
Data Protection update - October 2025

Data Protection | 03/11/2025

Welcome to the latest edition of the Stephenson Harwood Data Protection update, covering key developments in data regulation and cyber security law in October 2025.

In data regulation news, the European Data Protection Board (“EDPB”) focuses its coordinated enforcement framework on transparency and information obligations under the EU General Data Protection Regulation (“GDPR”); and the ICO launches a consultation on supporting charities to use the “charitable purpose soft opt-in”, introduced by the Data (Use and Access) Act 2025.

In cyber security news, Capita is fined £14 million for a data breach affecting over six million people; and UK nursery group Kido notifies the ICO of a personal data breach involving children’s data.

In enforcement and civil litigation news, the UK Upper Tribunal issues an important ruling on the scope of the UK GDPR, finding that it applied to Clearview AI Inc.; and an individual is awarded €50,000 in damages following an EU General Court ruling.

Data regulation

EDPB’s coordinated enforcement framework to focus on GDPR transparency and information obligations

In 2020, the EDPB set up the Coordinated Enforcement Framework (“CEF”). The CEF aims to harmonise the enforcement and co-operation of the EU Data Protection Authorities (“DPAs”) on a national level. Each year, the EDPB selects a topic for DPAs to investigate – to understand overall compliance across the market. DPAs can do this by opening a new formal investigation, by conducting a fact-finding exercise, or both. The results are then analysed to generate a further understanding of the topic and enable targeted follow-up actions at both a national and European level. The EDPB has previously carried out coordinated actions on the designation and position of Data Protection Officers (2023) and the implementation of the right of access by controllers (2024), the results of which are available on the EDPB’s website.

For 2026, the EDPB announced that the coordinated action will address compliance with the transparency and information obligations under Articles 12, 13 and 14 of the GDPR. Participation by national DPAs is voluntary and those who wish to participate in the 2026 study are expected to join in the coming weeks. The coordinated action itself will begin during 2026.

Earlier this year, the EDPB began its coordinated research study on the right to erasure (or the “right to be forgotten”) under Article 17 of the GDPR. The results of this study are expected in the coming months.

ICO launches consultation on supporting charities in using “charitable purpose soft opt-in”

The ICO has launched a consultation on the upcoming ‘charitable purpose soft opt-in’ rules, set to take effect in January 2026 under the Data (Use and Access) Act (“DUAA”). These new rules will allow charities to send electronic marketing messages to individuals who have shown an interest in or supported a charity, in each case without obtaining prior consent – provided the necessary requirements are met.

This change aims to help charities strengthen relationships with supporters and boost fundraising, whilst ensuring that individuals retain control over their data by always offering them clear opt-out options. The soft opt-in will not apply to individuals already on charities’ existing databases.

The ICO has opened a consultation on its approach to the application of the soft opt-in rule to charities and will update its guidelines on direct marketing as required once the change takes effect. The consultation is open to charities and anyone with an interest in the topic until 27 November 2025.

This is one example of a change under the DUAA. You can visit our DUAA tracker here to see what else is on the horizon.

Cyber security

Capita fined £14 million for data breach affecting over six million people

The UK’s Information Commissioner’s Office (“ICO”) has imposed a £14 million fine on Capita for a data breach it suffered in March 2023. The breach involved an unknown threat actor gaining access to Capita’s systems following the inadvertent download of a malicious file onto an employee’s device, which ultimately led to the theft of the personal data of 6.6 million individuals, including highly sensitive data, such as financial information, criminal record data, data relating to children, and other ‘special category’ data.

The ICO’s press release about the fine confirms that 325 pension scheme organisations were impacted by the breach.

In its penalty notice, the ICO lays out Capita’s cyber security failings, including not acting quickly enough to quarantine the initially compromised employee device (the delay was some 58 hours), despite having detected the suspicious activity almost immediately after the initial file download. The ICO found that the delay in acting allowed the threat actor to gain wider access to Capita’s systems, including administrator privileges, and to exfiltrate approximately 1TB of data. The threat actor then deployed ransomware onto Capita’s systems and reset user passwords, preventing Capita employees from accessing those systems.

The ICO found that Capita “failed to ensure the security of processing of personal data” and was “lacking the appropriate technical and organisational measures to effectively respond to the attack”.

The ICO sent an initial notice of intent to Capita in April 2025, in which it stated its intention to impose a £45 million fine. Capita made representations to the ICO, including submitting mitigating factors, and a voluntary settlement was agreed with a reduced fine of £14 million. Capita has accepted liability, acknowledged the ICO’s decision, and has agreed not to appeal.

In setting out its final decision, the ICO identified several proactive steps that Capita should have taken to reduce security risks. These steps are based on widely recognised industry standards and regulatory requirements, which are likely to be expected of other organisations in similar circumstances, including:

· following guidance issued by the National Cyber Security Centre (“NCSC”) on preventing “lateral movement” by threat actors within the organisation’s systems and networks – a crucial step in limiting the damage that can be done even if an attacker is initially successful in gaining unauthorised access to a particular device or component of the system;

· regularly monitoring for suspicious activity and responding to initial warnings and alerts in a timely manner;

· sharing the findings from penetration testing across the whole organisation so that risks can be universally addressed;

· prioritising investment in key security controls to ensure that they are operating effectively; and

· ensuring that agreements and responsibilities between controllers and processors are well understood by all stakeholders.

The penalty imposed by the ICO was intended to be effective, proportionate, and dissuasive, serving as a warning to other organisations about the importance of robust cyber security and prompt incident response. Capita has since taken steps to improve its security posture, but the ICO emphasises that ongoing vigilance is needed to ensure compliance with data protection law.

UK nursery group Kido notifies the ICO of children’s data breach

Nursery chain Kido International (“Kido”) has notified the ICO of a cyberattack involving highly sensitive data belonging to more than 8,000 children, including photos and addresses, some of which were published on the dark web (but have apparently since been removed). This cyberattack included a threat to publish more data unless Kido paid a ransom of around £600,000 in Bitcoin. The data was accessed via systems provided by nursery software supplier, Famly, who confirmed that the breach only affected Kido’s account and no other customers.

The NCSC condemned the targeting of children’s data and reminded nurseries of NCSC’s guidance on how to protect early years settings from cyberattacks.

The attack comes as the UK’s Cyber Security and Resilience Bill is being prepared, which is expected to strengthen the reporting of cyber security vulnerabilities. However, as the Bill is intended to focus on critical national infrastructure, it is unlikely that schools and nurseries will fall within its scope.

In parallel, the government has published a response to its consultation (the “response”) on ransomware, which proposes to ban all public sector bodies from paying ransoms. The response also proposes a new ransomware prevention regime, which, if adopted, would capture “all potential ransomware payments from the UK”. This could potentially capture businesses that face attacks similar to that launched against Kido.

Enforcement and civil litigation

UK Upper Tribunal finds that UK GDPR applies to Clearview AI Inc.

The Upper Tribunal delivered a significant judgment this month in Information Commissioner v Clearview AI Inc [2025] UKUT 319 (AAC); finding that the UK GDPR applied to the facial recognition company and overturning the previous decision made by the First-tier Tribunal in 2023 (we covered this in a blog post here). We have covered this judgment and its practical implications in detail here.

Individual awarded €50,000 in damages for non-material harm following publication of inaccurate data

On 1 October 2025, the European Union’s General Court (the “GC”) awarded a Greek scientist €50,000 in damages after the European Commission’s anti-fraud office (“OLAF”) published a press release that included inaccurate data about her and made it possible for readers to identify her. The GC found that OLAF acted in breach of its obligations under Regulation 2018/1725 (the “Regulation”), which governs the protection of personal data by EU institutions, bodies, offices, and agencies.

The dispute related to a press release published by the OLAF indicating potential fraud in the use of a research grant awarded by the European Research Council Executive Agency to a Greek university.

Although the OLAF’s press release did not explicitly name the scientist, it provided enough detail – her gender, age, role as lead researcher, the grant amount, and her father’s employment at the university – to make it possible for her to be identified by readers, especially within the scientific community. The press release was published in English, further amplifying its reach and impact. In a previous hearing on 7 March 2024, the European Court of Justice (“ECJ”) had already ruled that it was “reasonably likely” that the information in the press release, when combined with other available data, could lead to her identification. It could therefore be considered to be her personal data.

The scientist argued that the OLAF’s actions violated her privacy rights, the presumption of innocence, and EU data protection law.

The GC judgment found that publishing the press release was in breach of the Regulation, amongst other violations. As a result, the GC found that the scientist suffered: (i) non-material damage to her career; (ii) non-material damage to her honour and reputation; and (iii) damage to her health. While she had sought €1.1 million in damages, the court awarded her €50,000, recognising the significant impact.

The ruling is noteworthy for the award of significant damages for non-material harm, such as mental distress and reputational damage, arising from a breach of data protection obligations.
