Risk Radar | September 2025

Data protection updates

Overhaul of the UK's data governance framework begins as the Data Use and Access Bill receives Royal Assent

On 19 June 2025, the Data (Use and Access) Act 2025 (DUA) received Royal Assent, which has begun an overhaul of the UK's data governance framework. Notably, the DUA will increase the maximum fines issuable under the Privacy and Electronic Communications Regulations to bring them in line with UK GDPR powers (up to £17.5 million or 4% of global turnover). See more information about the changes in our article here.

ICO consultation on draft "recognised legitimate interest" guidance

Organisations will be able to rely on the new lawful basis of "recognised legitimate interest" (which will be added by the DUA) for processing activities that are necessary to prevent crime. Organisations should review the relevant draft guidance on the new lawful basis here and respond to the consultation here with any comments.  

New ICO guidance on disclosing documents to the public

The new ICO guidance provides organisations with practical steps to minimise the risk of accidental data breaches when documents are shared.  See guidance here.

ICO issue £2.31 million fine to online retailer

A genetic testing retailer has been fined £2.31 for failing to implement robust security measures to secure the data of users in the UK. See more information about the fine here.

Compliance updates

Failure to prevent fraud offence in force from 1 September 2025

The failure to prevent fraud offence is now in force. Organisations who meet the relevant threshold should ensure they have reasonable fraud prevention measures in place. See our article here.

Why organisations shouldn't forget about bribery and tax evasion

HMRC's first prosecution for the offence of failure to prevent the facilitation of tax evasion provides a timely reminder for retailers to ensure appropriate control measures are in place to mitigate against the risks of bribery and tax evasion. See our article here.

The Joint Committee on Human Rights makes recommendations to address forced labour in supply chains

Organisations should consider refreshing their approach to preventing forced labour in the supply chain in anticipation of a stronger legislative framework following the recommendations of the report. See our article here.

Upcoming deadline for large producers under Extended Producer Responsibility

Organisations who are large producers under the Extended Producer Responsibility for packaging must submit their data for the first half of 2025 by 1 October 2025. Check if you are required to submit here.

Refresh of the UK's product safety framework

The Product Metrology Bill received Royal Assent on 21 July 2025 and sets the framework to overhaul the existing product safety regulations. Organisations should look out for the secondary legislation setting out the substantive requirements which is expected to be introduced in the next 12 months.

Marketing updates

CMA consultation on the price transparency draft guidance

Organisations should review the draft guidance on price transparency (which includes how delivery charges will need to be displayed) and provide any comments via the consultation here. The consultation ends on 8 September.

Dynamic pricing guidance issued by CMA

The CMA has produced guidance to assist retailers in using dynamic pricing in a consumer friendly manner to ensure they are not in breach of the DMCCA. See guidance here.

Update on the brand exemption for High in Fat, Sugar or Salt ("HFSS")

Uncertainty over whether particular types of brand advertising are in scope of the HFSS restrictions is expected to be clarified in final guidance following a consultation on the current guidance which closed on 6 August 2025.

Dominos ad in breach of HFSS restrictions

The ASA ruled a Domino's paid for YouTube ad for a Crème Egg cookie seen during a Minecraft feature on a channel was in breach of the CAP Code rule that states that HFSS product ads must not be directed at people under 16 years of age through the selection of media or the context in which they appear. See ruling here.

Financial services updates

Supreme Court Motor Finance Judgment provides clarity on commission disclosures

On 1 August 2025, the UK Supreme Court issued its long-anticipated judgment in the motor finance commission which found that dealers were not acting as fiduciaries and that commissions paid by lenders to dealers did not constitute bribes. Organisations who receive commission or similar payments for credit broking activities, should consider if its disclosure practices are sufficient in the light of the judgment. See our article here.

Faster targets introduced for FCA authorisations

The FCA have pledged to speed up the process for firms and individuals seeking authorisations, in a bid to support UK growth and competitiveness whilst simultaneously maintaining their high standards of regulation.  These new targets and a statement by Sheree Howard, Executive Director of Authorisations at the FCA can be found here.