What happened, who was affected, and what we can learn…
April had fewer headline-making breaches, but brought further regulatory commentary on high-risk data and cyber hygiene.
23andMe
Date Reported: 26th April, 2025 (Notice of intent).
No. of UK Individuals Affected: ~155,000 (breach from 2023).
Data Exposed or at Risk: Genetic, health, ancestry details.
ICO Response: Notice to impose £4.59 million fine; joint statement with Canadian regulator on data protection during insolvency.
Summary: The ICO issued a provisional finding and warned that any sale of 23andMe must maintain GDPR compliance and safeguard sensitive data.
Commentary: This underlines that sensitive data doesn’t lose protection in bankruptcy. Regulators expect continuity during corporate transitions and will enforce early.
Insights for UK Businesses
- Regulatory action can start with a notice of intent; these early alerts matter before monetary penalties stack up.
- Transactional risk now includes the handling of data during M&A, sale, or insolvency.
- Sensitive data holders are under continuous scrutiny, regardless of business state.
Legislative Context
These actions came just before the Data (Use and Access) Act 2025. Their timing underscores the law’s focus on continuous compliance, including during organizational change.
Conclusion
April’s updates highlight that regulatory momentum isn’t just retrospective; it’s real‑time. Be prepared before monthly headlines become compliance issues.
Disclaimer
This report is based on public disclosures, media reports, and ICO updates available at the time of writing. Figures for affected individuals may be estimated where not officially disclosed. This post is intended for informational purposes only and does not constitute legal advice.