Jurisdiction(s):
United Kingdom

Profiling meaning

What does Profiling mean?
In practice, profiling is the automated analysis of personal data to assess or predict characteristics about an identifiable person, such as likely behaviour or risks, typically for credit scoring, fraud prevention, targeted advertising or HR analytics. It is defined in legislation (EU GDPR, Article 4(4), mirrored in the UK GDPR) as automated processing that uses personal data to evaluate personal aspects, including a person’s performance at work, economic situation, health, preferences, interests, reliability, behaviour, location or movements.

Key legal features and risks include:
- It requires a lawful basis and, where special category data are involved, an Article 9 condition.
- Transparency duties apply (Articles 13–14), including meaningful information about the logic, significance and envisaged consequences.
- Individuals may object to profiling for direct marketing (Article 21).
- If profiling results in solely automated decisions producing legal or similarly significant effects, Article 22 restricts this and mandates safeguards (e.g. human review).
- A data protection impact assessment is often required for systematic, extensive profiling.

Usage and interpretation are broadly consistent across England & Wales, Scotland, Northern Ireland and Ireland; supervision and guidance come from the ICO (UK) and the DPC (Ireland).

View the related News about Profiling

NEWS
UK and EU information law highlights: DUAA 2025 consequential regulations; ICO ADM/profiling consultation; EDPB legitimate interest digest; European Parliament rejects ePrivacy derogation; DESNZ/Ofgem energy cyber resilience reforms

In this issue: Data protection; ePrivacy; Cybersecurity; Daily and weekly news alerts; New and updated content

Data protection

Data (Use and Access) Act 2025 (Consequential Amendments and Transitional Provision) Regulations 2026 SI 2026/386: These Regulations amend 39 pieces of UK primary legislation, 16 pieces of UK secondary legislation, and five pieces of assimilated direct legislation concerning data protection. They introduce a range of changes arising from sections 117, 118 and 119(1) of the Data (Use and Access) Act 2025 (DUAA 2025). Made under the DUAA 2025 in relation to assimilated law, they commence partly before DUAA 2025, s 119 is fully in force, and take full effect once DUAA 2025, s 119 (transfer of functions to the Information Commission) is wholly commenced. (Updated from draft on 31 March 2026.) See: LNB News 05/02/2026 22.

EDPB publishes case digest on legitimate interest legal basis under EU GDPR

The European Data Protection Board (EDPB) has issued a one-stop-shop...

NEWS
TMT weekly: EU AI Act governance and GPAI code; CMA cloud SMS designations; Online Safety Act enforcement and ICO guidance; Law Commission AI and product liability reviews; AI copyright study

In this issue: New technologies; Internet; Advertising, marketing and sponsorship; LexTalk®TMT: a Lexis®Nexis community; Daily and weekly news alerts; New and updated content; Dates for your diary; Trackers; Useful information

New technologies

General-purpose AI rules under EU AI Act start to apply on 2 August

The European Commission has put the principal governance arrangements for the EU AI Act in place ahead of the 2 August 2025 implementation deadline. The European AI Board, made up of EU Member States, is now in operation. By 2 August, Member States must appoint national competent authorities to implement, oversee and enforce AI system requirements, investigate compliance, nominate notified bodies for pre-market approvals, and create regulatory sandboxes. The Commission has also set rules for a Scientific Panel of independent specialists and opened applications for both the Panel and the EU AI Act Advisory Forum. A dedicated webpage will list the designated national authorities. See: LNB News 01/08/2025 16...

NEWS
UK risk and compliance weekly: ICO ADM guidance consultation, MLR 2017 amendments, Russia sanctions enforcement (Apple), OFSI licence updates, and Mazur ruling on conduct of litigation—2 April 2026

Risk & Compliance weekly highlights—2 April 2026

In this issue: Data protection; AML, CTF & counter-proliferation financing; Sanctions; Other Risk & Compliance updates; LexTalk®Risk & Compliance: a Lexis®Nexis community; Daily and weekly news alerts; Trackers; New and updated content

Data protection

ICO consults on updated guidance for automated decision-making and profiling

The Information Commissioner’s Office (ICO) has opened a consultation on refreshed guidance covering automated decision-making (ADM), including profiling. Triggered by the Data (Use and Access) Act 2025 (DUAA 2025), the update concentrates on provisions specific to this topic. It is intended for data protection officers, compliance specialists and technical leads. The ICO indicates the guidance offers expanded detail on ADM as set out in Articles 22A–22D of the UK GDPR, where outcomes are determined solely by automated processing and have legal or similarly significant effects on individuals. It is designed to help organisations understand and fulfil their obligations in this setting, including where...


View the related Practice Notes about Profiling

PRACTICE NOTES
Children’s Code (UK) compliance for online services: scope, standards, age assurance, profiling, geolocation, parental controls, governance and ICO enforcement—DUAA 2025 updates and Online Safety Act interplay

STOP PRESS: On 19 June 2025, Royal Assent was granted to the Data (Use and Access) Bill, which accordingly became the Data (Use and Access) Act 2025 (DUAA 2025), coming partly into force on the same day. Selected elements of DUAA 2025—covering topics such as replies to data subject access requests, among other matters, and the delegation of authority to create additional regulations—took effect straightaway on 19 June 2025, upon the Act’s passage. Further sections, addressing Information Commissioner notices and certain facets of law enforcement processing, commenced on 19 August 2025 (being two months from the date of Royal Assent). Most of DUAA 2025’s measures require further regulations, in the form of statutory instruments, to be made before they can be brought into operation. Parts 5 and 6 modify components of UK data protection and ePrivacy law, notably the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI...

PRACTICE NOTES
UK direct marketing compliance under UK GDPR and PECR: postal, telephone and electronic mail, consent and soft opt-in, TPS/CTPS/MPS screening, suppression lists, profiling and record-keeping

This Practice Note offers practical advice on direct marketing, with an emphasis on meeting the requirements of the United Kingdom General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003). It addresses telephone and postal marketing, email activity, and other forms of electronic mail marketing. It also clarifies when checks against the Mailing Preference Service (MPS) or the Telephone Preference Service (TPS) are necessary. Drawing on ICO direction, it considers service messages, refer-a-friend promotions, regulatory communications, market research (including ‘sugging’—selling under the guise of research), tracking pixels, marketing databases, suppression lists and preference centres. The core difficulty with direct marketing is working out how the UK GDPR and PECR 2003 interlock; what you may do depends on your chosen tactics and the audience you are targeting. For a quick guide to whether consent is needed, see:
- Direct marketing decision tree—email and other electronic mail marketing—data protection
- Direct marketing decision tree—live telephone calls—data protection...

PRACTICE NOTES
UK Internet of Things compliance: data protection, ePrivacy and cyber security (UK GDPR, DPA 2018, PECR, PSTIA 2022) with DUAA 2025 updates

STOP PRESS: On 19 June 2025, the Data (Use and Access) Bill obtained Royal Assent, becoming the Data (Use and Access) Act 2025 (DUAA 2025), with elements taking effect that day. Measures addressing, among other things, responses to data subject access requests and the grant of powers to make further regulations commenced immediately on 19 June 2025. Other elements, including notices issued by the Information Commissioner and certain facets of law enforcement processing, began on 19 August 2025, two months after Royal Assent. The bulk of DUAA 2025 requires additional regulations, in the form of statutory instruments, before those provisions can start. Part 5 of DUAA 2025 revises aspects of the UK’s data protection and ePrivacy framework, covering the United Kingdom General Data Protection Regulation, Assimilated Regulation (EU) 2016/679 (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003, SI 2003/2426. Most of Part 5’s measures take effect on 5 February 2026 by virtue of the Data (Use and Access) Act 2025...


View the related Precedents about Profiling

PRECEDENTS
Change of purpose compatibility assessment template—UK GDPR, DPA 2018 and DUAA 2025

STOP PRESS: This document is currently being revised to account for the introduction of the Data (Use and Access) Act 2025 (DUAA 2025), which alters the UK GDPR and the Data Protection Act 2018. For added guidance on the compliance effects of DUAA 2025, see Practice Note: Data (Use and Access) Act 2025—compliance implications.

1 Background information

Name and position of person(s) conducting assessment: [ Insert name ]
Date of assessment: [ Insert date ]
Original purpose for processing: [ Insert response ]

2 Proposed new purpose for processing

Outline your intended new purpose for processing that is the subject of this compatibility assessment. Provide a concise summary of the proposed new purpose to which this assessment pertains. [ Insert response ]

Your rationale for processing the data for a different purpose? You may wish to address:
- The benefit you anticipate achieving.
- Whether any third parties will benefit.
- Any broader advantages for the...

PRECEDENTS
UK GDPR DPIA Template and Guidance for Surveillance Camera Systems (CCTV, ANPR, BWV, Drones) with Risk Assessment and ICO Consultation

1 Project summary

Project information
Project name: [ Insert name ]
Project owner: [ Insert name ]
Project overview: [ Outline the project, eg new CCTV system for a car park ]

2 Details of proposed surveillance camera system

2.1 Identify why your deployment of surveillance cameras requires a DPIA

- Systematic and extensive profiling
- Public monitoring
- Denial of service
- Data matching
- Tracking
- Risk of harm
- Automated decision-making
- Large-scale use of sensitive data
- Innovative technology
- Biometrics
- Invisible processing
- Targeting children/vulnerable adults
- Special category/criminal offence data
- Other [ Please specify ]

2.2 Timescale and status of surveillance camera deployment

Is this a proposal for a fresh deployment or an enlargement of an existing surveillance camera system?
- New deployment
- Expansion of existing system

Which data protection regime will you be processing under? UK...
