In the fast-paced, ever-changing world of data, privacy and cyber, staying ahead of the curve is crucial. With developments in AI, online safety, tracking technologies and international data transfers, organisations in the EU and UK face an increasingly complex landscape. Following Data Protection Day last month, our UK firm has identified ten key themes they believe will significantly impact businesses in the year ahead.
1. Artificial Intelligence (AI) and regulation
With no dedicated AI Bill on the horizon in the UK, and political signals suggesting that this is unlikely to change, the UK appears set to continue with a light touch, innovation first model. This aligns with the US administration's push for a national, centralised pro-AI framework.
However, while light touch AI regulation might continue to exist, expect more regulatory guidance that will likely have an impact on how organisations deploy AI. For a start, the UK's Data Protection Authority, the Information Commissioner's Office (ICO), is expected to refresh key technology guidance this year, including the automated decision making and profiling guidance expected this Spring. Also expected are sandboxing initiatives such as the 'AI Growth Labs' and targeted obligations under the Data (Use and Access) Act 2025 (DUAA), including the government's report on AI and copyright due on 18 March 2026.
We are also likely to see regulators including the Financial Conduct Authority, ICO, Ofcom and Competition and Markets Authority co-ordinating and tightening their scrutiny. This is anticipated, for example, through their participation in the Digital Regulation Co-operation Forum on projects such as agentic AI and aligning regulatory understanding of new AI applications.
Across the Channel, it seems the EU AI Act continues to set the blueprint for AI regulation with more provisions coming into force throughout 2026. It will be interesting to see to what extent these provisions might be impacted by the Digital Omnibus proposals.
While there is some uncertainty around the level of regulation at EU level, it seems that certain Member States are ploughing on with their own agenda. For example, Italy has become the first country to enact its own national AI legislation, building on its 2020 AI strategy. If EU-level timelines slip further, more countries may follow suit. This could create a layered and multi-tier system in which EU rules, Omnibus driven amendments and national approaches interact simultaneously.
While there might be a delay in certain provisions of the EU AI Act, AI literacy is very much in force and therefore we will no doubt be seeing lots more businesses rolling out AI literacy programmes.
2. Data Reform in the UK
While several provisions of the DUAA have come into force since its enactment in July 2025, we will see the majority of the remaining legislation come into force over this year. One of the biggest developments expected is the transition of the ICO to the Information Commission (IC). Although the shift may appear structural, it represents a significant move to a new governance model designed to provide clearer accountability, improved oversight and more consistent regulatory decision making. For organisations, this means keeping a close watch on how the IC sets its early priorities and how its new powers and structure translate into day-to-day supervision and enforcement.
We also expect to see a stream of regulatory updates. While the ICO has already updated some of its guidance, the remainder is likely to be revised over the course of the year. The key message for organisations is to track these developments closely.
We are now waiting for the commencement orders that will bring in the next two phases of provisions, with full implementation expected by 19 June 2026. Therefore, organisations will need to treat DUAA implementation as an ongoing transition.
It will be interesting to see the impact of other key changes around relaxation of Article 22 UK GDPR, introduction of the statutory right to complain, and proposed cookie changes (see further below).
3. International Data Transfers
The big, if expected news at the end of 2025 was the renewal of the EU's adequacy decisions for the UK, ensuring the continued free flow of personal data from the EEA to the UK. The new adequacy decisions are for a period of six years, lasting until 27 December 2031, unless the now familiar sunset clause is invoked.
Mid-2026 is to herald the end of the UK government's review of existing data bridges and signal the start of new data bridges. Will the UK follow the EU and find Brazil adequate next? It will be interesting to see if priorities have changed due to the shift in the geopolitical landscape – so definitely watch this space!
The ICO issued their updated streamlined guidance on international transfers. Work is also ongoing in this area with Transfer Risk Assessments and guidance on the international data transfer agreement and cloud services on the agenda.
The Latombe challenge to the EU-US Data Privacy Framework rumbles on but given the current backlog in the European Court of Justice, no decision is expected any time soon. Meanwhile data transfers to China continue to be under scrutiny, focusing minds on transparency obligations and clarity in privacy notices around where data is being transferred to.
4. Tracking technologies
Over the past year, the ICO has continued to prioritise online tracking, emphasising fairness, transparency and user control across the ecosystem. For example, it has continued with its cookie compliance enforcement work, which has been very successful in ensuring more websites allow users to easily reject cookies. It has provided various guidance on "consent or pay" models and updated its guidance on storage and access technologies.
Updates to ICO guidance are expected in light of the changes to the UK's Privacy and Electronic Communications Regulations 2003 (PECR) contained in DUAA. DUAA also creates an opportunity to engage with the ICO to produce sectoral codes of conduct for PECR, so for those interested in engaging, this year should provide you with the opportunity to help shape the guidance for your sector. On the financial side, those that take a risk-based view on PECR requirements may need to revisit their risk profile, given the significant increase in fines for non-compliance in an area we know the ICO likes to enforce.
The EU Commission and European Data Protection Board (EDPB) consulted on joint guidelines on the interplay between the EU Digital Markets Act (DMA) and the GDPR. The final guidance is expected in 2026 and will be a must read for those in scope.
In January 2026, the long-running IAB Europe TCF litigation saw the Belgian Market Court hand down a final ruling on the merits of the case, annulling the Belgian Data Protection Authority's decision validating IAB Europe's action plan and referring the case back to the DPA. Will 2026 finally see an end to the saga with the revised Belgian DPA decision? As ever, time will tell.
We suspect the online ad-tech ecosystem will remain a significant regulatory focus in the UK and EU particularly in light of various challenges around implementation of paywalls, such as noyb's (the Austrian privacy advocacy group) challenge against Meta.
5. Online Tech Regulation
2026 marks a step‑change in online tech regulation across the EU and UK with enforcement intensifying and compliance expectations deepening across major platforms. The EU Commission continues to review and assess big tech to see which platforms are in scope, with WhatsApp being designated as a Very Large Online Platform under the EU Digital Services Act (DSA) on 26 January 2026.
As for enforcement, under the DSA information has been requested and proceedings have also been opened in relation to X, Facebook, Instagram, TikTok, AliExpress and Temu.
Regulatory activity signals close scrutiny of big tech and the need for mature risk, audit and transparency controls. Designations and scope will remain fluid, with continuing reassessment (including the DMA evaluation due by May 2026), so in‑scope status can shift and compliance programmes must be adaptable.
In the UK, Ofcom is moving from guidance to visible enforcement under the Online Safety Act (OSA). Global platforms should align EU DSA and UK OSA obligations and maintain robust documentation of risk assessments and mitigations to demonstrate their compliance.
Navigating this ever‑evolving landscape will remain challenging, and it will be important to keep up-to-date with developments, prioritise online safety, embed compliance by design, improve transparency and adopt ethical practices to avoid reputational and monetary consequences from regulatory action.
The EU Data Act is driving both cloud providers and connected device operators to make data access simpler, by design and by contract. For example, cloud providers should be considering what updates need to be made to their contracts to incorporate mandatory switching terms as well as ensure clearer transparency on data structures and fair, reasonable and non‑discriminatory conditions. They should also be mindful of the EU Commission's non‑binding model terms for data access/use and standard clauses for cloud when implementing such changes. In parallel, organisations caught by the requirements of the Data Act will need to consider what technical solutions and documentation should be implemented such as user dashboards and APIs for direct data access, export tools in commonly used formats, free and open interfaces and documentation to support interoperability when migrating workloads.
6. Children's Data
Children's data remains a global priority. There is a clear expectation that platforms popular with children will demonstrate end-to-end accountability by mapping child journeys, evidencing proportional age-assurance measures and aligning content safety controls with UK GDPR duties, OSA and DSA obligations.
In the UK, the OSA has intensified expectations for in-scope organisations, particularly around robust risk assessments, proportionate age-assurance and safer-by-design defaults. In parallel, the ICO continues to scrutinise child-facing sectors and product design choices, currently looking at how the mobile games sector protects children's privacy with the outcome expected in the coming months.
Despite speculation, children's data has not yet been added to the special category data list under the powers granted to the Secretary of State by DUAA. Many believe it is a case of when, rather than if, this will happen, but as ever it is a case of watch this space.
Following Australia's social media ban for under-16s, pressure has been mounting on the UK to follow suit. On 19 January 2026, the UK Government launched a consultation that seeks views on a social media ban. This is one of a number of measures aimed to ensure "a safer digital childhood".
The big news from the US in this area is the amendments to the Children's Online Privacy Protection Rule, adding requirements such as a separate, verifiable parental opt‑in before disclosing children's data for third‑party advertising, strengthened limitations on data retention, enhanced transparency for Safe Harbor programmes and expectations for more robust safeguards around collection, use and disclosure of children's information.
7. Cyber
Cyber resilience will remain one of the UK's defining regulatory priorities for 2026. After a year in which multiple major retailers suffered high impact cyber attacks, the government has made clear that organisations should expect a more expansive cyber regime. To this end, the Cyber Security and Resilience Bill, published on 12 November 2025, is expected to reshape the UK's cyber framework.
The UK government is also set to deepen its focus on national cyber resilience. Its recently launched Cyber Action Plan is backed by more than GBP 210 million of investment. The plan will be phased in from April 2027 when a new model for government cyber operations will be introduced, and by April 2029 this model will be scaled and embedded across departments.
A similar trajectory is emerging across the EU. Policymakers have proposed a revised Cybersecurity Act that would introduce secure design principles for digital products and reinforce the European Union Agency for Cybersecurity's role in supporting Member States' cyber resilience capabilities. Together, the UK and EU programmes point firmly toward stricter cybersecurity obligations and deeper regulatory oversight, ensuring cybersecurity becomes embedded into organisational design rather than treated as an add-on. For businesses, this means preparing for more rigorous controls across supply chains, higher assurance expectations and closer scrutiny of resilience measures in the year ahead.
8. Workplace data
As mentioned above, DUAA sees the introduction of a new right to complain. A likely consequence of this reform in the workplace is that we will see an increase in direct complaints, particularly around subject access request (SAR) handling. The ICO closed its consultation on complaints guidance for organisations, and the final version, expected later this year, will be critical in shaping best practice both for SARs and data complaints more generally.
We are also seeing a marked rise in individuals using generative AI to draft and amplify SAR challenges and data complaints particularly in the workplace (although this is not just a workplace issue). This trend is likely to force organisations to consider how best to deal with increased correspondence and more detailed (albeit not often valid) challenges that might arise in respect of their response. Might there need to be a strategic shift from a purely operational SAR workflow to an AI‑aware playbook that includes early triage for AI‑generated hallmarks, rapid identification of manifestly unfounded or excessive elements or indeed just plain wrong elements? Dealing with AI generated complaints, letters before action and claims will also likely require a shift in strategy and thinking.
Insider threat continues to pose a big risk for employers. This risk is expected to intensify as workplaces become increasingly digital. The accelerating use of AI in HR teams, particularly for processing large amounts of personal and sensitive data, creates more attractive targets for insider threats. To mitigate these risks, organisations will need to strengthen their internal defences, e.g. by implementing more granular access controls. Regulators are also increasingly attuned to the insider dimension of cyber risk, meaning boards and executive teams should treat insider risk governance as a strategic priority.
9. Litigation
We continue to see a rise in data litigation, largely around alleged data breaches and misuse of private information. Courts are striking out speculative, low-value cases that fail to show more than de minimis harm or concrete misuse, which has led to some creativity in the framing of claims by those supported by litigation funders.
With the proposed changes to automated decision-making (ADM) under the DUAA, many believe this will fuel claims seeking to challenge ADM decisions, particularly those that arise in a workplace or financial services context.
Also, with the continued rapid adoption of AI by stakeholders across organisations, the risk of regulatory decisions and claims related to its misuse is all the greater. In 2026, we expect to see more claims in higher risk settings such as the workplace. These claims are likely to leverage the existing legal framework that has data protection at its heart. So, to mitigate this risk, it will be all the more important to step up AI governance efforts when it comes to using personal data with AI systems.
10. Anonymisation
Anonymisation remains complex in both the UK and the EU, particularly given the evolving technical landscape and the nuanced legal tests for when individuals are "identifiable". The ICO's guidance stresses a "spectrum of identifiability" and a risk-based assessment focused on the "means reasonably likely to be used", not theoretical possibilities, which can be difficult to apply consistently in practice. Complexity is compounded by the fact that effective anonymisation is not always possible while retaining utility, and what works today may not work tomorrow with new technological advances, e.g. quantum computing and the implications it has for encryption.
Part of the difficulty lies in tensions between regulatory guidance and case law, as well as divergences within the EU itself. In the UK, the ICO's approach is "effective anonymisation" and the "motivated intruder" test, while the EDPB's position is that it must be impossible to identify or re-identify an individual for the data to be considered anonymised. Add to this the CJEU case law, most recently EDPS v SRB, which points towards a more pragmatic, context‑dependent interpretation of identifiability and you see the dilemma.
Looking ahead, will we see the EDPB update its guidance to reflect the CJEU's decision? If so, it would be welcomed and provide clarity and certainty, but again, only time will tell.
Takeaway for employers
As ever in the world of data, privacy, cyber and AI, it is shaping up to be a busy year with lots of interesting developments. From the above watchouts, some of the key takeaways for employers with operations in the UK and EU can be summarised as follows:
Prepare for increased regulatory scrutiny and guidance on AI – With regulators in the UK and EU refreshing guidance on automated decision making, profiling and broader AI use – as well as more provisions of the EU AI Act coming into force – employers should ensure that they have good governance frameworks in place and are prepared for any forthcoming obligations.
Treat data reform and international transfers as an ongoing transition – DUAA implementation in the UK continues throughout 2026, requiring updates to policies, processes and privacy notices. While the EU-UK adequacy renewal ensures the continued free flow of data from the EEA to the UK, data transfers to other jurisdictions, in particular China, are in the regulatory spotlight. Evolving UK data-bridge frameworks may mean some data flows become easier, but it is essential for employers to maintain robust, up-to-date processes for managing cross-border data flows.
Handle workplace data carefully – DUAA's new right to complain enters into force on 19 June 2026 so employers must ensure they are ready for the likely uptick in complaints, particularly (but not limited to) the handling of SARs. Employers should also update their strategy to address the increase of AI generated complaints, letters before action and claims.
Expect intensified enforcement in online tech regulation and tracking technologies – The EU Digital Markets Act and Digital Services Act, together with the UK Online Safety Act (among other developments), signal deeper scrutiny of platforms, cookies, tracking and online ad-tech models. Employers should prioritise transparency, risk assessments and compliance-by-design.
Strengthen cyber resilience as obligations tighten – The UK's Cyber Security and Resilience Bill, the EU's revised Cybersecurity Act proposals and increased government focus mean employers need more rigorous, embedded cyber controls across operations and supply chains, as well as ensuring insider threats are effectively mitigated.