UK’s Data (Use and Access) Act Moves from Law to Live Obligation

The UK’s Data (Use and Access) Act crossed from legislation into operational reality. The Commencement No. 6 Regulations brought the majority of the data protection and privacy provisions in Part 5 of the DUAA into force, ending a period where the Act existed on paper but imposed no active compliance requirements on most organizations. For companies handling UK personal data, the question shifted overnight from whether the DUAA applies to what it actually requires them to do differently.

The short answer is quite a lot, though the changes are more evolutionary than revolutionary for organizations that have been operating under the UK GDPR. The provisions now in force cover research and statistical purposes, consent to processing for scientific research, lawfulness of processing, purpose limitation, data subject requests, automated decision-making, data protection by design for children, and international data transfers, among others.

Several of these changes have practical bite that goes beyond technical housekeeping. The introduction of “recognised legitimate interests” creates a presumption of legitimacy for certain processing activities under Article 6(1)(f), which should reduce the burden of documentation and balancing assessments for a defined category of routine use cases. A statutory definition of scientific research arrives alongside it, giving organizations that rely on research exemptions a clearer legal foundation than the previous framework provided. On subject access requests, ICO guidance now confirms that controllers may stop the clock on the one-month response deadline where further clarification is reasonably required, though clarification cannot be sought on a blanket basis.

The ICO’s own powers have also expanded materially. The authority can now compel witnesses to attend interviews, require technical reports, and issue fines of up to £17.5 million or 4% of global turnover under the Privacy and Electronic Communications Regulations. That last point is significant: PECR enforcement has historically been regarded as toothless relative to UK GDPR, and the DUAA changes that calculus considerably for organizations running cookie-heavy digital operations or direct marketing programs.

Two significant pieces remain pending. Section 103, which requires organizations to have a formal complaints procedure, is due to commence on June 19, 2026, approximately twelve months after the DUAA received Royal Assent. ICO governance restructuring, which involves standing up a new Board for the Commission, will follow once appointments are made. The staggered approach has not been universally welcomed. The compressed timeline, combined with the fact that much of the ICO’s supporting guidance is still outstanding, has left some organizations with limited time to prepare, a tension that the DMA has also flagged publicly, noting that ICO guidance progress has been slower than the scale of the legislative changes warrants.

One data point that compliance teams should flag immediately: there has already been a sharp increase in DSARs citing the mandatory complaints procedure from Section 103, despite that section not yet being in force. Employees and consumers are aware the right is coming even if it has not formally arrived, which means organizations should treat June 19 as a real deadline rather than a distant one.

For companies with both UK and EU operations, the adequacy picture is stable for now. In January 2026, the European Commission renewed the UK’s adequacy decisions, meaning data can continue to flow freely between the UK and EU without additional transfer mechanisms. The DUAA’s reforms were designed to diverge from the UK GDPR carefully rather than radically, and that approach appears to have preserved the adequacy relationship for the near term at least.

The ICO has published updated guidance on data protection by design and by default, including a new subsection on the children’s higher protection duty introduced by the DUAA, as well as revised SAR guidance and updated Part 3 codes of conduct for law enforcement bodies. More guidance is expected in the coming months as the remaining provisions approach their own commencement dates.
