Data Matters Privacy Blog: Cybersecurity, Privacy, Data Protection, Internet Law and Policy
- Scientific Research and the GDPR: EDPB Issues Long-Awaited Guidelines by Francesca Blythe and Eleanor Dodding on May 12, 2026 at 7:58 pm
On 15 April 2026, the European Data Protection Board (“EDPB”) published its long-awaited draft Guidelines 1/2026 on the processing of personal data for scientific research purposes (the “Guidelines”), marking the most comprehensive regulatory statement to date on how the GDPR applies to scientific research activities.
- Preparing for the UK’s New Data Protection Complaints Regime: Key Steps Before June 2026 by Francesca Blythe, William RM Long and Eleanor Dodding on May 5, 2026 at 5:35 pm
The Data (Use and Access) Act 2025 (“DUAA”) has made a number of changes to the UK’s data protection regime, many of which have already come into force. From 19 June 2026, organisations will need to implement or update their data protection complaints procedure to align with the new DUAA requirements which provide a mechanism for complaints made directly to a controller. This new requirement is supported by recent guidance from the UK Information Commissioner’s Office (“ICO”). This marks a shift towards a more formalised, controller-led complaints-handling framework, requiring organisations to treat certain expressions of dissatisfaction as regulated complaints with defined procedural obligations.
- U.S. SEC Regulation S-P: Compliance Deadline Approaching for Smaller Entities by Ranah Esmaili, Jonathan M. Wilan and Victoria A. Anglin on April 30, 2026 at 4:31 pm
The U.S. Securities and Exchange Commission has issued amendments to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, which became effective on August 2, 2024 (the Final Amendments). For smaller entities, including registered investment advisers with less than $1.5 billion in assets under management, as well as certain broker-dealers and other SEC-regulated entities, the compliance deadline is June 3, 2026. The compliance deadline for larger entities was December 3, 2025. For a full list of entities required to comply, please see June 4, 2024 Sidley Update.
- European Biotech Act I: Navigating the EDPB/EDPS Vision for the Future of Clinical Trials by Francesca Blythe and Josefine Sommer on April 29, 2026 at 4:47 pm
On 12 March 2026, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a Joint Opinion (the “Joint Opinion”) on the proposed European Biotech Act I (the “Biotech Act”). The Joint Opinion broadly supports the EU’s ambition to strengthen its biotechnology sector. However, it emphasises that data protection safeguards must be tightened, particularly where health data is involved. The recommendations signal forthcoming scrutiny during the legislative process and highlight key compliance considerations for organisations involved in clinical trials.
- U.S. SEC Clears Path for Decentralized Crypto Asset Security Trading With Broker Registration Exception for User Interfaces by Lilya Tessler, Andrew P. Blake, Kate Lashley, Andrew J. Sioson, Charles A. Sommers, Nicole K. Chipi and Alec J. Silvester on April 21, 2026 at 4:55 pm
On April 13, 2026, the staff of the Division of Trading and Markets (Staff) of the U.S. Securities and Exchange Commission (SEC or the Commission) issued a statement (Statement) that it would not object to certain technology providers – referred to as “Covered User Interface Providers” – creating, offering, and/or operating software interfaces that allow users to prepare and submit transactions in crypto asset securities without registering as broker-dealers.
- UK Operational Incident and Third-Party Reporting Rules: What Firms Should Do Now by Leonard Ng, James Phythian-Adams, Francesca Blythe, Eleanor Dodding, Arjun Lakhani, Andrea M. Hynes, Qalid Mohamed and Julie Rodriguez on April 16, 2026 at 2:03 pm
The Financial Conduct Authority (FCA) has published Policy Statement PS26/2 together with final guidance in FG26/3 and FG26/4. The Prudential Regulation Authority (PRA) has also published PS7/26 alongside Supervisory Statement SS1/26 and an update to SS2/21. PS26/2 and PS7/26 introduce a new UK framework for reporting serious operational incidents and material third-party arrangements. The framework was developed by the FCA, PRA, and the Bank of England and is intended to give the regulators better visibility of operational disruption and third-party dependencies and to support a more data-driven supervisory approach.
- Chambers 2026 Global Practice Guide for Cybersecurity by William RM Long, Francesca Blythe, Eleanor Dodding and Matthias Bruynseraede on April 15, 2026 at 6:30 pm
The Chambers Global Practice Guide for Cybersecurity 2026 has been published. The guide provides the latest legal information on cybersecurity law and regulation, including in relation to critical infrastructure, financial sector operation resilience, cyber-resilience, and ICT certification. The guide also covers the intersection of cybersecurity with data protection law, developments in AI and healthcare regulation.
- Regulatory Update: National Association of Insurance Commissioners Spring 2026 National Meeting by Andrew R. Holland, Stephanie H. Dobecki, Sara N. Africano, Ellen M. Dunn, Michael L. Rosenfield, Jacob A. Grossman, Lucas J. Grisham and Ian Schmidt on April 14, 2026 at 4:01 pm
The National Association of Insurance Commissioners (NAIC) held its Spring 2026 National Meeting (Spring Meeting) March 22–25, 2026. This blog post summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include progress on addressing regulatory concerns related to indexed annuity illustrations, establishment of a new working group on market conduct modernization, exposure of a risk-based capital (RBC) adjustment framework for collateral loans, a Securities Valuation Office (SVO) report on resource strain caused by increased Private Letter Rating filings, multiple revisions to statements of statutory accounting principles (including guidance on sale-leasebacks, repurchase agreements and residential mortgage loans held in statutory trusts, and proposed disclosures for funding agreement-backed financing programs), and updates on the pilot phase of the AI Systems Evaluation Tool.
- India’s Digital Regulation in Focus: Implications of the 2026 United States Trade Representative Report for American Companies by David Lashway, Michael C. Hochman, Ash Nagdev and Ben Cross on April 13, 2026 at 5:12 pm
On March 31, 2026, the Office of the United States Trade Representative (“USTR”) furnished its annual National Trade Estimate Report, which identifies foreign trade barriers affecting U.S. companies, including several developments relating to India’s digital regulatory frameworks. The Report arrives at a time when India is assuming an increasingly central role in the global strategies of U.S. companies, reflecting sustained growth in its digital economy, a rapidly expanding middle class, and deeper U.S.-India trade engagement. At the same time, India’s regulatory framework governing digital platforms, data, and content is evolving in ways that are increasingly consequential for companies operating in the market. The Report highlights several of these developments, including content moderation requirements, data governance measures affecting cross-border flows, and ongoing concerns regarding intellectual property protection.
- Seventh Circuit Limits Potential Damages Under BIPA, Holds 2024 Amendment Applies Retroactively by Kathleen Carlson, Lawrence P. Fogel, Andrew F. Rodheim and W. Stuart Whitney on April 8, 2026 at 5:12 pm
Last week, the Seventh Circuit issued a critical opinion for companies facing lawsuits under the Illinois Biometric Information Privacy Act (“BIPA”). In Clay v. Union Pacific Railroad Co., No. 25-2185, 2026 WL 891902 (7th Cir. Apr. 1, 2026), the court held that a 2024 amendment to BIPA that limited damages to one recovery per person and not “per-scan” (each time a biometric identifier is collected) applies retroactively to cases pending at the time the amendment was enacted.






