Last year, 2025, revealed a shift in enforcement approach by the Information Commissioner’s Office (ICO) when compared to the previous year. We saw a decrease in overall enforcement action, but a much higher proportion of those actions taken against organisations in the private sector and a significant focus on cyber and data security failings. This comes amid high-profile cyber-attacks against major UK retailers and manufacturers including M&S, Co-op and JLR, increased engagement by the government on cyber-resilience in corporate Britain as well as recent signs of renewed follow-on claims after breaches. It is clearer than ever that organisations must ensure robust security measures are in place and adapt their data handling, broader cyber-resilience, and management of contractual risk allocation accordingly.