ICO issues fine for unsolicited direct marketing
The ICO has recently fined Energy Prices Direct £160,000 for engaging in unsolicited marketing. The fine itself is not particularly notable (and falls under the
June 29, 2026
Claire Saunders
UK data protection complaints handling for organisations
From 19 June 2026 all controllers processing personal data under UK GDPR must comply with new data protection complaints handling requirements. This mandate, driven by
June 29, 2026
ICO issues report on consent and online advertising
The ICO has set out the results of its consideration of whether exceptions could be made to the consent requirements in PECR in relation to
June 20, 2026
New UK data protection complaints regime now in force
Controllers processing personal data under the UK GDPR need to comply with the new data protection complaints regime which entered into force on 19 June
June 19, 2026
Digital Omnibus on AI is agreed
The European Parliament and the Council of the European Union have now reached agreement on the Digital Omnibus on AI. Some of the key points
May 21, 2026
ICO publishes final guidance on storage and access technologies
On 29 April 2026 the ICO published its final guidance on storage and access technologies. Two new subchapters have been added as follows: What does
April 29, 2026
Updates to the European Data Protection Seal
On 15 April 2026, the EDPB adopted updates to the Europrivacy certification (the European Data Protection Seal). The European Data Protection Seal is a certification
April 15, 2026
ICO releases report on automated decision making in recruitment
As part of its AI and Biometrics strategy, the ICO has recently released a report relating to the use of automated decision making for significant
April 10, 2026
EDPB publishes draft DPIA template
The EDPB has issued a proposed DPIA template along with an explainer document for public consultation. The EDPB states that its template “is one way
April 5, 2026
ICO issues final Recognised Legitimate Interest guidance
On 23 March 2026 the ICO issued its final guidance on Recognised Legitimate Interests. The lawful basis section of the general guide has been updated
March 26, 2026
CJEU issues judgment in relation to rejecting DSARs
The CJEU has recently released a judgment in relation to rejecting a DSAR, adding further guidance on when it might be possible to reject a
March 25, 2026
ICO issues updated guidance on purpose limitation
On 23 March 2026, the ICO updated its guidance on purpose limitation to reflect the changes brought in by the Data (Use and Access) Act
March 24, 2026
Council of the European Union position on the Digital Omnibus on AI.
On 13 March 2026, the Council of the European Union agreed its position on the Digital Omnibus on AI. The Council’s draft notably deals with
March 13, 2026
ICO releases interactive transfer assessment tool
On 3 March 2026, the ICO released an interactive transfer assessment tool. The tool is part of the ICO’s wider guidance on international transfers and
March 5, 2026
Court of Appeal upholds ICO’s appeal in DSG Retail Limited case
The Court of Appeal has upheld the ICO’s appeal in the case of DSG Retail Limited v Information Commissioner’s Office [2026] EWCA Civ 140. This case concerns
February 26, 2026
ICO finalises data protection complaints guidance
The ICO has finalised its data protection complaints guidance ahead of the new Data (Use and Access) Act 2025 complaints handling requirements which will be
February 26, 2026
ICO fines Reddit £14.47 million for failures in processing children’s data
On 24 February 2026, the ICO confirmed a fine against Reddit Inc (Reddit) for £14.47 million for failures in processing children’s data. The ICO found
February 25, 2026
Preparing for the Digital Omnibus: Navigating privacy with global regulatory divergence
The Digital Omnibus announced by the EU Commission aims to help harmonise and simplify the EU digital regulatory framework. In this webinar, you’ll hear an
February 25, 2026
EDPB publishes its 2025 Coordinated Enforcement Framework report
On 18 February 2026, the EDPB published its report on the Coordinated Enforcement Framework (CEF) on the right to erasure. The right to erasure was
February 20, 2026
EDPB adopts 2026-2027 work programme
Earlier this month, the EDPB adopted its 2026-2027 work programme which is part of its broader strategy for 2024-2027. In terms of practical guidance and
February 19, 2026
CJEU confirms that EDPB rulings can be challenged
On 10 February 2026, the CJEU ruled that WhatsApp Ireland Limited can challenge the EDPB’s ruling settling the dispute between data protection authorities over a
February 17, 2026
EDPB and EDPS publish joint opinion on Digital Omnibus Regulation
On 10 February 2026, the EDPB and the European Data Protection Supervisor (EDPS) published a joint opinion on the Digital Omnibus Regulation. While the EDPB
February 12, 2026
ICO updates Privacy by Design and Default guidance
On 5 February 2026, the ICO updated its guidance on Data Protection by Design and Default, in light of the Data (Use and Access) Act
February 9, 2026
ICO fines MediaLab.AI Inc for failures in handling children’s data
On 5 February 2026, the ICO fined MediaLab.AI Inc. (MediaLab), who own the social media platform Imgur £247,590, for failing to implement appropriate safeguards to
February 7, 2026
EU Commission proposes new cyber security package
On 20 January 2026, the EU Commission proposed a new package of cyber security measures. The package includes a proposal to revise the Cyber Security
January 20, 2026
EDPB and EDPS adopt joint opinion on the AI provisions in the Digital Omnibus
On 20 January 2026, the EDPB and EDPS issued a joint opinion on the AI provisions in the Digital Omnibus, which details recommendations in relation
January 20, 2026
The ICO updates guidance on international transfers
On 15 January 2026, the ICO released updated guidance on international transfers which aims to reduce complexity and support responsible data transfers. The guidance includes:
January 15, 2026
The CNIL has fined NEXPUBLICA FRANCE EUR 1.7 million
The CNIL has fined NEXPUBLICA FRANCE EUR 1.7 million for failing to implement adequate security measures for its Public CRM (PCRM) software, a user relationship
January 7, 2026
ICO welcomes the Cyber Security and Resilience Bill
The ICO has formally welcomed the Cyber Security and Resilience Bill (the Bill) as a “meaningful and necessary update” to the UK’s existing Network and
January 6, 2026
UK adequacy decision renewed
On 19 December 2025, the EU confirmed the renewal of the UK adequacy decision, meaning that personal data can continue to be sent from the
December 19, 2025
CJEU rules on transparency in relation to body worn cameras
On 18 December 2025, the CJEU handed down judgment in case C-422/24 which relates to the use of body worn cameras by a Swedish public
December 18, 2025
EU GDPR Enforcement Rules Regulation published
On 12 December 2025, the EU Commission published the GDPR Enforcement Rules Regulation. The regulation “aims to deliver faster and more effective enforcement of the GDPR
December 12, 2025
EDPB issues recommendation in relation to legal basis for e-commerce user accounts
On 4 December 2025, the EDPB issued recommendations on the legal basis for requiring the creation of user accounts on e-commerce sites. It has asked
December 4, 2025
European Commission publishes digital omnibus regulation
On 19 November 2025 the EU Commission published its draft digital omnibus regulation. The regulation proposes changes to a number of existing EU regulations, including
December 2, 2025
Commercial Court in Madrid fines Meta EUR 497 million
On 19 November 2025 the commercial court in Madrid ordered Meta to pay compensation for anti competitive behaviour, using unlawful data processing to give it
November 24, 2025
ICO fines password manager provider £1.23 million for security failings
On 20 November 2025, the ICO fined Last Pass UK Ltd. (Last Pass) £1.23 million in relation to a data breach which occurred when a
November 20, 2025
Completing your Article 30 Record of Processing Activities (ROPA) under UK GDPR
A Record of Processing Activities (ROPA) is a cornerstone of UK GDPR compliance. Knowing what personal data you process, why you process it, and how
November 18, 2025
Polish data protection authority fines telecommunications operator EUR 4.5 million
On 14 November 2025 the Polish data protection authority fined a telecommunications operator EUR 4.5 million in relation to several compliance failures. The operator: failed
November 17, 2025
EDPB issues opinion on draft adequacy decision in favour of Brazil
On 5 November 2025 the EDPB issued its opinion on the draft adequacy decision in favour of Brazil. The opinion was generally positive with the
November 6, 2025
ICO issues draft guidance on enforcement
On 31 October 2025 the ICO published draft guidance on enforcement. The guidance covers: Investigation process: how the ICO decides whether to investigate, what organisations
November 3, 2025
Outsourcing your way to compliance confidence
UK organisations are navigating an ever evolving data protection regulatory landscape. Staying compliant can feel like steering through fog, especially without the right expertise on
October 14, 2025
ICO consults on guidance on Data (Use and Access) Act 2025
The ICO has issued 2 sets of draft guidance for consultation. The first set of guidance relates to recognised legitimate interests and covers: What the
October 8, 2025
A route to DSAR success: Best practice insights and AI innovations
Alison Deighton and Mark Anderson from CDS discuss DSAR best practice and how to leverage AI.
October 1, 2025
DSAR Responses: What to include and how to share it
So you are finally putting together your response to the Data Subject Access Request (DSAR), but what does it need to cover? Supplementary information As
September 24, 2025
UK DPA Exemptions: What are they and when are they relevant?
The right to access personal data is not absolute and there are situations where a controller will not need to comply/fully comply with a Data
September 16, 2025
Question of the month: what do we need to think about when responding to an employment related DSAR?
When an employee asks for a copy of their information, there are a few points we need to think about in addition to the usual
September 11, 2025
How do I perform a search for information and what do I do about third party data?
Once the preliminary steps are out of the way for handling a Data Subject Access Request (DSAR) and you are ready for action, how do
September 9, 2025
What to do when you receive a DSAR
If receiving a Data Subject Access Request (DSAR) is not a common occurrence for you, then the best initial piece of advice is to take
September 3, 2025
How do regulators decide what fine to issue under GDPR?
You would have to have been living under a rock not to have seen some of the significant fines issued since GDPR came into force
August 27, 2025
UK government announces planned commencement dates for Data (Use and Access) Act 2025
On 21 July 2025 the UK Government issued its first commencement regulations in relation to the Data (Use and Access) Act 2025 (the Act). Following
August 25, 2025
Understanding the Data (Use and Access) Act 2025
In this webinar, we cover key insights for businesses. Including the key impacts on UK data regime and what business leaders need to do and
July 12, 2025
EDPB and European Data Protection Supervisor issue joint statement on GDPR reform
On 8 July 2025 the EDPB and the European Data Protection Supervisor (EDPS) issued a joint statement on the proposal for a regulation on simplification
July 10, 2025
Getting it right: handling complex DSARs and how AI can help
Wondering how AI could help with complex DSARs? Click here to read our article for Privacy Laws & Business and find out more.
July 9, 2025
German regulator issues significant fine to Vodafone in relation to monitoring partner agencies
In a press release earlier this month, the German data protection regulator confirmed that it had issued two fines totalling €45million against Vodafone GmbH. The
June 20, 2025
ICO fines 23andMe £2.31 million
On 17 June 2025, the ICO finalised their fine against 23andMe in relation to a cyber attack which led to unauthorised access to the personal
June 18, 2025
AI deployment and transparency: A practical perspective
Looking for a practical perspective on how to tackle transparency when deploying AI? Read our Privacy Laws & Business article and find out more!
March 25, 2025
The power of good data protection policies and procedures
Policies have a reputation for being dull, long documents, but that doesn’t have to be the case. Putting in place tailored, practical data protection policies
January 14, 2025
What rights do individuals have under UK GPDR?
You may have heard of “individuals’ rights” or maybe “data subject rights”, which data controllers must facilitate (and which processors must assist the controller with
October 10, 2024
Privacy Enhancing Technologies – what are they?
Have you heard of PETs? Not the fluffy kind, but the privacy kind? In the world of privacy, PETs are Privacy Enhancing Technologies (PETs). The
September 11, 2024
5 practical tips when responding to a data subject rights request
Receiving a data subject rights request can be unnerving if you don’t know where to start, so we have put together 5 handy tips to
August 22, 2024
When can I rely on the soft opt-in exemption for direct marketing?
The soft opt-in exemption under the Privacy and Electronic Communications Regulation 2003 can be a really useful tool to boost your electronic mail (e.g. email,
August 20, 2024
What are the Data Protection Principles?
Understanding the principles which underpin the UK GDPR can help you to develop a better understanding of the legislation. As the ICO says, the principles
August 7, 2024
How does the ICO decide on what fines to issue?
The maximum fine under UK GDPR and the Data Protection Act 2018 is £17.5m or 4% of an organisation’s total worldwide annual turnover in the
August 6, 2024
What’s the difference between a service email and a marketing email?
Have you ever wondered what the difference is between service emails and marketing emails and why it is important? If the answer is yes, then
July 31, 2024
5 tips on disposing of personal data safely
We spend a lot of time thinking about “active” processing when we are using personal data to achieve our goals, but we must not neglect
July 30, 2024
Legal Basis Myth Buster
Choosing a legal basis for processing can sometimes be a confusing business and, over time, a few myths have developed, so let’s distinguish fact from
July 24, 2024
What makes a good privacy notice?
How do you make sure your privacy notice gets the job done, conveying privacy information in a concise, clear, easy-to-understand way? Read on for some
July 8, 2024
5 top tips for dealing with hard copy documents which hold personal data
Although for many of us, life is now very much digital, we must not forget that hard copy documents containing personal data which are or
June 25, 2024
The data protection risks of sending group email messages
Recently the ICO fined the YMCA £7,500 for sending an email to over 150 identifiable addressees, using Cc rather than Bcc and therefore revealing the
June 19, 2024
Why are data protection audits so important?
Are you concerned that there may be areas of non-compliance in your organisation, but are not sure where to start in establishing what these are
June 12, 2024
Why is data protection training so important?
It is essential for organisations to have a training programme in place which provides staff with sufficient knowledge and understanding of its approach to data
June 4, 2024
Transparency in health and social care
On 15 April 2024 the ICO published guidance to improve transparency in health and social care. The guidance looks at what is meant by transparency,
May 28, 2024
ICO issues fining guidance
The ICO has issued guidance on how it decides when to issue fines and how the amount of these fines is decided. Some of the
May 23, 2024
What can we do to help prevent data breaches?
A personal data breach under GDPR (sometimes referred to as a “data breach”) is a breach of security where personal data is accidentally or unlawfully
May 16, 2024
The power of data protection policies and procedures
Policies have a reputation for being dull, long documents, but that doesn’t have to be the case. Putting in place tailored, practical data protection policies
May 16, 2024
What is a data protection impact assessment (DPIA) and when should we complete one?
So you are thinking about starting a new data processing project or making changes to existing processing. Before you start to process the personal data,
May 9, 2024
5 practical data compliance steps for small businesses
Starting to address data protection can seem like a daunting task. In these situations, a back-to-basics approach is needed to separate the wood from the
April 23, 2024
ICO finalises biometric data guidance
ICO finalises biometric data guidance. The guidance covers key data protection concepts, biometric recognition, how to demonstrate compliance with data protection obligations, consideration of lawfulness,
March 28, 2024
EDPB provides clarification on “main establishment”
EDPB provides clarification on “main establishment” The EDPB has issued some guidance on the meaning of “main establishment” for the purposes of the one-stop-shop mechanism
March 28, 2024
Question of the month – What can go wrong where manual systems are used to change data?
Not often a high billing topic in the list of ICO enforcements, but one which has been the subject of a recent reprimand, is data
January 28, 2024
ICO publishes guidance on UK BCR addendum
The ICO has now released its UK addendum to the EU BCRs with accompanying guidance. The guidance walks through the application process (which can be
January 28, 2024
The European Court of Justice (CJEU) holds that credit scoring can be an automated decision under GDPR
On 7 December 2023, the CJEU issued judgment in the case of C-634/21|SCHUFA Holding (Scoring). SCHUFA is a company which provides information on creditworthiness to
December 14, 2023
Top tip – time to check your cookie compliance
The ICO has reiterated its position in relation to organisations who do not allow individuals to reject all cookies on their cookie banners. At the
October 28, 2023
ICO guidance on bulk emailing
Continuing a theme from last month’s digest (see “Question of the month – Help! We have used To/CC rather than BCC in an email and
September 28, 2023
Are the names of employees who have viewed an individual’s personal data, personal data of that individual?
The CJEU has recently ruled on a matter where an individual (who worked for and was a customer of a Finnish bank) made a subject
August 28, 2023
Question of the month – Help! We have used To/CC rather than BCC in an email and it has revealed sensitive personal data– what should we do now?
There have been a couple of recent reprimands issued by the ICO in situations where individuals’ email addresses were inadvertently disclosed to other recipients of
August 12, 2023
Question of the month – how are fines under the GDPR calculated?
The EDPB has issued guidance on how fines under the GDPR are calculated. Whilst it may not be your first choice in terms of reading
July 28, 2023
Question of the month – What will happen to the UK GDPR at the end of 2023?
In late 2022, the Government announced its intention, as part of Brexit, to remove EU laws from the statute books.
June 28, 2023
Court of Justice of the European Union (CJEU) rules on the scope of the right to obtain a copy of personal data
Examination of what constitutes a “copy” of personal data under Article 15(3) EU GDPR, whether this extends to a copy of, extracts of or even entire documents or extracts from data bases?
June 24, 2023
Top tips on disclosing data recipients during data subject access requests
Earlier this year the Court of Justice of the European Union (CJEU) weighed in on the question of disclosing the recipients of personal data in the context of data subject access requests.
June 23, 2023
Question of the month – Can provision of information required by a regulator ever be direct marketing?
Let us guide you on if the provision of information required by a regulator ever be direct marketing.
May 31, 2023
Top tips for app developers in light of the new code of practice for app store operators and developers
The Department for Culture, Media and Sport (DCMS) and National Cyber Security Centre have collaborated to produce a voluntary code of practice for app store operators and developers.
March 30, 2023
How should you approach data sharing?
We set out the key steps which you should consider when embarking on a data sharing project.
January 18, 2023
Resource Library
Data protection is a fluid terrain. Data protection legislation and the approach by regulators are constantly changing, so it is vital to stay up to date. In this resource library, you’ll find some expert insight and information to help you navigate a path of compliance.
All items are available to download as pdf files. To view a document, please ensure you have installed Adobe Acrobat Reader on your device.
Description
Do you want to hear from us?
Please complete the fields below to stay up-to-date with the latest HelloDPO news.
Our experience...
Speaks for itself through collaboration with leading global brands such as…
- Tech giants
- Health tech start-ups
- Forward-thinking financial institutions
- Global dating app
- One of the largest entertainment record labels globally
- Shopping meccas
- National broadcasters
- Professional services firms and regulators
0
+
Sector specialisms and in-depth experience
0
%
Client retention rate and long lasting relationships
0
s
Learners who complete our data protection training each year
Don't just take our word for it
“If you’re looking for trustworthy, pragmatic and diligent legal advisors, say Hello(to)DPO! The team has been a great support to Skyscanner on a broad range of privacy and data protection matters, whether advising at a compliance level or on more acute legal issues. You’ll enjoy considerate, timely and helpful advice, provided by professionals with whom it’s a delight to work.”
Gemma Witham
Director of Legal (Privacy), Group Privacy Officer, Sykscanner Limited
Don't just take our word for it
“We have been working with HelloDPO for several years now and I have always found them to be friendly, approachable and above all professional in their approach. I would have no hesitation in recommending them.”
Serena May
Director, Southern HR Ltd
Don't just take our word for it
“We have worked with Jenai, Alison and the HelloDPO team for over 5 years as our DPO and have found their advice and support invaluable. They are pragmatic and flexible in the advice they provide, and assist in making data protection compliance apply in a corporate environment. Working with them is like having additional members of our team, and the relationship has flourished over time.”
Craig Saunders
Head of International Privacy, Aetna Global Benefits (UK) Ltd
Don't just take our word for it
“The team (Jenai and Lisa) provided DPO services and compliance support to our business for over a year, during which they consistently delivered high quality advice and excellent client service. The demands of the hospitality industry are high and HelloDPO adapted to this quickly and seamlessly – they are responsive, knowledgeable, and pragmatic. They are also a pleasure to work with.”
Frasers Hospitality (UK) Ltd
Don't just take our word for it
“We have been working with HelloDPO for nearly a year. The team have been great to work with, highly professional and flexible. Most importantly, they have given clear advice and guidance in what is a very complex area. Well done and we look forward to continuing working with you!”
Ruth Hidalgo
Director, Chartered Accountants Worldwide
Don't just take our word for it
“The HelloDPO team have led us patiently through the intricacies of GDPR over the years, helping us to navigate a careful path to ensure understanding of the rules and therefore compliance with them. HelloDPO are a pleasure to work with and I’d have no hesitation in recommending them to others looking for good, commercial advice in this complex area.”
Sanjay Patel
Finance Director, Cadogan Group Limited
Don't just take our word for it
“We have recently engaged HelloDPO and the team, led by Jenai, has been responsive, practical and generally very helpful when dealing with our data protection queries. We look forward to what’s on track to becoming a great working relationship!”
Federica Cozzani
Senior Legal Counsel, Compre Group
Don't just take our word for it
“Jenai and Emma are amazing to deal with. They strike the right balance between understanding the business needs while doing it’s fiduciary duty to ensure we are on the right track from a legal, ethical and moral perspective. Working with HelloDPO’s guidance over the past 2 years has enabled X-Mode (now known as Outlogic) to be able to navigate complex and at times uncertain waters with GDPR in a strategic and ethical manner.”
Joshua Anton
CEO, Outlogic
Don't just take our word for it
“A great bespoke service, delivered flexibly by absolute experts in a friendly, collaborative and accessible way. I cannot recommend more highly!”
Clare Russell
Interim Head of Legal, Vue UK and Ireland
Don't just take our word for it
“HelloDPO have been brilliant at getting our data compliance into shape. We have come such a long way in our ways of working and they are always on hand to help when we have complicated or urgent issues – they have simply become part of the team.”
Josh Towb
Head of Business Transformation, Jigsaw
Don't just take our word for it
“The HelloDPO team have provided Channel 4 with a wide range of data protection advice over the years. Alison is always delightful to work with, and her advice is pragmatic and set within a commercial context, which is particularly helpful. HelloDPO runs regular DP Confessionals, which provide our team with a valuable wider industry view and a sense of issues which other organisations are struggling with, and the ways in which they are approaching them.”
Rebecca Miller
Channel 4
Let’s chat
Book a free 30 min discovery call with our expert team and we’ll advise how we can help.