The Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025, and the first commencement regulations have been rolling out in phases throughout late 2025 and into 2026. For compliance leads who built their data protection programmes around the 2018-era UK GDPR, the reforms are not cosmetic. Legitimate interests have been recalibrated, subject access request handling has shifted, automated decision-making rules have loosened, and the ICO itself has been restructured into the Information Commission.

The problem we keep seeing in client engagements is straightforward: firms have read the headlines about "lighter touch" data protection but have not updated their Records of Processing Activities (ROPAs), DPIA templates, or staff training. The DUA Act does not lower the bar for accountability. In several areas, it raises it — particularly around enforcement tools and the regulator's expanded powers.

This post sets out what has actually changed, what regulated firms need to do about it in 2026, and where the common implementation traps sit.

What the DUA Act actually changes

The Data (Use and Access) Act 2025 amends — not replaces — UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). The core obligations on lawful basis, security, and breach notification remain intact. What has shifted falls into five practical areas:

  • Recognised legitimate interests: A new statutory list of purposes (including safeguarding, crime prevention, and emergency response) where the balancing test is presumed satisfied. This is a genuine streamlining for controllers processing data for these specific purposes.
  • Subject access requests: Clarification of what counts as "manifestly unfounded or excessive" and a formal "stop the clock" mechanism when the controller needs clarification from the data subject. The 30-day response clock can now pause — but only if the controller proactively requests clarification.
  • Automated decision-making: Article 22 restrictions are relaxed for non-special-category data, with safeguards now framed around meaningful human review rather than outright prohibition. This is the most operationally significant change for firms using AI-driven processing.
  • International transfers: A new "data protection test" replaces the strict adequacy standard, giving the Secretary of State broader discretion on transfer mechanisms. This affects every UK firm transferring personal data outside the UK.
  • The regulator itself: The ICO becomes the Information Commission, with a board structure and expanded enforcement powers including statutory codes on AI and children's data. The new Commission has more resources and a clearer mandate to issue formal guidance.

PECR fines have also been brought into line with UK GDPR maxima — meaning the maximum penalty for nuisance calls and unlawful marketing is now substantially larger than under the previous PECR regime.

Why this matters now for regulated firms

Three pressures collide in 2026. First, the Information Commission has signalled that 2026 enforcement will focus on AI-driven processing, adtech, and SAR handling — three areas the DUA Act directly touches. Regulated firms in financial services, insurance, and healthcare are likely to be at the front of this enforcement wave.

Second, the EU is reviewing the UK's adequacy decision, currently extended to 27 December 2025 pending assessment of DUA Act changes. Losing adequacy would force EU-facing UK firms to implement Standard Contractual Clauses across every transfer route — a significant operational and contractual burden that most firms have not yet prepared for. The outcome of this review is one of the most consequential regulatory events for UK data protection in 2026.

Third, FCA-regulated firms remain bound by PS21/3 operational resilience requirements, which explicitly cover personal data processing dependencies. The DUA Act's changes to automated decision-making create a direct intersection: if your AI-driven credit scoring is an important business service under PS21/3, you must now also satisfy the DUA Act's revised Article 22 framework for meaningful human review.

For firms with EU operations, UK GDPR compliance in 2026 does not get you off the hook for EU GDPR. The two regimes are diverging, and dual-track compliance is now the operating reality. Our consultants advise maintaining both frameworks with a clear mapping document that tracks divergence points.

Practical implementation steps

Our consultants are working through the same playbook with clients across financial services, health tech, and SaaS. Do these in order:

  1. Re-baseline your ROPA. Map every processing activity against the new recognised legitimate interests list. Where you previously relied on consent or a contested legitimate interests assessment, check whether the statutory route now applies. Document any areas where you continue to rely on consent despite the new statutory list — the Information Commission will expect a rationale.
  2. Update DPIA templates. Add explicit sections for automated decision-making under the revised Article 22 framework. Document what "meaningful human review" looks like operationally — not aspirationally. The Information Commission's forthcoming statutory code will set the standard, but firms should not wait for final publication.
  3. Rewrite SAR procedures. Train your first-line responders on the new clarification mechanism. Build a documented decision tree for "manifestly unfounded or excessive" determinations. The stop-the-clock provisions are useful but must be invoked correctly — simply ignoring a SAR is still a breach.
  4. Audit international transfers. List every third-country processor. Map each to its current transfer mechanism. Prepare a contingency position for the EU adequacy review outcome expected in 2026, including pre-negotiated SCCs with EU-based processors.
  5. Refresh privacy notices. The lawful basis text on most UK websites is now out of date. So is the regulator's name — the Information Commission, not the ICO. Update both references.

Common mistakes we see

The most damaging assumption is that "lighter touch" means "less work." It does not. The DUA Act expands the regulator's toolkit, formalises enforcement codes, and lifts PECR penalties to UK GDPR levels. The net effect for compliance teams is more work, not less.

The second mistake is treating recognised legitimate interests as a blanket exemption. The statutory list is narrow. Firms applying it to general marketing analytics or HR profiling will lose that argument at enforcement. The balancing test still applies — the statutory list merely creates a presumption that must still be evidenced.

The third is ignoring the AI dimension. The Information Commission's forthcoming statutory code on automated decision-making will set the standard for what "meaningful human review" must look like. Firms deploying AI-assisted hiring, credit scoring, or fraud detection should not wait for the final code — the direction of travel is already clear from the guidance issued through 2025.

The fourth is failing to document the DUA Act transition. Organisations that cannot show they have reviewed their processing activities against the new framework will face a harder conversation during any Information Commission investigation.

Frequently asked questions about UK GDPR compliance in 2026

Do firms need to re-register with the Information Commission?

The ICO's restructuring into the Information Commission does not create a new registration requirement. Existing registrations under the Data Protection Act 2018 remain valid. However, your privacy notices and data protection documentation should be updated to reflect the new regulator name.

How does the DUA Act affect our EU GDPR obligations?

UK GDPR compliance does not satisfy EU GDPR requirements, and the two regimes are diverging under the DUA Act. If your firm processes EU resident data, you must maintain a parallel EU GDPR compliance programme. Our team recommends a dual-track ROPA that clearly separates UK and EU processing activities.

What should we do about the adequacy review risk?

Identify all personal data transfers from the EU to the UK and document their current transfer mechanism. If the UK loses adequacy, these transfers must be supported by alternative mechanisms (typically SCCs). Start negotiating SCCs with your EU-based data controllers now — the contractual discussions take longer than the paperwork.

How Pyralink helps

Pyralink Innovation Ltd is a UK cybersecurity firm led by Michael Adedeji (CISM, CISA, CC, MSc Data Science). Our team supports regulated firms through data protection regime change with three core services:

  • Fractional vCISO (from £497/month) — embedded oversight of your DUA Act transition programme, including ROPA refresh, DPIA governance, and Information Commission liaison readiness.
  • CloudAuditX — our multi-cloud auditing platform identifies personal data exposure across AWS, Azure, and GCP, including misconfigured storage, over-permissioned access, and cross-region transfer risks.
  • ISO 27001 and compliance programme management — aligning your information security management system with the revised UK data protection framework and FCA operational resilience requirements where relevant.

We carry £5M professional indemnity insurance and work with clients across financial services, healthcare technology, and B2B SaaS. No theoretical advice — our consultants have implemented these controls in production environments.

If you are unsure where your data protection programme stands against the 2026 baseline, start with a free assessment:

Run a free CloudAuditX scan →