|
What I learnt at PDP’s Annual Conference
Yesterday I attended 24th PDP’s Annual Data Protection Compliance Conference in London. It was an excellent conference, with a great range of topics and some brilliant speakers! It was also lovely to meet and catch up with so many people in person.
Topics covered (by the engaging speakers from these organisations):
- ICO: How the ICO is supporting organisations with changes under the Data (Use and Access) Act 2025, and its transition to become the Information Commission. She also spoke about the ICO’s/IC’s three strategic priorities: children’s privacy, AI and biometrics, and online tracking.
- Linklaters: Cyber Incidents, and the importance of preparedness, including risk assessments and war games. She discussed how legal frameworks impact cybersecurity (including the UK Corporate Governance Code), and the role of legal and data protection teams, as well as CISOs. Also an interesting discussion on legal and ethical concerns for ransom payments.
- Bates Wells: A summary of the changes to data protection law under the Data (Use and Access) Act 2025, with many key changes expected to come into force in December this year (and some already in force). Some significant changes may be found in the finer detail of the wording, such as the removal of the word “independent” when referring to an authority which enforces data protection in a third country (in the context of international data transfers and the new “data protection test” for determining whether another country provides adequate protection). She also touched on the complex issue of retained EU law (including case law).
- Bristows: The world of AdTech, and the complex web of players with whom data may be shared. He covered the many challenges of compliance with data protection and e-privacy laws, including the “consent headache”. He raised the need for alternative solutions, potentially with the assistance of AI modelling, which could reduce the amount of personal data needed.
- Herbert Smith Freehills Kramer: A new perspective on joint controller relationships – should organisations be embracing them rather than steering away from them? The legal rules and decisions on what constitutes joint controllership potentially capture a wider scope of relationships than those categorised as such in practice, with organisations preferring to view themselves as independent controllers (or a controller to processor relationship).
- VWV: Detail of the changes to subject access request rules under the Data (Use and Access) Act 2025. Whilst a lot of changes reflect existing case law and guidance, they may give controllers more clarity and confidence in applying the rules and taking a proportionate approach. He also gave a tip on not getting sucked into endless chains of correspondence.
- White & Case: Negotiating data protection and AI clauses with suppliers. Data protection provisions in controller to processor contracts are now well-established, with many suppliers having (potentially inflexible) standard terms (including minimum requirements under UK GDPR). AI contract clauses are currently more like the Wild West and the laws are relatively untested. He took us through clauses customers may want to push back on or try to negotiate.
- Fieldfisher: The right to deletion, including its origins in the Costeja search results case (CJEU ruling in 2014), and the current right to erasure under Article 17 UK GDPR. Interestingly, she broke it down into erasure rights under Article 17(1) and the right to be forgotten under Article 17(2), under which controllers must take reasonable steps to inform other controllers using the data of the erasure request. She also highlighted some operational and technical challenges for data deletion.
- Panel discussion with representatives from the University of Sussex, National Gas, Durham County Council, Universities Superannuation Scheme and Brightwell (BT Pensions Scheme): Practical AI implementation. The panellists discussed the evolution of risk appetites in use of AI, and the governance measures which are being put in place.
What a great day!
Olivia Whitcroft, principal of OBEP, 18 September 2025
This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details
