Data law | UK Regulatory Outlook November 2025
Published on 26th November 2025
UK: ICO consultation on enforcement procedural guidance | ICO fines Capita £14m for data breach | Cyber Security and Resilience (Network and Information Systems) Bill introduced to Parliament | EU: Digital Omnibus - Proposals for simplification of EU data laws | European Parliament adopts regulation on cross-border GDPR enforcement | EDPB adopts opinions on draft UK adequacy decisions | EDPB consults on templates to help with GDPR compliance | EDPS publishes updated guidelines on use of generative AI | Interplay between the AI Act and the EU digital legislative framework
UK updates
ICO consultation on enforcement procedural guidance
The Information Commissioner's Office (ICO) is consulting on draft statutory guidance that will explain its process for investigations and enforcement under UK data protection legislation. Once finalised, the guidance will replace some of the existing guidance in the 2018 Regulatory Action Policy. (The ICO has already updated the fines guidance in the Regulatory Action Policy; see this Regulatory Outlook.)
The draft incorporates the new and amended powers brought in by the Data (Use and Access) Act 2025 (DUA Act), including the ability to require individuals to answer questions and to require organisations to commission an approved person to prepare a report on specified matters. It explains the process the ICO will carry out when conducting investigations.
The aim is to promote greater transparency and predictability about the process and help organisations plan engagement strategies and better anticipate timelines.
The ICO proposes to use the approach set out in this guidance in relation to the Privacy and Electronic Communications Regulations 2003 (PECR) and the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016, and notes that separate fining guidance for PECR will be published "in due course".
Responses to the consultation are due by 23 January 2026.
ICO fines Capita £14m for data breach
The ICO issued a £14m fine to outsourcing firm Capita for failing to ensure the security of personal data in connection with a major cyber attack in March 2023.
Capita plc has been fined £8 million and Capita Pension Solutions Limited £6 million, after attackers stole the personal information of approximately 6.6 million people, spanning pension scheme members, staff and customers of organisations that Capita supports, including sensitive and special category data.
The investigation found that Capita had failed to ensure the security of processing of personal data, which left it at significant risk, and had not maintained the appropriate technical and organisational measures to respond effectively to the attack. This included:
- A failure to prevent privilege escalation and unauthorised lateral movement within its IT environment.
- A failure to respond appropriately to security alerts.
- Inadequate penetration testing and risk assessment.
While the ICO's provisional intention was to fine Capita £45m, this was reduced to a voluntary settlement of £14m after the ICO considered Capita's representations on the provisional decision and the mitigating factors, which included improvements made, support offered to those affected and engagement with other regulators. Capita offered those affected 12 months' free Experian credit monitoring and a dedicated call centre, with over 260,000 people activating the service.
The ICO has emphasised the breach's preventability and the wider impact on public trust, and has highlighted broader lessons for industry, including applying least privilege access, timely alert response and monitoring, organisation-wide sharing of penetration test findings, investment in key controls and clarity over controller and processor responsibilities.
Cyber Security and Resilience (Network and Information Systems) Bill introduced to Parliament
EU updates
Digital Omnibus - Proposals for simplification of EU data laws
As part of its simplification drive, the European Commission has released its proposal to make significant changes to the General Data Protection Regulation (GDPR) and other data legislation. This is part of a wider proposed "Digital Omnibus Regulation" package, which also includes (among others) proposals for changes to the EU AI Act.
Key proposals include:
GDPR
The definition of "personal data" to be amended to make clear that information is not to be considered personal data in respect of a particular entity:
- merely because a potential subsequent recipient has the means reasonably likely to be used to identify the data subject, nor
- when it does not have the means reasonably likely to be used to identify the data subject.
There is also provision for the Commission and the European Data Protection Board (EDPB) to help controllers assess the position by specifying means and criteria relevant for an assessment, including the state of the art of available techniques and criteria to assess the risk of reidentification of pseudonymised data.
Additional exemptions from the prohibition on processing special category data in the following cases:
- Processing of biometric data, when it is necessary for confirming the identity of the data subject and when the data and means for such verification are under the sole control of that data subject.
- Residual processing of special categories of personal data for development and operation of AI, subject to conditions, including appropriate organisational and technical measures to avoid collecting such data, and removing it after use.
Related to this, but included in the separate AI Omnibus, there would be an extension to the situations in which special category data can be processed for the purposes of detecting and correcting bias in AI systems (subject to strict safeguards). This is currently limited to providers of high-risk AI systems, but would also cover (i) deployers of high-risk systems, and (ii) providers and deployers of non-high-risk systems and models where "reasonable and proportionate".
An amendment to make clear that organisations can rely on the GDPR's "legitimate interest" legal basis to use personal data for training or operating AI systems and models.
Clarification of the requirements for automated decision-making in the context of entering into, or performance of, a contract between the data subject and a controller, in particular that the requirement of "necessity" applies regardless of whether the decision could be taken otherwise than by solely automated means.
A controller will not have to notify a data breach to the competent supervisory authority unless the breach is likely to result in a high risk to the data subject’s rights, aligning this threshold with that for notification to affected data subjects. In addition, the notification deadline for breach reporting would be extended from 72 to 96 hours. It is also proposed that controllers use a new "single-entry point" when they notify data breaches to the supervisory authority.
Cookies
It is proposed that processing personal data via cookies and other tracking techniques would fall entirely under the GDPR, rather than the ePrivacy directive.
Consent will no longer be needed for some low-risk cookie uses including when providing services explicitly requested by the data subject, when creating aggregated audience measurements for the provider’s own online service, and certain security functions.
Other data laws
Repeal of the Data Governance Act 2022, the Open Data Directive 2019 and the Free Flow of Non-Personal Data Regulation 2018. The Data Act would remain as the central law and would incorporate the essential elements retained from those three acts.
Changes to definitions currently used in the Data Act. For example, the terms "data user", "data holder" and "public emergency" are to be harmonised and clarified.
Protection of trade secrets will be further strengthened by allowing data owners to refuse disclosure under the Data Act if this could result in sensitive information being transferred to third countries with an inadequate level of protection or which could compromise the EU's security interests.
Switching obligations under the Data Act will be amended. For example, customised services will be exempt from the interoperability requirements in existing contracts, and small and mid-cap companies (up to 750 employees) will be exempt from additional obligations.
There are many other changes. The proposals will now be submitted to the European Parliament and the Council of the EU for adoption, but reports suggest that they are likely to face challenges from certain EU countries and political groups.
For details see Osborne Clarke's Digital Omnibus site and Insight.
European Parliament adopts regulation on cross-border GDPR enforcement
The European Parliament has approved the text for the proposed EU Regulation on cross-border GDPR enforcement, which was delayed due to the European Parliamentary elections in June 2024. The regulation aims to clarify and speed up cross-border enforcement under the GDPR and encourage greater cooperation between Data Protection Authorities (DPAs). It also strengthens the rights of complainants. The new rules introduce the following changes:
- Early resolution – an early resolution procedure that can be used where a DPA can show that the infringement of the GDPR has ceased and the complainant does not object within four weeks.
- Simplified cooperation procedure – where the scope of an investigation by a DPA is clear, that DPA has handled similar cases before, and no other DPAs raise objections, the deadline for investigations can be shortened to 12 months (with scope for extension where required by national law).
- Quicker deadlines – once a DPA has been established as the lead supervisory authority, the investigation must be completed and a draft decision submitted within 15 months (with a possible maximum 12-month extension for complex cases).
- Complainants' rights – complainants can make their views heard before a decision on their complaint is made. A complainant's access to information throughout the procedure has also been enhanced and there is scope for member states to provide even greater access.
See Osborne Clarke's Digital Regulatory Timeline for more information. The next step is for the Council of the EU to formally adopt the new rules. They will then apply 15 months after publication in the EU Official Journal.
EDPB adopts opinions on draft UK adequacy decisions
The EDPB has adopted opinions on the European Commission's two draft implementing decisions on the adequacy of the UK's data protection legal framework in respect of the EU's GDPR and Law Enforcement Directive (LED) respectively, which will amend the current 2021 adequacy decisions and extend them until December 2031.
The 2021 adequacy decisions are currently due to expire on 27 December 2025, having been extended for six months back in May 2025 to allow the legislative process on the DUA bill (as it was then) to conclude. The bill became the DUA Act on 19 June 2025 and the Commission published its draft implementing decisions on adequacy in July 2025.
In its opinions, the EDPB welcomes the continuing alignment between the UK and EU data protection frameworks, noting that many of the UK's recent legislative changes (contained in the DUA Act) are aimed at clarifying and facilitating compliance with data protection law.
However, the EDPB calls for additional clarification by the Commission in certain areas, as well as ongoing monitoring of the UK's implementation of the changes contained in the DUA Act in case of divergence with the EU framework. In the GDPR opinion, the EDPB asks the Commission to:
- Monitor changes to the UK's Retained EU Law (Revocation and Reform) Act 2023 (REUL Act), in particular the removal of the principle of primacy of EU law and the direct application of the principles of EU law.
- Elaborate on its assessment, and monitor the implementation, of the new adequacy test under the DUA Act, which applies to transfers of personal data to third countries and transfers for law enforcement purposes. The EDPB considers that the level of this test is now diminished, and is concerned that the new test does not refer to the risk of government access to personal data, the fact that individuals have rights of redress or the need for an independent supervisory authority.
- Address possible risks of divergence by highlighting in its final adequacy decision the areas that it will monitor in respect of the expanded powers given to the UK secretary of state to make secondary legislation to introduce amendments in relation to international transfers, automated decision-making and governance of the ICO.
- Further assess and monitor changes to the structure of the ICO and the exercise of its enforcement powers.
In the LED opinion, the EDPB asks the Commission to:
- Expand on its assessment of, and carefully monitor, the UK's national security exemptions for law enforcement authorities, and be vigilant about divergence from the principles of proportionality and the legitimate purpose requirements for processing.
- Analyse the new adequacy test (as requested in the GDPR opinion).
- Clarify and monitor any UK exemption from the right of data subjects to human intervention in relation to automated decision making.
- Closely monitor the UK's application of enforcement powers and remedies of data subjects generally.
The Commission will now consider the EDPB's recommendations before seeking approval of its implementing decisions from a committee of Member State representatives. The European Parliament also has a right of scrutiny over the decisions. Once those steps are completed, the Commission can formally adopt the final implementing decisions.
EDPB consults on templates to help with GDPR compliance
The EDPB has opened a consultation to inform the development of ready-to-use templates to support organisations with GDPR compliance. It is inviting views on which templates would be most useful, such as a template for privacy notices and records of processing activities, and has confirmed that it is already preparing templates for data protection impact assessments and data breach notifications.
The consultation closes on 3 December 2025.