dpas bulletin - September 2025
Welcome back to our monthly DPAS bulletin, where we cover the latest data protection news and developments from around the world.
Who’s really accountable when directors dodge data duties? Can regulators still keep big tech in check? Will new UK laws and Google’s £5bn AI bet change the digital landscape? Are cookie pop-ups and targeted ads on their way out? And after major breaches at Harrods and JLR, how ready are businesses for cyberattacks?
Read about all this and more in our latest DPAS Data Protection Bulletin.
dodging data duties? directors face fines and disqualification

The ICO has shared that a care home director was fined £1,100 and additional costs of £5,440 after being found guilty of refusing to reply to a subject access request (SAR). The director of Bridlington Lodge Care Home was found to have blocked, erased or concealed records to prevent the information in them being disclosed.
This reinforces the message from earlier in the year when the former directors of Posh Windows UK Ltd, who fell afoul of PECR in 2022, were disqualified under the Company Directors Disqualification Act 1986 in July. Despite the company entering voluntary liquidation in the same year it received the fine, the Insolvency Service pursued the matter against the former directors into 2025. If directors fail to comply with data protection laws, then they can be found personally liable.
Read more about this here.
us ‘big tech’ firms to continue getting away with it

The Irish Data Protection Commission (DPC) will be getting a new commissioner. The lead privacy regulator for big tech firms in the EU will let the mask slip in October when Meta lobbyist Niamh Sweeney takes the wheel. The DPC has fined big US tech companies €3.26bn over the years, generating sensational headlines. However, upon closer inspection the DPC has only collected €19.9m of those fines.
Much has been said in the UK about the revolving door between the ICO and big tech companies. The DPC has decided to kick down the door and give big tech the keys to the castle. Niamh Sweeney is known for defending Meta during the “Cambridge Analytica” scandal, as well as during appeals against fines of €390m and €1.2bn issued by the DPC for not collecting consent and illegally transferring data. In a refreshing display of transparency, the new commissioner will lead the regulator that is ‘chasing’ that enforcement.
Read more about this here.
The Data Use and Access Act 2025: online safety and security act

The UK government is continuing to implement the Data Use and Access Act 2025, with new regulations now in force. From September 30th, senior coroners will be able to request Ofcom to issue “Data Preservation Notices” requiring online platforms to retain information about a deceased child’s online activity, backed by potential criminal liability for non-compliance. Ofcom has launched a consultation, open until October 28th, on draft guidance for platforms on how these notices will operate.
Separately, further measures took effect on September 5th introducing new exemptions for law enforcement bodies under the Data Protection Act 2018, including provisions around legal professional privilege and national security. Additional rules, commencing on November 17th, will enable certain authorities to act jointly with intelligence services where required to safeguard national security.
Read more about this here.
google invests £5 billion in uk ai sector

In a significant move to bolster the United Kingdom’s position in the global AI landscape, Google has announced a £5bn investment over the next two years. A cornerstone of this investment is the opening of Google’s first UK data centre in Waltham Cross, Hertfordshire. This state-of-the-art facility is designed to meet the growing demand for AI-powered services such as Google Cloud, Search, Maps, and Workspace.
Hopefully, some of that £5bn will be used to offset the estimated half a million tonnes of carbon dioxide that each new data centre will be emitting. To some small comfort, Google has announced a partnership with Shell to manage its renewable energy supply in the UK. I for one look forward to using the improved Google Maps to find higher ground.
Read more about this here.
cookie consent sprouts brussels review

The EU is looking to scrap one of its most annoying tech rules: the law behind all those cookie pop-ups. Since 2009, websites have had to ask for consent every time they use cookies, but most people just click “accept” without reading. Now, the European Commission wants to cut the clutter by letting users set their cookie preferences once, like in their browser, instead of every time they visit a site. Denmark and other countries are backing ideas to drop pop-ups for strictly necessary cookies. A bigger plan to reduce digital red tape is expected in December.
Still, not everyone is on board. Tech companies say cookie rules should fall under the EU’s broader GDPR privacy law, which takes a more flexible, risk-based approach. Privacy advocates warn this could quietly expand tracking for advertising, which they see as a major threat. With Brussels also working on a new “Digital Fairness Act” to protect consumers from manipulative online practices, it looks like Santa Claus won’t be the only party concerned with cookies as we end the year.
Read more about this here.
meta to stop targeted advertising…for a price

Meta is introducing an ad-free subscription for Facebook and Instagram users in the UK. People will soon be able to pay a monthly fee of £2.99 on the web and £3.99 on iOS and Android, or keep using the platforms for free with ads. The move follows concerns from the ICO about how social media platforms use personal data for advertising and mirrors similar offerings in the EU.
The ad-free subscription means users won’t see ads and their data won’t be used for advertising. Meta says it gives people more control while still keeping free services available. The change reflects a wider trend as regulators push tech companies to respect privacy, with Apple and Google also making updates. Since ads brought in 98 percent of Meta’s £164.5bn revenue last year, finding the right balance between privacy and profits will be a big challenge.
Read more about this here.
harrods data breach highlights hidden dangers of third-party providers

Harrods has confirmed a data breach affecting around 430,000 online customers. The breach resulted from unauthorised access to a third‑party service provider, not Harrods’ own systems. Stolen data includes names, email addresses, telephone numbers and postal addresses. Payment details and passwords were not affected. Harrods says the breach is separate from a previous incident in May and is working with the authorities to address it.
The company has notified affected customers and urges them to be vigilant for suspicious activity and phishing attempts. Harrods emphasised the breach was contained and limited to the third‑party provider. This incident highlights the risks associated with third‑party suppliers. Customers can find further information and guidance on Harrods’ official website.
Read more about this here (requires subscription).
cyberattack cripples jaguar land rover production

On 31 August 2025, Jaguar Land Rover (JLR) suffered a major cyberattack that halted production across its UK factories. The breach, attributed to the hacker group Scattered Lapsus$ Hunters, disrupted key systems including those managing parts supply and vehicle wholesaling. This resulted in a complete shutdown of manufacturing and losses estimated at over £50m per week. Around 33,000 employees were affected, with production of about 1,000 vehicles per day paused. The UK government has pledged a £1.5bn loan guarantee to support JLR and its supply chain during recovery.
JLR has begun a phased restart of operations, with some manufacturing expected to resume in the coming days, starting with the Wolverhampton engine plant. The company is working with cybersecurity experts and national security officials to resolve the incident. This attack highlights the vulnerability of complex supply chains in the automotive sector. Customers, suppliers, and stakeholders are advised to monitor updates from JLR’s official channels for further information.
Read more about this here.
home office and ncsc begin the fight back post-jlr

The Home Office has published a speech by Security Minister Dan Jarvis to the City of London Police Authority Board outlining the government’s response to cybercrime and fraud. The latest Cyber Security Breaches Survey shows 20 percent of UK businesses and 14 percent of charities suffered at least one cyberattack last year. The government is developing a new fraud strategy and a national cyber strategy, along with legislative reforms planned for the coming year to protect UK businesses from ransomware and prevent proceeds being used to support organised crime. These will form part of the forthcoming Cyber Security and Resilience Bill.
The National Cyber Security Centre has issued a statement and guidance following the recent Jaguar Land Rover cyberattack. It highlights that supply chain cyber risk runs in both directions and urges businesses to plan for upstream and downstream risks as well as third-party risk. The guidance advises clear recovery plans, communication routes and regular incident response exercises. The NCSC has also released Cyber Assessment Framework version 4.0 with new sections on attacker methods, secure software development, improved security monitoring and AI-related cyber risks.
Read more about this here.
GET IN TOUCH WITH US!

If you need any support in ensuring your organisation is complying with the relevant legislation, or require training in the areas of data protection and information security, get in contact with us.
Either call us on 0203 3013384, email us at info@dataprivacyadvisory.com, or fill out our contact form. Our dedicated team will get back to you as soon as possible.