Linzi Penman

Subscribe to Linzi Penman's Posts

On 5 February 2026, the main changes to data protection legislation in Part 5 of the Data (Use and Access) Act 2025 (“DUAA) came into force.

The DUAA was passed and received Royal Assent on 19 June 2025. Although some of the DUUA provisions came into force automatically, many of the reforms

Continue Reading UK: Commencement of the data protection provisions in the Data (Use and Access) Act

The Threat

Malware usage by adversaries has reportedly declined. Partly due to sophisticated detection methods commonly deployed by medium to large organisations.

Conversely, insider threats (cybersecurity risks originating from within an organisation) are increasing, posing complex and costly challenges for businesses. CrowdStrike’s 2025 Global Threat Report indicates that insider threat operations accounted for 40% of

Continue Reading Insider Threat: Client Considerations and Justifications

Visible cyber fallout is everywhere. Impact to business operations (and therefore revenue) including halted production lines, emptied supermarket shelves, online payment unavailability, and patient backlogs have all brought cyber into the media and the boardroom at an alarming rate in the last year. Last week, the NCSC’s Annual Review 2025[1] showed impact climbing fast

Continue Reading UK: It’s time to act – the UK National Cyber Security Centre’s wake-up call for business leaders

The European Data Protection Board (“EDPB“) adopted an opinion on 7 October 2024, providing guidance for data controllers relying on processors (and sub-processors) under the GDPR. The two key themes are:

  1. supply chain mapping;
  2. verifying compliance with flow-down obligations.

For many financial institutions, the emphasis on these obligations should not come as a

Continue Reading EU: Engaging vendors in the financial sector: EDPB clarifications mean more mapping and management

In the evolving legal landscape of data protection, several decisions by data protection regulators and courts across the EU and UK underscore the importance of proactive GDPR compliance from a contractual perspective. These issues are being scrutinised more closely in corporate due diligence transactions and by regulators in the event of a data breach or

Continue Reading EU and UK: The importance of data processing agreements