2026 is shaping up to be the most consequential year for UK data protection enforcement since the introduction of the EU/UK GDPR regime. With record fines issued in late 2025, a new enforcement playbook on the horizon, and shifting legislative and regulatory expectations, the Information Commissioner’s Office (“ICO”) is signalling a marked transformation in how it supervises and sanctions organisations.
This blog explores what is changing, why it matters, and what businesses should be doing now. In short, firms will need to review their current practices and procedures carefully and, in particular, re-think their compliance processes for cybersecurity, incident response, supplier oversight, data governance and contractual risk allocation if they are to be properly and effectively prepared for the changing landscape.
1. A year of record penalties shows the ICO’s new enforcement crackdown in action
The ICO’s enforcement strategy shifted in 2025, culminating in its largest‑ever fine of £14 million against Capita for cybersecurity failures exposing the data of millions of people. This sits alongside a growing list of high‑profile enforcement actions, including the game‑changing fine of £3.07 million against Advanced Computer Software Group Limited, a processor, for breaching UK GDPR security obligations; a fine of £2.3 million against 23andMe for delayed breach response and inadequate safeguarding of highly sensitive genetic personal data; and a fine of £1.2 million against LastPass for internal security control failures contributing to a major breach.
Taken together, these show the ICO prioritising enforcement action and resolution in respect of serious cybersecurity deficiencies, delayed or ineffective incident response processes, and poor organisational controls — particularly where major suppliers are involved. This marks a clear move away from the previous pattern dominated by lower‑value PECR marketing fines.
2. The ICO’s draft enforcement procedural guidance
- Public naming of active investigations, increasing reputational exposure and accelerating board‑level engagement.
- Expanded investigatory powers, including warrants to enter and inspect premises, powers to compel CEOs and senior managers to attend interviews and answer questions relevant to an investigation, and assessment notices.
- A formalised settlement procedure offering penalty discounts where organisations meaningfully cooperate to settle within a short window.
- A clearer investigative chronology and gatekeeping test for opening cases based on public interest, severity, precedent and resource.
3. DUAA 2025
4. A shift in regulatory focus: from guidance to intervention
5. What this could mean for service providers, outsourcing and contract negotiation
6. Practical Takeaways for 2026
- Strengthen incident response and breach readiness: rehearse cyber‑incident simulations, verify detection and response capabilities, and confirm clear internal and external escalation pathways.
- Rigorously assess supplier risk: enhance due diligence on vendor security controls, refresh data‑processing agreements, and secure robust rights to audit and access logs and relevant subcontractor information.
- Refresh governance frameworks: align policies and records with DUAA 2025 requirements, and ensure clear audit trails for automated decision‑making and AI systems.
- Enhance cookie and tracking compliance: ensure rejecting non‑essential cookies is as easy as accepting them, and verify that tracking technologies honour user choices. Also consider whether the EU data protection rules on cookies apply, as they have extra‑territorial effect.
Conclusion
The UK data governance landscape is changing. The ICO is moving away from a guidance‑led approach toward a more public and interventionist enforcement strategy. Coupled with various new statutory requirements (such as those introduced by the DUAA), businesses face a materially heightened compliance burden.
Treat data governance as a board‑level strategic priority. Those who invest early in robust governance, stronger supplier oversight, enhanced cyber‑resilience and transparent data practices will be best placed to navigate the ICO’s new environment.
If you have any questions regarding this blog, please contact Caroline Sheldon in our Corporate, Commercial & Finance team.
About the author
Caroline Sheldon joined the Corporate, Commercial & Finance team in August 2022 as an associate and specialises in advising on commercial matters. She advises entrepreneurs, startups and established businesses across a variety of sectors, with a focus on those in the technology sector.