Data protection & AI governance 2025-2026

Data protection and AI governanceThe framework of policies, processes, and roles that ensure Artificial Intelligence (AI) is developed and used responsibly, ethically, and in compliance with applicable laws, societal expectations, and corporate values.  have become increasingly intertwined this year as organisations scale AI into core products and processes. Although AI systems have always relied on datasets, the deployment of more sophisticated models into business-critical processes has increased the volume, sensitivity, and impact of that data. This shift means issues such as lawful personal dataInformation which relates to an identified or identifiable natural person. use, transparency, fairness, and explainability have become crucial elements for effective AI governance.  

AI regulation has also accelerated. Organisations operating in the EU need to comply with the EU AI ActThe EU Artificial Intelligence Act was approved by the EU Council on 21 March 2024. A world-first comprehensive AI law, intended to harmonise rules for the development, deployment, and use of artificial intelligence systems across the EU., which introduces certain binding requirements on data quality, risk management and transparency. At the same time, global data protection and privacy legislation has continued to evolve, often in different or even conflicting directions. 

For multi-national organisations, the biggest challenge in 2026 will be managing data protection and AI governance across regions. Those investing in structured and adaptable frameworks will be better positioned to manage risk and maintain compliance, as well as building trust with regulators, partners, and customers. 

What we cover: 

• 2025 data protection and AI governance regional highlights: 
  • United Kingdom: DUAA & AI Opportunities Action plan 
  • European Union: GDPR developments, EU AI Act & EHDS 
  • Canada: Provincial updates 
  • United States: State privacy laws & America’s AI Action Plan 
• Privacy & AI forecast for 2026: What should organisations prepare for?

🇬🇧 United Kingdom: 2025 data protection & AI governance highlights

UK data protection 

The UK’s Data Use and Access Act (DUAA) received Royal Assent on 19 June 2025, introducing targeted updates to the UK General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU.) and Privacy and Electronic Communications RegulationsPECR is the UK implementation of the ePrivacy Directive (Directive 2002/58/EC) providing certain rules on marketing, cookies, communication services security and customer privacy (in relation to traffic/location data, billing, line identification and caller directories). (PECR). Some changes, such as adjustments to DSAR handling, are already in force. Other reforms, including changes to lawful bases for direct marketing, updated cookie and consentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed. rules, and provisions around AI and data sharing will likely come into force throughout the first half of 2026, following the Information Commissioner’s Office (ICOThe Information Commissioner's Office (ICO) is the United Kingdom’s independent supervisory authority for upholding information rights in the public interest, ensuring compliance with the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).) and UK Government’s phased implementation plans. 

For organisations, the DUAA means reviewing existing frameworks and making targeted updates. As the core elements of the UK GDPR remain, this will bring a mix of continuity and adjustments in 2026.  

Read our early overview of the DUAA  

UK AI governance

On 13 January 2025, the UK’s Department for Science, Innovation & Technology published its AI Opportunities Action Plan, setting out the direction for AI oversight and innovation. Rather than introducing a specific AI law at this stage, the UK continues to rely on a non-statutory, principles-based framework covering transparency, fairness, safety, accountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance., and governance. These are expectations rather than legal requirements and are applied through existing laws such as the UK GDPR and the DUAA. 

Supporting resources, including the ICO ’s Guidance on AI and data protection and the government’s AI playbook, provide practical direction but are not legally binding. 

Organisations operating in the UK should focus on strengthening AI governance and align systems with UK regulatory principles. Oversight may increase as regulators explore how to apply these expectations in the future. 

🇪🇺 European Union: 2025 data protection & AI governance highlights 

GDPR developments

This year brought welcome clarity on several GDPR concepts. The European Data Protection Board (EDPB) published its draft guidance on pseudonymisation, helping organisations understand how to apply this safeguarding measure effectively. The Court of Justice of the European Union (CJEU) then reinforced this direction with its judgement on 4 September 2025, clarifying that pseudonymised data is not automatically treated as ‘personal data’ for all recipients if they cannot identify the individual that it relates to. This means data controllers may be able to share pseudonymised datasets more confidently, provided safeguards are robust and reidentification is not realistically possible. 

The Commission also unveiled its proposed Digital Omnibus VII, aimed at reducing the administrative burden for businesses and streamlining the GDPR. Several of these proposed reforms have already proved contentious, sparking debate about whether simplification comes at the expense of existing protections. In some areas there are questions as to whether the proposals would deliver any simplification at all. 

For early thoughts on the Digital Omnibus and whether it risks diluting the GDPR’s gold standard status, watch The DPO Centre’s Privacy Puzzle webinar session on demand:

European Health Data Space

Alongside these GDPR developments, the phased implementation of the European Health Data Space (EHDS) began in March 2026. The EHDS introduces new obligations for organisations handling health data, including requirements for interoperability, access controlsA series of measures (either technical or physical) which allow personal data to be accessed on a need-to-know basis., and detailed logging of electronic health records. These changes will have significant impact on healthcare and Life Sciences organisations, as well as vendors supporting these sectors. 

EU-UK Adequacy 

The European CommissionOne of the core institutions of the European Union, responsible for lawmaking, policymaking and monitoring compliance with EU law. extended the UK’s adequacy decisionA decision adopted by the European Commission on the basis of Article 45 of the GDPR, which establishes that a third country (i.e. a country not bound by the GDPR) or international organisation ensures an adequate level of protection of personal data. Such a decision takes into account the country's domestic law, its supervisory authorities, and international commitments it has... until 27 December 2025, maintaining stability for UK-EU data transfers. Although the UK’s DUAA introduced some changes, the core principles of the GDPR remain intact. And while the European Data Protection Board (EDPB) has raised questions, a negative impact on adequacy still looks unlikely. Even so, organisation should keep a close eye on updates from both the Commission and the UK’s ICO to stay informed as 2026 approaches. 

EU AI governance

The EU progressed the implementation timeline of the EU AI Act, supported by the AI Continent Plan, which sets out Europe’s strategy to become a global leader in AI. 

Italy became the first Member State to enact national AI legislation, formally known as Law No. 132/2025. The law came into force on 10 October 2025 and promotes the ethical, transparent, and responsible use of artificial intelligenceThe use of computer systems to perform tasks normally requiring human intelligence, such as decision-making, speech recognition, translation etc.. Together with the EU AI Act, it sets operational and governance requirements for organisations that provide products and services in the country. 

Businesses operating across the EU should review data and AI governance frameworks now, especially risk categories and data-sharing controls, to ensure readiness. Are you ready for the EU AI Act? 

🇨🇦 Canada: 2025 privacy & AI governance highlights 

Privacy in Canada 2025

Federal privacy reform under Bill C-27 stalled following the resignation of Prime Minister Trudeau, leaving national reform uncertain. In the meantime, several provinces have advanced their own updates:  

• Alberta replaced FOIP with the Protection of Privacy Act (POPA) and the Access to Information Act (ATIA), which came into force 11 June 2025 
• Ontario implemented amendments to the Freedom of Information and Protection of privacy Act (FIPPA) on 1 July 2025 
• Quebec continues enforcing Law 25, which exceeds federal law obligations 

This means organisations operating across provinces cannot rely solely on federal law. Your privacy programme must reflect the requirements of each province in which you operate. 

Canada’s AI updates

As part of Bill C-27, the proposed AI and Data Act (AIDA) is also now stalled. In its absence, AI governance is emerging through provincial initiatives and sector regulations. Organisations should monitor developing guidance around automated decision-making, AI use in public services, and any other provincial expectations. 

🇺🇸 United States: 2025 privacy & AI governance highlights 

US Privacy 2025

On 8 April 2025, the Department of Justice’s final rule under the Data Security Program (DSP) took effect. This final rule sets out the prohibitions and restrictions on transfers or access to sensitive personal data and government-related data by countries of concern (or ‘covered person’). 

Although the US still lacks a comprehensive federal privacy law, more than a dozen US states introduced or updated privacy laws in 2025, including Iowa Consumer Data Protection Act, New Jersey Data Protection Act, Minnesota Consumer Data Privacy Act. 

AI governance in the United States

America’s AI Action Plan sets out the federal government’s priorities for advancing safe and trustworthy AI. While a national law to regulate AI has yet to be adopted, state-level activity has accelerated, with more than 1,000 AI-related bills introduced across the US. Colorado has led the way with the Colorado AI Act, which will take effect in 2026. At the same time, the Trump administration has opposed a state-by-state regulatory approach. On 11 December 2025, Trump signed an executive order aimed at preventing states from introducing or enforcing their own AI laws, citing concerns about regulatory inconsistency and the potential impact on innovation. 

For organisations operating in the US, the focus for 2026 should be on balancing existing state law obligations with the likelihood of increased federal direction. While state variation may be curbed, AI governance frameworks should remain flexible enough to adapt to change. Organisations with global operations should also ensure alignment with broader international expectations.

Privacy & AI forecast for 2026: What should organisations prepare for?

As we move into 2026, organisations will need to act on any regulatory updates introduced in 2025, many of which will begin to take effect. 

Key areas to consider: 

• UK DUAA implementation: upcoming ICO guidance on cookie practices, marketing rules and data-sharing practices 
• EU regulatory updates: EU AI Act obligations, progression of the proposed Digital Omnibus, and new sector rules such as the European Health Data Space 
• Canadian provinces: keep pace with the differing provincial reforms, especially Quebec, Alberta, Ontario, and British Columbia 
• US state obligations: Colorado’s AI Act comes into effect mid-2026 with more states potentially advancing their own AI or privacy requirements 

To stay ahead, organisations should review AI and privacy frameworks, where these developments apply. Make sure data flows are mapped, documentation is up to date, and any governance processes are updated where relevant. 

If your organisation needs support assessing your AI readiness or strengthening your data protection governance, The DPO Centre offers a wide range of services to support your team, including:  

• EU AI Act Readiness Assessment 
• AI Governance Services 
• UK and EU Data Protection Services 
• Canadian Privacy Services 

In case you missed it…

• AI Officer vs DPO: Defining roles in AI governance 
• Pseudonymisation under the GDPR: What the latest EU ruling means for organisations 
• AI Impact Assessments: What are they and why do you need one?