for essential and digital services

Our views

This announcement reinforces the expectation that cyber security is not just an IT issue but a governance and compliance priority. Boards must take ownership of cyber risk and ensure robust measures are in place across their organisation and supply chain. Failure to implement robust measures could lead to regulatory scrutiny and reputational damage.

We recommend:

  • Reviewing board-level engagement with cyber risk
  • Assessing supply chain security obligations in contracts
  • Considering certification schemes like Cyber Essentials as part of due diligence
  • Using the CAF to benchmark resilience against best practice
  • Monitoring developments on the Cyber Security and Resilience Bill and assessing potential impact on your business

Proactive steps now will reduce exposure, protect reputation, and demonstrate compliance with evolving regulatory expectations.


ICO’s refreshed encryption guidance: What it means for your business

By Alex O’Neill

Overview

The Information Commissioner’s Office (ICO) has published updated guidance on encryption as part of its Guide to Data Security, finalised in September 2025 following a summer consultation. This update clarifies the ICO’s expectations under the UK GDPR security principle and reinforces encryption as a key safeguard against data breaches.

The guidance is aimed at data controllers, processors, and anyone responsible for implementing encryption measures. It provides practical advice on how to comply with Articles 5(f) and 32 of the UK GDPR, which require organisations to adopt “appropriate technical and organisational measures” to protect personal data.

Key takeaways

In summary, the ICO’s guidance says that:

  • Inadequate encryption has been a recurring factor in serious data incidents. Organisations are therefore expected to take a risk-based approach, assessing the sensitivity of the data they hold, the potential impact of a breach, and whether encryption is an appropriate safeguard
  • Encryption should be considered across multiple contexts, including laptops, servers, removable media, mobile devices, and cloud storage. For data in transit, secure protocols such as HTTPS and TLS should be used, while outdated protocols like SSL should be avoided. Strong key management and certificate upkeep are essential to maintaining a robust security posture
  • Encryption alone does not eliminate risk. It should be combined with other measures such as access controls, monitoring, and staff training. The ICO expects encryption solutions to conform to recognised standards such as FIPS 197 or FIPS 140-3, use strong algorithms and sufficiently large key sizes, and be documented in formal policies
  • Organisations should review their encryption measures regularly to ensure they remain effective and reflect current best practice
  • Documenting encryption decisions and policies is critical to demonstrating accountability under the UK GDPR

The ICO also sets out examples of where encryption should be applied, such as email communications, backups, physical media, CCTV systems, and IoT devices.

Our views

Encryption should now be treated as a baseline expectation rather than an optional extra. Given its low cost and widespread availability, organisations that fail to implement encryption risk being seen as negligent. However, simply deploying encryption is not enough. The ICO expects organisations to embed encryption within a formal security framework, supported by documented policies, regular reviews, and staff training.

We recommend that businesses update their risk registers to include encryption, adopt or refresh encryption policies, and ensure that legacy protocols such as SSL are replaced immediately. Key management processes should be robust, with regular rotation and audits. Finally, encryption should be part of a layered security strategy that includes access controls, monitoring, and incident response planning.

Although the ICO’s guidance is not legally binding, it is now central to demonstrating compliance with the UK GDPR. Organisations that take a proactive, structured approach to encryption will be better positioned to protect personal data, reduce regulatory risk, and maintain trust in an increasingly data-driven environment.


Dismissal of the action for annulment of the EU-US data privacy framework

By Shireen Eliyas

Overview

EU General Court delivers landmark ruling: EU-US Data Privacy Framework upheld, paving the way for secure transatlantic data transfers.

Background of the case

The EU-US Data Privacy Framework (DPF) was established to enable transatlantic data transfers while ensuring appropriate protection of personal data, following the invalidation of prior arrangements such as Safe Harbour and the Privacy Shield. The DPF was intended to address concerns highlighted by the Court of Justice of the European Union (CJEU) regarding United States surveillance practices and the lack of effective legal remedies for EU citizens.

Upon its adoption, critics expressed doubts as to whether the DPF sufficiently protected individuals’ rights under the General Data Protection Regulation (GDPR) and the Charter of Fundamental Rights of the European Union. Such concerns led to legal action before the General Court of the European Union, seeking annulment of the Framework on the basis that it did not provide adequate safeguards for personal data transferred to the United States.

Outcome of the case

On 3 September 2025, the General Court of the European Union handed down its judgment, dismissing the action for annulment of the EU-US Data Privacy Framework. The Court found that the Framework offered sufficient guarantees for the protection of personal data and met the requirements set out by the CJEU in previous cases, notably Schrems I and Schrems II.

The Court emphasised the presence of new oversight mechanisms and enhanced legal remedies available to EU data subjects under the DPF. It concluded that the Framework was not manifestly inadequate and that the European Commission had appropriately assessed the level of protection provided by the United States.

Key takeaways

  • Legal certainty for data transfers: The dismissal of the annulment action delivers essential legal certainty for businesses transferring personal data between the EU and the US under the DPF
  • Enhanced safeguards: The Court’s decision underscores the DPF’s improvements over previous frameworks, including new mechanisms for independent oversight and individual redress
  • Ongoing scrutiny: Despite the dismissal, the DPF will continue to be closely scrutinised by privacy advocates and regulatory bodies. Further legal challenges may emerge, particularly as US surveillance practices and data protection standards develop
  • Impact on UK transfers: Although the United Kingdom is no longer an EU member, the decision may affect the UK’s approach to data transfers with the US, given its continued alignment with EU data protection principles
  • Importance for multinational organisations: Organisations operating across the EU, US, and UK should monitor ongoing developments and ensure compliance with the latest requirements relating to data transfers

Our views

In summary, the General Court’s decision upholds the EU-US Data Privacy Framework as a valid mechanism for transatlantic data transfers. This represents a significant milestone in the continuing effort to balance international data flows with robust privacy protections, though it is clear that legal and regulatory debate in this area will persist.


UK government’s AI assurance roadmap – what businesses need to know

By Molly McCormick

Overview

On 3 September 2025, the UK Department for Science, Innovation and Technology (DSIT) published the policy paper Trusted Third-Party AI Assurance Roadmap (the Roadmap), setting out the government’s vision for developing a credible and scalable AI assurance market.

The UK aims to build a strong third-party assurance market to help ensure AI systems are trustworthy, safe, and used responsibly. By doing so, the government hopes to boost confidence in AI, drive economic growth, and make the UK a leading destination for AI adoption.

AI assurance refers to processes that measure, evaluate, and communicate the trustworthiness of AI systems. Third-party assurance providers are particularly important as they independently verify the trustworthiness of AI systems, especially for businesses that lack in-house expertise.

The UK’s AI assurance market is currently valued at £1.01 billion and the Roadmap projects that the market could grow substantially to reach £18.8 billion by 2035, provided barriers to adoption are addressed.

This Roadmap is therefore a key step in ensuring that AI systems are deployed responsibly and in compliance with legal and ethical standards.

Key government actions

The Roadmap outlines immediate government actions to support this emerging sector:

Professionalisation

  • DSIT will establish a UK consortium of stakeholders to develop a future AI assurance profession
  • The consortium will develop a code of ethics, a skills and competency framework, and eventually work towards certification/registration for assurance professionals

Skills development

  • Create a detailed skills framework for AI assurance, mapping what professionals need to know
  • Assess current training provision and whether further investment is needed to build a diverse and capable workforce

Information access

  • Develop best-practice guidelines on how firms and auditors should share data, balancing transparency with confidentiality/security
  • Explore technical solutions (e.g., secure environments) to allow auditors to examine AI systems safely

Innovation

  • Launch an £11 million AI Assurance Innovation Fund in 2026 to support development of new assurance mechanisms
  • Use the fund to pilot assurance solutions, especially in key industrial sectors, and encourage cross-sector collaboration

Key takeaways

1. Conduct an AI governance review

  • Ensure policies cover transparency, accountability, and ethical compliance
  • Map current assurance practices against anticipated standards

2. Prepare for assurance readiness

  • Document AI system design, data sources, and decision-making processes
  • Implement robust monitoring and audit trails

3. Engage early with stakeholder consultations

  • Participate in DSIT’s consultations and industry forums to influence standards and ensure your business is represented

4. Monitor regulatory developments

  • Track progress on UK and EU AI regulations to anticipate compliance obligations

5. Invest in skills

  • Upskill internal teams or partner with emerging assurance providers
  • Monitor developments in certification schemes

6. Consider contractual updates

  • Include provisions for assurance obligations in supplier and customer agreements
  • Address confidentiality and data-sharing protocols for audits

Our views

Businesses should act now to position themselves for compliance and competitive advantage. Early adoption of assurance practices will not only mitigate regulatory risk but also enhance trust with customers and stakeholders.

The government aims to drive collective action to boost the quality and growth of the UK’s third-party AI assurance market. Stakeholders wishing to engage can contact DSIT by email at ai-assurance@dsit.gov.uk.

If you have any queries regarding the content within this update, get in touch with the authors of the articles or another member of our Data Protection team.

The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.
