On 5 February 2026, the main changes to data protection legislation in Part 5 of the Data (Use and Access) Act 2025 (“DUAA”) came into force.

The DUAA was passed and received Royal Assent on 19 June 2025. Although some of the DUAA provisions came into force automatically, many of the reforms need to be commenced via regulations and secondary legislation before coming into effect. As a result, the Department for Science, Innovation and Technology published a staged commencement plan which sets out four stages for entry into force of the DUAA’s provisions. On 29 January 2026, the Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026 brought the majority of the key amendments to the UK’s data protection and e-privacy framework in Part 5 of the DUAA into force – commencing 5 February 2026.

The staggered commencement approach—and particularly the timing of the latest announcement, which gave organisations only a very short window before most of the DUAA provisions became operative—has drawn criticism from some commentators. This compressed timeline, combined with the fact that much of the supporting guidance from the Information Commissioner’s Office (“ICO”) is still outstanding, has left some organisations with limited time to prepare. Below we have set out some of the key changes in the DUAA which came into effect on 5 February 2026:

  • a statutory definition of scientific research to help clarify how the various provisions in the UK GDPR which refer to ‘research’ are intended to be applied;
  • the concept of ‘recognised legitimate interests’ to provide a presumption of legitimacy to certain processing activities that a controller may wish to carry out under Article 6(1)(f) UK GDPR (legitimate interests). Examples of recognised legitimate interests include activities such as direct marketing, intra-group transmission of personal data for internal administration purposes and ensuring the security of network and information systems. Several public interest related legitimate interests are also included, such as crime prevention; public security; safeguarding; emergency response; and sharing personal data to help other organisations perform their public tasks. Controllers wishing to rely on this new basis do not need to carry out an additional balancing test weighing the benefits of the processing against the impact on the rights and freedoms of the people whose personal information they are using. However, organisations should update policies to reflect the amendment, including UK privacy notices and records of processing.

    The ICO has published a consultation on draft recognised legitimate interests guidance (which has now closed) aimed at providing practical examples and clarity as to how this basis differs from the existing “legitimate interests” basis. The draft guidance clarifies that where a recognised legitimate interest is relied upon, the controller must still assess whether the processing is necessary for the purpose pursued. The draft guidance also clarifies that the right to object will apply to recognised legitimate interests (although it is not an absolute right).
  • amendments to Automated Decision Making (“ADM”) which aim to promote innovation and use of AI systems and remove the requirement to establish a qualifying lawful basis before conducting ADM (the requirement currently at Article 22(2) UK GDPR), except where special category data is used. Data subjects will still benefit from rights of objection and human intervention, and organisations will still need to carefully assess their use of ADM. The ADM changes are considered to be one of the more significant areas of reform and should help to ease the existing challenge where ADM is used in areas such as recruitment where the alternative legal bases of consent / contract necessity are problematic. However, organisations should review any use of ADM and ensure that safeguards are not only documented but operationalised – the ICO has indicated that enforcement action may be prioritised where ADM systems lack transparency or fail to offer meaningful human intervention. The ICO has also announced plans to consult on a significant update to its ADM and profiling guidance, with a statutory code of practice expected later this year.

    The DUAA also grants the Secretary of State the authority to designate new special categories of personal data and additional processing activities that fall under the prohibition of processing special category data in Article 9(1) of the UK GDPR;
  • clarifications on dealing with data subject access requests (“DSAR”), which effectively codify existing practice and ICO guidance. In particular, the DUAA clarifies that searches in response to subject access requests are limited to “reasonable and proportionate” searches and codifies “stopping the clock” where further information is required. Controllers must be able to demonstrate that clarification is reasonably required in order to respond to a DSAR, and if a clarification is requested, the time limit is paused until the information is received. Organisations should update DSAR policies and procedures to reflect these changes. Although we have seen a sharp increase in DSARs referring to the mandatory complaints procedure set out in the DUAA, section 103 of the DUAA, which requires organisations to establish a complaints procedure, has not yet come into force and is due to commence in June 2026.

    In December, the ICO published updated guidance on DSARs, which aims to interpret the changes introduced in the DUAA. The guidance confirms that controllers may ‘stop the clock’ on the one‑month response deadline where further clarification is reasonably required from the data subject to provide an effective response. The ICO also confirms that controllers cannot ask for clarification on a blanket basis; clarification may only be sought where it is reasonably required. The new guidance also aligns with the DUAA by clarifying the meaning of ‘manifestly unfounded’ and ‘manifestly excessive’;
  • changes to provisions in relation to purpose limitation, setting out when an organisation can consider a new use of personal information to be compatible with the original purpose for which it was collected;
  • amendments designed to clarify the UK’s approach to the transfer of personal data internationally and the UK’s approach to adequacy assessments. The DUAA codifies the UK’s risk‑based, outcomes‑focused approach to adequacy and international transfers, retaining flexibility for the Secretary of State to make “data bridge” determinations more autonomously and introducing the data protection test, which replaces the test of essential equivalence (under the EU regime) with a new threshold that the third country offers safeguards that are “not materially lower than” the UK.

    On 15 January 2026, the ICO published its updated guidance on international transfers. The guidance aims to consolidate previous guidance and provide clarity on the changes introduced in the DUAA. The new guidance affirms a three-step test for determining if there is a restricted transfer under the UK GDPR, asking: (1) does the UK GDPR apply to the processing of personal data being transferred; (2) is the organisation initiating the transfer of personal information to an organisation outside the UK – the ICO confirms that this should follow contractual relationships; an organisation will not be initiating the transfer if it did not design the transfer structure or architecture, nor initially choose the receiver; and (3) is the transfer to a separate legal entity from the exporter?

    Importantly, the updated guidance confirms that where a UK processor is transferring to its controller located outside the UK, the UK processor is “never making a restricted transfer, as long as it is only handling the personal information as a processor under the instructions of the controller; and transferring the personal information to the same controller that instructed the processor to do the processing.” This is because in this situation, the controller is initiating the transfer. It is also not a restricted transfer by the controller as the information is flowing to the controller itself, and not to a separate legal entity. The ICO confirms that the same principle applies when a sub-processor located in the UK transfers information to its processor located outside the UK.

    Although the amendments to the UK’s approach to the transfer of personal data internationally signal a divergence from the EU position, notably, on 19 December 2025, the European Commission renewed the UK’s adequacy decision until 27 December 2031, signalling that the UK’s current legislative and regulatory direction is not, for now, considered to compromise the overall level of protection for personal data;
  • relaxation of consent requirements for certain cookies, such as those used only to collect information for statistical purposes and improve functionality, provided an opt out is given. In practice, the cookie consent exemptions are relatively narrow and will likely be challenging for clients to adopt, particularly as an opt out is still required and organisations may not want to adopt differing approaches to those required in the EU; and
  • alignment of the UK GDPR / DPA and PECR enforcement regimes – increasing regulatory exposure under the PECR to potential fines equivalent to those under the UK GDPR. Organisations should review marketing / advertising practices to ensure compliance. The ICO has indicated that cookie compliance will be a renewed area of enforcement, particularly where organisations fail to offer meaningful opt-outs or rely on ambiguous statistical purposes.

In addition to the commencement of the main data protection provisions in the DUAA, the ICO has published its updated data protection by design and by default guidance, as well as updated guidance on Part 3 codes of conduct.

As the ICO continues to revise and update its guidance in the coming months, the impact of the changes under the DUAA and the need to manage any divergence between the UK GDPR and EU GDPR will become clearer.