In September 2024, a UK tribunal concluded that 5.6 million stolen card records might not constitute personal data. The argument was structural, not frivolous. Hackers who cannot identify individuals from card numbers alone are not, the Upper Tribunal suggested, processing personal data.

The Court of Appeal corrected that in February 2026. Lord Justice Warby's ruling establishes a clean and reusable test: you assess whether data is personal from the controller's perspective, not the attacker's.

I want to explain exactly why that matters, what "jigsaw identification" means in practice, and the five steps your business should take before the end of this month.

France banned Zoom and Teams from government. Germany is migrating 30,000 workstations to open source and saving €15 million a year. The Dutch Parliament demanded exit strategies from US cloud. Switzerland declared US cloud unsuitable for government data.

The UK has produced no sovereign cloud strategy, no government migration programme, no regulatory enforcement on CLOUD Act exposure, and no explicit guidance for commercial organisations.

Noel Bradford, with 40-odd years of watching the UK IT establishment make the same mistakes on repeat, asks the question nobody in Whitehall wants to answer: when did we decide that digital independence was somebody else's problem?

The Data (Use and Access) Act just went live on 5 February, and if you're only hearing about it now, you're not alone. The commencement regulations were published two days before the provisions kicked in. That's the government's idea of adequate notice. Guest contributor Kathryn Renaud cuts through the panic with something actually useful: four repeatable workflows for DSARs, complaints, cookies, and automated decisions that any UK SMB can build this week with tools they already own. No expensive software. No consultant fees. Just structure, ownership, and documented processes. Read this before the ICO comes knocking.

The UK Government is to implements personal director accountability for cyber risk in public sector. So logically Private sector is next. What directors need to know now.

BREAKING: Another SOC 2 certified company just suffered a massive data breach. Shocked? You shouldn't be. While they were busy documenting their security procedures in triplicate, hackers walked through the front door they forgot to lock. This is compliance theatre in action: expensive certificates that impress auditors but don't stop criminals. Today's reality check exposes why governance frameworks fail against real threats and what UK SMBs should learn from this latest security disaster