On 5 February 2026, the majority of the data protection provisions under the Data (Use and Access) Act 2025 (DUAA) came into force. The exception to this is the complaints provisions which will come into force on 19 June 2026.
The changes cover a range of matters including:
- Cookies
- DSARs
- Automated decision making
- recognised legitimate interests
- ICO powers
- Scientific research
- Fines under PECR
- International transfers
- Children’s data
The ICO has also published some guidance on its approach to DUAA saying it will apply the law as it stands at the time an infringement took place, rather than the date that they receive any complaint or report, or when the infringement was detected.
The have also said that when considering regulatory action on DUAA’s new provisions, the ICO will consider its guidance available to organizations at the time of the alleged non-compliance.
You can find out more about the ICO’s approach to regulatory action in relation to the new legislation here.
If you would like any help updating your documentation and processes in line with the DUAA changes, please get in touch by emailing hello@hellodpo.com
