Data Protection Update | Summer 2025

In this edition we look at: 

• Navigating Compliance: European Commission finalises the GPAI Code of Practice under the EU AI Act
• New Guidance on Disclosing Documents to Public Securely
• EDPB and EDPS Opinion: GDPR Simplification for SMEs and SMCs
• ICO Opens Second Consultation on Storage and Access Technologies Guidance
• FCA and ICO outline future areas of focus on open finance and smart data

---

Navigating Compliance: European Commission finalises the GPAI Code of Practice under the EU AI Act

By Joshua Day

Overview

The European Commission has now finalised its General-Purpose AI Code of Practice - a collaborative code to help general-purpose AI providers align with the EU’s vision for safe, transparent, and rights-respecting technology.

Published on 10 July 2025, the European Commission’s General-Purpose AI (GPAI) Code of Practice (the Code) marks a pivotal step in aligning industry innovation with the legal obligations of the EU AI Act.

Developed through a multi-stakeholder process led by independent experts across four Working Groups, the Code offers a voluntary framework for providers of general-purpose AI models to demonstrate compliance with key regulatory requirements - particularly around transparency, copyright, and systemic safety and security risks.

Key points

Why the Code matters

The EU AI Act introduces stringent obligations for providers of GPAI models, particularly those with systemic risk. The Code provides a structured, European Commission-endorsed pathway to meet these obligations, reducing administrative burdens and enhancing legal certainty for signatories.

Providers of AI model who voluntarily sign up to the Code will be able to demonstrate their compliance with the EU AI Act by adhering to the Code. This, in turn, will reduce AI model providers’ administrative burdens (subsequently offering greater legal certainty) than if they were to demonstrate compliance with the EU AI Act via other methods.

Structure of the Code

The Code is set out in three distinctive chapters, each addressing a core area of compliance:

• Transparency: Includes a user-friendly ‘Model Documentation Form’ to assist providers with meeting Article 53 obligations on transparency
• Copyright: Offers practical guidance for implementing policies that comply with EU copyright law
• Safety and Security: Targets providers of the most advanced models, detailing state-of-the-art practices for managing systemic risks under Article 55

Signatories to the Code

Providers of AI models have the option to voluntarily sign up to the Code by submitting a completed signatory form to the EU AI Office. All signatories to the Code benefit from a recognised compliance pathway and are listed publicly, with updates made regularly.

Major players such as Amazon, Anthropic, Google, IBM, Microsoft, and OpenAI have already signed up to the Code, and it is expected that other organisations will follow in due course.

Our views

For legal professionals and data protection officers, the Code offers a valuable benchmark for assessing AI model compliance. It reinforces the EU’s commitment to trustworthy AI, balancing innovation with the protection of fundamental rights.

---

New ICO Guidance on Disclosing Documents to Public Securely

By Paul Wiggins

Overview

The Information Commissioner’s Office (ICO) (soon to be Information Commission as proposed the under Data (Use and Access) Act 2025) has recently published new guidance to help organisations disclosure documents to the public securely, and, hopefully, minimise the risk of accidental personal data breaches.

The ICO guidance (Disclosing documents to the public securely: hidden personal information and how to avoid an accidental breach | ICO) contains practical steps to help organisation to identify hidden personal information and to educate them on when to remove or redact such information.

The guidance will be particularly relevant to organisations handling sensitive personal data under the UK GDPR, the Data Protection Act 2018, and the Freedom of Information Act 2000 (FOIA).

Key points

Whether publishing reports, responding to Subject Access Requests (SARs), or sharing documents externally, companies must:

• Conduct thorough reviews of all documents before disclosure
• Use reliable redaction tools and techniques
• Maintain clear records of disclosure decisions
• Seek expert advice in complex cases

Accidental data breaches often occur when personal information is unintentionally revealed —commonly through hidden metadata, overlooked spreadsheet cells, or incomplete redaction. Such errors can lead to reputational damage, regulatory scrutiny, and financial penalties.

The guidance includes helpful checklists with steps that organisations must take, should take, and / or could take when working with hidden data and/or redacting documents. The guidance and checklists are well worth considering or familiarising yourself with. As you may be aware, there is an obligation on organisations to:

• Minimise personal information captured and / or retained
• Ensure disclosures are lawful, fair, and transparent
• Respect individual rights
• Develop internal policies and procedures for secure disclosure
• Train staff on data protection responsibilities
• Follow the Data Sharing Code of Practice and other relevant ICO guidance

Our views

Freeths LLP is regularly instructed in relation to such breaches, and has seen a sharp rise in both the frequency of such incidents, and the willingness of individuals to bring claims off the back of them. With individuals more informed and empowered about their personal rights, the onus on organisations handling personal data is the greatest it has ever been with the consequences of mismanaging personal data severe.

---

EDPB and EDPS Opinion: GDPR Simplification for SMEs and SMCs

By Hema Singhal

Overview

On 8 July 2025, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) published a joint opinion on the European Commission’s proposal to simplify certain EU GDPR obligations for small and medium-sized enterprises (SMEs) and small mid-cap companies (SMCs). The aim is to reduce administrative burden for smaller organisations without weakening data protection rights.

Key points

What is being proposed?

The proposal would add formal definitions of SMEs and SMCs into the EU GDPR and would relax some record‑keeping duties. In particular, organisations with fewer than 750 employees may not need to maintain a Record of Processing Activities (ROPA), provided their processing is not likely to result in a high risk to individuals’ rights and freedoms. Currently, this derogation only applies to organisations under 250 employees, except in certain cases.

The initiative would also make sure that the EU GDPR’s tools for practical compliance—industry codes of conduct and independent certification schemes—explicitly cater to SMCs, aiming to give mid‑sized organisations clearer, proportionate routes to demonstrate that they comply.

What do the regulators say?

The EDPB and EDPS broadly support targeted simplification as long as accountability and fundamental rights remain intact. They stress that high‑risk processing—especially activities involving sensitive data or criminal‑offence data—must still trigger full documentation and controls, including ROPAs where appropriate. The regulators also ask lawmakers to justify the 750‑employee threshold with evidence and to refine the legal text so there is no doubt about when the ROPA derogation does not apply.

Why this matters to UK based businesses

Although this is an EU law initiative, many UK organisations are still directly affected by the EU GDPR because they have EU establishments, sell into the EU, or monitor behaviour of individuals in the EU. If the proposal passes, some EU facing operations may be able to streamline record keeping for non‑high‑risk processing. However, the proposal is not yet law and will still go through the EU legislative process, so there are no immediate changes to EU requirements.

UK law has not changed. The UK GDPR and Data Protection Act 2018 still require robust accountability, and the ICO expects a comprehensive, accurate ROPA that is regularly reviewed and supported by proper data mapping. Even if the EU widens the derogation, UK‑only processing should continue to meet ICO expectations.

Our views

The proposal is not yet law, so current EU GDPR duties continue to apply in full. If the changes pass, some SMEs and SMCs may see more flexibility around ROPAs, however, the core duties around risk assessment, DPIAs, security and transparency would not change. Any processing that is likely to create high risk will still require comprehensive governance and record‑keeping. Codes of conduct and certification schemes are intended to give SMEs and SMCs practical, sector‑ready pathways to demonstrate compliance, not to lower the bar. The safest course of action now is to maintain your existing records, strengthen your risk assessment for high‑risk processing, and keep an eye on sector codes or certifications that could simplify how you evidence compliance once the rules are finalised.

UK law remains unchanged and therefore you must continue to maintain a robust ROPA for UK processing in line with ICO guidance.

---

ICO Opens Second Consultation on Storage and Access Technologies Guidance

By Alex O’Neill

Overview

The Information Commissioner's Office (ICO) has initiated a second consultation on its draft updated guidance for storage and access technologies (SAT) - a framework that governs how organisations store or access information on users’ devices. This guidance, formerly known as the “detailed cookies guidance,” is undergoing revision to reflect the legislative changes introduced by the Data (Use and Access) Act 2025 (DUA Bill), which came into force on 19 June 2025. The consultation is open until 26 September 2025, and the ICO intends to finalise the guidance shortly thereafter.

The proposed revisions aim to align the SAT guidance with the Privacy and Electronic Communications Regulations (PECR), as amended by the DUA Bill. These changes are designed to modernise the UK’s digital privacy framework and clarify when organisations must obtain user consent for technologies such as cookies, tracking pixels, device fingerprinting, and web storage.

Under the previous SAT guidance, the ICO took a strict approach to user consent. Key principles included:

• Prior consent was required for most cookies and similar technologies
• The definition of “strictly necessary” was interpreted narrowly, limiting its application
• There was little flexibility for organisations using analytics or preference-based tools

This approach placed a heavy compliance burden on businesses, particularly those relying on digital analytics and personalisation technologies.

Key points

The new draft guidance introduces a more balanced framework, offering greater clarity and flexibility. Key updates include:

• Expanded exceptions: a new chapter titled “What are the exceptions?” outlines five scenarios where consent is not required
• Improved alignment with GDPR: the guidance clarifies how PECR and the UK GDPR interact, especially regarding lawful bases for processing
• Support for privacy-preserving technologies: the ICO now accommodates anonymous analytics and other tools that do not identify individuals

This marks a significant shift in the ICO’s regulatory stance - one that better balances privacy protection with operational practicality.

The newly added chapter “What are the exceptions?” identifies specific cases where organisations may store or access information on users’ devices without consent:

• Communication exception – technologies essential for transmitting a communication
• Strictly necessary exception – tools required to deliver a service explicitly requested by the user
• Statistical purposes exception – anonymous analytics that do not identify individuals
• Appearance exception – settings such as dark mode or font size preferences
• Emergency assistance exception – technologies used for emergency alerts or services

These exceptions provide businesses with clearer guidance on when consent is not required, helping reduce compliance risks while maintaining user trust.

Our views

To prepare for the finalised guidance, organisations should:

• Audit their current use of SATs to identify technologies that may qualify for an exception
• Update privacy notices and consent mechanisms to reflect the new rules
• Engage with the consultation process to ensure sector-specific concerns are considered

If you need support reviewing your organisation’s SAT practices or submitting a response to the consultation, our data protection team is here to help.

---

FCA and ICO outline future areas of focus on open finance and smart data

By Jaskeerat Sanghera

Overview

On 17 July 2025, the Digital Regulation Cooperation Forum (DRCF) published a joint article by the Financial Conduct Authority (FCA) and the Information Commissioner’s Office (ICO), outlining their shared vision for the future of open finance. This collaboration, part of the DRCF’s Horizon Scanning and Emerging Technology (HSET) project, aims to support innovation in financial services while ensuring robust data protection and consumer trust. This marks a significant step in aligning financial innovation with data protection, as regulators respond to the rapid evolution of data-driven services.

The FCA and ICO are focusing on how financial institutions can responsibly harness technologies such as APIs, artificial intelligence (AI), distributed ledger technologies (DLT), smart contracts, and digital identity tools. Their goal is to ensure that the UK’s evolving financial ecosystem remains secure, transparent, and centred on the rights of individuals.

Key points

• Smart data as a foundation: Open finance is underpinned by the concept of smart data—consent-based sharing of customer data with authorised third parties. This model requires a strong legal and ethical framework to ensure trust and compliance
• Regulatory collaboration: The FCA and ICO are working together to balance innovation with data protection. Their joint efforts aim to empower consumers and businesses while safeguarding information rights
• Emerging technologies: Key technologies identified include:
  
  • APIs for secure data sharing
  • AI for personalised financial services
  • DLT and smart contracts for transparency and automation
  • Digital identity verification to enhance security and user control
• Regulatory questions for exploration:
  
  • What lawful bases are appropriate for data sharing in open finance?
  • How can data minimisation be effectively implemented?
  • What role can privacy-enhancing technologies play?
  • How can AI use be made transparent and understandable to consumers?
  • Should regulators help develop common standards for interoperability?
• DRCF Workplan Commitment: The DRCF has committed to reviewing the role of regulators in a data-led economy as part of its 2025/26 workplan

Our views

The FCA and ICO’s initiative signals a clear direction: open finance is not just a technological evolution but a regulatory and ethical one. For organisations operating in this space, the message is clear—innovation must go hand-in-hand with accountability.

Steps to consider:

1. Review Data Sharing Practices: Ensure that data sharing is based on a clear lawful basis and that consent mechanisms are robust and transparent
2. Invest in Privacy-Enhancing Technologies: These tools can help achieve compliance while enabling new data-driven services
3. Prioritise Consumer Understanding: Especially where AI is used, firms should focus on explainability and education to build trust
4. Engage with Standards Development: Participate in industry and regulatory initiatives to shape interoperable and ethical frameworks
5. Stay Ahead of Regulatory Trends: Monitor developments from the DRCF, FCA, and ICO to anticipate compliance expectations and opportunities for innovation

Open finance presents a transformative opportunity—but only if trust, transparency, and data protection are placed at its core.