Welcome to October’s edition of our Data Protection monthly news roundup. Read on to find out what’s new in the world of data protection, as well as updates on all things iSTORM.

Projects 

September saw the continuation of several projects from the previous month, as well as a variety of new ones starting, including:

  • A complete overhaul of a business’s framework policies to support work towards compliance.
  • Gap analysis for a large accounting firm, highlighting any risk areas for review.
  • Multiple DSAR support projects including redactions, exemptions and response writing.
  • Work around our own internal ISMS to ensure we maintain the highest level of security for client data.
  • RoPA review for a housing provision company, ensuring their processes are recorded appropriately.
  • An ISO27001 Audit for a client on the ISMS Online platform.
  • Multiple ongoing Pentesting projects within the Pentesting Team.

If you would like any more information about the above services, or on anything covered in this month’s newsletter, or you have a query, please reach out to us anytime!

News

EU AI Act: Obligations for General-Purpose AI Providers

The general-purpose AI provisions of the EU’s Artificial Intelligence Act are now in effect (they have applied since 2 August 2025). General-purpose AI providers must meet the transparency and copyright compliance rules in Article 53, and where a model is deemed to pose systemic risk, the additional safety and security requirements in Article 55. To guide implementation, the European Commission has released a voluntary Code of Practice, which urges providers to document their training processes, source training data lawfully, embed security-by-design, and carry out risk assessments. The new European AI Office oversees enforcement of these obligations, and models already on the market before the rules applied have until August 2027 to reach full compliance.

Source: PDP

SAR Failures

The Information Commissioner’s Office has issued an enforcement notice to Bristol City Council for failing to meet its Subject Access Request obligations, after finding that the council had allowed a backlog of outstanding requests (some dating from 2022) to persist with only limited progress despite repeated engagement from the regulator. To comply, the council must contact every individual whose request is delayed, respond to the oldest outstanding SARs within 30 days, provide regular progress reports to the ICO, submit an action plan, and make systemic changes so that future requests are handled on time. ICO Head of Investigations Sally-Anne Poole warned that the council’s “poor organisational attitude” towards data rights must give way to legally sound policies.

Source: PDP

Record of Processing Activity

Documenting your processing activities is a legal requirement under Article 30 of the UK GDPR (organisations with fewer than 250 employees are exempt only where their processing is occasional, is unlikely to result in a risk to individuals, and involves no special category or criminal offence data). Taking stock of what personal data you hold, where it is, and what you do with it makes it far easier to improve your information governance and to meet other obligations under data protection law, such as writing an accurate privacy notice and keeping personal data secure. A maintained record is also clear evidence of compliance with the accountability principle, and the ICO may require you to produce it. Because processing is not lawful without a valid lawful basis, your record should identify the basis relied on for each activity and you should be able to justify that choice.

Talk to us about what support we can provide!

Horizon Scan: Data Protection, Penetration testing & ISO27001

Read about what’s changing or coming up in the world of Data Protection, Pentesting and ISO27001.

Horizon Scan – Oct 2025

Meet the Team…

Our friendly team of passionate Data Protection Specialists is here to help your team navigate its data protection challenges and is happy to support you with any queries.

We are really excited to welcome the newest member of our brilliant team of Data Protection Consultants! Kielee brings a wide range of experience, having worked as a consultant for a high street building society for over seven years, focusing on all aspects of account management.


More from iSTORM?

We can offer services including:

  • GDPR / Data Protection gap analysis and maturity reviews
  • Auditing
  • GDPR framework implementation support
  • Outsourced Data Protection Officer Services (DPO)
  • Data Protection Impact Assessments (Review & Completion)
  • Data Flow Mapping
  • Supplier Assurance Frameworks
  • Policy and procedure writing
  • Training and awareness (online and face to face)

We hope you have enjoyed this month’s data protection news roundup. For more information on any of the above, please email us at info@istormsolutions.co.uk or call +44 (0) 1789 608708.
