Jocelyn S Paulley
Partner
Co-leader of Retail & Leisure Sector (UK)
Co-leader of Data Protection and Cyber Security sector (UK)
As we mark Data Protection Day 2026, organisations are entering one of the most significant years of change since the implementation of GDPR in the UK. The phased rollout of the Data Use and Access Act (DUAA), major reforms to UK cyber law, new ICO guidance on AI and automated decision‑making, and evolving rules on digital verification and international transfers will all reshape how businesses manage data, risk and compliance. With so many developments landing at once, staying ahead is essential.
This article sets out the top five data protection and cyber developments to watch in 2026, highlighting what’s changing, why it matters and the practical steps organisations should take now to stay ahead.
A host of changes were introduced to UK GDPR, Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2023 (PECR) by the Data Use and Access Act 2025 (DUAA). As those are phased in via secondary legislation through 2026, and further guidance will follow, organisations should monitor developments to ensure data protection processes and policies remain compliant.
For online service providers, use of cookies and similar technologies (tracking pixels, web storage, fingerprinting techniques) will need review if providers want to take advantage of the widening of categories of cookie which no longer require an active consent. As these changes are UK specific, organisations will need to decide whether to make the changes for UK services and websites or continue to align with the stricter EU requirements. Updated ICO guidance on cookies will be finalised in spring 2026.
Refresh DSAR policy and processes to ensure they reflect the clarity brought by DUAA. DUAA codifies previous guidance that, under the data subject access request (DSAR) regime, organisations have to carry out a "reasonable and proportionate" search for personal data, rather than an exhaustive search. Other DSAR-related clarifications (including the "stop the clock" mechanism for pausing the response deadline) are not yet in force. Changes are expected clarifying DSAR time limits and extensions for complex or voluminous requests. Whilst updated ICO guidance on DSARs was issued at the end of last year, there will be a further update in spring 2026.
There is also the brand new data protection complaints handling framework to get to grips with by the summer. The ICO has indicated that it aims to publish final guidance by June 2026, coinciding with when the requirement comes into force.
Throughout 2026 we will receive further new ICO guidance on: legitimate interests; recognised legitimate interests; automated decision-making (ADM) and profiling; enforcement procedure; storage and access technologies; and research, archiving and statistics.
The ICO (Information Commissioner's Office) will be replaced at some point in 2026 by the Information Commission. It will have strengthened enforcement powers under DUAA and can now issue fines of up to £17.5 million or 4% of turnover for PECR breaches as well as GDPR breaches.
Amid rising geopolitical tension and a sharpened focus on national defence, the Cyber Security and Resilience (Network and Information Systems) Bill (CSRB) is advancing through parliament. The second reading took place on 6 January. If all goes to schedule, the bill will receive Royal Assent mid-2026.
The bill will reform the Network and Information Systems Regulations 2018 (UK NIS) to improve the cyber resilience of critical infrastructure, including by: bringing data centres, large load controllers and managed service providers into scope; clarifying which cloud computing services are in scope; enabling regulators to designate persons as critical suppliers to essential UK service providers; expanding incident reporting duties; and strengthening regulator enforcement powers.
Secondary legislation will be key for determining important elements of the new law, such as the criteria for assessing "significant impact" for incident reporting; security and resilience requirements; how to assess "critical suppliers" and determination of turnover for penalty measures. In 2026 we will likely see consultations begin in relation to these aspects, with those key regulations probably arriving from 2026 and into 2027.
There will not be a single regulator: the bill proposes a multi-regulator, sector-specific model spanning 12 regulators. The ICO will oversee managed service providers and 'relevant digital service providers' (cloud computing, online marketplaces, search engines). Regulators will have expanded ability to serve information notices, broader information sharing gateways between themselves and UK public authorities, powers to enforce registration failures and an expanded cost recovery power.
Once the law is settled, organisations will need to review incident response procedures to operate the same process across security incidents and data breaches, and decide whether to operate different or harmonised notification time periods.
The proliferation of increasingly sophisticated deepfake technology, coupled with the emergence of prompt injection attacks targeting artificial intelligence (AI) systems, is expanding the cyber threat landscape. Organisations now face novel and complex security challenges. Robust incident planning and reporting frameworks remain a top priority for the protection of data more broadly.
For organisations manufacturing, importing or distributing digital products in the EU, the requirements of the Cyber Resilience Act (CRA) for secure product design, data minimisation and vulnerability management intersect with and reinforce GDPR obligations. From 11 September 2026, CRA incident reporting obligations kick in. There are overlaps here with the UK's Product Security and Telecommunications Infrastructure Act 2022, which is already in force, but also differences.
These expanded security and incident reporting duties will have an onward impact on supply chains in 2026, as compliance obligations need reflecting in downstream contracts. Clear allocation of operational responsibility and liability, particularly vis-à-vis AI vendors, is key. ICO regulatory action taken last year reflects an expectation of robust security controls for the prevention of personal data breaches. Processors, as well as controllers, can be liable. Read more in our recent article on the Capita data breach. Potential personal liability for directors deepens the risk landscape.
The ICO has adopted a pragmatic, risk-based approach to AI regulation and has produced extensive guidance on the topic for several years now. It positions data protection law as technology-neutral and adaptable to emerging AI technologies, including foundation models and gen AI. It prioritises accountability, transparency, and fairness through the AI lifecycle. Organisations using AI must continue to demonstrate compliance with UK GDPR principles – including lawful bases for processing, data minimisation and data protection impact assessments.
For 2026 the ICO will prioritise scrutiny of foundation model developers, automated decision making in recruitment and central government, use of facial recognition technology by police – and more broadly biometric recognition systems across various contexts. It plans to develop a statutory code of practice on AI and ADM to provide organisations with clear expectations on transparency, bias mitigation and individual rights.
Adoption of agentic AI – an emerging category of autonomous AI systems – is accelerating across sectors, bringing a new set of novel risks. This month the ICO published its Tech Futures report on agentic AI. The report explores the data protection risks posed by autonomous AI systems, including unclear controller/processor responsibilities in supply chains, purpose creep and transparency challenges, whilst highlighting opportunities for privacy enhancing agentic tools. For organisations considering deployment of agentic AI, mapping data flows and controller/processor relationships across AI supply chains is imperative and transparency measures should be embedded from the outset. Seek early legal advice to aid navigation in the evolving regulatory landscape (see AI, accountability and the GDPR's global reach).
The UK AI Growth Lab, announced last year with a call for evidence just closed, is a proposed cross-economy regulatory sandbox. It would allow companies to test AI products under time-limited regulatory exemptions, with priority sectors including healthcare, planning, professional services, transport and advanced manufacturing.
For a deeper look at how boards can navigate AI risks and opportunities, read more in our insight: Artificial Intelligence in business: a starter for boards.
The DUAA creates a statutory basis for the UK digital identity attributes trust framework which governs digital verification services (DVS) and is currently operated by the Department for Science, Innovation and Technology (DSIT). To provide DVS, providers must obtain certification, meet security and interoperability standards and register on a statutory register before they can display a trust mark. For users of a DVS, this service offers the potential to streamline customer onboarding, identity verification and anti-money laundering checks. Benefits may include reduced fraud and more efficient digital customer journeys.
Several DVS developments are expected in 2026. The first statutory trust framework under DUAA has already been published. OfDIA (the Office for Digital Identities and Attributes) is currently developing the 1.0 publication. The information gateway provisions under the DUAA should commence, allowing public authorities to share information with registered DVS providers at an individual's request. Secondary legislation is being drafted to amend licensing rules so that DVS would be permitted for alcohol age verification. The Home Office is also expected to require that employers and landlords using DVS for right to work and right to rent checks must use providers certified against the applicable supplementary codes. A public consultation on the government's wider digital identity proposals, originally planned for 2025, is now expected in 2026.
In addition to ensuring compliance with data protection laws, organisations considering using DVS need to navigate DVS compliance obligations, undertake due diligence on certified providers and ensure policies and contracts are updated.
The international transfer landscape remains a critical focus for UK organisations in 2026. On 19 December 2025 the European Commission formally renewed the adequacy decisions permitting personal data to flow freely between the EEA and the UK, providing certainty until December 2031 with a mid-term review in 2029. Within the UK, DUAA made minor tweaks to the existing rules, including a name change for transfer risk assessment into the "data protection test" and requiring third country protections be "not materially lower" than those in the UK, rather than the previous "essentially equivalent" standard.
This month we’ve had new ICO guidance for international data transfers. Whilst the underlying legal requirements remain the same, we now have a more streamlined framework with a new "three-step test" to help determine a restricted transfer and much more detail on different transfer scenarios across controllers and processors in different jurisdictions. With the guidance, the ICO has published (or for some, is about to publish) new material on transfer risk assessments, international data transfer agreements and cloud services, with IDT tools and case studies.
Beyond the UK-EU relationship, broader questions of data sovereignty have acquired significant geopolitical importance. Meanwhile, the EU-US Data Privacy Framework continues to face uncertainty, with ongoing concerns about the framework's durability. Privacy advocates have indicated they may bring a further challenge.
For organisations, this means continuing to monitor developments closely, ensuring robust transfer mechanisms, such as standard contractual clauses, remain in place, and being prepared to adapt swiftly should the regulatory landscape shift.
As we look ahead to 2026, organisations are operating in a landscape shaped by legislative reform, rapid advances in AI and rising expectations around cyber resilience. With DUAA implementation underway, major changes to UK cyber law progressing and new ICO guidance expected throughout the year, staying proactive is essential to reduce risk and build long‑term resilience.