Data breaches, sanctions and enforcement

FORTHCOMING CHANGE: On 19 June 2025, the Data (Use and Access) Bill received Royal Assent, becoming the Data (Use and Access) Act 2025 (DUAA 2025) and coming partly into force on that date. Parts 5 and 6 serve to amend aspects of data protection and ePrivacy law in the UK, including the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426. Certain provisions of DUAA 2025, concerning matters such as responding to data subject access requests and the conferring of power to make further regulations, came into force immediately on 19 June 2025. Other provisions, concerning notices from the Information Commissioner and some aspects of law enforcement processing, come into effect on 19 August 2025 (being two months from the date of Royal Assent). The majority of DUAA 2025’s provisions require further regulations (in the form of statutory instruments) to be made to bring them into force. For further information on DUAA 2025 generally, see Practice Note: The Data (Use and Access) Act 2025

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest Information Law News

DSIT launches evaluation survey for Software Security Code of Practice implementation

The Department for Science, Innovation and Technology (DSIT) has opened a formal evaluation process for the Software Security Code of Practice, seeking feedback from both software providers and customers on implementation experiences. The evaluation encompasses organisations' access to and understanding of the code, National Cyber Security Centre's Implementation Guidance, and self-attestation requirements. Participation is open to organisations regardless of their implementation status, with responses intended to inform future policy development. The survey closes on 16 December 2026.

ICO secures convictions in largest ever nuisance call investigation

The Information Commissioner's Office (ICO) has secured guilty verdicts against eight individuals for data protection offences following its largest ever nuisance call investigation. On 26 June 2025, Craig Cornick was found guilty at Bolton Crown Court of conspiracy to unlawfully obtain personal data contrary to the Data Protection Act, joining seven others who had previously pleaded guilty to various offences under the Data Protection Act and Computer Misuse Act. The investigation uncovered approximately one million illegally accessed vehicle repair records between 2014-2017. The defendants are scheduled to return to court on 11 July 2025 for Proceeds of Crime Act proceedings, with sentencing to follow. The ICO has indicated a second phase of investigation is ongoing, targeting insurance companies and claims management firms.

Information Law weekly highlights—26 June 2025

Welcome to this week’s edition of the Information Law weekly highlights: a hand-picked summary of news analysis, updates and new content related to laws governing the use and dissemination of information and personal data. Each week these highlights focus on developments in key topics such as data protection, ePrivacy, cybersecurity, breach of confidence, misuse of private information, and defamation.

Commission extends UK data adequacy decisions by six months

The European Commission has extended the UK’s data adequacy decisions under Regulation (EU) 2016/679 (General Data Protection Regulation (GDPR)) and Directive (EU) 2016/680 (Law Enforcement Directive (LED)) for six months from 24 June 2025. The extension allows continued free and safe personal data transfers while the Commission assesses whether the UK’s new Data (Use and Access) Act 2025 maintains an adequate level of protection.

View Information Law by content type :

News