Big changes are landing. Right now, the UK’s data landscape is shifting under our feet, and if you're still relying on 2018-era GDPR tactics, you’re basically flying blind.
Honestly, the Information Commissioner’s Office (ICO) has been busy. Between a massive new Memorandum of Understanding (MOU) with the government and the rollout of the Data (Use and Access) Act 2025 (DUAA), the "wait and see" approach to compliance is officially dead.
The Government Gets a Reality Check
Just last week, on January 8, 2026, the ICO and the government signed a deal that sounds boring but is actually pretty explosive. After years of high-profile government data leaks—some that literally put lives at risk—the ICO is finally putting its foot down.
The new MOU isn't just a polite agreement. It’s a roadmap. The government now has to publish an Annual Assurance Statement. Think of it like a public report card on how they’re keeping our data safe. If they mess up, there’s now a clear "model action plan" they have to follow. It’s about time, right?
Public trust has been in the gutter. John Edwards, the Information Commissioner, has been vocal about this: innovation only works if people don't feel like their privacy is being auctioned off or lost in a spreadsheet.
What’s Happening with the Data (Use and Access) Act 2025?
This is the big one. As of January 2026, several key parts of this Act are officially live. If you run a business or handle data, your world just changed.
The DUAA isn't replacing the UK GDPR, but it’s "simplifying" it—which is often code for "making it more flexible for businesses but harder for privacy purists."
- Automated Decisions: It’s now easier for companies to use AI to make big decisions about you (like loan approvals) without a human in the loop, as long as there are safeguards.
- The "Stop the Clock" Rule: This is a godsend for overwhelmed HR departments. If someone files a Subject Access Request (SAR) and the company needs more info to find the data, they can now pause the statutory response timer.
- Recognised Legitimate Interests: You no longer have to do a massive "balancing test" for every single data use if it falls under certain categories like crime prevention or emergency response.
But don't get too comfortable. While the rules are "simpler," the penalties for getting them wrong just skyrocketed.
Fines are Getting Massive
If you thought the old £500,000 limit for nuisance calls and marketing emails was low, the ICO just got its wish.
Marketing breaches—those annoying "you’ve got a government boiler grant" texts—now carry the same weight as full GDPR breaches. We’re talking up to £17.5 million or 4% of global turnover.
Look at what happened with Capita. They got slapped with a combined £14 million fine late last year after a cyberattack exposed data on 6 million people. Or LastPass UK, which was fined over £1.2 million. The message is clear: if you’re a big fish and you’re lazy with security, the ICO is coming for your balance sheet.
Why You Should Care About the "Approved Person" Reports
This is a weird, nerdy detail that most people missed in the new legislation. The ICO can now force a company to hire an independent expert—an "approved person"—to go in and audit their systems at the company’s own expense.
It’s like being forced to pay for the police officer who gives you a speeding ticket.
The ICO is currently consulting on how they’ll use these powers. That consultation closes on January 23, 2026. If you’re in a sector like finance or tech, you should probably be paying attention to the draft guidance. It’s much more aggressive than the old 2018 policy.
The Human Side of Data
John Edwards has been surprisingly emotional lately. In December, he went after local authorities for failing people in the care system.
Some people have been waiting 16 years to see their own records. Edwards called it "cold bureaucracy" and "demoralising." It’s a reminder that data protection isn't just about hackers and encryption; it’s about people being able to access their own life stories.
The ICO is running a supervision pilot throughout 2026 to monitor 19 specific organisations on how they handle these sensitive requests. Expect more reprimands to follow.
What You Need to Do Right Now
Stop reading and actually look at your data protocols. Here is the reality check:
- Check your marketing consent. If you’re relying on "soft opt-ins" that are five years old, you’re sitting on a £17.5 million landmine.
- Update your SAR process. Are your staff ready for the new "stop the clock" rules? Do they know how to handle requests with "empathy" (a word the ICO is using a lot lately)?
- Prepare for June 2026. That’s when the new mandatory complaint handling rules kick in. You’ll need a formal process for people to complain about your data use, and you’ll have to acknowledge them within 30 days.
- Review your AI use. If you're using generative AI or automated tools to profile customers, you need to document the safeguards required by the DUAA immediately.
The "wild west" of post-Brexit data law is settling down, and the new rules favor those who are transparent. If you're hiding behind "unexplained redactions" or complex privacy policies, 2026 is going to be a very expensive year for you.
Keep an eye on the transition to the new Information Commission board. John Edwards’ term is nearing its end, and the shift from a single Commissioner to a board-led structure will likely change how the regulator moves. Expect a "business-friendly" but "compliance-strict" era to begin this summer.
Actionable Insight: Download the ICO’s new International Transfer Guidance (updated Jan 15) if you move data to the US or EU. The rules for Transfer Risk Assessments (TRAs) have been streamlined, which could save your legal team dozens of hours of work this month.