Welcome to April’s Data Protection Monthly Newsletter. This month, we’re sharing fresh insights, recent developments, and the latest updates from the iSTORM team. Dive in to discover what’s happening and how you can keep strengthening your approach to data protection in 2026.
iSTORM Updates
March was a busy and productive month for iSTORM. We launched our first FOIA support project for a large District Council, helping to significantly reduce their backlog, while also successfully completing two external ISO 27001 audits for clients.
These projects were delivered concurrently alongside our ongoing services, including Policy Reviews, DSAR support, RoPA updates, and Privacy Notice corrections. Our work continues to support multinational organisations, ensuring compliance with data protection laws across dozens of countries worldwide.
In addition to our Cyber Essentials and Cyber Essentials Plus certification support, we provide daily Data Protection consultancy and Penetration Testing services. We also assist organisations with the implementation of ISO 27001, ISO 14001, and ISO 9001 standards.
We offer comprehensive training solutions tailored to your organisation’s needs. This includes GDPR, Information Security, FOI, DSAR, DPIA, and Breach Management training. Whether delivered virtually or in person, we’re here to support you and your team.
Get in touch with us today to learn how iSTORM can support your business.
Data (Use and Access) Act 2025
Under the UK’s Data (Use and Access) Act 2025 (DUAA), organisations (data controllers) will face a significant change in how data-protection complaints are handled. Coming into force by June 2026, individuals must first raise their data-protection complaint with the organisation (the controller) before they can escalate it to the Information Commissioner’s Office.
In brief, the change covers the following:
- Individuals must first complain to the controller about how their data has been handled.
- The controller must have a formal internal complaints process.
- The controller must respond within a reasonable period.
- Only after the controller has responded (or failed to respond) can the individual escalate to the ICO.
- The ICO may refuse to investigate if the individual has not first complained to the controller.
As a business, you may also need to ensure that you have an internal policy specific to Data Protection Complaints, or include a section on complaints in your Privacy Notice. You may need to ensure that staff are appropriately trained in recognising and handling complaints, and you may need to amend your contracts so that processors are required to support this requirement.
If you would like any more information about this, or anything covered in this month’s newsletter, please reach out to us!
News
ICO emphasises necessity, proportionality and accountability in evolving police use of Facial Recognition Technology
The Information Commissioner’s Office (ICO) has reinforced that police use of facial recognition technology must be necessary, proportionate, and accountable. Emphasising the sensitivity of biometric data, the regulator highlights the need for lawful processing, strong governance, and transparency. As adoption grows, the ICO notes that existing legal frameworks remain applicable but require careful and consistent application to maintain public trust. Source: PDP
Senedd Ends Sale of Voter Data in Push for Stronger Privacy Protections
The Senedd Cymru has approved regulations to abolish the open electoral register, preventing the sale of voters’ personal data for commercial use. The reform limits access to electoral data to democratic purposes only, marking a shift towards stronger privacy protections. It forms part of wider electoral modernisation efforts in Wales, including moves toward automatic voter registration and updated electoral systems. Source: PDP
Cyber Essentials Updates in 2026
Cyber Essentials is changing, with new assessment updates coming into effect on 27 April 2026. The five core controls remain the same, but stricter marking criteria, enhanced scope definitions, and more rigorous Cyber Essentials Plus testing will raise the bar for organisations seeking certification. Organisations starting the process with iSTORM before 27 April can still certify under the current version. Get in touch to find out how we can support your organisation.
Training
Did you know it’s a legal requirement to ensure all employees and contractors are trained to handle personal data? From GDPR principles to breach response, data requests, and remote working, it’s your responsibility, and you must be able to evidence it.
iSTORM can help with bespoke training in any format: HR packs, team sessions, in-person workshops, or even voice-over training for your internal LLM. Don’t get caught out—proper training is the first thing regulators will ask for if something goes wrong.
Talk to us about what support we can provide!
Horizon Scan: Data Protection, Penetration Testing & ISO 27001
Read about what’s changing or coming up in the world of Data Protection, Pentesting and ISO 27001.
Meet the Team…
Our friendly team of passionate Data Protection Specialists is here to help your team navigate your data protection challenges, and is happy to support you with all your queries.
More from iSTORM?
We can offer services including:
- GDPR / Data Protection gap analysis and maturity reviews
- Auditing
- GDPR framework implementation support
- Outsourced Data Protection Officer Services (DPO)
- Data Protection Impact Assessments (Review & Completion)
- Data Flow Mapping
- Supplier Assurance Frameworks
- Policy and procedure writing
- Training and awareness (online and face to face)
We hope you have enjoyed this month’s data protection news roundup. For more information on any of the above, please email us at info@istormsolutions.co.uk or call +44 (0) 1789 608708.