Fri 06 Feb 2026

Major provisions of the UK Data (Use and Access) Act 2025 take effect

The Information Commissioner’s Office (ICO) has announced that the majority of the remaining provisions of the Data (Use and Access) Act 2025 (DUAA) came into force on 5 February 2026.

These newly commenced provisions cover a wide range of areas, including:

  • the meaning of research and statistical purposes
  • consent requirements for scientific research
  • lawfulness of processing
  • purpose limitation
  • data subject rights
  • automated decision making
  • data protection by design for children
  • international transfers to third countries

Further provisions concerning data subject complaints are scheduled to commence on 19 June 2026 with certain ICO governance related provisions to follow at a later date.

Enforcement and guidance

To support organisations in implementing the reforms, the ICO has updated its suite of guidance materials. In particular, the ICO has revised its Data Protection by Design and by Default guidance to include a new subsection on the DUAA’s children’s higher protection matters duty, alongside updated guidance on subject access requests.

However, the ICO has not yet published all the guidance necessary for businesses to understand some of the changes introduced by the DUAA.

The DUAA confers significant new regulatory powers on the ICO. These include the ability to compel witnesses to attend interviews, require the production of technical reports and impose substantial penalties. Under the Privacy and Electronic Communications Regulations, fines may reach £17.5 million or 4% of global annual turnover, whichever is higher, aligning with the position under the UK GDPR.

The ICO has confirmed that it will apply the law as it stood at the time an infringement occurred. It will also take into account the guidance available at the relevant time when assessing potential non-compliance. This suggests a measured and proportionate approach during the early transition period, particularly in areas where guidance remains outstanding.

Next steps for organisations

Organisations should monitor further ICO guidance as it is released throughout spring and summer 2026. Compliance will require ongoing review and adjustment as the regulatory position continues to develop.

The commencement of these provisions also presents an opportunity for organisations to innovate and enhance products and services while maintaining robust standards of personal data protection.

Although the complaints requirements will not take effect until June 2026, organisations should consider preparing now.

For more information, read our earlier blogs on the DUAA:

This article was co-written by Eve Gunson, Trainee Solicitor in our Commercial team.

Related Insights

View All

Make an Enquiry

From our offices we serve the whole of Scotland, as well as clients around the world with interests in Scotland. Please complete the form below, and a member of our team will be in touch shortly.

Morton Fraser MacRoberts LLP will use the information you provide to contact you about your inquiry. The information is confidential. For more information on our privacy practices please see our Privacy Notice