In the March edition of Data & Privacy Matters, the Fieldfisher Tech and Data team round up key UK and EU developments across data protection, online safety, cybersecurity, and digital regulation. 

They begin with the ICO’s draft updated guidance on automated decision‑making and profiling, published following the Data Use and Access Act 2025. The guidance clarifies when automated decision‑making rules apply, what meaningful human involvement looks like, and signals a shift towards a more permissive “right to challenge” model.

Staying with the ICO, they discuss updated purpose limitation guidance, which tightens expectations around compatibility assessments and record‑keeping where personal data is reused, particularly where consent was the original lawful basis.

Children’s online safety remains a major focus this month. The team cover the joint ICO and Ofcom statement on age assurance under the Online Safety Act, alongside potential European Commission enforcement under the Digital Services Act, reflecting increased regulatory scrutiny of age assurance, default settings and systemic risk.

European developments continue with draft guidance on the Cyber Resilience Act, clarification on software scope, and the closure of the Digital Fitness Check consultation under the Commission’s Digital Omnibus initiative.

They conclude with enforcement and litigation updates, including the CJEU’s Brillen Rottler ruling on abusive DSARs and a cyber incident at UK Companies House.

Find the sources here.