Artificial intelligence is just one of many data-related issues and challenges that marketers need to be mindful of during 2026, writes Steven Roberts.
Data protection is a priority for marketers in 2026. Consumer awareness remains high. A recent public attitudes survey by the Data Protection Commission indicated two-thirds of respondents would lose trust in an organisation if it misused personal data. Alongside this, our profession is currently exploring the transformative potential of various artificial intelligence (AI) tools, many of which are heavy processors of personal data. In this short article, I look at some of the key data privacy themes for the coming year, areas that I expand on in detail in my new book Data Protection for Business: Compliance, Governance, Reputation and Trust.
Artificial Intelligence
AI technologies are changing the landscape of marketing. They provide opportunities for substantial productivity and efficiency gains for teams of all sizes, in areas such as content generation, graphic design, personalisation and automation. At the same time, AI is a complex, opaque technology with significant data privacy risks, for example in adhering to key principles such as accuracy and transparency.
Marketing teams considering introducing new AI platforms should first identify if personal data will be processed. If so, then the GDPR applies. In order to meet the Regulation’s requirement for data protection by design and default, marketers should consider using mechanisms such as a Data Protection Impact Assessment (DPIA). This is a compliance tool that enables a business to ascertain the data privacy risks posed by a project and to put in place mitigating measures to offset them. Identifying issues early prevents delays and costly rollbacks at later stages in the project’s lifecycle.
Adjacent Legislation
Though less directly affected than compliance and legal teams, marketers should be aware of the range of adjacent legislation being introduced by the EU as part of its Digital Decade initiative. New laws in areas such as data governance and artificial intelligence have compliance implications across the business. One of the challenges for companies over the next 3 to 5 years will be finding ways to effectively resource and upskill frontline teams dealing with this complexity.
A key new law is the Artificial Intelligence (AI) Act. Whilst primarily intended as product safety legislation, protecting the rights of EU citizens, it also contains substantial areas of overlap with data protection, for example in areas such as transparency and having a human-in-the-loop where automated decision making is taking place. The Act adopts a risk-based categorisation, depending on the type of AI technology and the purposes for which it is being used. Marketers are advised to liaise closely with legal and compliance colleagues to understand the potential implications when deploying new AI tools.
Highlighting the interplay of EU laws, Article 50 of the AI Act requires transparency where AI-generated content is provided to the public. Marketing teams meet this need through effective labelling where AI has generated or assisted in the creation of content. This is separate from the GDPR’s requirement for transparency under Article 5(1), which obliges organisations to explain in clear, easily understood language how an individual’s personal data is processed.

Digital Omnibus
There is an increasing divergence in the regulatory approach of the USA, and to a lesser extent the UK, when compared to the EU. The Trump Administration and the British government have sought to reduce the regulatory burden on companies to promote economic growth. In response, the EU commissioned the 2024 Draghi Report, which highlighted the impact of recent increased regulation on European innovation. The Commission’s proposed remedy is the Digital Omnibus, a package of measures intended to simplify compliance for small and mid-sized businesses. The initiative includes simplification of aspects of the GDPR and AI. Marketers should keep a close eye on the Omnibus’s progress; it is unlikely to be finalised until late 2026 or early 2027.
UK Adequacy
Marketers trading into the UK breathed a sigh of relief on 19th December last year when the European Commission renewed its adequacy decision for a period of six years, up to 27th December 2031. Under this decision, the Commission views the UK as having a data protection regime that is essentially equivalent to that provided under GDPR. For marketing professionals, it avoids the requirement for additional data transfer mechanisms such as Standard Contractual Clauses (SCCs).
Marketers should, however, continue to keep track of legislative developments within the UK. For example, the Data (Use and Access) Act 2025 initiated a number of relatively minor data protection changes. This included areas such as streamlined subject access requests, and cookie consent where companies can provide website analytics cookies on an opt-out basis.
What Steps Can Marketers Take?
In such a complex, fast-moving environment, there are practical steps marketing teams can take to ensure compliance. These include:
- Regular data protection training for new and existing staff;
- Undertaking a DPIA for any projects that involve processing of personal data;
- Regularly auditing the personal data processed and held by the organisation;
- Ongoing monitoring of the regulatory environment, working with colleagues in data protection, legal and compliance;
- Keeping data privacy as a standing agenda item for team and departmental meetings;
- Paying particular attention to the privacy risks associated with AI technologies, to ensure these tools are used in a way that is compliant with the AI Act and GDPR.
Steven Roberts is group head of marketing with Griffith College and vice-chair of the Compliance Institute’s Data Protection and Information Security Working Group. He is a Chartered Director, Certified Data Protection Officer and a Fellow of the Chartered Institute of Marketing. His new book, Data Protection for Business: Compliance, Governance, Reputation and Trust, will be published in February by Clarus Press. Readers who wish to purchase a copy of the new book can avail of a discount on the Clarus Press website by using the code Datapro26.