Data protection and cyber security go hand in hand

The astonishing cyber incident suffered by Marks & Spencer this spring immediately impacted consumers. While the company said it swiftly and proactively took steps to protect its systems, online shoppers experienced major disruption. Some personal data was breached, including contact details, dates of birth and online order history.

M&S said it reported the incident to relevant government authorities and law enforcement and continues to work closely with them. The M&S Chief Executive explained that the criminals had gained access to the retailer’s systems via one of M&S’s contractors, for example by posing as a staff member. Read an analysis of this cyber attack, including lessons for organisations, and an analysis of the forthcoming Cyber Security and Resilience Bill.

The Data (Use and Access) Act is now on the statute books. As we are going to print, Royal Assent has been granted and secondary legislation will follow. This was a long legislative process starting with the attempts made by the previous government.

We will report in future issues on the various aspects of this new law, which builds on the existing framework rather than radically departing from it. Also look out for our one-day conference in London on the new law on 1 October. Before that, we’ll hear ICO and DSIT speakers talk about various aspects of the law, including how they will enforce it, at our 7-9 July conference in Cambridge. You may register for in-person or online attendance.

The UK may be on its own after Brexit but in the data protection world we still look at the EU to understand the reactions of EU DPAs, particularly on novel subjects such as AI. Read our correspondent’s analysis of the recent fine on a chatbot AI and the aspects that will be worth noting for UK-based data controllers.

Laura Linkomies
Editor, Privacy Laws & Business

July 2025
