An early Christmas present for the tech sector from the CMA?

The Court of Appeal has recently handed down an important decision in respect of data protection law considerations in Farley & Others v Paymaster (trading as Equiniti) [2025] EWCA Civ 1117, providing clarity on the scope of infringement and compensation data protection claims under the UK GDPR and Data Protection Act 2018 (“DPA”). The judgment will be of particular interest to any service provider dealing with and processing large volumes of customer personal data.  

In tech, the law often arrives after something has gone wrong. Here are three cautionary tales* and the lessons every founder, CTO and in-house counsel should take away.

The Data (Use and Access) Act 2025 (the “DUAA”), which received Royal Assent on 19 June 2025, introduces targeted reforms to the UK data protection legal framework — particularly the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (“PECR”).

The recent cyberattacks on major UK retailers have put cybersecurity back in the spotlight. But a more significant development for data protection practitioners has been flying under the radar: the Information Commissioner’s Office (ICO) has issued a notable fine directly against a data processor for breaching UK GDPR security obligations - an important shift in enforcement focus.

On 6 April 2025, the first wave of consumer protection provisions under the Digital Markets, Competition and Consumers Act 2024 (“DMCC Act”) came into force, marking the most significant overhaul of UK consumer protection law in over a decade. 

In the wake of recent high-profile cyber-attacks on major retailers like Marks & Spencer and Co-op, the UK government has launched a new voluntary Code of Practice for software vendors at its flagship cyber security event, CyberUK 2025. This initiative sets a dynamic baseline for software security and resilience, aiming to help prevent such breaches in the future.

The Office of Communications, commonly known as ‘Ofcom’ (the regulator for communication services) is calling on tech firms to make ‘the online world safer for women and girls’. 

Last week, I had the pleasure of hosting an insightful roundtable dinner at The Ivy in Covent Garden, London, bringing together thought leaders, industry experts, and business owners to discuss one of the most pressing topics of our time - AI regulation. Co-hosted by the brilliant Fred Becker, CAO of Unlikely AI, the conversation was rich with diverse perspectives, practical concerns and strategic insights.

The EU Data Act is set to reshape the data landscape, and while its full impact will unfold over time, some key provisions are coming into effect this September that SaaS providers need to be aware of now. Specifically, we're talking about the rules around data switching, and how they'll likely require you to update your standard terms and existing customer agreements.

On 12 October 2023, the UK-US Data Bridge (the “Data Bridge”) came into force, transforming the way both nations handle the flow of information across their borders. In this blog we explore the position before and after the introduction of the Data Bridge, looking at the key implications, benefits and challenges associated with the transatlantic data-sharing initiative.

The Online Safety Bill recently received Royal Assent and became law in October this year (the “Act”), at which point the Office of Communications (“Ofcom”) was granted broad powers to regulate online service providers. Essential detail concerning the legislative framework within the Act will be disclosed in the course of consultation and stakeholder engagement concerning the secondary legislation, codes of practice and guidance which will underpin the Act.

The rescue of SVB  showed that the UK government not only acted decisively in relation to a critical sector for the UK economy, but in the process showed that its newest policy Framework can involve meaningful action as well as words

In our recent blog, we explored why a Framework Agreement structure is typically the most appropriate customer contracting model for IT managed services providers (“MSPs”) and IT consultancies which offer a diverse product and service offering. Whilst our initial blog focussed on the purpose and terms of the Framework Agreement itself, that document is merely the starting point, given that a Work Order is also needed to document specific terms relating to each product or service offered by an MSP or IT consultancy. A typical service offering is a dedicated software support helpdesk, usually provided to support each of the software products offered by the MSP or IT consultancy to its customers. This blog considers a handful of the key issues to bear in mind when documenting the terms of a Work Order relating to the supply of a software support helpdesk service.

Many businesses lack comprehensive in-house IT expertise and resources to fully implement and manage all of their IT infrastructure requirements. IT managed services providers (“MSPs”) and IT consultancies plug the gaps by typically offering a diverse range of IT services and products to lighten the burden on their customers’ in-house IT teams (or to even remove the need to have an in-house IT team). 

In this blog series, we will review the key proposals for reform of data protection law within the Government’s consultation paper ‘Data: A New Direction’. We will consider how far the Government will stray from the current path and signpost some potential pitfalls and practicalities for consideration along the way.

Potential reforms to UK data privacy laws will change the way that cookies work on websites - businesses need to prepare now.

In the last instalment we talked about the ways in which the founders of KNow Wear Limited could protect the intellectual property in their business. Since then, the business has been progressing well and our founders have been working on developing a prototype.  

In our last instalment our founders, Sarah and Chris, considered the basics in establishing their tech startup and they incorporated a company under the registered name ‘KNow Wear Limited’. 

Many companies in the tech sector will be aware of the new immigration system and Skilled Worker category opening in a couple of weeks on 1 December. For those companies without a sponsor licence, they will need to apply for one in order to recruit both non-EU and EU citizens. EU citizens resident in the UK before 11pm on 31 December 2020 can apply to the EU Settlement Scheme.

Welcome back to the blog series covering the lifecycle of a tech startup, from a legal perspective.