PL&B 40th anniversary year coincides with new DP regime

As PL&B celebrates its 40th year in business, we are pleased to announce our 39th Annual International Conference, including confirmed speakers from the ICO and Data Protection Authorities from Ireland, Kenya, Singapore and the European Data Protection Board.

Part of the conference programme in Cambridge will discuss the changes that the Data (Use and Access) Act brings to organisations. Now that most of the remaining data protection provisions of the Act have come into force, the onus is on ensuring compliance and making the most of the simplifications. This also applies to SARs – our comprehensive guidance on how to manage SARs is important reading for everyone.

One remaining part of DUAA still to enter into force is the requirement for organisations to have a complaints procedure. While this will commence on 19 June 2026, the ICO has already issued guidance. This includes advice for organisations on how to manage their complaint processes but also confirms the ICO’s stance: it will prioritise cases that cause significant harm, affect large numbers of people, raise issues of wider public interest, or relate to vulnerable individuals.

A data breach can have a significant psychological effect on an individual. As our correspondent says, a breach triggers a cascade of emotions, fear, anger, and helplessness, which can persist long after the technical incident is resolved.

In its enforcement, the ICO is now placing a significant focus on cyber and data security failings. Our correspondents offer tips in this edition on how to handle an ICO investigation and look into 2026 trends.

This spring, look out for further announcements on the Privacy and Electronic Communications Regulations (PECR) as the ICO is committed to reviewing PECR consent requirements for advertising.

Laura Linkomies
Editor, Privacy Laws & Business

March 2026