News & Insight
UK data protection reform: the DUAA is now biting – 5 February and 19 June 2026 changes
The Data (Use and Access) Act 2025 (the “DUAA”) received Royal Assent in June 2025, but its provisions have been arriving in stages. We wrote about the shape of the reforms in Understanding and navigating the DUAA, and set out early action points in New UK data protection rules: top five things to now do.
The waiting is now largely over. On 5 February 2026, the Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026 brought a substantial tranche of the DUAA into force, making real changes to the UK GDPR, the Data Protection Act 2018 (the “DPA”) and the Privacy and Electronic Communications Regulations 2003 (“PECR”).
It happened with remarkably little fanfare. The commencement regulations were published only days before they took effect, and many businesses may not yet have clocked that the UK’s principal data protection reforms are now live law rather than pending law.
One further change – a new right for individuals to complain directly to a controller – follows on 19 June 2026. (And, for completeness, new criminal offences relating to the creation of intimate-image ‘deepfakes’ without consent came into force on 6 February 2026 under a separate commencement instrument – a reminder that the DUAA ranges well beyond data protection.)
So, prudently, what needs now to be done?
Organisations should not wait for the dust to settle. The changes touch international transfers, the lawful bases for processing, automated decision-making, scientific research, cookies, subject access requests and complaint handling – and several carry immediate practical consequences, not least because the ICO’s fining powers under PECR have increased thirty-five-fold. As a first step, we would suggest:
- reviewing international transfer documentation against the new ‘data protection test’, and checking that a risk assessment has actually been carried out and documented for each transfer that relies on safeguards such as standard contractual clauses;
- identifying any processing that could rely on the new ‘recognised legitimate interests’ basis, and updating privacy notices and records of processing to reflect it;
- mapping automated decision-making systems, and taking advantage of the relaxed rules for processing that does not involve special category data – while checking that the required safeguards are actually in place and working;
- reassessing research and analytics activities in light of the broader statutory definition of ‘scientific research’;
- updating cookie notices, removing consent requests for the categories of cookie that now fall within the new exemptions, and remembering that tracking pixels and similar technologies are now squarely caught;
- reviewing DSAR handling procedures against the ‘reasonable and proportionate search’ standard and the new rules on pausing or extending the response period;
- preparing a data protection complaints procedure now, ready for 19 June 2026, and updating privacy notices accordingly; and
- refreshing precedent contracts and due diligence questionnaires – the DUAA changes what ‘good’ looks like on paper, not just in practice.
We look at each of these changes, and what lies behind them, below.
International data transfers
The most far-reaching change concerns the transfer of personal data outside the UK. Previously, a transfer was only lawful if the destination benefited from an adequacy determination, if ‘appropriate safeguards’ such as standard contractual clauses were in place, or if a specific exception applied – for example, the explicit consent of the data subject.
Chapter 5 of the UK GDPR, which governs international transfers, has been rewritten. A new Article 44A frames the general principles for transfers by reference to a new ‘data protection test’, and new Articles 45A to 45C set out how the Secretary of State will apply that test when approving transfers to a third country.
The test asks whether the standard of protection in the destination is ‘not materially lower’ than the standard in the UK – a modest change of wording from the EU’s ‘essentially equivalent’ benchmark, but one that tolerates a degree of divergence between regimes and may in time lead to more jurisdictions being approved.
The changes to Article 46 matter for any organisation relying on safeguards, such as standard contractual clauses, rather than an adequacy finding. It is no longer enough simply to have the safeguards in place: the transferor must, acting reasonably and proportionately, consider that the data protection test is met for the transfer in question. Existing transfer risk assessments will not generally need redoing – the new test is, if anything, more forgiving than the old one – but the assessment itself is now a statutory requirement, so businesses relying on standard contractual clauses should check that one has actually been carried out and documented for each transfer. The ICO updated its international transfers guidance on 15 January 2026 to reflect the new test.
That is the outbound picture. Inbound, there was a separate and welcome development shortly before commencement: on 19 December 2025 the European Commission renewed the UK’s two EU adequacy decisions through to 27 December 2031, so personal data can continue to flow freely from the EEA to the UK. The renewal is subject to a mid-point review, and the European Data Protection Board has made clear that it will be watching UK divergence – including the new data protection test itself – closely. UK businesses serving EU customers should treat adequacy less as a settled fact and more as a privilege that is periodically re-examined.
A new lawful basis: recognised legitimate interests
A new lawful basis has been added to Article 6 of the UK GDPR. Processing for a ‘recognised legitimate interest’ – a closed list in a new Annex 1 covering purposes such as national security, public security and defence, responding to emergencies, the detection, investigation and prevention of crime, safeguarding vulnerable individuals and responding to requests from bodies acting in the public interest – no longer requires the familiar legitimate interests balancing test.
Separately, the DUAA confirms on the face of the legislation that purposes such as direct marketing, intra-group transfers for internal administrative purposes and network security may constitute legitimate interests in the ordinary sense. The balancing test still applies to those – the change is one of comfort and clarity rather than exemption – but the clarification should make documenting the lawful basis for such processing more straightforward.
Where either change is relied upon, privacy notices and records of processing should be updated to match. And even where no balancing test is required, it remains prudent to record why the processing is necessary: this ground can easily become contentious.
Automated decision-making
Article 22 of the UK GDPR has been replaced with new Articles 22A to 22D. The old rule was, in effect, a prohibition on solely automated decisions with legal or similarly significant effects, subject to narrow exceptions. The new rule reverses the presumption for most personal data: significant automated decisions are permitted on any lawful basis (including legitimate interests), provided safeguards are in place – individuals must be given information about the decision, be able to make representations, obtain meaningful human intervention and contest the outcome.
The stricter regime is retained where special category data – health data, for example – is involved.
For businesses deploying AI-driven tools in recruitment, credit, pricing or customer decisioning, this is the green light many have been waiting for. But it is a green light with conditions: the ICO has signalled that its scrutiny will fall on systems where the safeguards exist on paper but not in practice, and further guidance (and, in time, a code of practice) on automated decision-making is on its way.
Subject access requests
A new Article 15(1A) confirms that a controller need only carry out a ‘reasonable and proportionate’ search of its records when responding to a data subject access request – largely codifying the position the ICO and the courts had already reached. More usefully for those on the receiving end of weaponised DSARs, a new Article 12A puts the rules on pausing the response clock (for example, while identity is verified or the scope of a request is clarified) and on extending the response period for complex requests onto a statutory footing, and a new statutory exemption protects legally privileged material. The ICO has updated its subject access guidance to match, and internal DSAR procedures should be updated in turn.
Purpose limitation and the re-use of data
The DUAA also clarifies when personal data may be re-used for a purpose different from the one for which it was collected. A new framework identifies purposes treated as compatible with the original purpose – including certain research, archiving and statistical purposes and crime prevention – and lists the factors to weigh in other cases. For tech businesses sitting on large datasets and wondering what else those datasets might lawfully be used for (product analytics and model development spring to mind), this part of the Act is worth a careful read.
Protecting children online
New ‘children’s higher protection matters’ have been added to the data protection by design duty in Article 25. Providers of online services likely to be accessed by children – websites, apps, search engines, social media and the like – must take into account how children can best be protected and supported when designing their processing. In practice, that means privacy by default rather than as an opt-in, collecting only the minimum personal data necessary, writing privacy notices in age-appropriate language, and taking reasonable steps to identify child users. The ICO’s Age Appropriate Design Code already pointed in this direction; the duty now has sharper statutory teeth, and the ICO’s data protection by design guidance has been updated accordingly.
Scientific research
‘Scientific research’ is now defined in the UK GDPR to include any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity. ‘Broad consent’ to an area of scientific research is expressly permitted where it is not possible to identify every purpose at the outset, and a new Chapter 8A sets out the safeguards that apply. Commercial R&D teams – long unsure how far the research provisions stretched beyond academia – are the clear winners here.
Cookies and e-marketing: PECR grows teeth
PECR has changed in both directions at once.
On the relaxation side, consent is no longer required for certain low-risk cookies: those collecting statistical information about the use of a service, those remembering user preferences as to the appearance of a service, and those used to locate a user who has requested emergency assistance. Clear information and a simple, free opt-out must still be provided for the statistical and appearance categories, and the ‘strictly necessary’ exemption now comes with statutory examples, including automatic authentication, security, fraud prevention and fault detection. Fewer banners, in short – but not a banner-free future.
The rules also now expressly catch anyone who ‘instigates’ the storage of, or access to, information on a user’s device. Tracking pixels, browser fingerprinting and similar technologies are squarely within scope – as are the advertisers and intermediaries who deploy them, not just the operator of the website on which they sit.
Charities gain a new ‘soft opt-in’ for electronic marketing to individuals who have previously shown an interest in their work, mirroring the long-standing commercial version.
And then the sting: the ICO’s enforcement powers under PECR have been aligned with those under the UK GDPR. The old £500,000 cap on PECR fines has been replaced with a maximum of £17.5 million or 4% of worldwide annual turnover, whichever is higher. Any business that has historically treated cookie and e-marketing compliance as a lower-order concern than its UK GDPR compliance should revisit that position without delay.
The ICO’s sharper enforcement toolkit
The regulator’s investigative powers have also been expanded. The ICO can now require a controller or processor to commission – and pay for – a technical report (for example, into how a data breach occurred), compel individuals to attend interviews (with criminal consequences for false statements), and use information notices to demand specific documents, such as a data protection impact assessment or a transfer risk assessment.
The ICO has said, plainly, that these powers are live and that it can and will use them in the most serious cases even while its procedural guidance is finalised. (The planned replacement of the ICO with a new ‘Information Commission’ comes later – a change likely to alter the letterhead more than the risk profile.)
A new right to complain – 19 June 2026
From 19 June 2026, data subjects will have a statutory right to complain directly to a controller about infringements of data protection law. Controllers must facilitate complaints – including by providing a complaint form that can be completed electronically – must acknowledge a complaint within 30 days, and must respond ‘without undue delay’.
Notably, this is a UK-only innovation: there is no equivalent in the EU GDPR, so groups that treat EU compliance as their high-water mark will need a UK-specific addition. The ICO already expects individuals to raise concerns with the controller before escalating to the regulator, so this is not a change to defer. The sensible course is to put the procedure in place now – many businesses will be able to adapt an existing complaints process, though some may prefer a dedicated data protection procedure – and to update privacy notices to explain how a complaint can be made and how it will be handled.
Contracts and the next deal
Compliance programmes aside, the DUAA also changes what ‘good’ looks like on paper. Data protection clauses are rarely the most heavily negotiated part of a commercial contract, but they are drafted against a statutory backdrop – and that backdrop has now shifted. A few pressure points are worth particular attention:
- data protection schedules drafted around the old law – for example, clauses assuming that a legitimate interests assessment is always required, or naming EU-derived transfer mechanisms and the ‘essentially equivalent’ standard – should be checked against the new framework, particularly in longer-term supply and outsourcing agreements;
- liability caps, indemnities and insurance requirements negotiated by reference to PECR’s old £500,000 ceiling may now understate the realistic downside of an e-marketing or cookies breach by a wide margin – a live point in any negotiation currently in progress, not just in new contracts;
- where a supplier’s AI or automated tool makes, or feeds into, decisions about individuals, procurement contracts should reflect the new safeguards, including a route to meaningful human review; and
- on transactions, due diligence questionnaires and disclosure schedules written before the DUAA will typically be silent on recognised legitimate interests, the data protection test and the higher PECR exposure. A target’s privacy notices, records of processing and transfer assessments should be reviewed against the new regime, not just the old one – gaps are now considerably more expensive to inherit than they were twelve months ago.
None of this requires renegotiating existing contracts wholesale. But precedent documents and diligence checklists are worth a specific refresh, and these points are better raised proactively than picked up as an afterthought.
Where this leaves things
The DUAA is intended to make compliance with the UK GDPR and PECR more straightforward, and in many respects it will. Getting there, though, means reviewing policies, notices, procedures and precedents against each of the changes above – and doing so against the backdrop of a regulator with substantially greater firepower and further ICO guidance landing throughout 2026.
This piece was written by Robert Humphreys. As ever, if you would like advice on the DUAA, or would like to understand what these changes mean for your organisation or your next transaction, please don’t hesitate to contact a member of the HLaw team.
All the thoughts and commentary that HLaw publishes on this website, including those set out above, are subject to the terms and conditions of use of this website. None of the above constitutes legal advice and is not to be relied upon. Much of the above will no doubt fall out of date and conflict with future law and practice one day. None of the above should be relied upon. Always seek your own independent professional advice.
Humphreys Law
If you would like to contact a member of our team, please get in touch by filling in the form below.
"*" indicates required fields
Humphreys Law