The AI-enabled threat landscape: real world lessons from lawyers, PR and cybersecurity experts

In collaboration with Sodali & Co and LevelBlue, we have produced a new report offering vital insights into AI-driven cybercrime. Designed for non-technical executives and board members, it highlights key threats, practical talking points, and actionable steps to support discussions with risk, legal, and cyber security teams.

AI is transforming the cyber threat landscape, enabling faster, cheaper and more personalised attacks while lowering the entry barrier for malicious actors. These risks pose significant financial, operational and reputational challenges for businesses.

The Data (Use and Access) Act receives Royal Assent, bringing change to the UK’s data protection regime

On 19 June 2025, the UK’s Data (Use and Access) Act 2025 (the “DUA Act”) received Royal Assent.

This new legislation updates the UK’s current data protection regime, which comprises the UK General Data Protection Regulation (the “UK GDPR”), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (the “PECR”). The DUA Act will come into force in phases, expected to commence at two, six and twelve months after Royal Assent, giving you time to implement the necessary data protection changes in your organisation.

What does the DUA Act change and how does it impact organisations?

New ‘recognised legitimate interests’ lawful basis: when you rely on legitimate interests to use personal data, you must balance the impact on the people whose personal data you use against the benefits arising from that use – this is commonly done by way of a legitimate interests assessment (“LIA”). The DUA Act introduces a list of recognised legitimate interests for which you do not need to complete an LIA. This list is in Schedule 4 to the DUA Act, which inserts a new annex into the UK GDPR, and includes interests such as:

  1. Sharing personal data if a public authority confirms it’s needed for their public task
  2. Using personal data to safeguard national security, public security, or defence
  3. Using personal data to respond to emergencies under the Civil Contingencies Act 2004
  4. Using personal data to detect, investigate, prevent crime, or prosecute offenders
  5. Using personal data to protect vulnerable individuals from physical, mental and emotional harm or neglect and support their well-being

A new ‘assumption of compatibility’: under the purpose limitation principle, if you re-use personal data you have already collected for a different purpose, you must ensure the new purpose is compatible with the purpose for which you initially collected it. The DUA Act introduces a list of re-uses of personal data that are assumed to be compatible with the original purpose. This list is in Schedule 5 to the DUA Act, which inserts a new annex into the UK GDPR. Where the personal data was originally collected on the basis of consent, you can re-use it for one of the listed purposes only if it is not reasonable to obtain fresh consent, for example using personal data to:

  1. assess or collect taxes or duties; or
  2. comply with legal requirements.

‘Soft opt in’ for charities: if you are a charity, the DUA Act allows you to send electronic mail and SMS marketing to people whose personal data you collect when they support, offer support to or express an interest in your work – provided you offered them a chance to opt out when you collected their personal data and you give them a chance to opt out in every electronic communication thereafter.

New cookie exemptions: the DUA Act allows you to set some types of cookies without obtaining consent. Currently, you must obtain consent for all cookies that are not strictly necessary. The list of exemptions is in Schedule 12 to the DUA Act, which inserts a new schedule into PECR, so you will not need consent where the cookie or similar technology is used for:

  1. the sole purpose of carrying out the transmission of a communication over an electronic communications network;
  2. a strictly necessary purpose – the schedule gives a non-exhaustive list of examples, including security, fraud prevention, fault detection and authentication;
  3. the sole purpose of enabling a service provider to collect information for statistical purposes about how their online service is used;
  4. the sole purpose of enabling a service to adapt its appearance or functions in accordance with someone’s preferences; and
  5. the sole purpose of working out the subscriber’s or user’s geographical location when they request emergency assistance.

Note that for the statistical and appearance/function exemptions (items 3 and 4), the user must still be given clear information about the cookie and a simple means of objecting to it; these exemptions remove the consent requirement, not the transparency requirement.

Reasonable and proportionate searches under data subject access requests (DSARs): the DUA Act makes it clear that you only have to carry out reasonable and proportionate searches when someone asks for access to their personal data.

Complaints: individuals have certain rights in relation to their personal data, such as the rights to be informed, of access, to object, to erasure, to restriction and to rectification. The DUA Act introduces a right for people to complain to organisations and competent authorities if they think their personal information has been used in a way that does not comply with the law. This is similar to the complaints procedure for freedom of information requests. It places an obligation on organisations and competent authorities to:

  1. help people to make complaints, for example by providing an electronic complaints form; and
  2. acknowledge complaints within 30 days and inform the complainant of the outcome without undue delay.

They must also take appropriate steps in the meantime, such as making enquiries into the subject matter of the complaint and keeping the complainant informed about progress.

Using personal data for scientific research: the DUA Act makes it clearer when you can use personal data for the purposes of scientific research, including commercial scientific research. It makes the following clarifications:

  1. People can give “broad consent” to an “area of scientific research” rather than “specific” consent – as long as: the exact purpose was unknown at the time of consent, the consent aligns with recognised ethical standards for the research area, and individuals are given the option to consent to only part of the processing.
  2. You can re-use people’s personal data for scientific research without giving them a privacy notice if that would involve a disproportionate effort, so long as you protect their rights in other ways and still explain what you are doing by publishing the notice on your website.

Automated decision making – personal data: previously, decisions based solely on automated processing of personal data were restricted unless they were necessary for a contract between you and the individual, authorised by UK law or made with the individual’s consent. The DUA Act removes this restriction and allows an organisation to make solely automated decisions in a wider range of situations, as long as it has appropriate safeguards in place. Such safeguards include:

  1. providing the individual with information about the decision;
  2. allowing that person to make representations about the decision;
  3. enabling that person to obtain human intervention about the decision; and
  4. enabling that person to contest the decision.

There is no change to the restrictions on decisions based solely on automated processing of special category personal data – these remain restricted unless you have the individual’s consent or the processing is necessary for reasons of substantial public interest under the Data Protection Act 2018.

International transfers: various changes have been made to help make transferring personal data internationally easier. For example:

  1. The protection standard for transferring data now requires that the standard of protection “is not materially lower” than that under the UK GDPR and the Data Protection Act 2018 (previously, it required that “the protection of natural persons guaranteed by the UK GDPR is not undermined”). This is referred to as the data protection test.
  2. Schedule 7 to the DUA Act formalises the requirement for an organisation to carry out a transfer risk assessment for transfers made subject to appropriate safeguards (such as standard contractual clauses). It does this by requiring the organisation to consider “reasonably and proportionately” whether the data protection test is met.

There are also some operational and terminology changes: adequacy decisions are now called “transfers approved by regulations”; the Secretary of State is required to consider specific factors when applying the data protection test, to monitor approved transfers on an ongoing basis instead of reviewing them every four years, and gains new powers to recognise and introduce other transfer mechanisms; and there are minor adjustments to, and restructuring of, the existing transfer requirements.

PECR breaches and enforcement: there are changes to the rules under PECR, including:

  1. changing the period within which communications providers must notify the ICO of a personal data breach from “without undue delay” (and, where feasible, within 24 hours) to “without undue delay and, where feasible, not later than 72 hours after having become aware of it”, aligning it with the UK GDPR requirement to report a personal data breach;
  2. removing the requirement to establish that a contravention of PECR has caused substantial damage or substantial distress; and
  3. allowing the ICO to impose monetary penalties of up to £17.5m for certain failures to comply, aligning it with the UK GDPR monetary penalty cap.

Changes to the ICO: there are multiple changes around the structure and powers of the UK’s data protection regulator, the Information Commissioner’s Office, such as:

  1. The ICO can compel individuals working for or on behalf of an organisation to attend an interview and answer questions where there is suspected non-compliance with, or an offence under, data protection law.
  2. An extension of the time within which the ICO must issue a penalty notice after serving a notice of intent: from six months to six months or, if later, as soon as reasonably practicable.

Are there any new compliance requirements you have to meet?

Yes:

  1. If you provide an online service that is likely to be used by children, the DUA Act explicitly requires you to take their needs into account when you decide how to use their personal information. You should already satisfy this requirement if you conform to the ICO’s Age Appropriate Design Code.
  2. If you do not already do so, the DUA Act requires you to take steps to help people who want to complain about how you use their personal data, such as providing an electronic complaints form. You must acknowledge complaints within 30 days and respond to them “without undue delay”.

Next steps

  1. Familiarise yourself with the changes that the DUA Act makes to data protection laws.
  2. Map out how the DUA Act affects your organisation’s compliance with data protection laws, for example as “should do” and “must do” lists.
  3. Introduce a complaints mechanism that allows individuals to complain to your organisation if they believe it has not complied with data protection laws.
  4. Implement a data protection compliance programme accordingly.

If you would like more information, please feel free to reach out to one of our dedicated data protection lawyers, or if you would like to keep up to date with the latest in data protection, please subscribe to our quarterly newsletter, The Data Download.

The UK’s data protection regulator publishes a new code of conduct for UK private investigators and litigation services

On 13 November, the Information Commissioner’s Office (ICO) approved and published a new sector-owned code of conduct – the Association of British Investigators Limited (ABI) UK GDPR Code of Conduct for Investigative and Litigation Support Services (Code).

What is the Code?

The Code seeks to address key challenges faced by investigators and enable code members to demonstrate compliance with specific areas of data protection law in the provision of investigative and litigation support services.

It aims to provide sector-specific guidance and to increase accountability in the handling of personal data. Complying with the Code therefore helps you demonstrate compliance with the areas of UK data protection law that the Code covers; it does not replace your wider obligations under the UK GDPR.

The Code includes advice, guidance, and practical examples in relation to:

  • the roles and responsibilities of investigators;
  • how to conduct Data Protection Impact Assessments;
  • identification of the lawful basis for processing personal data;
  • Legitimate Interests Assessments including for invisible processing such as covert surveillance, tracking devices, background checks and social media monitoring; and
  • consent to share when tracing and locating individuals in certain cases.

How does the Code help your private investigation or litigation service?

  • Public confidence: Verified adherence to the Code is intended to give confidence to users and subjects of investigative and litigation support services. It demonstrates that Code members comply with key aspects of data protection law and operate to a high standard in key areas.
  • Reduce risk of enforcement action: demonstrating compliance with the Code reduces the risk of enforcement action by the ICO, making fines, reprimands or other regulatory action less likely in the event of a breach of data protection laws.
  • Due diligence carried out by users: Users of investigation and litigation services (particularly other businesses who are controllers) should be carrying out diligence on service providers. Your prospective clients may check whether you adhere to the Code when they are carrying out due diligence prior to instructing you.

Can I sign up to the Code? If so, how?

Investigators and litigation services can sign up to the Code voluntarily. Code membership is managed by an independent monitoring body that is approved by the ICO and accredited by UKAS. Code members must satisfy the monitoring body that they meet the requirements set out in Appendix I to the Code. These requirements include:

  • Administrative evidence: such as registration with the ICO, a basic DBS disclosure, two references, finance checks and a CV.
  • Training: satisfactory completion and maintenance of data protection training to a level comparable to the ABI UK GDPR compliance workshop, or training to an equivalent standard on the areas covered by the Code, including data protection impact assessments and lawful bases.
  • Roles and responsibilities: evidence that the Code member has documented, and communicated to its client, the roles and responsibilities for the data processing undertaken in delivering Code services. This could be evidenced, for example, by a copy of the client engagement letter and/or contract.
  • Case extracts: samples of Data Protection Impact Assessments, the lawful bases relied on and Legitimate Interests Assessments, in particular for processing involving children. The Code also notes that Code members must not maintain a register of criminal convictions.
  • Complaints: evidence of any data protection complaints received by the Code member from individuals and of the steps taken to respond to them, and, where relevant, evidence that the Code member has communicated with the monitoring body in accordance with the Code and its cooperation criteria during any monitoring body investigation of an alleged breach of the Code.

The Code builds on the existing standards and criteria required for ABI membership. However, Code members are not required to be ABI members: Code membership is available to any agency in the sector that meets the Code member criteria in Appendix I to the Code, whether affiliated to the ABI or not.

What to do next?

We can assist you with your data protection compliance programme ahead of signing up to the Code. The following checklist describes the compliance steps we suggest you cover:

  • Registration with the ICO: As a data controller you are obliged to pay a fee to the ICO depending on your size.
  • Records of processing activities: this document explains what personal data you process, how, who it is shared with and why. It is a legal requirement under the UK GDPR in most cases and, in any event, is a necessary exercise in order to satisfy the other requirements below.
  • Privacy policies: such as a website privacy policy, an employee privacy policy, a recruitment privacy policy and a privacy policy for users and third parties who are subject to your services – these satisfy the transparency requirements.
  • Cookie audit, cookie policy and consent mechanism: the cookie banner is the mechanism through which you obtain consent before setting non-essential cookies. A good cookie banner is tailored to your needs and allows users to decide which types of cookies they accept. This is a requirement under PECR.
  • Assessments: Such as Data Protection Impact Assessments, Legitimate Interests Assessments and Transfer Risk Assessments – this is to demonstrate your compliance and prove accountability.
  • Supplier onboarding checklist and procedure and template data sharing clauses: To ensure you have carried out due diligence on any third parties you choose to use to help fulfil your services.
  • Data protection rights procedure: this document sets out how to manage DSARs and other requests relating to an individual’s personal data. Dealing with these requests is a legal requirement, and getting it wrong can lead to fines and reputational damage.
  • Security incident management policy: this document sets out what each team must do in the event of a personal data breach, including how incidents are detected, contained and assessed, and how you decide whether the breach must be notified to the ICO (within 72 hours of becoming aware of it) and to the affected individuals. Notifying reportable breaches is a legal requirement, and getting it wrong can lead to fines and reputational damage.
  • Regular privacy training: we can provide introductory or further training sessions depending on what your staff have already received. To comply with your security obligations you must train staff so that human error is avoided as far as possible and so that they understand what the UK GDPR requires of them.
  • Data handling policy: this policy explains why data protection is important and how you and your staff comply with data protection laws on a day-to-day basis.
  • BYOD and acceptable use policy: this policy sets out the rules on how employees may use their personal devices for work, including acceptable use practices.
  • Data security policy: this policy documents how you keep data secure from both an organisational and a technical perspective.
  • Data retention policy: this document explains how long you keep each type of data and how it is disposed of at the end of that period.

If you would like more information, please feel free to reach out to one of our dedicated data protection lawyers, or if you would like to keep up to date with the latest in data protection, please subscribe to our newsletter, The Data Download.

Further details about the Code can be found here.