GDPR News » IAPP UK Intensive 2026 in London

Over two days at the IAPP UK Intensive 2026 in London, discussions across AI, cybersecurity and of course, DataProtection made one thing clear: governance maturity is a strategic differentiator.

Here are some of the points that stood out:

– Agentic AI requires stronger governance discipline:
Many AI agent projects are expected to fail due to unclear value or weak risk controls. Organisations must move beyond experimentation and implement AI inventories, lifecycle monitoring, clear accountability and measurable KPIs.

– AI risk is layered and cumulative:
Traditional AI risks such as accuracy and fairness now combine with generative risks like hallucination and prompt injection, and agentic risks such as misaligned actions and accountability gaps. These translate directly into operational, reputational and regulatory exposure.

– Cyber resilience remains foundational:
Basic controls such as multi-factor authentication, patching and asset inventory still prevent a large share of ransomware attacks. Cybersecurity is firmly a board-level responsibility, not only a CISO issue.

– Enforcement strategies are evolving:
Early engagement between companies and law enforcement was repeatedly emphasized as critical.

– AI is lowering the barrier for attackers:
Large language models are enabling less sophisticated actors to scale attacks. One of the concerns for 2026 is the industrialisation of cybercrime through automation.

– The UK Data Use and Access Act 2025 is reshaping practice:
Legitimate interest now plays a clearer role in automated decision making and cybersecurity monitoring. The Act also clarifies proportionality in the handling of DSARs and introduces an internal complaint stage which may reduce ICO escalations.

– DSARs are increasingly strategic:
Organisations face AI-generated and litigation-driven requests. Documentation, structured SAR platforms and disciplined decision-making are essential to manage risk.

– Age assurance and children’s data take the central stage:
Risk-based, privacy-by-design models and interoperable age verification frameworks are emerging globally, alongside growing regulatory expectations. This topic gained even more relevance with the timing of the ICO’s Reddit fine of £14.47m for children’s privacy failures

– Regulatory divergence is accelerating:
India’s Digital Personal Data Protection Act introduces new governance definitions such as Data Fiduciaries, with tight compliance timelines. Multinationals must reassess cross-border data strategies accordingly.

It was great to be back in London for another year. Next year looks set to bring something new, with the Dublin IAPP AI Governance Global Europe joining forces with the London conference in a larger venue.