Data Protection in 2026: The Issues Businesses Cannot Afford to Ignore

by Liz Appleyard

20 May 2026


Data protection remains one of the fastest moving areas of business risk and this year has already brought in significant changes in the legal and regulatory landscape for UK organisations.

The most significant change is the implementation of the key provisions of the UK’s Data (Use and Access) Act 2025 (“DUAA”), which has been the largest reform to UK data protection law since the introduction of the UK GDPR. Many of its key changes came into force on 5 February 2026, including the amendments to lawful processing grounds, subject access request procedures, cookie compliance and automated decision-making.

Businesses should not assume these reforms lessen compliance obligations; rather, they require organisations to revisit privacy notices, internal policies and data handling procedures to ensure they remain fit for purpose.

The Information Commissioner’s Office (ICO) has published guidance reflecting the changes that DUAA introduces to the UK GDPR. These include:

  • New guidance on recognised legitimate interest – this is a new lawful basis which lists “recognised legitimate interests” including processing for certain purposes relating to security, defence, emergencies, crime and safeguarding vulnerable individuals, as well as responding to public body requests.
  • Updated guidance on the existing legitimate interest lawful basis to reflect amendments introduced by DUAA. The legislation introduces an expanded range of processing purposes that are more likely to qualify as “legitimate interests”, including processing for the purposes of direct marketing, intra-group transmission of personal data (whether relating to clients, employees or other individuals) where that is necessary for internal administrative purposes, and network and IT system security.
  • Updated guidance on the purpose limitation principle to reflect amendments introduced by DUAA, which introduces clearer safeguards for when information can be reused for a new purpose.
  • Accompanying guidance on the reuse of personal information for a purpose other than that for which it was originally collected.
  • Updates to the guidance on automated decision-making, reflecting the growing reliance on algorithms. Under DUAA, organisations gain broader scope to use automated systems, so long as they implement suitable safeguards, regular review and accountability measures. These include, for example, providing individuals with information about any use of automated decision-making and the right to request a human review of any automated decision.

A second major area of focus is the increased regulatory scrutiny surrounding AI and data protection. The guidance updated by the ICO aims to align with DUAA to support organisations in adopting new technologies whilst ensuring the protection of individuals. The ICO has made clear that organisations using AI tools involving personal data must be able to demonstrate transparency, fairness and accountability throughout their decision-making.

Finally, cyber security and data breaches continue to be an important focus. Regulators expect organisations to maintain technical protections, and extend this expectation to evidence-based testing of response plans, regular processor oversight and breach escalation plans. A cyber incident is now viewed not only as an IT issue but as one that carries governance and reputational significance, with potential data protection consequences.

In light of the new legislative changes and new ICO guidelines, managing business risk relating to new technologies is an evolving risk management function rather than a discrete policy exercise. Organisations should take this time to review their operational functions, procedures and documentation to ensure that they are fully aligned with the new landscape.

Taken together, these developments underline a common theme: data protection compliance is no longer a “one size fits all” exercise. It is an active and evolving risk management function. Organisations that treat privacy compliance as a one-off policy exercise may find themselves exposed both operationally and from a regulatory standpoint.

Now is the time for businesses to review their data mapping, privacy documentation, third party contracts and internal breach response procedures to ensure they are aligned with the current legal landscape.
