January 28 is Global Privacy Day – an occasion to celebrate the right to data privacy and protection that many of us take for granted today. It wasn’t always this way, of course. Only on this date in 1981 did the Council of Europe finally sign Convention 108, “for the Protection of Individuals with Regard to Automatic Processing of Personal Data.”
Yet although it can be slow moving at times, data privacy law rarely stands still. This year, compliance professionals will have plenty to think about, as various provisions of the UK’s Data (Use and Access) Act (DUAA) come into force. They might consider turning to ISO 27701 to streamline their efforts.
Why Privacy Matters
Security and privacy are two sides of the same coin. Without the protections enabled by people, process and technology, no organisation would be able to fulfil its obligations to uphold customer and employee privacy rights. This is important for British companies in the context of the GDPR, which empowers regulators to levy potentially large fines (up to £17m or 4% of global turnover) for serious non-compliance. But there are other compelling business reasons why privacy should be a strategic priority:
- Avoiding operational costs associated with serious breaches. These could include extra cash needed to pay IT overtime, third-party forensics experts, legal teams, and to notify customers and regulators
- Avoiding potentially costly class action lawsuits following a major data breach
- Burnishing customer trust and loyalty. A major breach can seriously impact long-term reputation. But conversely, organisations that prioritise customer privacy and transparency over data handling have a great opportunity to build closer relationships with their customers
- Driving competitive advantage and expansion through adoption of best practice privacy standards like ISO 27701, which can help reassure regulators, partners and customers in new markets, and streamline regulatory compliance
What’s New with the DUAA in 2026?
According to the IO (formerly ISMS.online) study, The State of Information Security Report 2025, the share of US and UK firms that require suppliers to be GDPR compliant surged from 9% to 34% between 2024 and 2025. That illustrates both the business drivers behind compliance, and the fact that there’s still plenty of work to do before the regulation is fully embraced across the business community.
The new DUAA was partly devised as a response to concerns that GDPR compliance entailed too much red tape for firms. Yet one study claims that fewer than 2% of organisations are ready for the new law. Many (47%) cite updates to governance, training and vendor management as their biggest challenges. This will have to change. Among the expected changes to privacy law it will usher in this year are:
- More permissive rules on automated decision making (ADM). These will allow organisations to rely on a wider range of lawful bases to make decisions about individuals as long as safeguards are in place
- Relaxed laws which will expand the circumstances under which low-risk cookies can be used without explicit consent
- Introduction of “recognised legitimate interests”, a new legal basis for processing data for public interest purposes (eg crime prevention)
- New requirements for handling data subject complaints, including electronic complaint forms and acknowledgement of complaints within 30 days
- An increase in potential fines under the Privacy and Electronic Communications Regulations (governing cookies) to align with the GDPR (£17.5m or 4% of turnover)
- A new requirement to follow the ICO’s Children’s code if online services are likely to be accessed by children
All of this will require updates to business processes for handling complaints and for assessing obligations to uphold children’s privacy rights. Given the potentially high fines involved, organisations with non-compliant cookie and electronic marketing practices should also prioritise PECR compliance.
Edward Machin, counsel in the data, privacy and cybersecurity group at Ropes & Gray, shares the following two dates for the diary in 2026:
January 2026 (approximately six months after Royal Assent): The main changes to data protection legislation, set out in Part 5 of DUAA, come into effect, excluding changes to the complaints procedure for data subjects.
TBC for 2026: Provisions that rely on technical infrastructure or need more lead time will take effect, including measures that depend on new technology (e.g., certain registers or services) and the data subject complaints procedure.
“Organisations should split their DUAA preparations between the provisions that require them to take specific actions, such as implementing a data subject complaints procedure, and those that allow for more flexibility in relation to current practices, such as the rules around subject access requests, automated decision-making and cookies,” he tells IO.
“In any event, DUAA will in most cases require an evolution to organisations’ compliance programmes rather than wholesale changes. But organisations should in particular have a plan in place for addressing the Part 5 requirements to ensure that they don’t get lost in the new year shuffle.”
ISO 27701 Comes of Age
For compliance teams already wondering how they’re going to cope with another regulatory deluge this year, there is some good news. ISO 27701 is now a discrete standard, rather than an extension of ISO 27001. This gives organisations a lower-cost, faster and more flexible way to achieve best practice data handling and processing.
ISO 27701 offers a structured framework for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). It includes actionable controls for:
- Protecting personally identifiable information (PII) of the sort regulated by the GDPR (and DUAA)
- Legal compliance, transparency, and data subject rights (for PII controllers)
- Contractual compliance and processing (for PII processors)
Rob Rachwald, VP of brand and product marketing at Zero Networks, describes ISO 27701 as “the ultimate cookbook” for tackling the DUAA’s requirements.
“While the DUAA makes UK GDPR more pragmatic, it demands stronger accountability and proof of governance, especially around managing Subject Access Requests and implementing safeguards for ADM,” he tells IO.
“ISO 27701 provides a globally recognised PIMS blueprint that already details the required processes for data subject rights, data mapping, and privacy by design, allowing organisations to demonstrate ‘reasonable and proportionate’ compliance immediately, thus turning a regulatory burden into something auditable.”
The standard therefore represents an increasingly important pillar of any effective risk management approach, alongside ISO 27001 and ISO 42001. Increasingly, privacy efforts are interlinked with those in the information security and AI management space. Organisations that look at all three holistically will be best placed to use compliance as a springboard for business success in 2026.