24/01/2026

As we move into 2026, it’s tempting to look for the big new data protection law that will change everything overnight. In reality, that isn’t how this year is shaping up.
Instead, 2026 looks set to be a year of consolidation, scrutiny and expectation‑raising. The rules themselves are largely familiar. What’s changing is what regulators, auditors and the public expect organisations to be able to show.
This isn’t about perfection. It’s about being able to explain, evidence and defend the decisions you make about personal data.
From “Do We Need a Policy?” to “Can We Defend This?”
Most organisations should now have the basics in place: privacy notices, breach procedures, retention schedules, DPIA templates. The compliance conversation in 2026 is less about whether these documents exist, and more about whether they actually reflect how the organisation operates. Remember the privacy notice for a small UK children's party entertainment business that somehow managed to reference Californian privacy law? A template copied wholesale is evidence of a gap, not of compliance.
We are seeing a clear shift away from box‑ticking towards defensibility. Can you demonstrate:
- why a particular approach was chosen
- how risks were identified and mitigated
- who made the decision, and on what basis
- what was considered and discounted
Having a policy is no longer the end point. It’s the starting evidence.
AI Use: Governance Is Catching Up With Reality
Artificial intelligence is no longer an abstract future risk. Staff are already using AI tools to summarise documents, draft content and speed up routine tasks.
In recognition of this, the ICO itself has published its own internal AI use policy, explicitly intended as a practical starting point for organisations developing rules around staff use of AI.
In 2026, the governance gap is becoming harder to ignore. Organisations are increasingly expected to have:
- clear rules for internal AI use
- training for staff on appropriate and inappropriate use
- clarity on what data must never be entered into AI tools (personal data and client confidential material being the obvious examples)
- DPIAs where the use of AI is likely to result in a high risk to individuals
The uncomfortable truth is that banning AI outright rarely works. Sensible governance, transparency and boundaries are far more effective than pretending it isn’t happening.
Cyber Security Is a Leadership Issue, Not Just an IT One
Cyber incidents remain one of the most common causes of personal data breaches. What’s changing is how those incidents are viewed.
Security is no longer treated as a purely technical matter. Senior management and leadership teams are increasingly expected to understand:
- what their biggest information risks actually are
- how prepared the organisation is to respond to an incident
- who takes decisions in the first 24–48 hours (the UK GDPR deadline for notifying the ICO of a reportable breach is 72 hours from becoming aware of it, so those decisions cannot wait for the next scheduled meeting)
- whether those decisions would stand up to external scrutiny
In 2026, the absence of senior ownership is itself becoming a risk.
International Transfers: Stable for Now, But Not Static
The renewal of the adequacy arrangements covering UK–EU data flows has provided welcome stability for organisations transferring personal data internationally. However, this is not a “set and forget” area.
Transfer risk assessments, supplier oversight (including sub‑processors) and an up‑to‑date picture of where data actually flows remain necessary, particularly as UK data protection law continues to evolve with the phased commencement of the Data (Use and Access) Act 2025.
For most organisations, the key challenge in 2026 is less about complex legal mechanics and more about simply knowing where data goes and why, and whether their customers know too.
Enforcement: Process, Evidence and Cooperation Matter
2025 saw continued ICO enforcement for breaches of data protection and privacy law, and that trend is clearly continuing into 2026. Significant fines, including £14 million against Capita and £1.2 million against LastPass UK Ltd, alongside multiple penalties against SMEs for unlawful direct marketing, underline the regulator’s ongoing focus on security and marketing compliance.
Regulatory enforcement is often portrayed as sudden and punitive. In practice, much of it turns on how organisations respond when something goes wrong.
Increasingly, the organisations that fare best are those that can show:
- early identification of issues
- proportionate mitigation
- clear internal records of decisions
- openness and cooperation with regulators
Silence, confusion or the absence of an audit trail tend to create more problems than the original incident.
The Theme for 2026: Maturity
If there is a single word that captures where data protection is heading in 2026, it is maturity.
That means moving beyond treating data protection as a hurdle to clear, and instead embedding it into everyday decision‑making. It means accepting that not all risk can be eliminated, but that it must be understood, owned and justified.
Organisations that invest in clarity, governance and practical understanding now will find themselves far better placed when questions are asked later.
And in 2026, those questions are coming more often.