The UK data protection framework changed in 2026 (although not that much, really). The Data Use and Access Act 2025 brought in a rewritten set of rules on automated decision-making, new ICO powers, and changes to how subject access requests are handled, together with a shift in the ICO’s stated objectives to include economic growth alongside enforcement.
For most UK organisations, the framework is UK GDPR and the Data Protection Act 2018. Understanding what changed and what stayed the same is now part of staying compliant.
The work I do in data protection is advisory and practical. I help organisations understand what applies to them, identify where the gaps are, and put the right documentation and processes in place.
And hopefully, I help them focus on what really matters here – protecting our personal data, but also using it safely in ways that improve our lives – just not baseline surveillance capitalism (sorry).
What this covers:
- Data protection audits and gap analysis — mapping what you process, why, and whether your documentation reflects reality.
- DPIAs — when they are required, how to run them, and what regulators expect to see. In 2026 the ICO is focusing on DPIAs for AI systems: specificity on bias risks, and updating them as systems evolve.
- Policy drafting — privacy notices, retention policies, data processing agreements, staff guidance.
- Subject access requests — advising on handling, the new stop-the-clock mechanism (clarification requests now available, but must be demonstrably necessary), and escalating ICO complaints.
- Automated decision-making — post-DUAA, the rules have shifted from a default prohibition to a permission-based model for ordinary personal data. Special category data retains the older, stricter approach. Understanding which applies, and building the required safeguards, is now a live compliance question for any organisation using AI tools.
- AI and data protection — training data obligations, data subject rights in AI systems, the ICO’s incoming guidance on AI and automated decision-making.
For law firms: I also provide specialist support on data protection, data governance and AI, including training, train-the-trainer sessions, resource materials, precedents and consultancy support (including “phone a friend”) for firms advising clients or managing their own compliance obligations.
