UK Data Use and Access Act 2025 Key Provisions Commence, Extending ICO Enforcement Powers, UK, February 2026

On February 5, 2026, the next phase of the UK Data (Use and Access) Act 2025 (DUAA) commenced, bringing into force most remaining data protection provisions of the Act. The commencement was confirmed by the UK Information Commissioner's Office (ICO) in a formal statement. The only provisions not yet commenced as of that date are the requirement for organisations to have a complaints procedure (due June 19, 2026) and certain ICO governance provisions at a later date. The commencement amends the UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

The DUAA amends the UK GDPR by reforming provisions governing data subject rights, lawful processing bases, and international transfers. Critically, the Act grants the ICO new enforcement powers under PECR: the ability to compel witnesses to attend interviews, request technical reports, and issue fines of up to 17.5 million GBP or 4% of global turnover for PECR violations — raising PECR fines to the same level as UK GDPR maximum penalties. The ICO simultaneously updated its "data protection by design and by default" guidance and its subject access request guidance to reflect the Act's changes.

Organisations processing personal data of UK residents must review their data protection practices against the DUAA amendments now in force. Operators of electronic communications services must reassess PECR compliance given the materially increased penalty exposure. Businesses with AI systems that rely on UK GDPR processing bases should review those bases under the amended Act. Law enforcement bodies must update Part 3 codes of conduct following the new legislative requirements. Organisations subject to PECR — including those engaged in electronic marketing, use of cookies, and telecommunications services — face direct exposure under the new ICO enforcement powers.

The complaints procedure requirement commences on June 19, 2026, giving organisations a further four months to implement compliant internal complaints processes. ICO governance provisions will commence at a later, unspecified date. The ICO has indicated that further updated guidance is forthcoming across multiple subject areas, with details of upcoming consultations set out in its guidance plans. Organisations using AI systems in processing personal data should note that the DUAA operates alongside the ICO's existing investigations into AI systems, including the Grok investigation opened in February 2026.

Our firm advises organisations on UK data protection law compliance, including DUAA implementation, and maintains a dedicated partner network for UK and EU data protection regulatory matters. We are available to assist with DUAA gap analysis, PECR compliance reviews, updated data protection impact assessments, and ICO enforcement response. Our work covers UK GDPR compliance, PECR and e-privacy regulation, DUAA implementation, AI Act data governance, ICO investigation response, and data subject rights management.

Source: ICO, "Statement on the commencement of the Data (Use and Access) Act (DUAA)," Statement, February 5, 2026, https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/02/statement-on-the-commencement-of-the-data-use-and-access-act-duaa/

The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.