ARTICLE
13 February 2026

UK Data Reform Becomes Reality: What This Means For You And What You Need To Do Next

Lewis Silkin

Contributor


Delayed from 19 December 2025 due to the festive season, commencement order number 6 for the Data (Use and Access) Act 2025 (DUAA) crept onto the statute books with little fanfare. In case you missed it, 5 February 2026 is the day when most of the remaining provisions of DUAA entered into force.

A swathe of provisions got the green light, including the new approach to automated decision-making (ADM), which, unless special category data is involved, moves to a "permission, but with safeguards" regime, meaning certain decisions may no longer be subject to the more severe restrictions on automated decision-making. (For more information see the ADM section of our article here).

The new UK test for data bridges (formerly known as "adequacy", pre-Brexit) also enters into force, meaning the test is now whether the standards of data protection will be "materially lower" than those applicable in the UK. (Previously the test was whether the standards were "essentially equivalent"). You may want to take advantage of the new test when completing your Transfer Risk Assessments (TRAs) for transfers from the UK, but there is no urgency to review existing TRAs as they will remain fit for purpose. (For more information see the Data Transfers section in our article here).

Also in force are the remaining amendments to the Privacy and Electronic Communications Regulations 2003 (PECR), including the headline-grabbing UK GDPR-level fines (i.e. maximum £17.5 million or 4% of global annual turnover, whichever is higher), the extension of the cookie consent rules to anyone who "instigates" the storage or access to stored data, wider enforcement powers for PECR breaches, soft opt-in for charities, the relaxation of exemptions for cookie consent where they pose a low risk to user privacy and the ICO's task of encouraging industry to produce codes of conduct. (For more information see our e-Privacy section in our article here). We know the ICO is very active when it comes to PECR breaches, so anyone taking a risk-based view on PECR requirements, particularly in respect of marketing campaigns, should be reconsidering their risk profile given the stakes have become significantly higher for non-compliance!

The remaining data rights, bar one, are also commenced, clarifying time limits for responding to data subjects' requests, the information to be provided to data subjects and fees and reasons for responses to data subjects' requests about law enforcement processing. The remaining right, yet to be commenced, is the new "right to complain" to controllers regarding general UK GDPR compliance. (For more information see the Data Rights section of our article here). This right will come into force on 19 June 2026, so if you haven't already reviewed your complaints process, worked out how to resource it given the likely increase in direct complaints and revised your privacy notices, the clock is ticking with little over four months to get your house in order. Keep an eye out for the ICO's final guidance too, which is still expected Winter 2025/2026 (even if we are now, thank goodness, through the 2025 part of Winter!).

All the new wide-ranging ICO powers are in force, bringing the ICO into line with other UK regulators. (For more information see the IC's new powers section of our article here). Again, if you haven't already familiarised yourself with the powers, it would be prudent to do so as these will change how the ICO currently conducts its investigations.

Finally, both the new "recognised legitimate interests" lawful basis and the purpose limitation clarification are also brought into force. (For more information see the relevant sections of our article here). We don't think either provision will have a huge impact on organisations; rather, they provide welcome clarity, and for most of us the legitimate interests assessment (LIA) will still be necessary, unless you fall within the narrow scope of the new "recognised legitimate interests". If this is the case and you seek to rely on this new lawful basis, you will need to update your privacy notices and ROPAs to reflect this.

We still await the changes to the ICO's structure. (For more information see the IC section of our article here). It remains to be seen when the Information Commission will come into being but with appointments to the new Board well underway it might be sooner, rather than later.

So what?

As it was third time lucky before data reform was enacted in the UK, many compliance teams preferred to wait until DUAA received Royal Assent and there was certainty about the road ahead. Now with the majority of provisions in force the direction of travel is clear, so if you haven't already refreshed your policies and privacy notices, considered your TRAs for transfers from the UK, discussed what the ADM changes mean for your organisation, what the new PECR reforms mean for your marketing strategy, how the new ICO powers will impact your approach to regulatory investigations etc. etc., now is the time to do so.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
