For international organizations with no physical presence in the United Kingdom, the post-Brexit data landscape has shifted from a static set of rules to a diverging legal framework. As we approach 2026, the challenge is twofold: meeting the foundational requirement of appointing a UK GDPR Representative and adapting to the new, business-friendly but operationally complex requirements of the Data (Use and Access) Act (DUAA).

Key Takeaways

What is the "Accountability Gap" in 2026 Financial AI? In 2026, the Accountability Gap refers to the disconnect between autonomous AI actions and Senior Manager liability. Annie and Rob explain that under the UK Data Use and Access Act 2025, firms must bridge this gap using Human-in-the-Loop protocols and Algorithmic Explainability to satisfy FCA Consumer Duty.

• Agentic AI Risks: Why autonomous trading agents require a physical "Kill-Switch" audit.
• SM&CR Liability: How Rob defines the "Reasonable Steps" a Senior Manager must document to avoid personal fines in 2026.
• The AI-BOM: Using an "AI Bill of Materials" to identify "Shadow AI" within your infrastructure.
• The "Secret Weapon" "Reasonable Steps"In 2026, the FCA’s legal "test" for Senior Managers is whether they took "Reasonable Steps" to prevent AI failure.

2025 ended with a regulatory earthquake. While the EU and India solidified their strict enforcement regimes, the United States reversed course in December with a massive move toward deregulation and federal preemption. 2026 will be the year of "Conflict and Fragmentation." Organizations now face a dual challenge: complying with strict global standards (EU/Asia) while navigating a chaotic "Federal vs. State" legal battleground in the US.

For businesses operating in or targeting the European Economic Area (EEA), ignoring GCMv2 is no longer just a compliance risk; it is a direct threat to digital advertising performance, data visibility, and ultimately, return on ad spend (ROAS)

1: The Core Challenge: The Data & The Latency

2: Action Plan: A Strategic Roadmap

and a comprehensive Q & A Session

For global organizations, the comfortable silos of the past are gone. The Chief Privacy Officer (CPO) can no longer just look at personal data; they must now look at fundamental rights. The Chief Technology Officer (CTO) can no longer just ship code; they must now ship conformity assessments.

On November 14th, India ushered in a new era for digital privacy. The DPDP Rules set a strong, rights-based, and consent-driven framework, empowering individuals and realigning our business practices with global standards. Whether you're a startup founder, compliance officer, or simply passionate about data protection, this episode unpacks what the DPDP Rules mean for your organization—what’s changing, how to prepare, and why early action is your ticket to building trust and resilience in the digital age.

Join us as we explore actionable steps, expert insights, and real-world strategies to help you transition smoothly into this new legal landscape. If you're ready to move from confusion to clarity on privacy, compliance, and data trust, this episode is for you!

Stay tuned—your DPDP handbook starts right now.

The regulatory landscape for medical devices in Great Britain has just been fundamentally reshaped. Effective June 16, 2025, the Medical Devices (Post-market Surveillance Requirements) (Amendment) (Great Britain) Regulations 2024 introduce a mandate for manufacturers to intensify their monitoring efforts once devices are on the market. The goal is clear: faster detection of safety issues and better containment of risk.

However, this commitment to patient safety creates a complex challenge for data privacy and compliance teams. Increased monitoring means more data collection, heightened retention risks, and faster reporting requirements, all of which must be reconciled with the UK's stringent data protection laws (UK GDPR).

What We Cover in This Episode:

Your hosts Annie Garcia and Rob Healey Formiti Data International break down this critical compliance overlap, detailing how MedTech manufacturers must adapt to the new dual mandate:

• The New Regulatory Baseline: We explain the shift from guidance to mandatory law, focusing on the new requirement for a PMS Plan for every device placed on the GB market.
• Data Collection Intensifies: The new rules mandate manufacturers to actively collect a wider range of data, including patient feedback and data on "similar devices" (competitors' products). We discuss the privacy implications of this enhanced data scope.
• The Unique Data Risk of Wearables: Many modern devices (wearables, apps, continuous monitors) collect sensitive, identifiable personal data in real-time. We analyze how the new PMS obligations for trend reporting and serious incident notifications must be flawlessly integrated with UK GDPR's data minimization and breach notification rules.
• The Reporting Time Crunch: The regulations introduce shorter reporting timelines for serious incidents to the MHRA. We discuss the operational necessity of having a system that can immediately isolate, verify, and report data while maintaining compliance integrity.
• Compliance Action Plan: We conclude with a clear checklist for manufacturers on how to update their Technical Documentation and Privacy Notices to reflect the new, intensified PMS activities without violating patient data rights.

This episode is essential for any regulatory, legal, or compliance professional dealing with medical devices in the Great Britain market.

In this essential episode, your hosts Annie Garcia and Rob Healey introduce the concept of Dual-Compliance. We break down exactly why financial institutions, healthcare providers, and tech firms must answer to two masters—the national Data Protection Authority and powerful sectoral regulators like SAMA and the CBE. Ignoring these layers can lead to severe penalties and operational disruption.

🔑 Key Discussion Points & Dual-Compliance Checklist

We provide a roadmap for navigating the two major compliance environments:

• 1. Defining Dual-Compliance: Why compliance is a layered issue in the MENA region. The national PDPL/DPL is the baseline, but the sectoral regulator holds the veto power.
• 2. KSA’s Financial Gauntlet (SDAIA vs. SAMA): We detail how the Saudi Central Bank (SAMA) mandates strict Data Residency and rigorous Cloud Outsourcing requirements that go far beyond the general KSA PDPL.
• 3. The Egyptian Exemption (DPL vs. CBE): Learn about the critical carve-out in Egypt's Data Protection Law: entities regulated by the Central Bank of Egypt (CBE) are exempt from the DPL. Instead, they must comply solely with the stricter Banking Law No. 194 of 2020.
• 4. Cross-Border Hurdles: We discuss the complexity of moving data out of both nations, including Egypt's requirement for a mandatory PDPC permit or license for most transfers.

🛠️ Actionable Takeaways

1. Identify Your Regulator(s): Immediately determine which sectoral regulator (SAMA, CBE, MoH, etc.) has jurisdiction over your data in KSA and Egypt, in addition to the national DPA.
2. Layer Your Audit: Your next compliance audit must compare your practices against both the general data law and the specific sectoral rules.
3. Validate Third-Party Contracts: Scrutinize all cloud and outsourcing contracts for KSA/Egypt to ensure they meet the specific data residency and due diligence standards imposed by sectoral bodies like SAMA and the CBE.

🔗 Resources

• Read the Article: Are You Dual-Compliant? Why the PDPL Isn't the Only Data Law You Need to Follow in KSA & Egypt
• Book Your Dual-Compliance Consultation: Connect with Formiti experts who specialize in layered MENA data law. [Insert Link to Formiti Consultation Page]

🎧 Episode Summary

Vietnam is undergoing a major legislative shift in data privacy. The new Personal Data Protection Law (PDPL), effective January 1, 2026, replaces the foundational Decree 13/2023/ND-CP and elevates the country’s compliance requirements to a global standard, often mirroring GDPR.

In this essential episode, your hosts [Host 1 Name] and [Host 2 Name] break down this critical transition, explaining why this new law is a game-changer for any multinational organization operating in or engaging with the Vietnamese market. It’s no longer a minor compliance item—it's a critical financial risk.

🔑 Key Discussion Points & Compliance Checklist

We dive deep into the five areas that demand immediate executive-level attention:

• 1. The End of the Decree Era: Why the shift from a government Decree to a high-level National Law fundamentally changes Vietnam’s standing in the global privacy landscape. We highlight the urgent need for a proactive compliance strategy before the January 1, 2026, deadline.
• 2. The 5% Financial Risk: The hosts analyze the single biggest change: the introduction of revenue-based fines, which can reach up to 5% of annual revenue for severe violations. We discuss how this mirrors GDPR and demands C-suite engagement.
• 3. Expanding Data Scope: We explore the expanded definition of personal data, including the challenging new coverage of non-electronic data (like physical paper files) and the specific rules targeting sectors like HR (e.g., the obligation to delete non-hired candidate data).
• 4. Granular Consent Mandate: Learn about the PDPL’s strict ban on "bundled consent." Your current consent mechanisms must be updated to provide users with granular, explicit choice for every distinct data processing purpose.
• 5. The Compliance Roadmap: We provide actionable steps, including the necessity of a Gap Analysis and the surprising grace period available to small businesses regarding the Data Protection Officer (DPO) and Data Protection Impact Assessment (DPIA) requirements.

💡 Actionable Takeaways

1. Stop Relying on Decree 13: Assume your current compliance status is insufficient for 2026.
2. Conduct a Gap Analysis: Immediately compare your current Vietnamese data map against the 2026 PDPL requirements.
3. Review HR Policies: Ensure your candidate and employee data retention periods comply with the new sector-specific rules.

🔗 Resources

• Read the Article: Vietnam's Data Privacy Evolution: From Decree 13 (2023) to the Personal Data Protection Law (2026)
• Learn More About Privacy360: Find out how our platform manages complex global regulatory transitions, including the PDPL. [Insert Link to Privacy360 or Formiti Contact]

Today, we're not talking about your desktop or your smartphone. We’re talking about the most sophisticated, data-collecting device you probably own: your car."

We're dedicating a whole segment to the high-stakes issue of driver profiling for insurance purposes. How transparent are these algorithms? And more importantly: what rights does the driver actually have when their vehicle is constantly watching their every move? It’s a crucial question for anyone who drives a modern car.

Stay with us as we shift gears and drive deep into the global challenges of automotive data privacy, right here on The Formiti Privacy Pulse."