Reddit’s £14.47m ICO fine — what UK businesses need to do as child protection enforcement ramps up

We break down what the ICO found and outline three key steps that UK businesses should take now.
Author: Eleanore Beard

Today is Data Protection Day. Intended to raise awareness of individuals’ rights under data protection and privacy legislation, it’s the perfect opportunity to assess your compliance and the changes that could lie ahead in the year to come.
We know that data protection compliance is likely to have been on many ‘to do’ lists for some time. Today is a great time to get started and ensure that you’re not the subject of an ICO investigation or reputation crisis.
Remember — prevention is always better than cure. Acting now can save you significant time, stress and money in the future.
Over the past 12 months, we’ve seen a general global strengthening of data protection and cyber security frameworks as the world seeks to address the increased use of AI and protect against increased cyber threats.
2024 saw a number of significant legislative developments as well as some high-profile data breaches and regulatory actions which have reinforced the importance of data protection and the need to comply with legislation.
Of particular note is the EU’s AI Act, which came into force in August 2024. While this applies staggered deadlines for implementation, the Act will be fully functioning by August 2026. The Act will provide a legal framework for AI and affect both companies that are creating AI systems in the EU and those in the UK that seek to sell AI products into the EU or where such a product’s uses will affect EU residents.
We expect to see the same pattern of strengthening data protection and cyber security frameworks throughout 2025 as the UK awaits the new Data (Use and Access) Bill (DUA) and the Cyber Security and Resilience Bill.
Such developments mean that it’s crucial to stay informed and understand how your business — and its collection and processing of personal data — will be affected.
The recent progress of the DUA signifies a commitment to modernise the UK’s data practices. Introduced in the House of Lords on 23 October 2024, it’s likely to come into force during 2025 — hopefully in time for the EU’s review of the UK’s ‘adequacy decision’.
As DUA is making its way through the legislative stages, we could have new rules by May 2025 — or in the words of Dua Lipa: “I got new rules, I count 'em, I got new rules…”
Echoing Dua Lipa’s sentiment — "Did a full 180, crazy" — the UK's approach to data protection will be undergoing a transformation. The proposed ‘new rules’ will provide a new data protection framework based on the GDPR principles and the Data Protection Act 2018 while featuring some changes that the ICO says “maintains the high standards of data protection and protects people’s rights and freedoms, whilst also providing greater regulatory certainty for organisations and promoting growth and innovation in the UK economy”.
The proposals for DUA include:
DUA will also increase fines for breaches of marketing rules under PECR (the Privacy and Electronic Communications (EC Directive) Regulations 2003) to align with the GDPR’s fine levels.
As cyber threats grow more sophisticated, organisations, businesses and individuals must strive to be proactive in safeguarding personal data. The proposed Cyber Security and Resilience Bill seeks to strengthen and expand the protection of digital services and supply chains, impose stronger reporting requirements and introduce a cost recovery mechanism.
We also expect the EU’s Digital Fairness Act to come into force later this year. It’s expected to introduce measures to limit misleading commercial practices by influencers and make it easier to cancel online subscriptions.
To stay fully protected, you should review your current data protection and cyber security measures to ensure compliance with the current frameworks.
If you’re not sure where to start in terms of data protection, privacy and compliance, our specialist data protection solicitors can help. We offer bespoke data protection management and GDPR compliance training to help guide your journey to compliance.
Talk to us by giving us a call on 0333 004 4488, sending us an email at hello@brabners.com or completing our contact form below.
Eleanore Beard
Eleanore is a Legal Director and Data Protection Practitioner in our commercial team.