ICO on the fast track
The new DUA Act may not be radically different from the Data Protection Act 2018, yet it requires the ICO to conduct a full review of its existing guidance, as the majority of the data protection provisions of the Act are expected to be in force just before the end of 2025. Updates are expected in a rapid fashion – ICO consultations are already underway on legitimate interests and complaints procedures. In the summer, the regulator was also seeking views on its data transfer guidance under the UK GDPR. This is a hot potato considering, for example, the recent Ireland DPC fine on TikTok’s transfers to China. When reading the response by law firm Hogan Lovells, I feel that many may join them in spirit in asking the ICO to adopt and promote a more streamlined approach to transfer risk assessments, especially when the data in question is not sensitive.
The regulator is now working on updating guidance for automated profiling tools to help those who use them meet their obligations under the Online Safety Act 2023. SAR guidance will also be looked at in light of the DUAA – although much of it is already adopted by the ICO in its day-to-day work. However, organisations may wish to review their DSAR policies now to prepare for the new data subjects’ right of complaint.
The DUAA will enhance the ICO’s enforcement powers, especially under PECR, where fines for breaches increase to UK GDPR levels – up to £17.5m or 4% of annual worldwide turnover.
I look forward to our half-day conference on 1 October to hear more about work on DUAA implementation and guidance by ICO and DSIT speakers. Before that, I am delighted to be able to attend the Global Privacy Assembly in South Korea later this month, and to report for our sister publication, PL&B International Report.
Laura Linkomies
Editor, Privacy Laws & Business
September 2025