Setting the tone for the conference, UK Information Commissioner John Edwards opened the conference with a candid reflection on the pace and scale of change — from Brexit and Covid-19 to legislative reform, technological advances, and growing societal expectations — describing change as the defining constant of the ICO's recent journey. Against this backdrop, he emphasised the importance of deliberate prioritisation: with finite resources and endless demand, the ICO is focused on providing businesses and individuals with greater certainty, more practical guidance, and transparency about where it chooses to direct its attention. On enforcement, he stressed the value of choosing regulatory tools carefully and deploying them where they can make the most meaningful difference — highlighting AI, biometrics, and children's rights as key focus areas. Notably, he pointed to the ICO's work in driving behavioural change on platforms to protect children's privacy as a marker of real regulatory success.
Among a full agenda of compelling sessions, the following discussions particularly stood out.
For a Youth-Centric Digital Future: Multistakeholder Dialogue on Age Assurance
An engaging discussion brought together Jennifer Dolan (Data Protection Commission Ireland), Diana Schaffner (Google), Daniel Fitter (Ofcom), and Alison McNulty (WeProtect Global Alliance) to explore ongoing global efforts to develop effective age assurance approaches that protect children online while safeguarding privacy. Central to the conversation was the importance of multistakeholder dialogue in shaping a holistic and interoperable framework — one that is both risk-based and technologically neutral.
Panellists highlighted the complexity of the European regulatory landscape, where different frameworks, including data protection rules and online safety regulations, approach age verification from distinct angles. This fragmentation, they noted, underscores the urgency of closer collaboration across regulators and stakeholders to avoid inconsistent outcomes.
The discussion also turned to the practical challenges of implementation, touching on emerging technological approaches such as device-based solutions and age estimation techniques, as well as the need for workable technical standards to enable interoperability across systems.
Agentic AI: Autonomous Operatives Transforming Business
The session brought together Sunny Athwal (HCL Technologies), Jo Copping (Salesforce), Marco Moragón (Workday), and Bojana Bellamy (Centre for Information Policy Leadership) to explore how B2B agentic AI is reshaping business operations — with a clear framing that these systems should amplify human potential rather than replace it. A key theme was the importance of giving customers meaningful control within a shared responsibility framework, and the need for robust AI governance programmes that embed fundamental rights and safeguards directly into agentic processes.
The discussion also highlighted an opportunity to reframe the privacy narrative around agentic AI: rather than viewing these systems solely as a source of risk, panellists noted their potential to minimise human error, autonomously monitor compliance, flag regulatory gaps, and assist in handling data subject access requests. At the same time, the panel acknowledged that tensions between agentic AI deployment and core data protection principles remain and require careful, ongoing resolution.
Investigations Under Pressure: Navigating AI, Cybersecurity, Privacy and Platform Regulation
The panel moderated by Pilar Arzuaga (McDermott, Will & Schulte), with panellists Grainne Ní Ghuidhir (TikTok) and Jonathan Dunne (Google), set out a practical framework for handling regulatory investigations increasingly triggered by AI failures, cybersecurity incidents, and platform and data protection breaches. The discussion covered the full lifecycle of an investigation: from how they start in practice, through coordination and disclosures, to remediation and accountability, with a consistent emphasis on the importance of robust incident management, predefined roles, trained teams, and clear lines of communication.
A recurring theme was the need to build incident processes well before a crisis occurs, approaching issues from multiple angles while understanding the regulator's perspective and advocating for one's own position throughout. Panellists also reinforced the significance of engaging proactively with regulators as part of the process, rather than treating regulatory interaction as a reactive step.
The panel closed by linking crisis response to longer-term governance, stressing the importance of pursuing remediation in parallel with regulatory engagement — and flagging the growing need to prepare for multi-regulator oversight under an increasingly dense framework spanning the EU AI Act, GDPR, NIS2, DSA, and the UK Online Safety Act.
The Digital Compliance Matrix: Making Sense of the Overlapping Web of Data Laws
The panel brought together Jane Finlayson-Brown (A&O Shearman), Jas Johal (Hunter, Bright & Headman), Caroline Goulding (TikTok), and Ruth O'Toole (Pinterest), drawing on perspectives from private practice, in-house legal teams, and operational privacy leadership to address one of the most pressing questions for compliance teams today: how to navigate an increasingly dense and overlapping digital regulatory landscape.
The starting point was a clear observation: privacy teams are no longer dealing with the GDPR alone. Organisations must now navigate NIS2, DORA, the AI Act, the Data Act, the Data Governance Act, ePrivacy, the DMA, the DSA, and various UK-specific regimes — frameworks that intersect and influence each other without always aligning in scope, terminology, or enforcement models. The central message was therefore unambiguous: compliance cannot be managed one regulation at a time.
Rather than organising compliance strictly around individual statutes, the discussion encouraged companies to focus on the common foundations running through most digital laws – risk management, accountability, internal controls, and the ability to demonstrate responsible decision-making, as the basis for integrated governance models embedded into product development and business processes from the outset.
Finally, the panellists discussed high profile GDPR fines and increasing scrutiny under newer instruments such as the Digital Services Act, underlining that regulators expect effective governance in practice, beyond well-drafted policies only. The overall takeaway from this engaging session was that digital compliance is evolving into a strategic discipline – requiring a coordinated and scalable governance approach that can translate legal complexity into workable structures and that is resilient enough to adapt to continuous regulatory change.
UK Data Reform in Focus: Does the DUA Act Go Far Enough?
A vivid and practice-oriented exploration of UK data reform developed in the session featuring Bojana Bellamy (Centre for Information Policy Leadership), Owen Rowland (UK Department for Science, Information and Technology), Emily Keaney (UK Information Commissioner's Office), and Jörn Wittmann (Volkswagen AG). The panel mapped the Data Use and Access Act's practical impact on legitimate interests, automated decision-making, and research — and what this means for UK-based and cross-border organisations. Concrete examples drawn from AI-driven systems and mobility use cases underscored how thoughtful reform can remove unnecessary regulatory friction without constraining innovation.
Looking Ahead
Across every session, a common thread emerged: the regulatory landscape is growing more complex, more interconnected, and more demanding — and yet the path forward lies not in treating each new development in isolation, but in building governance approaches that are principled, adaptable, and genuinely embedded in how organisations operate.
For SCOPE Europe, the IAPP Intensive is always a highlight, and this year was no exception. We are grateful to the IAPP for the quality of dialogue it continues to foster, and we look forward to building on these conversations as we work together toward workable solutions to the complexity that defines today's regulatory landscape.
