The ICO has kicked off 2026 with sharing its early thoughts on the data protection implications of agentic AI in its ICO tech futures: Agentic AI report. The report considers the novel data protection risks presented by agentic AI.
UK Cyber Security and Resilience Bill – new obligations for the data centre sector
This blog post includes headline points on new obligations for the data centre sector proposed under the Cyber Security and Resilience Bill, and existing obligations under the NIS Regulations.
NIS Regulations Keeling Schedule for the Cyber Security and Resilience Bill – changes to the UK’s cyber security law
The Cyber Security and Resilience Bill proposes changes to the UK’s NIS Regulations. Without a ‘Keeling Schedule’ marking up the amendments, these can be difficult to track. We have prepared a mark-up reflecting the proposed changes.
Changes to EU and UK data protection law – a tale of two GDPRs?
The EU Commission recently held a call for evidence on “simplification” of legislation in the data, cybersecurity, and AI space, ahead of a “Digital Omnibus” Act. These changes look to make the EU’s digital rulebook more innovation-friendly, supporting the Commission’s
Pseudonymised data could fall outside data protection law – introducing the “means reasonably likely” assessment
The Court of Justice of the European Union (CJEU) has delivered its judgment on case C 413/23 P European Data Protection Supervisor (EDPS) v Single Resolution Board (SRB). The CJEU has confirmed that pseudonymised
Explain yourself: The legal requirements governing explainability
Agentic AI brings the promise of AI making a range of decisions autonomously. It has been proposed as the way forward for some of the most impactful decisions in our lives: interacting with customers and actioning requests, triaging requests for
UK data protection reform – what you need to know and do
The Data (Use and Access) Act (DUAA) received Royal Assent on 19 June 2025. The DUAA enacts the changes to the UK’s data protection regime that have been contemplated since the Data: a new direction consultation in
AI literacy – the Commission’s pointers on building your programme
The EU AI Act’s AI literacy obligation applied from 2 February 2025. This applies to anyone doing anything with AI where there is some connection to the EU – to providers and deployers of any AI systems.
The AI Act
What do organisations need to disclose to individuals about AI and automated decisions?
Individuals have the right to receive meaningful information about solely automated decisions with significant effects under the General Data Protection Regulation (GDPR). This includes decisions that will impact an individual’s finances or employment. But how much information are
Prohibited practices under the AI Act: Answered and unanswered questions in the Commission’s guidelines
The EU AI Act’s prohibitions came into effect on 2 February 2025 and carry fines of 7% worldwide annual turnover for non-compliance. The prohibitions at Article 5 and accompanying recitals (particularly recitals 28-44) set out a complex set of provisions.