Welcome to May’s Data Protection Monthly Newsletter. This month, we’re sharing fresh insights, recent developments, and the latest updates from the iSTORM team. Dive in to discover what’s happening and how you can keep strengthening your approach to data protection in 2026.

iSTORM Updates

April saw iSTORM continue its FOIA support project for a large District Council, helping reduce backlog, while also securing new agreements to support organisations with ISO implementations and audits.

At the same time, our Data Protection team took on a major global retention schedule project, researching, designing and developing a retention schedule covering multiple departments across 60 countries. This was delivered alongside our ongoing services, including Policy Reviews, DSAR support, RoPA updates, and Privacy Notice corrections for multinational organisations.

On 23rd April, we hosted our first Privacy Space event in Manchester. This event featured excellent exhibitors and speakers, including the ICO.

We continue to provide Cyber Essentials and Cyber Essentials Plus certification support, Data Protection consultancy and Penetration Testing, and assistance with ISO 27001, ISO 14001, and ISO 9001 implementations. We also deliver training on GDPR, Information Security, FOI, DSARs, DPIAs, and breach management, either virtually or in person.

Finally, it is nearly time to complete your DSPT submissions, should these be relevant to you. With the DSPT deadline approaching on 30 June 2026, organisations handling NHS patient data must ensure compliance. We’ve successfully guided clients through this process in previous years and are ready to deliver the same results for you.

Talk to us today about all the different services we can provide you.

Data Usage and Access Act 2025 changes effective April 2026:

  • Most remaining DUAA data‑protection provisions activated (the major implementation phase began Feb–Apr 2026).
  • New ICO enforcement powers live, including compelling witnesses, requesting technical reports, and issuing higher PECR fines (up to £17.5m or 4% global turnover).
  • Updated rules on automated decision‑making now in force, creating a more permissive framework with required safeguards.
  • New definition and safeguards for research processing active, including clarified “research and statistical purposes”.
  • Updated lawful bases rules (Section 70) now operational.
  • International transfer framework changes (Section 85) commenced.
  • New cookie rules allowing certain cookies without consent (e.g., analytics/statistical) now active.
  • Recognised Legitimate Interests list (Schedule 4) now in force.
  • Most DUAA amendments to UK GDPR, DPA 2018 and PECR are now live following the April 2026 commencement window.

As a business, you may also need to ensure that you have an internal policy specific to Data Protection Complaints, or include a section on complaints in your Privacy Notices. You may need to ensure that staff are appropriately trained in recognising and handling complaints, and you may need to amend your contracts to require processors to support you in meeting this requirement.

If you would like any more information about anything covered in this month’s newsletter, please reach out to us!

News

 

UK Court Confirms Objective Standard for Valid Consent


The UK Court of Appeal has ruled that consent under the UK GDPR and the Privacy and Electronic Communications Regulations must be assessed objectively, rejecting a High Court approach that introduced a subjective assessment based on vulnerability and mental state. The case involved a claimant with a gambling addiction who argued that his consent to cookies and targeted advertising was not valid. The Court rejected a subjective approach, reinforcing that consent is determined by outward, recorded user behaviour. This gives organisations greater legal certainty, because consent validity is assessed on outward user actions and recorded interactions. Source: PDP

EDPB adopts new guidelines on scientific research

The European Data Protection Board has adopted new Guidelines on the processing of personal data for scientific research. This marks a significant step toward harmonising GDPR interpretation across the EU after years of fragmented national approaches. The guidelines clarify key concepts such as what qualifies as ‘scientific research’, confirm that processing for research is generally presumed compatible with original purposes, and set out the conditions under which broad consent, public interest, and legitimate interest may be used as lawful bases. Although the guidelines are not directly enforceable in the UK, they are still highly persuasive and often predictive of ICO thinking. Source: PDP

Training 

Did you know it’s a legal requirement to ensure all employees and contractors are trained to handle personal data? From GDPR principles to breach response, data requests, and remote working, it’s your responsibility, and you must be able to evidence it.

iSTORM can help with bespoke training in any format: HR packs, team sessions, in-person workshops, or even voice-over training for your internal LLM. Don’t get caught out—proper training is the first thing regulators will ask for if something goes wrong.

Talk to us about what support we can provide!

Horizon Scan: Data Protection, Penetration testing & ISO27001

Read about what’s changing or coming up in the world of Data Protection, Pentesting and ISO27001.

Horizon Scan – 2026

 

Meet the Team…

Our friendly team of passionate Data Protection Specialists are here to help your team navigate your data protection challenges, and are happy to support you with all your queries.

More from iSTORM?

We can offer services including:

  • GDPR / Data Protection gap analysis and maturity reviews
  • Auditing
  • GDPR framework implementation support
  • Outsourced Data Protection Officer Services (DPO)
  • Data Protection Impact Assessments (Review & Completion)
  • Data Flow Mapping
  • Supplier Assurance Frameworks
  • Policy and procedure writing
  • Training and awareness (online and face to face)

We hope you have enjoyed this month’s data protection news roundup. For more information on any of the above, please email us at info@istormsolutions.co.uk or call +44 (0) 1789 608708.

 

 
