Welcome to March’s Data Protection Monthly Newsletter. This month, we’re sharing fresh insights, recent developments, and the latest updates from the iSTORM team. Dive in to discover what’s happening and how you can keep strengthening your approach to data protection in 2026.

iSTORM Updates

February has been a busy month for iSTORM. We successfully completed our first full implementation of ISO27001, ISO14001 and ISO9001, breezing through the Phase 1 audit. In addition to our Cyber Essentials and Cyber Essentials Plus certification support, Data Protection consultancy, and Penetration Testing services, we can now guide your organisation through these certification standards as well.

We have also taken on our first full Freedom of Information project, supporting a local authority in clearing a significant backlog of requests. Members of our Data Protection team are also delivering a large-scale data retention project: reviewing all business processing activities, assessing data security measures, and ensuring appropriate retention practices are in place.

Our team has also supported a client in the creation and ongoing management of their Record of Processing Activities, ensuring full documentation and traceability of data processing. Alongside this, we have assisted a national financial organisation with compliance relating to CCTV surveillance across multiple properties nationwide.

If you’re looking for expert support across compliance, certification, data protection, or information governance, talk to us today about how we can help.

Data (Use and Access) Act 2025

Under the UK’s Data (Use and Access) Act 2025 (DUAA), organisations (data controllers) will face a significant change in how data-protection complaints are handled. Once the change comes into force, by June 2026, individuals must first raise their data-protection complaint with the organisation (the controller) before they can escalate it to the Information Commissioner’s Office.

In brief, the change covers the following:

  • Individuals must first complain to the controller about how their data has been handled.
  • The controller must have a formal internal complaints process.
  • The controller must respond within a reasonable period.
  • Only after the controller has responded (or failed to respond) can the individual escalate to the ICO.
  • The ICO may refuse to investigate if the individual has not first complained to the controller.

As a business, you may also need to ensure that you have an internal policy specific to Data Protection Complaints, or include a section on complaints in your Privacy Notices. You may need to ensure that staff are appropriately trained in recognising and handling complaints, and you may need to amend your contracts so that processors are required to support you in meeting this requirement.

If you would like any more information about this, or anything covered in this month’s newsletter, please reach out to us!

News

ICO Reprimands GP Surgery Over Data Breach


The UK Information Commissioner’s Office has formally reprimanded Staines Health Group after it sent 23 years of a terminally ill patient’s medical records to an insurer, despite only five years being requested. The ICO cited a lack of written procedures and insufficient staff training on handling sensitive data. The practice has since implemented updated processes, extra training, and supervisory measures. Source: PDP

Epstein Document Release Exposes Victims

Unredacted images, videos, and personal information from Jeffrey Epstein-related files have been publicly accessible, despite warnings to US authorities. Lawyers say the exposure has caused “irreparable” harm, with some material remaining online even after the DOJ removed thousands of documents. Victims’ groups are criticising the failures and questioning the adequacy of redaction processes. Source: PDP

Cyber Essentials Updates in 2026

Cyber Essentials is changing, with new assessment updates coming into effect on 27 April 2026. The five core controls remain the same, but stricter marking criteria, enhanced scope definitions, and more rigorous Cyber Essentials Plus testing will raise the bar for organisations seeking certification. Organisations starting the process with iSTORM before 27 April can still certify under the current version. Get in touch to find out how we can support your organisation.

Training 

Did you know it’s a legal requirement to ensure all employees and contractors are trained to handle personal data? From GDPR principles to breach response, data requests, and remote working, it’s your responsibility, and you must be able to evidence it.

iSTORM can help with bespoke training in any format: HR packs, team sessions, in-person workshops, or even voice-over training for your internal LLM. Don’t get caught out—proper training is the first thing regulators will ask for if something goes wrong.

Talk to us about what support we can provide!

Horizon Scan: Data Protection, Penetration testing & ISO27001

Read about what’s changing or coming up in the world of Data Protection, Pentesting and ISO27001.

Horizon Scan – 2026

Meet the Team…

Our friendly team of passionate Data Protection Specialists are here to help your team navigate your data protection challenges, and are happy to support you with all your queries. 

We are really excited to welcome the newest member of our brilliant team of Data Protection Consultants! Kielee has a wide range of experience, working as a consultant for a high street building society for over 7 years and focusing on all aspects of account management.

More from iSTORM?

We can offer services including:

  • GDPR/Data Protection gap analysis and maturity reviews
  • Auditing
  • GDPR framework implementation support
  • Outsourced Data Protection Officer Services (DPO)
  • Data Protection Impact Assessments (Review & Completion)
  • Data Flow Mapping
  • Supplier Assurance Frameworks
  • Policy and procedure writing
  • Training and awareness (online and face to face)

We hope you have enjoyed this month’s data protection news roundup. For more information on any of the above, please email us at info@istormsolutions.co.uk or call +44 (0) 1789 608708.

 

 
