A Blueprint for Efficient SRRs: Mastering Your Subject Rights Workflow
The provisions of the Data (Use and Access) Act 2025 (DUAA) have come into force gradually, via a phased introduction, in the months since the Act received Royal Assent on 19 June 2025. This briefing summarises key changes...more
With effect from 19 June 2026, data controllers (which normally include pension scheme trustees) must comply with new requirements for data protection complaints. The Information Commissioner's Office (ICO) has issued useful...more
A bite-sized summary of recent UK pension news Welcome to our latest update, in which we cover: Data protection: new data protection complaints requirements Data controllers, including pension scheme trustees, will need...more
GenAI answers questions. Agentic AI gets work done. For legal professionals running document reviews, DSARs, and litigation workflows, that distinction has real operational consequences. Aviator Agents reason through...more
Employers using AI-powered tools to screen, rank, or normalize job applicants face significant and growing litigation risk—particularly when they cannot explain how algorithmic decisions are made....more
Service providers often receive or access a customer’s personal information when performing contracted services. In the employment context, service providers may include payroll processors, Human Resource Information System...more
Real AI use cases, pricing models, and workflow demonstrations with live data for eDiscovery, investigations, data privacy, and more....more
By means of Provision No. 284 of April 17, 2026, the Italian Data Protection Authority (the “Garante”) has adopted guidelines on the use of so-called “tracking pixels” in email communications, intended for all entities, both...more
On March 20, Oklahoma became the twenty-first state to enact comprehensive consumer privacy legislation when Governor Kevin Stitt signed S.B. 546 into law. The Oklahoma Consumer Data Privacy Act (OCDPA) will take effect on...more
Internal investigations routinely involve processing personal data about identifiable individuals, including employees, witnesses, counterparties and customers. The use of AI tools to review, classify, summarise, prioritise...more
Article 15 of the EU General Data Protection Regulation (GDPR) grants users the right to access their data: this broadly requires that the data subject has the right to know whether their personal data is being processed and...more
On March 20, the governor of Oklahoma signed into law the Oklahoma Data Privacy Act, establishing comprehensive consumer data privacy protections for state residents. The law applies to controllers and processors that conduct...more
Eight years on from the introduction of the GDPR, both the United Kingdom and the European Union appear to be taking on board the calls from the business community for reform and for a fairer balance between individual data...more
Following Board approval in January 2026, the Joint Money Laundering Steering Group (JMLSG) revised Part I of its guidance on anti-money laundering (AML) and counter-terrorist financing (CTF)....more
On March 20, 2026, Oklahoma’s Governor signed Senate Bill (SB) 546, which establishes a consumer data privacy law for the state. Oklahoma’s law takes effect January 1, 2027....more
On March 20, 2026, Oklahoma Governor Kevin Stitt signed Senate Bill 546 into law, establishing Oklahoma’s Act Relating to Data Privacy (the “Oklahoma Privacy Law”). Oklahoma becomes the 21st state to enact a comprehensive...more
On 19 March 2026, the Court of Justice of the European Union (CJEU) in Case C-526/24 (Brillen Rottler) held that a data subject's first access request may, in certain circumstances, be refused as "excessive" under the EU...more
On 19 March 2026, the Court of Justice of the European Union (CJEU) handed down its judgment in Case C-526/24, Brillen Rottler, clarifying that a data subject’s first request for access to personal data under Article 15 of...more
How must employers respond when an employee seeks to access, delete, or control personal information the employer maintains about them? Since the introduction of the European General Data Protection Regulation (GDPR), an...more
A recent judgment from the Court of Justice of the European Union has provided important clarification on when the recipient of a Data Subject Access Request (DSAR) under the General Data Protection Regulation (GDPR) is...more
Whether submitted by a ‘cookie troll’ — an individual who systematically triggers consent mechanisms to generate compensation claims — or by someone using the process for what seems like collateral purposes, the phenomenon...more
Individuals’ awareness of their data protection rights, fuelled in part by high‑profile litigation, has contributed to a sustained rise in the number of data subject access requests (DSARs) that organisations are receiving....more
The ongoing progress of the Digital Omnibus legislative reform is beginning to show that while the EU is not seeking to radically rewrite the data management rulebook, the various selective adjustments proposed are likely to...more
Further to our update here, several significant provisions of the UK’s Data (Use and Access) Act 2025 (the “Act”) that are relevant for employers came into force on February 5, 2026, with further measures scheduled for June...more
The Data (Use and Access) Act 2025 (“DUAA”) represents a significant reform to the UK’s data protection framework. Most of the remaining data protection provisions came into force on 5 February 2026, bringing major changes to...more