What’s next for UK data privacy in 2025?

Report from Ashurst’s annual data privacy event, with a focus on the UK Information Commissioner’s Office’s planned guidance.

We recently joined Ashurst’s annual review of the data privacy landscape, held in honor of International Data Privacy Day. Highlights from the event, covering ICO regulatory updates and new legislation for 2025, are summarized below.

The ICO pipeline 2025

Anonymisation and pseudonymisation guidance

This guidance, expected in spring 2025, is still pending, awaiting the enactment of the Data (Use and Access) Bill.

This guidance will provide a framework for organizations to use and share data responsibly while protecting individuals’ privacy. It will also clarify the difference between anonymisation and pseudonymisation and explain how to use these techniques to comply with data protection laws. Pseudonymised data is still considered personal data and is therefore subject to data protection laws.

There is now more clarity on the European position, with the EDPB’s recently published guidelines on pseudonymisation, which set out the legal and technical requirements for pseudonymisation along with helpful, practical examples.

Profiling and behavior ID tools for online safety

The ICO is developing guidance on profiling and behavior ID tools for online safety; it is currently at the drafting stage. This guidance will give organizations the information they need to make automated and semi-automated decisions in a compliant manner.

Automated decision-making, often using profiling techniques, is the process of making a decision by automated means without any human involvement. These decisions can be based on factual data, as well as on digitally created profiles or inferred data. Examples of this include:

  • an online decision to award a loan; and
  • an aptitude test used for recruitment which uses pre-programmed algorithms and criteria.

Profiling is mentioned in Recital 38 to the GDPR as an area in which children merit specific protection with regard to the use of their personal data.

There are also specific rules at Article 22 of the GDPR about decisions (including profiling) which are based solely on the automated processing of personal data, and which have a legal or similarly significant effect on the data subject.

The guidance is expected in spring 2025.

Special category data

The UK GDPR singles out some types of personal data as likely to be more sensitive and gives them extra protection. The ICO refers to this as “special category data”:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; and
  • data concerning a person’s sexual orientation.

Organizations must ensure their processing is generally lawful, fair and transparent, and complies with all of the other principles and requirements of the UK GDPR. Remember that in order for processing to be lawful, organizations should always identify an Article 6 basis for processing. In addition, organizations can only process special category data if they can meet one of the conditions in Article 9 of the UK GDPR, together with any associated DPA Schedule 1 conditions where required.

The new guidelines, expected spring 2025, will provide further clarity.

Substantial public interest conditions

The 23 conditions are set out in paragraphs 6 to 28 of Schedule 1 of the DPA 2018. The substantial public interest conditions give organizations the basis in UK law for relying on UK GDPR Article 9(2)(g) and allow organizations to process special category data for a variety of specific purposes.

The current guidance is available on the ICO website and is expected to be updated in winter 2025.

International transfers

In a letter to the government in January, the ICO said international transfers of data underpin around 40% of UK exports and 20% of imports, providing UK businesses with access to new markets “to boost trade and drive innovation, investment, competition and growth.” To facilitate this, the ICO has said it will publish new and updated guidance on international data transfers, making it quicker and easier for businesses to transfer data safely.

The ICO will work through international bodies, including the G7 and the Global Privacy Assembly, “to build international agreement on increasing mechanisms for trusted free flows of data, and we will work with government to review adequacy assessments for key trading partners.”

The guidance is expected in winter 2025.

The full list of the ICO’s plans for new and updated guidance for 2025 is on the ICO website.

Data predictions for 2025

Here are some of Ashurst’s predictions for the data landscape in 2025:

  • Continued cyber security legislative developments in the UK and EU.
  • Greater focus on supply chain responsibilities.
  • Fracturing of the regulatory environment between the US, UK and EU.
  • Heightened accountability documentation expectations.

New EU digital regulations

AI Act

  • Effective partially from February 2, 2025.
  • Prohibited AI: Up to €35m ($36.5m) or 7% of global annual turnover.
  • High-risk obligations: Up to €15m ($15.6m) or 3% of global annual turnover.

Data Act

  • Effective partly from September 12, 2025.
  • Penalties: Up to €20m ($20.8m) or 4% of the global annual revenue for data access and data sharing.

NIS 2

  • New target date March 2025.
  • Important Entities: Up to €7m ($7.3m) or 1.4% of the worldwide annual turnover.
  • Essential Entities: Up to €10m ($10.1m) or 2% of the worldwide annual turnover.

Digital Operational Resilience Act

  • Effective from January 17, 2025.
  • National authorities can take effective, proportionate and dissuasive measures in case of non-compliance.

Cyber Resilience Act

  • Effective from June 11, 2026 on notification, and otherwise on December 11, 2027.
  • Serious breaches: Up to €15m ($15.6m) or 2.5% of annual revenue.
  • Minor breaches: Up to €10m ($10.1m) or 2% of turnover.

Source: Ashurst