UK — Data Act: Key Changes in Force in 2026

UK Data (Use and Access) Act 2025 — What DPOs Must Do Now | DPO Advisors
Regulatory Alert · February 2026

The Data (Use and Access) Act 2025 Is Now Law — Here’s What Changes

The UK’s most significant data protection reform since GDPR came into force on 5 February 2026. Three obligations are already live. One hard deadline is coming fast.

5 Feb 2026 · Most DUAA provisions entered into force
19 Jun 2026 · Deadline for formal data protection complaints procedure
3 New Powers · ICO can now compel witnesses, demand reports, require documents

February 2026 · DPO Advisors · 7 min read · UK LAW · DUAA · ICO · UK GDPR

Hard deadline — 19 June 2026. All UK data controllers must have a formal, documented data protection complaints procedure in place. Data subjects must first be able to complain to you before escalating to the ICO. This is a new legal requirement under Section 103 of the DUAA — not guidance.

19 Jun 2025 · Royal Assent — DUAA becomes law
19–20 Aug 2025 · First provisions in force
5 Feb 2026 · Main provisions in force
19 Jun 2026 · Complaints procedure deadline

A Reform, Not a Revolution

The Data (Use and Access) Act 2025 is the UK’s most substantial update to data protection law since the original implementation of the GDPR. Importantly, it amends but does not replace the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). The underlying framework stays intact — but several significant rules change.

The DUAA’s stated purpose is to strike a new balance: promoting innovation and economic growth while maintaining robust protections for individuals. For DPOs, this means new flexibilities in some areas — and new hard obligations in others.

2018
UK GDPR and Data Protection Act 2018 come into force, implementing EU GDPR post-Brexit.
2023–2024
Multiple failed attempts to pass the Data Protection and Digital Information Bill. The government resets.
19 June 2025
DUAA receives Royal Assent. First provisions come into force 19–20 August 2025.
5 February 2026
Main tranche of DUAA provisions enters force, including ICO enforcement powers, automated decision-making rules, and international transfer reforms.
19 June 2026 — Deadline
Mandatory complaints procedure fully operational. All data controllers must have a documented, accessible complaints process with electronic submission, 30-day acknowledgement, and escalation rights.

What the DUAA Actually Changes

The DUAA introduces changes across six major areas. Some are permissive — giving organisations more flexibility. Others create new compliance obligations. Here’s what every DPO needs to understand.

Data Protection Complaints
All organisations must implement a formal complaints procedure. Data subjects must complain to the controller first before going to the ICO — creating a mandatory intermediate step.
Deadline: 19 June 2026

Recognised Legitimate Interest
A new pre-approved lawful basis for specific public interest purposes: crime prevention, public security, safeguarding, and emergency response. Removes the need for a full LIA in these cases.
New

International Data Transfers
The adequacy test is reworded. The “not materially lower” standard for transfers outside the UK is updated. TRAs (Transfer Risk Assessments) replace TIAs and must be production-ready.
Updated

Automated Decision-Making
New rules on solely automated decisions replace Article 22 UK GDPR. Broader permissions for automated processing balanced by new safeguard requirements and enhanced transparency obligations.
Updated

Children & Online Services
Explicit statutory requirement to consider children’s needs when processing their data in online services. Aligns with the Age Appropriate Design Code (AADC).
Explicit

Research & Scientific Use
Clarifies when personal data can be repurposed for scientific research — including commercial research. Privacy notices no longer need to mention re-use if individual notification would require disproportionate effort.
Clarified

The ICO Has New Teeth

The DUAA significantly strengthens the ICO’s investigatory and enforcement arsenal. These changes are already in force as of 5 February 2026. Organisations should update their internal incident response plans accordingly.

ICO’s Expanded Powers — In Force Now

Sections 96–101 DUAA · Effective 5 February 2026

  • Information Notices — Document Production
    Existing power clarified to explicitly include the production of documents. The ICO can now formally compel organisations to hand over records, files, and evidence as part of an investigation.
  • Assessment Notices — Commissioned Reports
    New power to require organisations to commission and pay for an independent forensic or technical report to assist the ICO’s investigation. The organisation bears the cost.
  • Interview Notices — Compelled Witnesses
    Entirely new power. The ICO can require named individuals to attend a formal interview and answer questions under investigation. Non-compliance increases penalties and can result in prosecution.
  • Tightened Penalty Timelines
    Final penalty notices must now be issued within 6 months of a notice of intent, or as soon as reasonably practicable. The ICO must also formally notify if it decides not to impose a penalty.

Separately, the DUAA restructures the ICO itself. The organisation will be renamed the Information Commission — Paul Arnold was appointed its first CEO in June 2025. All internal documentation referencing “the ICO” as a legal entity should begin tracking this transition.


Building Your Complaints Procedure — Before 19 June 2026

This is the most operationally complex new obligation. Under Section 103 DUAA (inserting Section 164A into the DPA 2018), every data controller must have a formal complaints procedure in place. The ICO’s draft guidance proposes outcomes be provided within 3 months in normal circumstances.

What the Procedure Must Include

Based on ICO guidance and Mayer Brown analysis of Section 103 DUAA requirements

  1. Accessible submission channels — An electronic complaints form is mandatory. Alternative routes (email, post) must also be available. The process must be open to anyone, not just customers or employees.
  2. Prominent placement — The complaints process must be easy to find: prominently linked from your privacy notice, website footer, and any relevant service pages.
  3. 30-day acknowledgement — All complaints must be acknowledged within 30 calendar days of receipt. This is a hard requirement, not a target.
  4. Meaningful investigation — You must take “appropriate steps without undue delay”, make reasonable enquiries, and keep the complainant informed of progress throughout.
  5. Plain-language outcome — Final decisions must be communicated clearly, in accessible language, within ~3 months (ICO draft guidance). Individuals must be told of their right to escalate to the ICO.
  6. Documented governance — Maintain a central complaint log tracking: receipt date, actions taken, outcome, and escalation history. Report regularly to senior management.
  7. Staff training — Train all customer-facing, HR, IT, and operations staff to recognise and correctly escalate data protection complaints.

UK vs EU — Key Divergence Points

Area | UK (Post-DUAA) | EU (GDPR)
Lawful Basis | New “Recognised Legitimate Interest” for pre-approved purposes | Standard 6 bases — no pre-approved shortcuts
Complaints | Controller-first mandatory step before ICO escalation | Data subjects can go direct to DPA
Transfers | New TRA framework replaces TIA — reworded adequacy test | SCCs + TIA remain the standard mechanism
Auto. Decisions | Replaces Article 22 — broader permissions + new safeguards | Article 22 prohibitions remain strict
Research re-use | Notice exemption if disproportionate effort | Generally requires individual notification

Three Things to Do Now

ACTION 01
Build your complaints procedure
Draft your policy, create an electronic submission form, set up a central complaints log, train relevant staff, and link the procedure from your privacy notice. This is a legal requirement, not a best practice.
By 19 June 2026

ACTION 02
Audit DPIAs and Transfer Assessments
Ensure all DPIAs are documented, current, and signed off. Replace any TIAs with TRAs under the new transfer framework. Both will be primary evidence if the ICO issues an assessment notice.
Now — In force

ACTION 03
Prepare for ICO interviews & notices
Map your internal response process: who receives an ICO notice, who is the designated legal lead, who controls document production. Update incident response plans to include the new interview notice scenario.
Now — In force

ACTION 04
Update documentation & privacy notices
References to “the ICO” as a legal entity should begin transitioning to “the Information Commission”. Review privacy notices, DPAs, and internal policies against all DUAA changes — especially if you process children’s data or run automated decisions.
Ongoing in 2026

Need Help Building Your DUAA Compliance Programme?

DPO Advisors can assess your current posture against the DUAA requirements, draft your complaints procedure, and prepare your team for the new ICO enforcement landscape — fast.
