
PODCAST · business

The Formiti Deep Dive: Your Weekly Global Data & Compliance Briefing

Don't drown in the sea of global data regulations. The world of privacy law—from GDPR and CCPA to new international frameworks—is constantly shifting. The Formiti Privacy Pulse is your essential weekly lifeline, bringing the Formiti Data International news blog straight to your ears. We cut through the complexity to give you clear, actionable insights on the most critical developments in data protection, cybersecurity, and compliance.

What you'll get every week:

📰 The Latest Laws: Deep dives into new legislation (GDPR, CCPA, AI Acts, etc.) and what they mean for your business.

🌐 Global Scope: Coverage of landmark cases and enforcement actions across Europe, North America, and beyond.

🛡️ Practical Advice: Expert tips on building a robust privacy framework and navigating data transfers securely.

Whether you're a Compl

  1. 27

    The Invisible Border: Navigating UK GDPR, the ‘Data Use and Access Act,’ and Representative Duties in 2026

    Join Annie Garcia and Rob Healey of Formiti Data International as they take a deep dive into UK GDPR EU Representative obligations. For international organizations with no physical presence in the United Kingdom, the post-Brexit data landscape has shifted from a static set of rules to a diverging legal framework. As we approach 2026, the challenge is twofold: meeting the foundational requirement of appointing a UK GDPR Representative and adapting to the new, business-friendly but operationally complex requirements of the Data (Use and Access) Act (DUAA).

  2. 26

    The 2026 AI Reckoning: Surviving the FCA’s New Accountability Mandates Presenters: Annie Garcia & Rob Healey Run Time: 26 Mins

    In this episode, Annie Garcia and Rob Healey break down the "Accountability Crisis" facing UK Financial Services in 2026. As the FCA moves from principles to aggressive enforcement, Annie and Rob explore why "the AI did it" is no longer a legal defense. They dive deep into Agentic AI governance, SM&CR personal liability, and how firms are using Formiti’s "Zero-Gap" audits to stay ahead of the February 2026 funding and compliance deadlines.

    Key Takeaways

    What is the "Accountability Gap" in 2026 Financial AI? In 2026, the Accountability Gap refers to the disconnect between autonomous AI actions and Senior Manager liability. Annie and Rob explain that under the UK Data Use and Access Act 2025, firms must bridge this gap using Human-in-the-Loop protocols and Algorithmic Explainability to satisfy FCA Consumer Duty.

    Agentic AI Risks: Why autonomous trading agents require a physical "Kill-Switch" audit.

    SM&CR Liability: How Rob defines the "Reasonable Steps" a Senior Manager must document to avoid personal fines in 2026.

    The AI-BOM: Using an "AI Bill of Materials" to identify "Shadow AI" within your infrastructure.

    The "Secret Weapon": "Reasonable Steps"

    In 2026, the FCA’s legal "test" for Senior Managers is whether they took "Reasonable Steps" to prevent AI failure.

  3. 25

    The Foundation: Building a Global AI Inventory Moving from AI Experimentation to Institutional Governance

    In 2026, the primary risk to your organization isn't just a rogue AI—it’s the AI you don’t know you’re using. With regulations now spanning over 120 jurisdictions, the era of "Shadow AI" must end. This first step in our series focuses on creating a Global AI Inventory using an AI Bill of Materials (AI-BOM). By cataloging every model, third-party API, and dataset across your global footprint, you shift from reactive troubleshooting to proactive institutional governance.

  4. 24

    The Silicon Canal & The Smart Factory: Data Privacy & AI Governance for West Midlands Manufacturing in 2026

    Join Annie Garcia and Rob Healey as they discuss Data privacy in Manufacturing. Episode 24 explores the digital evolution of the West Midlands manufacturing sector, specifically focusing on how the Silicon Canal and Industry 4.0 are driving the adoption of smart technologies. The author highlights that as factories integrate AI and the Internet of Things, they must navigate a complex dual transformation involving both technological advancement and strict new regulatory frameworks like the UK Data (Use and Access) Act and the EU AI Act. To remain competitive and secure within global supply chains, businesses are encouraged to bridge the gap between information and operational technology through robust governance and privacy-by-design. Ultimately, the text serves as a strategic guide for manufacturers to transform regulatory risks into resilience by partnering with experts to manage data transparency and ethical AI deployment.

  5. 23

    The 2025 Privacy Reality Check – From "Tick-Box" to "Brand Trust" What Next for 2026

    Join Annie Garcia and Rob Healey from Formiti as they take a deep dive and discuss privacy compliance evolving from a business debt to a business enabler. In the early 2020s, data privacy was often treated as a "legal tax"—a series of checkboxes to satisfy auditors and avoid the dreaded GDPR fines. But as we move through 2025, the landscape has shifted fundamentally. Privacy is no longer a static target or a back-office compliance hurdle; it is a core business differentiator.

  6. 22

    The Privacy Avalanche: 2025 Roundup & The 2026 Global Outlook

    Join Annie Garcia and Rob Healey of Formiti Data International as they take a deep dive into Privacy 2025 and the Outlook for 2026. 2025 ended with a regulatory earthquake. While the EU and India solidified their strict enforcement regimes, the United States reversed course in December with a massive move toward deregulation and federal preemption. 2026 will be the year of "Conflict and Fragmentation." Organizations now face a dual challenge: complying with strict global standards (EU/Asia) while navigating a chaotic "Federal vs. State" legal battleground in the US.

  7. 21

    The Revenue Risk of Ignoring Google Consent Mode v2

    In 2024, with the enforcement of the EU’s Digital Markets Act (DMA) and the subsequent rollout of Google Consent Mode v2 (GCMv2), privacy compliance ceased to be just a legal issue. It became a critical dependency for marketing revenue. For businesses operating in or targeting the European Economic Area (EEA), ignoring GCMv2 is no longer just a compliance risk; it is a direct threat to digital advertising performance, data visibility, and ultimately, return on ad spend (ROAS).

  8. 20

    Incident Ready: A Step-by-Step Guide to Data Breach Management

    Join Annie Garcia and Rob Healey of Formiti Data International as they take a deep dive into building a structured, step-by-step approach to managing a data breach, built on the principle of Preparation, Detection, Containment, Assessment, Notification, and Remediation (PDCNAR). Effective data breach management is a testament to an organization's commitment to data privacy and security.

  9. 19

    The Hidden Value of Outsourcing: Reducing Risk When Appointing a DPO

    Join Annie Garcia and Rob Healey of Formiti Data International as they discuss this topic. The decision to appoint a Data Protection Officer (DPO) starts as a compliance necessity—a legal box that must be ticked under GDPR. However, forward-thinking leaders are realizing that the traditional model of hiring a single, internal DPO is becoming operationally inefficient and financially risky. As data privacy laws expand globally (from the EU’s AI Act to US State laws),

  10. 18

    Trump’s New AI Executive Order: Federal Preemption, Big Tech Influence, and the Fight Over State Laws

    Join Annie Garcia and Rob Healey of Formiti Data International as they take a deep dive into the latest privacy and AI law changes. On December 11, 2025, President Donald Trump signed a sweeping Executive Order (EO) designed to consolidate AI regulation at the federal level, effectively aiming to block individual states from enforcing their own AI and data safety laws. This move marks a significant shift in the US regulatory landscape, prioritizing "innovation" and "national competitiveness" over the patchwork of state-by-state protections that currently exist.

  11. 17

    Do You Need a Data Protection Officer? (Internal vs. Outsourced Guide)

    A deep dive episode with Annie Garcia and Rob Healey of Formiti Data International. Under GDPR Article 37, a DPO is mandatory if you are a public authority, your core activities involve large-scale monitoring of individuals, or you process special categories of sensitive data on a large scale.

  12. 16

    AI and GDPR Compliance: How Artificial Intelligence Impacts Data Privacy Regulations (2025 Guide)

    The impact of AI on GDPR centers on the tension between AI's need for massive datasets and GDPR's principles of data minimization and purpose limitation. Key compliance risks include automated decision-making (Article 22), lack of explainability (Black Box algorithms), and the difficulty of ensuring the 'Right to be Forgotten' within trained machine learning models.

  13. 15

    Data Privacy in Hospitality Series Part 3: Health Resorts & Spas – The Sanctuary of Sensitive Data

    Listen to the concluding podcast episode on the Hospitality Personal Data Journey. Annie Garcia and Rob Healey take a deep dive into data processing challenges in health spas. The latest topic addresses the highest-risk environment in the industry: Health Resorts, Spas, and Wellness Retreats. In this sector, the data collected isn't just about preferences; it is about physiology, mental health, and medical history. The trust placed in the operator is immense, and the regulatory burden is significantly higher.

  14. 14

    Data Privacy in Hospitality Series Part 2: Restaurants & Dining – The Menu of Digital Risks

    Listen to our latest podcast unwrapping the personal data journey of diners in our restaurants and takeaways. Annie Garcia and Rob Healey of Formiti Data International take a deep dive into the risks of non-compliance in an industry that extensively processes personal data on a huge scale.

  15. 13

    The Hotel Ecosystem – Safeguarding the Guest Personal Data Journey

    In our first episode on data privacy in hospitality, Annie Garcia and Rob Healey of Formiti Data International unwrap the following. In the modern hotel, hospitality is no longer just about a warm welcome and a clean room; it is about the "customized experience." However, customization requires data. From the moment a guest browses a room to the post-stay survey, they leave a trail of digital footprints.

  16. 12

    The New Compliance Frontier: Structuring Your Organization for the AI Era

    Join Annie Garcia, Head of Legal and Privacy, and Rob Healey, CEO of Formiti Data International, as they take a deep dive into the growing question on everyone's agenda. With Artificial Intelligence (AI) moving from a niche experiment to a core operational engine, the "set it and forget it" approach to compliance is obsolete. Organizations are now facing a critical structural question: Do we stretch our current data protection roles, or do we build something entirely new?

  17. 11

    Leveling Up Compliance: Navigating NIS2 and the Cyber Resilience Act in the Gaming Sector

    Join Annie Garcia, Head of Privacy and Legal, and Rob Healey, CEO of Formiti Data International UK, as they do a deep dive on the effects of the NIS 2 Directive and the Cyber Resilience Act (CRA) on Gaming Studios across the EU. Covering 1: The Core Challenge: The Data & The Latency; 2: Action Plan: A Strategic Roadmap; and a comprehensive Q & A Session.

  18. 10

    Proposed Revisions to GDPR and Other Digital Rules Under the 'Digital Omnibus' Package

    Join Annie Garcia, Head of Legal and Privacy, and Rob Healey, CEO of Formiti Data International, as they discuss and unravel the "Digital Omnibus" package. In a significant move to streamline the European Union's complex digital regulatory landscape, the European Commission released the "Digital Omnibus" package in late November 2025. Prompted by the findings of the 2024 Draghi Report on European competitiveness, this legislative package aims to reduce administrative burdens, clarify overlapping rules, and boost innovation without dismantling fundamental rights.

  19. 9

    The Global AI Procurement Playbook: Governance, Security, and Risk Management

    In today's podcast, Annie Garcia, Head of Privacy and Legal, and Rob Healey, CEO at Formiti Data International, discuss how AI procurement is changing the landscape of procurement. Traditional software procurement is binary: it works or it doesn't. AI procurement is probabilistic: it may work 95% of the time, hallucinate 4% of the time, and be biased 1% of the time. This playbook provides a structured framework to manage that uncertainty. It addresses the legal, security, and operational risks inherent in the AI supply chain, ensuring compliance with emerging global regulations like the EU AI Act, US Executive Order on AI, and APAC frameworks.

  20. 8

    The Great Collision: Why 2025 is the Year Privacy and AI Governance Finally Crashed

    For the last three years, we have been warned that the "AI Regulation Wave" was coming. In late 2025, it is no longer coming—it has crashed over us. For global organizations, the comfortable silos of the past are gone. The Chief Privacy Officer (CPO) can no longer just look at personal data; they must now look at fundamental rights. The Chief Technology Officer (CTO) can no longer just ship code; they must now ship conformity assessments.

  21. 7

    Malaysia’s Data Privacy Awakening: A 2025 Compliance Guide for International Organizations

    Join Annie Garcia and Rob Healey as they take a deep dive into the latest update to Malaysia's PDPA Privacy Law. Following the full implementation of the PDPA Amendment Act 2024 in June 2025, Malaysia has aligned itself with global data protection standards. For international organizations operating in Kuala Lumpur or processing Malaysian data offshore, the regulatory risk profile has shifted significantly.

  22. 6

    Deep Dive Navigating the Evolving UK Regulatory Landscape for AI in Healthcare

    Annie Garcia, Head of Legal and Privacy, and Rob Healey, CEO, discuss and take you on a deep dive on the subject of Navigating the Evolving UK Regulatory Landscape for AI in Healthcare. The UK does not yet have a single, AI‑specific health statute; instead, AI in healthcare is governed by a patchwork of existing laws, regulators, and guidance spanning healthcare services, medical devices, data protection, and professional standards. For organisations deploying or supplying AI solutions into health and social care, understanding how these regimes intersect is now a strategic and compliance imperative, not a theoretical legal question.

  23. 5

    India’s DPDP Rules 2025: A New Era of Privacy and Data Trust

    Welcome to another episode of the Formiti Privacy Pulse Deep Dive with your hosts Annie Garcia and Rob Healey where we break down the biggest shifts shaping India’s digital future. Today, we dive into an historic milestone—the enactment of the Digital Personal Data Protection (DPDP) Rules 2025.

    On November 14th, India ushered in a new era for digital privacy. The DPDP Rules set a strong, rights-based, and consent-driven framework, empowering individuals and realigning our business practices with global standards. Whether you're a startup founder, compliance officer, or simply passionate about data protection, this episode unpacks what the DPDP Rules mean for your organization—what’s changing, how to prepare, and why early action is your ticket to building trust and resilience in the digital age.

    Join us as we explore actionable steps, expert insights, and real-world strategies to help you transition smoothly into this new legal landscape. If you're ready to move from confusion to clarity on privacy, compliance, and data trust, this episode is for you!

    Stay tuned—your DPDP handbook starts right now.

  24. 4

    UK MedTech: Dual Mandate – Patient Safety & Data Privacy After the 2025 PMS Regulations

    The Core Challenge: Post-Market Surveillance (PMS) vs. Privacy

    The regulatory landscape for medical devices in Great Britain has just been fundamentally reshaped. Effective June 16, 2025, the Medical Devices (Post-market Surveillance Requirements) (Amendment) (Great Britain) Regulations 2024 introduce a mandate for manufacturers to intensify their monitoring efforts once devices are on the market. The goal is clear: faster detection of safety issues and better containment of risk.

    However, this commitment to patient safety creates a complex challenge for data privacy and compliance teams. Increased monitoring means more data collection, heightened retention risks, and faster reporting requirements, all of which must be reconciled with the UK's stringent data protection laws (UK GDPR).

    What We Cover in This Episode:

    Your hosts Annie Garcia and Rob Healey of Formiti Data International break down this critical compliance overlap, detailing how MedTech manufacturers must adapt to the new dual mandate:

    The New Regulatory Baseline: We explain the shift from guidance to mandatory law, focusing on the new requirement for a PMS Plan for every device placed on the GB market.

    Data Collection Intensifies: The new rules mandate manufacturers to actively collect a wider range of data, including patient feedback and data on "similar devices" (competitors' products). We discuss the privacy implications of this enhanced data scope.

    The Unique Data Risk of Wearables: Many modern devices (wearables, apps, continuous monitors) collect sensitive, identifiable personal data in real-time. We analyze how the new PMS obligations for trend reporting and serious incident notifications must be flawlessly integrated with UK GDPR's data minimization and breach notification rules.

    The Reporting Time Crunch: The regulations introduce shorter reporting timelines for serious incidents to the MHRA. We discuss the operational necessity of having a system that can immediately isolate, verify, and report data while maintaining compliance integrity.

    Compliance Action Plan: We conclude with a clear checklist for manufacturers on how to update their Technical Documentation and Privacy Notices to reflect the new, intensified PMS activities without violating patient data rights.

    This episode is essential for any regulatory, legal, or compliance professional dealing with medical devices in the Great Britain market.

  25. 3

    Are You Dual-Compliant? Navigating the Dual Data Laws of KSA & Egypt

    The era of "one-size-fits-all" data compliance in the Middle East is over. Many organizations operating in key markets like Saudi Arabia (KSA) and Egypt are falling into a critical compliance gap by focusing only on the national data laws (KSA PDPL, Egypt DPL) and ignoring stricter, sector-specific regulations.

    In this essential episode, your hosts Annie Garcia and Rob Healey introduce the concept of Dual-Compliance. We break down exactly why financial institutions, healthcare providers, and tech firms must answer to two masters—the national Data Protection Authority and powerful sectoral regulators like SAMA and the CBE. Ignoring these layers can lead to severe penalties and operational disruption.

    🔑 Key Discussion Points & Dual-Compliance Checklist

    We provide a roadmap for navigating the two major compliance environments:

    1. Defining Dual-Compliance: Why compliance is a layered issue in the MENA region. The national PDPL/DPL is the baseline, but the sectoral regulator holds the veto power.

    2. KSA’s Financial Gauntlet (SDAIA vs. SAMA): We detail how the Saudi Central Bank (SAMA) mandates strict Data Residency and rigorous Cloud Outsourcing requirements that go far beyond the general KSA PDPL.

    3. The Egyptian Exemption (DPL vs. CBE): Learn about the critical carve-out in Egypt's Data Protection Law: entities regulated by the Central Bank of Egypt (CBE) are exempt from the DPL. Instead, they must comply solely with the stricter Banking Law No. 194 of 2020.

    4. Cross-Border Hurdles: We discuss the complexity of moving data out of both nations, including Egypt's requirement for a mandatory PDPC permit or license for most transfers.

    🛠️ Actionable Takeaways

    Identify Your Regulator(s): Immediately determine which sectoral regulator (SAMA, CBE, MoH, etc.) has jurisdiction over your data in KSA and Egypt, in addition to the national DPA.

    Layer Your Audit: Your next compliance audit must compare your practices against both the general data law and the specific sectoral rules.

    Validate Third-Party Contracts: Scrutinize all cloud and outsourcing contracts for KSA/Egypt to ensure they meet the specific data residency and due diligence standards imposed by sectoral bodies like SAMA and the CBE.

    🔗 Resources

    Read the Article: Are You Dual-Compliant? Why the PDPL Isn't the Only Data Law You Need to Follow in KSA & Egypt

    Book Your Dual-Compliance Consultation: Connect with Formiti experts who specialize in layered MENA data law. [Insert Link to Formiti Consultation Page]

  26. 2

    Vietnam's Data Privacy Evolution: From Decree 13 (2023) to the Personal Data Protection Law (2026)

    S1 E2: Vietnam's Data Privacy Revolution: Navigating the 2026 Personal Data Protection Law

    🎧 Episode Summary

    Vietnam is undergoing a major legislative shift in data privacy. The new Personal Data Protection Law (PDPL), effective January 1, 2026, replaces the foundational Decree 13/2023/ND-CP and elevates the country’s compliance requirements to a global standard, often mirroring GDPR.

    In this essential episode, your hosts [Host 1 Name] and [Host 2 Name] break down this critical transition, explaining why this new law is a game-changer for any multinational organization operating in or engaging with the Vietnamese market. It’s no longer a minor compliance item—it's a critical financial risk.

    🔑 Key Discussion Points & Compliance Checklist

    We dive deep into the five areas that demand immediate executive-level attention:

    1. The End of the Decree Era: Why the shift from a government Decree to a high-level National Law fundamentally changes Vietnam’s standing in the global privacy landscape. We highlight the urgent need for a proactive compliance strategy before the January 1, 2026, deadline.

    2. The 5% Financial Risk: The hosts analyze the single biggest change: the introduction of revenue-based fines, which can reach up to 5% of annual revenue for severe violations. We discuss how this mirrors GDPR and demands C-suite engagement.

    3. Expanding Data Scope: We explore the expanded definition of personal data, including the challenging new coverage of non-electronic data (like physical paper files) and the specific rules targeting sectors like HR (e.g., the obligation to delete non-hired candidate data).

    4. Granular Consent Mandate: Learn about the PDPL’s strict ban on "bundled consent." Your current consent mechanisms must be updated to provide users with granular, explicit choice for every distinct data processing purpose.

    5. The Compliance Roadmap: We provide actionable steps, including the necessity of a Gap Analysis and the surprising grace period available to small businesses regarding the Data Protection Officer (DPO) and Data Protection Impact Assessment (DPIA) requirements.

    💡 Actionable Takeaways

    Stop Relying on Decree 13: Assume your current compliance status is insufficient for 2026.

    Conduct a Gap Analysis: Immediately compare your current Vietnamese data map against the 2026 PDPL requirements.

    Review HR Policies: Ensure your candidate and employee data retention periods comply with the new sector-specific rules.

    🔗 Resources

    Read the Article: Vietnam's Data Privacy Evolution: From Decree 13 (2023) to the Personal Data Protection Law (2026)

    Learn More About Privacy360: Find out how our platform manages complex global regulatory transitions, including the PDPL. [Insert Link to Privacy360 or Formiti Contact]

  27. 1

    Protecting Drivers’ Data: Obligations of Car Manufacturers in High-Tech Vehicles

    Welcome to The Formiti Privacy Pulse, your weekly deep dive into the world of global data law and compliance. Presented by Annie Garcia, Head of Legal at Formiti Data International, and Robert Healey, CEO of Formiti Data International.

    Today, we're not talking about your desktop or your smartphone. We’re talking about the most sophisticated, data-collecting device you probably own: your car.

    "We're dedicating a whole segment to the high-stakes issue of driver profiling for insurance purposes. How transparent are these algorithms? And more importantly: what rights does the driver actually have when their vehicle is constantly watching their every move? It’s a crucial question for anyone who drives a modern car. Stay with us as we shift gears and drive deep into the global challenges of automotive data privacy, right here on The Formiti Privacy Pulse."



HOSTED BY

Robert Healey


Frequently Asked Questions

How many episodes does The Formiti Deep Dive: Your Weekly Global Data & Compliance Briefing have?

The Formiti Deep Dive: Your Weekly Global Data & Compliance Briefing currently has 27 episodes available on PodParley. New episodes are automatically indexed when they're published to the podcast feed.

What is The Formiti Deep Dive: Your Weekly Global Data & Compliance Briefing about?

Don't drown in the sea of global data regulations. The world of privacy law—from GDPR and CCPA to new international frameworks—is constantly shifting. The Formiti Privacy Pulse is your essential weekly lifeline, bringing the Formiti Data International news blog straight to your ears.We cut through...

How often does The Formiti Deep Dive: Your Weekly Global Data & Compliance Briefing release new episodes?

The Formiti Deep Dive: Your Weekly Global Data & Compliance Briefing has 27 episodes. Check the episode list to see recent publication dates and frequency.

Where can I listen to The Formiti Deep Dive: Your Weekly Global Data & Compliance Briefing?

You can listen to The Formiti Deep Dive: Your Weekly Global Data & Compliance Briefing on PodParley by clicking any episode. We provide an embedded audio player for direct listening, and you can also subscribe via your preferred podcast app using the RSS feed.

Who hosts The Formiti Deep Dive: Your Weekly Global Data & Compliance Briefing?

The Formiti Deep Dive: Your Weekly Global Data & Compliance Briefing is created and hosted by Robert Healey.