2026 marks a turning point for data governance in the UK

Home Insights Blogs Corporate and Commercial Law Blog 2026 marks a turning point for data governance in the UK

2026 is shaping up to be the most consequential year for UK data protection enforcement since the introduction of the EU/UK GDPR regime. With record fines issued in late 2025, a new enforcement playbook on the horizon, and shifting legislative and regulatory expectations, the Information Commissioner’s Office (“ICO”) is signalling a marked transformation in how it supervises and sanctions organisations.

This blog explores what is changing, why it matters, and what businesses should be doing now. The point being that firms will need to carefully review their current practices and procedures and, in particular, re-think their compliance processes in respect of cybersecurity, incident response, supplier oversight, data governance, and contractual risk allocation to be properly and effectively prepared for the changing landscape.

1. A year of record penalties shows the ICO’s new enforcement crackdown policy taking action

The ICO’s enforcement strategy shifted in 2025, culminating in its largest‑ever fine of £14 million against Capita for cybersecurity failures exposing the data of millions of people. This sits alongside a growing list of high‑profile enforcement actions, including the game changing significant fine of £3.07 million against Advanced Computer Software Group Limited, a processor, for breaching UK GDPR security obligations (you can read more about Advanced’s enforcement here); a fine of £2.3 million against 23andMe for delayed breach response and inadequate safeguarding of highly sensitive genetic personal data; and a fine of £1.2 million against Lass Pass for internal security control failures contributing to a major breach.

Taken together, these show the ICO prioritising enforcement action and resolution in respect of serious cybersecurity deficiencies, delayed or ineffective incident response processes, and poor organisational controls — particularly where major suppliers are involved. This marks a clear move away from the previous pattern dominated by lower‑value PECR marketing fines.

2. The ICO’s draft enforcement procedural guidance

The ICO’s draft ‘Data Protection Enforcement Procedural Guidance’ is arguably the most significant rewrite of its enforcement policy since 2018 and proposes a more assertive and transparent regulatory model.

Key features include:

Public naming of active investigations, increasing reputational exposure and accelerating board‑level engagement.
Expanded investigatory powers, including warrants to enter into and inspect premises, compelled CEO and senior‑management interviews and to answer questions relevant to an investigation, and assessment notices.
A formalised settlement procedure offering penalty discounts where organisations meaningfully cooperate to settle within a short window.
A clearer investigative chronology and gatekeeping test for opening cases based on public interest, severity, precedent and resource.

This level of transparency and procedural assertiveness represents a culture shift within the ICO.

3. DUAA 2025

The Data (Use and Access) Act 2025 (“DUAA”) introduces further requirements that will shape enforcement strategy during 2026. Key changes include mandatory data protection complaint‑handling processes, revised lawful bases (including recognised legitimate interests), updated rules on automated decision‑making, and tougher PECR penalties aligned with UK GDPR levels. To read more about the DUAA and its implications please read our article here.

These changes create more enforceable obligations, and more opportunities for the ICO to intervene where organisations fall short. The ICO has signalled that organisations will now not only be expected to comply, but to demonstrate compliance through formalised, carefully thought-through and considered governance and documentation – in particular, bespoke and appropriate to the size of the firm and nature of the data processed.

4. A shift in regulatory focus: from guidance to intervention

The ICO has historically been cautious, often preferring education and soft guidance. Recent trends show a pivot toward targeted audits, such as the just concluded year-long review of the UK’s 1,000 most-visited websites to assess cookie compliance standards, which resulted in the ICO contacting hundreds of website owners and issuing preliminary enforcement notices to non-compliant website operators, as well as sector‑specific scrutiny, particularly in online services, AI and other data‑intensive businesses.

The regulator’s resource strategy also prioritises systemic issues over isolated minor infringements. Expect greater emphasis on large processors and service providers, widespread operational failures, and repeated or structural governance issues. Organisations handling complex, high‑volume personal data, especially in finance, health, education, and public services outsourcing should plan for heightened oversight.

5. What this could mean for service providers, outsourcing and contract negotiation

Major enforcement actions involving outsourcing providers (such as Capita) emphasise how supplier weaknesses can trigger regulatory and reputational fallout for clients. This will accelerate scrutiny of technical and organisational measures across supply chains, incident reporting timelines, subcontracting arrangements, and rights to audit and access logs.

Clients should expect tougher negotiations on indemnities for security failures, notification obligations, cyber‑insurance requirements, and governance clauses for automated decision‑making and AI. The ICO’s tougher stance is already resetting market expectations of what constitutes an adequate contractual risk framework.

6. Practical Takeaways for 2026

Prioritise the following actions as you prepare for a more assertive enforcement environment:

Strengthen incident response and breach readiness: rehearse cyber‑incident simulations, verify detection and response capabilities, and confirm clear internal and external escalation pathways.
Rigorously assess supplier risk: enhance due diligence on vendor security controls, refresh data‑processing agreements, and secure robust rights to audit and access logs and relevant subcontractor information.
Refresh governance frameworks: align policies and records with DUAA 2025 requirements, and ensure clear audit trails for automated decision‑making and AI systems.
Enhance cookie and tracking compliance: ensure rejecting non‑essential cookies is as easy as accepting them; verify that tracking technologies comply with user choices. Also consider the application of the EU data protection cookies requirements which have an extra-territorial effect.

Conclusion

The UK data governance landscape is changing. The ICO is moving away from a guidance‑led approach toward a more public and interventionist enforcement strategy. Coupled with various new statutory requirements (such as those introduced by the DUAA), businesses face a materially heightened compliance burden.

Treat data governance as a board‑level strategic priority. Those who invest early in robust governance, stronger supplier oversight, enhanced cyber‑resilience and transparent data practices will be best placed to navigate the ICO’s new environment.

If you have any questions regarding this blog, please contact Caroline Sheldon in our Corporate, Commercial & Finance team.

About the author

Caroline Sheldon joined the Corporate, Commercial & Finance team in August 2022 as an associate and specialises in advising on commercial matters. She advises entrepreneurs, startups and established businesses across a variety of sectors, with a focus on those in the technology sector.