Data and cyber

ICO seeks feedback on new enforcement guidance

The Information Commissioner’s Office (ICO) has published draft guidance outlining its approach to investigations and enforcement action under the UK General Data Protection Regulation and Data Protection Act 2018. The guidance aims to increase transparency, providing more detail than previous versions on processes, decision-making factors, and the use of investigatory powers, including new powers under the Data (Use and Access) Act 2025. It also explains outcomes, enforcement measures, and settlement procedures. Once finalised, the guidance will sit alongside the Data Protection Fining Guidance and replace the existing Regulatory Action Policy. The ICO is inviting views from law firms, data protection officers, privacy professionals, and others until 23 January 2026.

Cyber_Bytes November 2025

Cyber_Bytes is a regular round-up of key developments in cyber, tech and evolving risks. Updates explored in our November edition include:

  • UK government urges business leaders to prioritise cyber security amid rising threat
  • ENISA Threat Landscape 2025: Ransomware, Phishing, and AI Shape Europe’s Cyber Risk
  • ICO issues practical cyber security tips for small businesses
  • Jaguar Land Rover: Government steps in with £1.5bn loan guarantee as supply chain reels
  • Harrods shows incident response capability when it suffers second cyber incident in six months
  • Surging demand for Generative AI insurance: Businesses seek protection as risks and adoption accelerate
  • Capita fined £14 million over 2023 cyber-attack that exposed data of 6.6 million people

UK Data (Use and Access) Act comes into force

The UK Data (Use and Access) Act (DUAA) updates data protection legislation, aiming to harness the power of data to generate economic growth. It introduces pro-business changes, including a new Smart Data scheme, digital verification services, and restructuring of the ICO into the Information Commission. Key amendments include new “recognised legitimate interests” not requiring a balancing test, a more permissive framework for automated decision-making with safeguards, expanded definitions for research, and a new “data protection test” for international transfers. The DUAA also enhances children’s data protection, aligns PECR fines with GDPR standards, and mandates formal complaint procedures. Businesses should review current data processing activities to ensure compliance.

ICO’s updated encryption guidance: what this means for UK businesses

The Information Commissioner’s Office (ICO) has consulted on updated guidance regarding encryption for organisations subject to the UK GDPR. The draft guidance emphasises that encryption is a critical technical measure, but not mandatory, and must be proportionate to the nature of data processing. Organisations are expected to use risk-based, up-to-date encryption practices, supported by robust key management and regular reviews. The ICO highlights that encryption alone is insufficient; it should be combined with other security measures such as access controls and audits. The guidance provides practical scenarios and recommends ongoing adaptation to technological developments, reinforcing the need for accountability and transparent security practices in line with evolving regulatory expectations.
