
What do the sweeping changes in data and AI regulations across India, Europe and the US mean for how organisations govern data in 2025-26?
As data management regulations and privacy policies undergo sweeping changes worldwide, organisations must navigate a rapidly evolving compliance landscape. From India’s phased rollout of the Digital Personal Data Protection Act to the EU’s Digital Omnibus revisions and the US AI transparency mandates, 2025–2026 marks a transformative period for data governance. These updates redefine personal data, consent frameworks, and AI development rules while introducing new obligations around interoperability, risk reporting, and cross-border transfers. For businesses, understanding these developments - both in India and globally - is critical to building agile compliance strategies that turn regulatory challenges into opportunities for trust, resilience and growth.
The ensuing year will redefine data governance as organisations shift from collecting data to building confidence in decisions. Businesses will demand real-time, high-quality data to power AI and analytics, embedding governance into technology ecosystems for seamless compliance and interoperability. Global regulations like GDPR updates, India’s DPDPA, and AI transparency mandates will drive accountability, making governance a strategic advantage rather than a compliance checkbox.
India’s DPDP Act signals the shift from policy to operational compliance
The Digital Personal Data Protection Act’s operational rules, notified in November 2025, set clear standards for consent management, breach reporting within 72 hours, and protection of children’s data. They also define obligations for Significant Data Fiduciaries, including annual audits and data protection impact assessments. Compliance will roll out in phases over 12 to 18 months - starting with core provisions and the Data Protection Board, followed by consent manager requirements, and culminating in full implementation. The framework introduces a consent-centric model that empowers individuals to control their data, formalises the role of Data Fiduciaries with stricter governance responsibilities, and offers targeted exemptions for certain outsourcing arrangements to ease compliance for businesses. Together, these changes mark a decisive shift toward accountability and privacy-by-design in India’s digital ecosystem.
EU GDPR
Stricter oversight, faster enforcement and higher standards for transparency and AI governance
In 2026, regulators will push for stronger alignment of digital laws across the EU through the Digital Omnibus initiative. This effort will streamline overlapping rules like GDPR, DSA, and DMA, and improve cross-border enforcement. Organisations operating in multiple jurisdictions must maintain harmonised compliance frameworks and prepare for faster investigations and coordinated regulatory actions.
The UK will begin implementing the Data Use and Access Act (DUAA), which updates UK GDPR and the Data Protection Act. These changes introduce new requirements for automated decision-making, complaint handling, lawful bases, and international data transfers. Businesses must adapt governance structures to meet these standards and ensure they maintain EU-UK adequacy for cross-border data flows.
Regulators will also intensify scrutiny of AI systems. They expect organisations to demonstrate accountability through documented decision logic, bias monitoring, and human oversight for high-risk automated decisions. Clear governance and auditability will be essential to comply with these expectations.
Consent practices will face closer examination, with authorities targeting manipulative “dark patterns.” Companies must provide transparent, user-friendly consent flows, plain-language notices, and easy withdrawal options to meet compliance standards.
Overall, 2026 will bring faster enforcement, stricter oversight of AI, and higher expectations for transparency and ethical data practices. Organisations should update policies, strengthen governance, and embed accountability to stay ahead of regulatory demands.
EU Data Act
Reshaping business rules
The EU Data Act introduces a comprehensive framework to govern access, sharing, and use of data generated by connected devices and related services. It mandates businesses to grant users and third parties access to data they generate, ensuring fairness and transparency in contractual terms. The Act also prohibits unfair contractual clauses, especially those imposed on SMEs, and requires interoperability standards for data sharing across platforms. It sets clear rules for data portability, cloud switching, and public sector access during emergencies, while imposing obligations to protect trade secrets and personal data during sharing.
For businesses, this means they must review data-sharing agreements, implement technical measures for secure and interoperable data transfers, and update governance frameworks to comply with transparency and fairness requirements. Companies should prepare for stricter oversight on cloud portability, embed privacy and IP safeguards in data-sharing processes, and align internal policies with EU standards to avoid penalties and maintain trust. Global organisations operating in the EU must harmonise compliance strategies across jurisdictions, as the Act sets a precedent for similar regulations worldwide.
Strengthened BCBS 239
What it means for banks
Regulators have reinforced BCBS 239 (Basel Committee on Banking Supervision – Principles for Effective Risk Data Aggregation and Risk Reporting) by emphasising governance, resilience, and accountability. Boards now play a central role in overseeing risk data aggregation and reporting through structured governance frameworks, while supervisors demand accurate, auditable data architecture and granular data lineage. Compliance has evolved from periodic checks to continuous monitoring and real-time remediation, extending beyond G-SIBs (Global Systemically Important Banks) to include D-SIBs (Domestic Systemically Important Banks) and mid-sized banks. Enforcement is rigorous, with maturity assessments, on-site inspections, and penalties for non-compliance.
For businesses, this means elevating board-level accountability, upgrading legacy systems for high-quality, auditable data flows, and maintaining robust governance. Operational discipline is critical—risk data processes must be ongoing, supported by scalable, modular architectures to adapt quickly to regulatory changes. Strong risk data aggregation enables rapid risk response during market disruptions, while non-compliance invites scrutiny, fines, and restrictions. High-quality governed data also unlocks advanced analytics and AI capabilities, giving proactive institutions a competitive edge in resilience and agility.
LGPD compliance
What’s new and why it matters
Recent changes to Brazil’s LGPD (Lei Geral de Proteção de Dados Pessoais) strengthen compliance by clarifying roles, tightening consent requirements, and expanding enforcement. The ANPD guidelines redefine the Data Protection Officer (DPO) as a facilitator who is not personally liable, shifting responsibility to data controllers and exempting small processing agents from mandatory DPO appointments. LGPD applies to any processing of Brazilian residents’ data, regardless of where the business is located, and mandates transparency, purpose limitation, data minimisation, and secure handling. It introduces ten legal bases for processing, stricter rules for sensitive and children’s data, and obligations for record-keeping, Data Protection Impact Assessments (DPIAs), breach notifications, and cross-border transfer safeguards.
For businesses, this means embedding clear consent mechanisms, maintaining documented processing inventories, assessing risks continuously, and ensuring international transfers meet adequacy or contractual standards. These updates raise compliance expectations, align with global norms, and empower consumers, while offering operational flexibility for smaller entities.
Emerging AI regulations in the US
Shaping global standards
The U.S. is rapidly advancing AI regulation through a mix of federal and state-level initiatives, focusing on transparency, accountability, and risk mitigation. At the federal level, the AI Bill of Rights and Executive Order on Safe, Secure, and Trustworthy AI set guiding principles for fairness, privacy, and algorithmic accountability. Agencies like the FTC and EEOC are enforcing rules against bias and deceptive AI practices, while sector-specific guidance covers healthcare, finance, and employment. States such as California, Colorado, and Illinois have introduced laws requiring impact assessments, disclosure of automated decision-making, and consumer rights to opt out of AI-driven profiling. Emerging trends include mandatory risk classification frameworks, data governance standards, and audit trails for high-risk AI systems, aligning with global norms like the EU AI Act.
For businesses worldwide, these developments signal a shift toward proactive compliance. Companies must implement robust governance, document AI decision-making, and ensure fairness and privacy by design. Global firms operating in or with U.S. entities need to harmonise compliance strategies across jurisdictions, as U.S. rules increasingly influence international standards. Beyond risk mitigation, early adoption of ethical AI practices can enhance trust, reduce litigation exposure, and create competitive advantage in markets prioritising responsible innovation.
From compliance to competitive advantage
In 2025–26, businesses will transform data governance from a back-office compliance task into a strategic driver of trust, resilience, and innovation. Companies that embed privacy-by-design, enforce AI accountability, and implement robust risk frameworks will meet regulatory expectations and unlock competitive advantages in analytics, automation, and global interoperability. Organisations that treat governance as a continuous, technology-driven discipline will turn regulatory complexity into an opportunity to build stakeholder confidence and lead in a data-driven economy.