Lorna Cropper, Chloe Abbott and Sandra Ofili round up key data and privacy developments from May 2026.

They begin by highlighting a significant milestone: May marked ten years since the GDPR came into force and the two-year countdown to applicability started. The team reflects on the GDPR’s lasting influence on data protection legislation across the EU and beyond.

Continuing with European developments, the team discuss the European Parliament and Council's provisional political agreement on the Digital Omnibus reforms to the AI Act, as well as the European Commission's publication of draft, non‑binding guidelines on the classification of high-risk AI systems. 

The focus then shifts to the UK, where the team outlines key legal updates, including the deadline to inform individuals of their right to make a data protection complaint and to implement an appropriate complaints procedure. To support organisations in updating their policies and procedures, the team has prepared a practical one-page guide, available here.

Children’s online safety also remains a key priority this month. The team discusses the ICO’s statement on age assurance, Ofcom’s update following tech firms’ responses to its call for action to protect children, and the close of the UK Government’s consultation on children’s digital wellbeing.

The podcast concludes with recent enforcement developments, including the ICO’s decision to fine South Staffordshire Plc and South Staffordshire Water Plc following a major cyber incident, and the Irish Data Protection Commission’s formal inquiry into SHEIN’s Irish entity concerning the transfer of EU/EEA personal data to China.