In the fast-paced, ever-changing world of data, privacy and cyber, staying ahead of the curve is crucial. To mark Data Protection Day last week, we've identified ten key themes that we believe will significantly impact our clients in the coming year.
1. Artificial Intelligence (AI)
AI Regulation
With no dedicated AI Bill on the horizon, and political signals suggesting that this is unlikely to change, the UK appears set to continue with a light-touch, innovation-first model. This aligns with the approach taken in the US.
However, while light-touch AI regulation might continue, expect more regulatory guidance that is likely to affect how organisations deploy AI. For a start, the ICO is expected to refresh key technology guidance this year, including the automated decision-making and profiling guidance expected this Spring. This sits alongside sandboxing initiatives such as the AI Growth Labs and targeted obligations under the Data (Use and Access) Act 2025 (DUAA), including the government's report on AI and copyright due on 18 March 2026.
We are also likely to see regulators including the FCA, ICO, Ofcom and CMA co-ordinating and tightening their scrutiny, e.g. through their participation in the Digital Regulation Co-operation Forum (DRCF) on projects such as agentic AI and aligning regulatory understanding of new AI applications.
Across the Channel, it seems the EU AI Act continues to set the blueprint for AI regulation with more provisions coming into force throughout 2026 (see timeline). It will be interesting to see to what extent these provisions might be impacted by the Digital Omnibus proposals. (For more information see our article).
While there is some uncertainty around the level of regulation at EU level, it seems that certain Member States are ploughing on with their own agenda. For example, Italy has become the first country to enact its own national AI legislation, building on its 2020 AI strategy. If EU-level timelines slip further, more countries may follow suit. This could create a layered, multi-tier system in which EU rules, Omnibus-driven amendments and national approaches interact simultaneously.
While there might be a delay in certain provisions of the EU AI Act, AI literacy is very much in force and therefore we will no doubt be seeing lots more businesses rolling out AI literacy programmes.
At Lewis Silkin, our AI literacy module is designed to support this shift offering practical training that helps teams understand not just the "what", but the "how" and "why" behind responsible AI use. For more on our AI literacy e-learning please speak to your usual LS contact or email us at ailiteracy@lewissilkin.com.
For more information on AI visit our AI hub here.
2. Data Reform in the UK
While several provisions of the DUAA have come into force since its enactment in July 2025, we will see the majority of the remaining legislation come into force over this year (see timeline). One of the biggest developments expected is the transition of the ICO to the Information Commission (IC). Although the shift may appear structural, it represents a significant move to a new governance model designed to provide clearer accountability, improved oversight and more consistent regulatory decision making. For organisations, this means keeping a close watch on how the IC sets its early priorities and how its new powers and structure translate into day-to-day supervision and enforcement.
We also expect to see a stream of regulatory updates. While the ICO has already updated some of its guidance, the remainder is likely to be revised over the course of the year. The key message for organisations is to track these developments closely.
We are now waiting for the commencement orders that will bring in the next two phases of provisions, with full implementation expected by 19 June 2026 (see timeline). Therefore, organisations will need to treat DUAA implementation as an ongoing transition.
It will be interesting to see the impact of other key changes around relaxation of Article 22 UK GDPR, introduction of the statutory right to complain, and proposed cookie changes (see further below).
3. International Data Transfers
The big, if expected, news at the end of 2025 was the renewal of the EU's adequacy decisions for the UK, ensuring the continued free flow of personal data from the EEA to the UK. The new adequacy decisions are for a period of 6 years, lasting until 27 December 2031, unless the now familiar sunset clause is invoked. For more information read our article here.
Mid-2026 is to herald the end of the UK government's review of existing data bridges and signal the start of new data bridges. Will the UK follow the EU and find Brazil adequate next? It will be interesting to see if priorities have changed due to the shift in the geopolitical landscape – so definitely watch this space!
The ICO has issued its updated, streamlined guidance on international transfers and is hosting a webinar on 10 March 2026 – you can sign up here. Work is also ongoing in this area, with Transfer Risk Assessments (TRAs) and guidance on the international data transfer agreement (IDTA) and cloud services on the agenda.
The Latombe challenge to the EU-US Data Privacy Framework (read more here) rumbles on but given the current backlog in the CJEU no decision is expected any time soon. Meanwhile data transfers to China continue to be under scrutiny, focussing minds on transparency obligations and clarity in privacy notices around where data is being transferred to.
4. Tracking technologies
Over the past year, the ICO has continued to prioritise online tracking, emphasising fairness, transparency and user control across the ecosystem. For example, it has continued its cookie compliance enforcement work, which has been very successful in ensuring more websites allow users to easily reject cookies. It has also provided guidance on "consent or pay" models and updated its guidance on storage and access technologies.
Updates to ICO guidance are expected in light of the changes to PECR contained in DUAA. (For more information see the 'e-Privacy' section of our article here.) DUAA also creates an opportunity to engage with the ICO to produce sectoral codes of conduct for PECR, so for those interested in engaging, this year should provide the opportunity to help shape the guidance for your sector. And, back to the money: those that take a risk-based view of PECR requirements may need to revisit their risk profile given the significant increase in fines for non-compliance in an area we know the ICO likes to enforce!
The EU Commission and EDPB consulted on joint guidelines on the interplay between the Digital Markets Act (DMA) and the GDPR. The final guidance is expected in 2026 and will be a must read for those in scope.
In January 2026, the long-running IAB Europe TCF litigation saw the Belgian Market Court hand down a final ruling on the merits of the case, annulling the Belgian DPA's decision validating IAB Europe's action plan and referring the case back to the DPA. Will 2026 finally see an end to the saga with the revised Belgian DPA decision? As ever time will tell...
We suspect the online ad tech ecosystem will remain a significant regulatory focus in the UK and EU particularly in light of various challenges around implementation of paywalls, e.g. noyb's challenge against Meta.
5. Online Tech Regulation
2026 marks a step-change in online tech regulation across the EU and UK, with enforcement intensifying and compliance expectations deepening across major platforms. The EU Commission continues to review and assess big tech to see which platforms are in scope, with WhatsApp being designated as a Very Large Online Platform (VLOP) under the Digital Services Act (DSA) on 26 January 2026.
As for enforcement, under the DSA information has been requested and proceedings have also been opened in relation to X, Facebook, Instagram, TikTok, AliExpress and Temu.
Regulatory activity signals close scrutiny of big tech and the need for mature risk, audit and transparency controls. Designations and scope will remain fluid, with continuing reassessment (including the DMA evaluation due by May 2026), so in-scope status can shift and compliance programmes must be adaptable.
In the UK, Ofcom is moving from guidance to visible enforcement under the Online Safety Act (OSA). Global platforms should align their EU DSA and UK OSA obligations and maintain robust documentation of risk assessments and mitigations to demonstrate their compliance.
Navigating this ever-evolving landscape will remain challenging. It will be important to keep up to date with developments, prioritise online safety, embed compliance by design, improve transparency and adopt ethical practices to avoid reputational and monetary consequences from regulatory action.
The EU Data Act is driving both cloud providers and connected device operators to make data access simpler, by design and by contract. (For more information see our article here.) For example, cloud providers should be considering what updates need to be made to their contracts to incorporate mandatory switching terms, as well as ensuring clearer transparency on data structures and fair, reasonable and non-discriminatory conditions. They should also be mindful of the EU Commission's non-binding model terms for data access and use and standard clauses for cloud when implementing such changes. In parallel, organisations caught by the requirements of the Data Act will need to consider what technical solutions and documentation should be implemented, such as user dashboards and APIs for direct data access, export tools in commonly used formats, and free and open interfaces and documentation to support interoperability when migrating workloads.
6. Children's Data
Children's data remains a global priority. There is a clear expectation that platforms popular with children will demonstrate end-to-end accountability by mapping child journeys, evidencing proportional age-assurance measures and aligning content safety controls with UK GDPR duties, OSA and DSA obligations.
In the UK, the OSA has intensified expectations for in-scope organisations, particularly around robust risk assessments, proportionate age-assurance and safer-by-design defaults. In parallel, the ICO continues to scrutinise child-facing sectors and product design choices, currently looking at how the mobile games sector protects children's privacy (read more in our article here) with the outcome expected in the coming months.
Despite speculation, children's data has not yet been added to the special category data list under the powers granted to the Secretary of State by DUAA. Many believe it is a case of when, rather than if this will happen but as ever it is a case of watch this space!
Following Australia's social media ban for under-16s, pressure has been mounting on the UK to follow suit. On 19 January 2026, the UK Government launched a consultation that seeks views on a social media ban (for more information see our article here). This is one of a number of measures aimed to ensure "a safer digital childhood".
The big news from the US in this area is the amendments to the Children's Online Privacy Protection Rule (COPPA), adding requirements such as a separate, verifiable parental opt-in before disclosing children's data for third-party advertising, strengthened limitations on data retention, enhanced transparency for Safe Harbor programmes and expectations for more robust safeguards around the collection, use and disclosure of children's information. For those interested in finding out more, please join us and our guest speaker Gary Kibel, Partner at Davis+Gilbert, for our "Hot Topics in US privacy and AI law" event to be held in London on 24 February 2026. You can register here.
7. Cyber
Cyber resilience will remain one of the UK's defining regulatory priorities for 2026. After a year in which multiple major retailers suffered high impact cyber attacks, the government has made clear that organisations should expect a more expansive cyber regime. To this end, the Cyber Security and Resilience Bill, published on 12 November 2025, is expected to reshape the UK's cyber framework (see our article here).
The UK government is also set to deepen its focus on national cyber resilience. Its recently launched Cyber Action Plan is backed by more than £210 million of investment. The plan will be phased in from April 2027 when a new model for government cyber operations will be introduced, and by April 2029 this model will be scaled and embedded across departments.
A similar trajectory is emerging across the EU. Policymakers have proposed a revised Cybersecurity Act with secure design principles for digital products and a reinforced role for ENISA in supporting Member States' cyber resilience capabilities. Together, the UK and EU programmes point firmly toward stricter cybersecurity obligations and deeper regulatory oversight, ensuring cybersecurity becomes embedded into organisational design rather than treated as an add-on. For businesses, this means preparing for more rigorous controls across supply chains, higher assurance expectations and closer scrutiny of resilience measures in the year ahead.
8. Workplace data
As mentioned above, DUAA sees the introduction of a new right to complain. A likely consequence of this reform in the workplace is that we will see an increase in direct complaints, particularly around SAR handling. The ICO closed its consultation on complaints guidance for organisations, and the final version, expected later this year, will be critical in shaping best practice both for SARs and data complaints more generally.
We are also seeing a marked rise in individuals using generative AI to draft and amplify SAR challenges and data complaints (20-page complaints drafted in the space of 20 minutes...), particularly in the workplace (although this is not just a workplace issue). This trend is likely to force organisations to consider how best to deal with increased correspondence and more detailed (albeit often invalid) challenges to their responses. Might there need to be a strategic shift from a purely operational SAR workflow to an AI-aware playbook that includes early triage for AI-generated hallmarks and rapid identification of manifestly unfounded, excessive or simply wrong elements? Dealing with AI-generated complaints, letters before action and claims will also likely require a shift in strategy and thinking.
Insider threat continues to pose a big risk for employers, and this risk is expected to intensify as workplaces become increasingly digital. The accelerating use of AI in HR teams, particularly where it involves processing large amounts of personal and sensitive data, creates more attractive targets for insider threats. To mitigate these risks, organisations will need to strengthen their internal defences, e.g. by implementing more granular access controls. Regulators are also increasingly attuned to the insider dimension of cyber risk, meaning boards and executive teams should treat insider risk governance as a strategic priority.
If you would like further insight into how these threats unfold in practice, join us at our next Data Academy in July 2026, where we will be running a live insider threat roleplay to demonstrate real life behaviours, organisational responses and prevention techniques. Email our events team to register your interest.
9. Litigation
We continue to see a rise in data litigation, largely around alleged data breaches and misuse of private information. Courts are striking out speculative, low-value cases that fail to show more than de minimis harm or concrete misuse, which has led to some creativity in the framing of claims by those supported by litigation funders.
With the proposed changes to automated decision-making (ADM) under the DUAA (for more information see the 'ADM' section of our article here), many believe this will fuel claims seeking to challenge ADM decisions, particularly those that arise in a workplace or financial services context.
Also, with the continued rapid adoption of AI by stakeholders across organisations, the risk of regulatory decisions and claims related to its misuse is all the greater. In 2026, we expect to see more claims in higher risk settings such as the workplace. These claims are likely to leverage the existing legal framework that has data protection at its heart. So, to mitigate this risk, it will be all the more important to step up AI governance efforts when it comes to using personal data with AI systems.
10. Anonymisation
Anonymisation remains complex in both the UK and the EU, particularly given the evolving technical landscape and the nuanced legal tests for when individuals are "identifiable". The ICO's guidance stresses a "spectrum of identifiability" and a risk-based assessment focused on the "means reasonably likely to be used", not theoretical possibilities, which can be difficult to apply consistently in practice. Complexity is compounded by the fact that effective anonymisation is not always possible while retaining utility, and what works today may not work tomorrow with new technological advances, e.g. quantum computing and the implications it has for encryption.
Part of the difficulty lies in tensions between regulatory guidance and case law, as well as divergences within the EU itself. In the UK, the ICO's approach is "effective anonymisation" and the "motivated intruder" test, while the EDPB's position is that it must be impossible to identify or re-identify an individual for the data to be considered anonymised. Add to this the CJEU case law, most recently EDPS v SRB (for more information see our article), which points towards a more pragmatic, context-dependent interpretation of identifiability, and you see the dilemma.
Looking ahead, will we see the EDPB update its guidance to reflect the CJEU's decision? If so, it would be welcome and would provide clarity and certainty... but again, only time will tell...
Conclusion
As ever in the world of data, privacy, cyber and AI, it is shaping up to be a busy year with lots of interesting developments, so do keep an eye on our blog for updates and practical takeaways, and always feel free to reach out to your usual LS contact if we can help in any way.
If you'd like more information about our training offerings, including our AI literacy e-learning or our specialised Data, AI or Consumer Academies, are interested in signing up for our In-House Data Club events, or would like a copy of our annual comprehensive Horizon Scanner please contact our wonderful events team here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.