Doing Business In... 2025

UK Law and Practice Contributed by: Paolo Palmigiano, Rachael Roberts, Helen Farr, Debbie Heywood and Louise Popple, Taylor Wessing LLP

9. Looking Forward 9.1 Upcoming Legal Reforms

the organisation’s location. The UK GDPR, for example, applies to any organisation processing the personal data of UK individuals where the processing relates to offering them goods or ser - vices, or to monitoring their behaviour. It applies to the processing of personal data by a controller or processor in the context of an establishment located in the UK, regardless of where the pro - cessing takes place. Note that there are strict rules around the export of personal data from the UK. 8.3 Role and Authority of the Data Protection Agency The Information Commission (IC) is the agency in charge of enforcing data protection and cyber - security rules, and also produces guidance and codes of practice (notably the Children’s Code, which covers the processing of children’s per - sonal data by online services). The IC has vari - ous powers. Under the UK GDPR, for example, it has a range of enforcement powers, including to impose fines of up to the higher of GBP17.5 million or 4% of annual global turnover for non- compliance. Data controllers are required to pay annual fees to the IC of between GBP52 and GBP3,763 depending on their size and subject to minor exceptions.

The UK commenced a process to review its design laws in 2025. This follows amendments to the EU design regime. The UK government is expected to update the cybersecurity regime, in particular to extend the scope of the NIS Regulations, broadly in line with the EU’s NIS2 Directive, which updated the origi - nal NIS Directive on which the UK’s current NIS Regulations are based. It is expected to intro - duce the Cyber Security and Resilience Bill in the second half of 2025. It is also worth noting the government’s plans to legislate on AI, although it is currently unclear exactly what this will cover.

874 CHAMBERS.COM

Powered by