The UK’s data protection landscape shifted again on 5 February 2026 with the arrival of a major implementation milestone under the Data (Use and Access) Act 2025 (DUAA). The Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026 are now in force, bringing with them the majority of changes related to data protection.

While this step was expected during the first half of 2026, the regulations have attracted surprisingly little attention and many organisations may not yet realise that DUAA’s principal data protection reforms are now live.

What has changed?

The Commencement No. 6 Regulations activate the bulk of DUAA provisions that amend or supplement the UK GDPR, PECR and the Data Protection Act 2018. Key changes now in force include:

  • Section 67 – definition of “research and statistical purposes”
  • Section 70 – updates to the lawfulness of processing
  • Section 80 – new framework for automated decision‑making
  • Section 85 – rules governing international transfers
  • Section 86 – safeguards for processing for research‑related purposes
  • Section 112 – rules governing the use of cookies
  • Section 115 – expanded ICO enforcement powers
  • Schedule 4 – the new list of “recognised legitimate interests”

This is not an exhaustive list; it focuses on areas most likely to affect everyday compliance.

As a starter for ten, our article has a good overview of the data protection changes that DUAA will bring in.

Businesses also need to be aware that the changes relating to complaints by data subjects don't come into force until 19 June 2026 and the changes to ICO governance will be later still.

Where are we with ICO guidance?

In short: we do not yet have the full picture. The ICO hasn’t yet published all the guidance businesses need to fully understand some of these changes.

Some ICO guidance has already been updated to reflect DUAA — for example, in relation to data subject access requests.

However, several other areas remain in flux:

  • Guidance under consultation:
    • Data protection enforcement procedural guidance – consultation closed 23 January 2026.
    • Storage and access technologies (cookies and similar technologies) – consultation closed; final guidance expected Spring 2026.
  • Consultations yet to be launched:
    • Automated Decision‑Making (ADM) and Profiling – consultation expected Spring 2026.
    • Anonymisation and pseudonymisation for research purposes – expected Summer 2026.

The ICO’s plans for new and updated guidance can be tracked on the ICO website.

What does this mean for enforcement?

The ICO has clarified that it will apply the law as it stands at the time an infringement took place. It will take into account the guidance available to organisations at the time of any alleged non‑compliance when assessing enforcement action under the new provisions.

This suggests a measured approach during the transition period — particularly for areas where guidance is not yet finalised, such as automated decision‑making. More detail is available in the ICO's enforcement statement.

What should businesses do next?

The bottom line is that the changes are now live. Businesses should stay alert as further ICO guidance emerges throughout Spring and Summer 2026. Compliance with the DUAA changes will be an ongoing transition throughout 2026.

Our article details a number of practical steps businesses can be taking to prepare for DUAA. These additional steps also apply:

  • Read the ICO's statement on the commencement of DUAA and on ICO enforcement.
  • Monitor the DSIT plans for commencement, now updated with the Commencement No. 6 Regulations changes.
  • Monitor the ICO website for the progress of consultations and guidance, and track the guidance closely, as it will inform your preparations.
  • Update internal compliance teams so they are aware that the new provisions have commenced.
  • Review areas impacted by DUAA, particularly around lawful bases, international transfers, cookies, and automated decision‑making.
  • Consider whether policies, training, DPIAs or governance structures may need revision in light of DUAA.

Do you want to know more about DUAA and how it might impact on your business? Or want support with updates to your privacy programme and DUAA implementation?

Simply reach out to Andrew Kimble, Katie Simmonds or Sheilah Mackie.

This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.