- DUAA complaint handling guidance: the ICO has now published its guidance on complaint handling (as per the new provision in the Data (Use and Access) Act 2025 (DUAA)). Essentially, Data Controllers will be expected to be the first port of call for data protection complaints (rather than the ICO), and have 30 days in which to acknowledge and respond to complaints. From the DUAA and ICO guidance, the expectation appears to be:
- Provide some form of messaging at the point of data collection about being able to complain and how – this also includes when responding to individuals’ rights requests (e.g. subject access requests)
- Provide a way for them to make a complaint (e.g. complaints form, complaints email, live chat, etc.)
- Consider putting in place a complaints procedure to include acknowledging receipt of complaint within 30 days, and how you’ll respond
- Make sure staff understand what data protection complaints are and what to do with them
- Keep a record of complaints and how they were dealt with (ICO have the right to ask for this)
- Recognised legitimate interests: the ICO’s guidance on Recognised Legitimate Interests (introduced by the DUAA) sets out five pre-approved public interest processing purposes (responding to a public task disclosure request, national security/public security/defence, emergencies, crime prevention/detection/investigation, and safeguarding) where the balancing test normally required under standard legitimate interests is disapplied by statute. Organisations must still satisfy themselves that processing is necessary and proportionate for the specific condition relied upon, must be transparent about which condition they’re using, must respect the right to object, and must meet additional requirements for special category or criminal offence data; public authorities cannot rely on RLI for their public tasks, and Article 22 automated decision-making is excluded.
- Use of ADM in recruitment: the ICO has published a report on the use of automated decision-making in recruitment (e.g. the use of AI to pre-vet suitability for a position), which it will use to inform a future update to its draft guidance on recruitment and selection. The report highlighted a number of findings for compliance:
- Better transparency about the use of such tools is needed
- Human involvement needs to be consistent across all candidates
- There is a need for adoption of good practice in monitoring fairness and bias
ICO enforcement
- Reddit fined £14.47 million after the ICO found the platform processed children’s personal information unlawfully – they had no robust age assurance measures and therefore no lawful basis for processing data belonging to under-13s. Reddit has indicated it plans to appeal.
- Imgur/MediaLab fined £247,590 for failing to implement any age assurance measures on Imgur, processing children’s data without a lawful basis and without a DPIA
- Capita & LastPass: analysis published in early February highlighted that the ICO issued a combined £15 million in fines against Capita and LastPass UK in Q4 2025 for data breaches resulting from cyberattacks, with key takeaways being the ICO’s use of NCSC guidance as the benchmark for “appropriate” technical measures, and the use of group/holding company revenue for fine calculations
- ICO issues first monetary penalty relating to data minimisation and privacy by design: the ICO has fined Police Scotland £66,000. The case arose after an individual reported an alleged crime and the police force extracted the entire contents of the individual’s mobile phone, including highly sensitive information, despite only a small portion being relevant to the investigation. That full dataset was then disclosed to a third party during a misconduct investigation, and Police Scotland failed to report this incident to the ICO within the statutory timeframe.
EU updates
- Proposed amendments to EU GDPR: the European Commission’s Digital Package proposes amendments to the GDPR, ePrivacy Directive, NIS2 Directive and Data Act, with the stated aim of simplifying the EU’s data laws, reducing compliance costs, and unlocking high-quality data for AI innovation. The earliest realistic timeline for any practical impact is late 2026 or 2027, and the changes (if adopted) will only apply where the EU GDPR applies. The key GDPR changes proposed include:
- Narrowing of the definition of personal data for pseudonymised data, so that data would not be considered personal for a given entity if that entity cannot identify the individual.
- Clarity around the use of personal data for AI training and relying on legitimate interest for AI development and deployment
- Possible increase in time limit for reporting data breaches
- Exemptions for using analytical cookies, and more browser-led cookie consent
- Ready-to-use templates for legitimate interest, records of processing activities and privacy policies, data breach notifications and Data Protection Impact Assessments (DPIA).
- EDPB publishes report on right to erasure enforcement: the EDPB has adopted a report under its Coordinated Enforcement Framework action on the right to be forgotten. The report highlights good practices identified across organisations, as well as recurring challenges they face when implementing the right to be forgotten, particularly noting the lack of appropriate internal procedures, reliance on ineffective anonymisation techniques, and difficulties in determining appropriate data retention periods. National data protection authorities, including the French CNIL, have already issued formal notices following on-site inspections.
- French “ICO” (CNIL) fines Orange €50m for failure to obtain consent for electronic direct marketing under the French Post and Electronic Communications Code, and for reading cookies after users had withdrawn consent. The CNIL also issued an order requiring Orange to stop reading cookies post-withdrawal within three months, subject to a daily fine of €100,000 for non-compliance.
- Italy’s Garante fined an unnamed bank €100,000 for blocking a customer’s right of access (subject access request) to their own personal data contained in phone recordings. The Garante determined that customers are entitled to access recordings of their own telephone orders to the bank.