Change has arrived. The question now is; how to respond? In the year ahead, the data, privacy, and cybersecurity landscape will increasingly centre on the role of regulation in fostering innovation, while simultaneously addressing the need for data protection and responding to growing cyber threats. Our Data, Privacy and Cyber team have produced a comprehensive collection of thought leadership pieces, bringing together insightful articles, expert analysis and forward-thinking perspectives on the evolving world of data protection, privacy, and cybersecurity.
Designed to help organisations navigate and understand emerging challenges and opportunities, the document reflects our commitment to ensuring we are at the forefront of developments in these critical areas. We invite you to explore these articles and help shape the conversation on data, privacy, and cybersecurity in the year ahead. Download the full Perspectives on the Data, Privacy & Cyber Landscape 2026 document using the below link, or scroll down to read each individual article.
Download Perspectives on the Data, Privacy & Cyber Landscape
To prioritise innovation or regulation? Global tensions and pressures on regulatory models
This piece explores the shifting landscape of innovation and regulation, discussing how policymakers are currently dealing with the challenge of fostering technological progress while safeguarding against risk.
We highlight the ongoing debate surrounding regulatory approaches as artificial intelligence as a prime example of the tension between encouraging innovation and ensuring robust governance. Recent geopolitical developments have prompted governments to reconsider their regulatory priorities.
The article considers the impact and characterisation of the GDPR as a global benchmark and whether a similar 'Brussels effect' resulting from the EU AI Act will influence other jurisdictions on the regulation of AI. In the face of opinions arguing against over-regulation, is the pendulum now swinging towards a greater emphasis on innovation?
Unlocking the value of data: Navigating anonymisation, pseudonymisation & PETs
This piece explores the complex challenge of maximising the value of personal data while maintaining robust privacy compliance, drawing upon the latest regulatory guidance, case law, and the authors’ practical insights.
We examine the evolving landscape of anonymisation, pseudonymisation and Privacy-Enhancing Technologies (PETs), highlighting both their effectiveness and limitations. The article considers the balance between the economic need for data-driven innovation and the need for careful navigation of legal and contractual hurdles, with true anonymisation remaining difficult to achieve in practice.
The article discusses the keys to unlocking data utility responsibly, with context, governance, and strategic contracting all relevant. We reflect on legislative reforms and how advanced technical solutions such as PETs presented promising, yet imperfect, pathways to unlocking data utility.
PR and penalties: Behind the ICO regulatory strategy
This piece explores the evolving enforcement approach of the Information Commissioner's Office (ICO), highlighting the shift from heavy financial penalties to a more nuanced strategy of reprimands and engagement, especially within the public sector.
We examine recent ICO policies, noting that critics have accused the regulator of lacking teeth, with enforcement activity allegedly collapsing and leading to increased data breaches. The article scrutinises the ICO's rationale for issuing fines and perceived inconsistency, particularly when balancing reputational concerns and economic growth against data protection priorities.
Reflecting on recent regulatory outcomes, we consider whether the ICO's current strategies encourage data security, and the potential impact of upcoming legislative changes, with new reporting requirements for the ICO potentially influencing future enforcement.
Technology and data: Analysing the relationship between the power couple of AI-related research
This piece provides an examination of the dynamic relationship between technology and data in the context of AI research, the “power couple” at the heart of innovation.
The piece reflect on the legal and ethical complexities surrounding the use of personal data for AI-related research under UK law, noting challenges such as privacy, bias, transparency, and data ownership. We also highlight recent developments, including the Data (Use and Access) Act 2025 (DUAA), which introduces new flexibility and exemptions for scientific research.
Scrutinising the practical impact of UK GDPR and DPA 2018 provisions, as well as the ICO’s accountability framework, we provides critical insights into how organisations can meet legal requirements while fostering responsible research.
Contractual tensions are explored, with recommendations for analysing data roles, developing robust terms, and facilitating open discussions to enable innovation without compromising compliance.
From DSARs to data protection complaints: implementing the lessons from 2025
This piece offers a comprehensive analysis of key developments in Data Subject Access Requests (DSARs) throughout 2025, focusing on legal, regulatory and technological trends.
The piece reflects on landmark cases, such as Ashley v HMRC, and the impact of the Data (Use and Access) Act 2025, which has introduced important statutory changes to DSAR handling.
The increasing complexity and volume of DSARs, with the rise of AI-supported requests and mass DSARs following cyber incidents, will pose new challenges for organisations. We provide practical strategies for controllers, urging a holistic and proportionate approach, careful use of exemptions, and robust record-keeping.
The article also highlights the imperative for organisations to prepare for new statutory complaint handling requirements, including considerations for tailored complaints procedures and smart use of technology. Providing detailed guidance and actionable insight, the commentary underscores the need for proactive compliance and resilience in the face of evolving expectations in this area.
Post-breach – the discretion in assessing the risk of harm
This piece set out a comprehensive and expert analysis of the discretion involved in assessing the risk of harm following a personal data breach under UK data protection law.
The analysis explores the legal framework set out by the UK GDPR and the Data Protection Act 2018, highlighting the centrality of risk assessment in deciding whether to notify regulators or affected individuals. Drawing on guidance from the Information Commissioner’s Office, the European Data Protection Board, and the EU agency for cybersecurity ENISA, we consider both the established criteria and the formulaic methodologies available for evaluating breach severity.
The article examines the practical challenges organisations face, including the inherent subjectivity in determining what constitutes “high risk” and the balance between regulatory compliance and avoiding over-notification. We also consider the evolving landscape of data protection, the need for a nuanced approach tailored to the facts of each breach, and concluding with a discussion of alternative international approaches and reflects on the importance of flexibility, context, and justification in post-breach risk assessment decisions.
