Data Protection News Roundup - February - iSTORM® Privacy - Security

Welcome to February’s Data Protection Monthly Newsletter. This month, we’re sharing fresh insights, recent developments, and the latest updates from the iSTORM team. Dive in to discover what’s happening and how you can keep strengthening your approach to data protection in 2026.

iSTORM Updates & New Services

2026 has started with real momentum at iSTORM. We’re already delivering several large DSAR projects for clients through our new DSAR Managed service, which enables us to support you with the redaction, collation, and exemption of DSAR data. DSARs can place significant demands on time and internal resources, our team can remove this pressure from you.

January also saw our new ISO Implementor reach the near-final stages of delivering a full ISO27001 framework, built entirely from scratch for a new client. Alongside this, we now have employees qualified to provide support with the implementation and review of ISO9001 and ISO14001 standards. If you’re considering introducing new standards or reviewing existing ones, we can help!

In addition, January also saw the successful close of a large data retention project for a global iSTORM client, including the creation and implementation of an entire retention schedule.

Expanding Our Expertise

Finally, we’re delighted to celebrate a fantastic achievement within the team. Our newest member, Kielee, who joined the Data Protection team in August 2025, received their results from their Practitioners qualification in Data Protection, achieving a Distinction. A result that truly reflects the high standards and expertise across our team.

So, if you want a personable, highly knowledgeable, and approachable Data Protection Officer who becomes part of your team—not just an add-on—then iSTORM is your go-to partner. Talk to us today to find out how we can support your business.

Data Usage and Access Act 2025

Under the UK’s Data (Use and Access) Act 2025 (DUAA), organisations (data controllers) will face a significant change in how data-protection complaints are handled. Coming into force by June 2026, individuals must first raise their data-protection complaint with the organisation (the controller) before they can escalate it to the Information Commissioner’s Office.

In brief the change covers the below:

Individuals must first complain to the controller about how their data has been handled.
The controller must have a formal internal complaints process.
The controller must respond within a reasonable period.
Only after the controller has responded (or failed to respond) can the individual escalate to the ICO.
The ICO may refuse to investigate if the individual has not first complained to the controller.

As a business, you may also need to ensure that you have an internal policy specific to Data Protection Complaints or inclusion of a section on your Privacy Notices. You may need to ensure that staff are appropriately trained in recognising and handling complaints, and you may need to amend your contracts to include the need for processors to support in this requirement.

If you would like any more information about this, or anything covered in this month’s newsletter, please reach out to us!

News

UK Considers Social Media Limits for Under 16s

The UK government is considering potential restrictions on social media use by children under 16, following support in the House of Lords for an amendment to the Children’s Wellbeing and Schools Bill. The move reflects growing concern about data protection risks and online harms associated with age verification and profiling of minors. While ministers have stopped short of committing to a full ban, the consultation signals that stronger regulatory intervention, and related privacy and compliance challenges for platforms are firmly on the government’s agenda. Source: PDP

ICO levies £225,000 in fines for unlawful marketing under PECR

The Information Commissioner’s Office has issued fines totalling £225,000 to two UK-based firms for sending millions of unsolicited marketing messages in breach of the UK’s Privacy and Electronic Communications Regulations. Allay Claims Ltd was fined £120,000 for distributing over 4 million text messages without valid consent, and ZMLUK Ltd was fined £105,000 for sending more than 67 million emails sourced from third-party data where individuals lacked informed choices about receiving communications. Source: PDP

Training

Did you know it’s a legal requirement to ensure all employees and contractors are trained to handle personal data? From GDPR principles to breach response, data requests, and remote working, it’s your responsibility, and you must be able to evidence it.

iSTORM can help with bespoke training in any format: HR packs, team sessions, in-person workshops, or even voice-over training for your internal LLM. Don’t get caught out—proper training is the first thing regulators will ask for if something goes wrong.

Talk to us about what support we can provide!

Horizon Scan: Data Protection, Penetration testing & ISO27001

Read about what’s changing or coming up in the world of Data Protection, Pentesting and ISO27001.

Horizon Scan – 2026

Meet the Team…

Our friendly team of passionate Data Protection Specialists are here to help your team navigate your data protection challenges, and are happy to support you with all your queries.

We are really excited to welcome the newest member to our brilliant team of Data Protection Consultants! Kielee has a wide range of experience, working as a consultant for a high street building society for over 7 years and focusing on all aspects of account management.

Data Protection News Roundup – February