October 2025 – Newsletter Update

We recognise that staying on top of changes to legislation and advice can be difficult. Here are some articles and alerts we’ve seen lately that we think you should be aware of, or might be interested in.

Please note that we’ve included links below to external websites. PCML consultants are not responsible for the content of any external websites.

We’ve collated the below from alerts and bulletins that we receive from UK Government agencies and others. You can find links to those sources and others on our website. We’ve linked to that page on our website at the end of this email.

This update includes Information Security, Environment and Health & Safety – click to jump to the relevant section. This update covers the period from mid-May 2025 to 9th October 2025.

Information Security

If you are an IT professional; these articles may be directly of use to you. If you are a manager with responsibility for information security and an in-house or outsourced IT function, you may wish to check that they are aware of this advice.

Legislative changes

Published UK legislation

The Data Use and Access Act 2025 received Royal Assent and passed in to UK law in June 2025. We reported on this Act (then a Bill) in Q1’s report when it was scheduled for its second reading in the House of Lords. The Act amends a number of other Acts and Regulations including the Online Safety Act 2023 and the Privacy and Electronic Communications (EU Directive) Regulations 2003 (‘PECR’)Key provisions of the Act are listed below along with the few changes from the Bill.

  • New Lawful Grounds for data processing: The Act introduced a ‘recognised legitimate interests’ as legal grounds for processing data for crime prevention, public interest, and emergencies, streamlining processes for public bodies and related organisations by removing the need for legitimate interests impact assessments in these areas
  • Smart Data Schemes: A framework has been established to enable government creation of Smart Data schemes, facilitating data sharing in sectors like finance (e.g., Open Banking)
  • Digital Verification: Provisions are included to support the growth of digital verification services, allowing for electronic identity verification
  • Automated Decision-Making: Stricter controls on automated decision-making are eased, allowing its use in more circumstances if safeguards like human intervention and transparency are in place, particularly concerning special category data. In a change from the Bill, human intervention has been defined mean it requires a competent person to review automated decisions (‘meaningful human intervention’)
  • Artificial Intelligence (AI), Copyright and Deepfake Imagery: – The Act included provisions addressing the use of copyright material for AI training and transparency requirements. However, some controversial Lords’ amendments on these topics were dropped in the final Act, with the government committing to further study on the economic impact of AI and copyright. The Act amended other acts including the Online Safety Act 2023 by adding offences relating to AI-generated deepfakes of intimate images and child sexual abuse
  • Cookies and ePrivacy: The Act simplifies requirements for cookies and banners, potentially removing the need for user consent in some cases
  • Data Subject Access Requests (DSARs): In a change from the Bill, the Act clarified that the search principle for DSARs must be ‘reasonable and proportionate’
  • ICO Governance: The Act introduces reforms to the ICO’s governance structure
  • Increased Penalties: The maximum fines for breaches of e-privacy under the Privacy and Electronic Communications Regulations 2003 (PECR) are aligned to UK GDPR (up to £17.5 million or 4% of global turnover).

Proposed UK Legislation

We are not aware of any proposed UK Legislation relating to Information Security that we have not reported in previous newsletters. We reported on the proposed Cyber Security and Resilience Bill in the last newsletter.

Other

While not directly related to Information Security, the Product Regulation and Metrology Act 2025 that was enacted on 21st July 2025, grants powers to relevant authorities regarding product safety, metrology (measurement), marketing and enforcement. The act is an enabling Act for future regulations. The Act includes recognition of ‘intangibles’ including software.

It is possible that this is in anticipation of further acts to control aspects of software and the sale and marketing of software or devices containing software, such as Internet of Things (IoT) devices where obligations may be placed to ensure that the software elements are compliant, not just the hardware.

The act also mentions mobile applications and online marketplaces as areas that may include control elements (e.g. e-commerce platforms may face statutory obligations to ensure that products sold through them are safe and comply with relevant UK regulations).

In July, the California Privacy Protection Agency (CPPA) adopted updated regulations for the California Consumer Privacy Act (CCPA), expanding and revising its regulatory scaffolding.  While not as strong as the UK and EU GDPR regulations, the act is considered to be most comprehensive state-level privacy law in the US. The new rules are scheduled to take effect January 1, 2026 (subject to final administrative review) and are expected to include:-

  • Increased oversight of automated decision-making (ADMT), including via AI. Businesses will need to provide pre-use disclosures about the use of ADMT, allow opt-out and include mechanisms for human review or reconsideration. Risk assessments must be conducted during training and deployment of ADMT
  • Business above $50million annual revenue must undergo regular security audits and provide CPPA with certification evidence of those audits. Implementation will be staggered, starting with organisations with over $100million annual revenue in April 2028
  • High risk processing designations will be expanded. High risk designations trigger mandatory risk assessments. This will start with risk assessment attestations to CPPA in April 2028
  • Opt-out – businesses must provide a mechanism to confirm to consumers that opt-out decisions have been honoured, including opt-outs via Global Privacy Control signals, which must be treated as valid opt-out requests
  • Privacy policy information must be stated on any web page collecting personal information, not just on the home page
  • Businesses must provide a way for users to withdraw processing consent at any time and rules around discouraging opt-out will be tightened.
  • New disclosure obligations around connected devices and virtual/augmented reality devices etc.
  • The rules will clarify their applicability to insurance companies

The EU published its ‘General Purpose AI Code of Practice’ in July. The GPAI Code of Practice is a voluntary tool to help industry comply with the requirements of the EU AI Act.

International Standards

ISO published the 2025 version of ISO 27018 in August. ISO/IEC 27018:2025 Information security, cybersecurity and privacy protection — Guidelines for protection of personally identifiable information (PII) in public clouds acting as PII processors’ Key differences from the 2019 version are alignment with the ISO 27001 & ISO 27002:2022 standards that it complements bringing the ISO 27018 control set in line with ISO 27001 & ISO 27002.

Microsoft

SANS Internet Storm Centre published the following summaries of the patch Tuesday releases from :-

Apple

Details of Key apple updates and security fixes can be found on Apple’s security updates page

Roundup of recent posts by the National Cyber Security Centre (NCSC) and partner agencies

Categories Posts (click to view)
Awareness Raising Creating the right organisational culture for cyber security
Governance/Guidance/General Information Strengthening national cyber resilience through observability and threat hunting
Governance/Guidance/General Information External attack surface management (EASM) buyer’s guide
Governance/Guidance/General Information Cyber resilience matters as much as cyber defence
Governance/Guidance/General Information Cyber Assessment Framework v4.0 released in response to growing threat
Governance/Guidance/General Information Have you got what it takes to be a ‘Cyber Advisor’?
Governance/Guidance/General Information Trusting the tech: using password managers and passkeys to help you stay secure online
Governance/Guidance/General Information Sausages and incentives: rewarding a resilient technology future
Technical/Configuration Advice RFC 9794: a new standard for post-quantum terminology
Technical/Configuration Advice Understanding your OT environment: the first step to stronger cyber security
Technical/Configuration Advice From bugs to bypasses: adapting vulnerability disclosure for AI safeguards
Technical/Configuration Advice Getting your organisation ready for Windows 11 upgrade before Autumn 2025

The NCSC also publishes current cyber security reports and advisories here, and malware reports and analysis here

Information from the Information Commissioner’s Office and partner agencies

Noteworthy cyber incident and breach news reported since the last update

This information is provided to raise awareness of the causes of incidents and breaches, so preventative action can be taken to prevent similar breaches in your organisations. It may also be helpful to keep your awareness-raising materials up to date and build business cases for information security investment

  • In possibly the most widely-reported breach this year, Jaguar Land Rover Group (JLR) became the latest victims of a hack in August. Production at its plants in the UK, Slovakia, Brazil and India had to be suspended as the organisation shut down its IT systems following the attack by the Hellcat group. Production did not begin to restart until early October. The knock-on financial impact on their supply chain led to Government intervention as it stepped in to underwrite a £1.5billion bank loan to JLR to help clear its backlog of payments to its suppliers
  • In September Kido, a London-based nursery chain suffered a breach affecting approximately 8,000 children and their parents or carers. Photos of the children and personal data was initially released by the Radiant hacker group. Following concern about their reputation with other hacking groups, Radiant later blurred the images
  • Sports footwear and fashion brand Adidas confirmed a data breach in late May after hackers accessed a ‘third party customer service provider’. The company confirmed that customer data had been breached

Highlights of new and emerging malware, techniques and other vulnerabilities in the quarter

The NCSC publishes current cyber security reports and advisories here, and malware reports and analysis here

Environment

Legislative changes

The Waste Electrical and Electronic Equipment (Amendment, etc.) Regulations 2025 came into effect on 22nd July 2025. The regulations further amend the 2013 regulations. The most significant amendment is to the meaning of ‘Producer’ to now include ‘online marketplace operators’ where they supply EEE to private households in the UK from non’-UK suppliers’ regulations. Relevant amendments to the definition of ‘placing on the market’ have been made.

Health & Safety

Legislative changes

  • No new principal legislation and no other relevant legislation relevant to our customers was identified in this quarter.
  • New and revised HSE Bulletins and News
     New Working Minds online learning module – Risk assessment for stress
  • New easy read guides for disabled workers and workers with long-term health conditions
  • New Safety Climate Tool (SCT) 2.0 released to help organisations manage their safety culture
  • Refreshed Work Right campaigns website addressing topics including Asbestos and work-related stress
  • Work related fatal injuries report 2025 for 2024/25
    • Construction and agriculture/forestry and fishing continued to account for the highest number of fatalities at 35 and 23 respectively, but ‘admin and support services’ saw 13 fatal injuries
    • The biggest cause was falls from height with 35 fatalities, almost double the second biggest cause (struck by a moving object)
    • 92 members of the public were killed in work-related accidents
  • Safety notice for certain motorised height-adjustable display screen stands in schools and other education settings
  • Call for evidence. HSE has begun work to review the Lifting Operations and Lifting Equipment Regulations (LOLER) and Pressure Systems Safety Regulations (PSSR) and is looking for input from businesses to understand whether any aspects bring unnecessary burdens, or are out of date and whether improvements can be made to clarity or effectiveness of the regulations. More here LOLER and here PSSR

If you would like to discuss any of the topics we have covered in this newsletter, or would like to know more about how PCML Consultants can help you with your Security, Quality, Environment, H&S and Business Continuity objectives, then please don’t hesitate to get in touch

Here are some more helpful links which may be of use