Rhiannon Hastings, data protection paralegal at Muckle LLP, reviews some of the key trends and topics discussed during 2025 and how your organisation can take those learnings into 2026.
New legislation
The Data (Use and Access) Act (DUAA) 2025 received royal assent on 19 June 2025 and is the latest development to modernise the UK data protection legislation (which includes the Data Protection Act 2018 and the UK GDPR). Key changes your organisation may need to consider include:
being aware of the new ‘recognised legitimate interest’ lawful basis;
implementing a complaints procedure to manage complaints relating to data protection rights requests;
using analytical website cookies without having to obtain consent; and
if your organisation is a charity, understanding the direct marketing rules under the Privacy and Electronic Communications Regulations 2003 when relying on the ‘soft opt-in’.
The key changes listed above are not yet in force at the time of writing. However, all provisions are due to be in force no later than 19 June 2026, so we recommend reviewing your organisation’s current data protection framework and identifying any gaps that will need to be addressed to comply with the changes proposed by the DUAA.
Increase in cyber attacks
In 2024, the UK was the most targeted country in Europe for cyber attacks, with over 40% of UK businesses experiencing a cyber attack. Whilst some cyber attacks and other security breaches are minor and simple to rectify, others can have devastating consequences for a business, from financial loss to reputational damage.
To reduce the likelihood of a cyber attack, or to lessen the severity of its impact should one occur, you should consider putting the following measures in place to safeguard your organisation:
regular staff training to identify, detect and manage cyber attacks and other security breaches;
clear and concise policies and procedures for staff to refer to when managing a cyber attack or other security breach; and
appropriate technical and organisational measures to safeguard the personal data and confidential information your organisation stores.
AI-generated subject access requests
As Artificial Intelligence (AI) has become more accessible and user-friendly, we have seen a rise in AI-generated subject access requests (SARs). Although a useful tool for data subjects, AI-generated SARs can be burdensome for organisations, particularly when they run to as many as 30 pages. So, what can you do to manage this?
The UK data protection legislation is clear that a data subject can make a SAR verbally or in writing. As long as it is clear that they are requesting copies of their personal data, their SAR is valid. However, in circumstances where it is unclear whether the data subject is making a SAR or what is being requested (a common issue with AI-generated SARs), organisations are entitled to seek clarification from the data subject before responding to the SAR.
Seeking clarification provides organisations with an opportunity to narrow the scope. For example, an organisation can ask the data subject to reduce the scope of their SAR to a specific time period or to a particular subject matter.
Between the organisation seeking clarification and the data subject responding, the response period is paused, meaning the organisation does not have to comply with the SAR until the data subject has confirmed which personal data they wish to receive.
However, it is important to note that organisations cannot seek clarification on a blanket basis and cannot force a data subject to narrow the scope, as it is their right to obtain copies of all their personal data.
Need further support?
For more information on what we have discussed in this article, or if you require any assistance in dealing with the above, please contact Rhiannon Hastings by emailing: rhiannon.hastings@muckle-llp.com