The Government has enacted the sixth set of commencement regulations under the Data (Use and Access) Act 2025, activating many of the Act’s most operationally significant reforms to the UK’s data‑protection and electronic‑communications regime from 5 February 2026.
The Commencement No. 6 and Transitional and Saving Provisions Regulations 2026 (SI 2026/82) (https://www.legislation.gov.uk/uksi/2026/82/made) were made on 29 January 2026 and bring into force substantial elements of the Act affecting scientific research, lawful bases, purpose limitation, automated decision‑making, children’s data, international transfers, PECR enforcement, and the Information Commissioner’s powers.
From 5 February, the following key areas of the 2025 Act take effect (where not already in force):
- Scientific research framework – including the meaning of research and statistical purposes (s.67), consent for scientific research (s.68), and safeguards for research processing (s.86–87).
- Lawfulness and purpose limitation – including new rules on lawful processing (s.70), purpose limitation (s.71), and compatibility assessments (Schedule 5).
- Automated decision‑making – section 80 and Schedule 6 introduce the new ADM regime.
- Children’s higher protection matters – strengthening design‑stage protections (s.81).
- International transfers – including new transfer mechanisms and consequential amendments (s.85; Schedules 7–9).
- Privacy and Electronic Communications Regulations 2003 (PECR) reforms – including storing information on terminal equipment (s.112; Schedule 12), direct marketing by charities (s.114), and expanded enforcement powers for the ICO (s.115; Schedule 13).
- ICO powers and governance – including penalty notices (s.101), assessment notices (s.99), interview notices (s.100), and the Commissioner’s power to require reports (s.98).
- Recognised legitimate interests – Schedule 4 comes into force, enabling processing for specified public‑interest purposes without a balancing test.
- Health and adult social care information standards – section 121 and Schedule 15.
However, the new statutory duties on controllers to handle complaints from data subjects (s.103 and Schedule 10) have been delayed and will not commence until 19 June 2026, exactly one year after Royal Assent.
Transitional and saving provisions
The regulations include a number of transitional arrangements to avoid retrospective application of new duties:
- The new Subject Access (s.76) time‑limit rules do not apply to requests received before 5 February 2026.
- The automated decision‑making (s.80 & Schedule 6) (ADM) regime applies only to decisions taken ‘on or after’ 5 February 2026.
- Where the ICO issued a notice of intent to apply a s101 penalty notices, before 5 February 2026, the previous penalty regime continues to apply.
- The new duties relating to complaints handling (s.103) will apply only to complaints received on or after 19 June 2026.
With regard to PECR enforcement, the ICO may use its new investigatory powers for conduct occurring before commencement, but cannot impose sanctions for pre‑commencement conduct under the new regime. Audits and enforcement actions already underway continue under the previous rules.
The new regime for handling complaints (due to come into force on 19 June 2026) and changes to the ICO’s governance structures.
The Information Commissioner’s statement on the commencement of the Act, which includes links to various resources for organisations, can be found here.
The changes introduced by the Data (Use and Access) Act 2025 amend the UK GDPR, the Data Protection Act 2018 and PECR, and are intended to “simplify compliance, support innovation and maintain high standards of privacy protection”.
Royal Assent was granted on 19 June 2025, with commencement to follow in phases between two and twelve months from that date.
One of the most consequential reforms is a new, more permissive framework for solely automated decision making (ADM) that has legal or similarly significant effects.
Organisations will be able to rely on ADM in a broader range of circumstances, provided they implement mandatory safeguards.
These include duties to inform individuals when significant automated decisions are made about them, to allow representations and challenges, and to ensure access to meaningful human review. For law enforcement processing, similar safeguards apply, though limited exemptions exist where human intervention would prejudice investigations or national security. In such cases, a human must review the decision “as soon as practicable”.
Subject access requests: ‘reasonable and proportionate’ searches
The Act introduces a statutory “stop the clock” mechanism for subject access requests (SARs), allowing controllers to pause the one month deadline while awaiting clarification from the requester. It also confirms that organisations are required to undertake reasonable and proportionate searches, a change expected to reduce the administrative burden on public authorities handling complex or voluminous requests.
Children’s data and online services
Online services “likely to be accessed by children” must now embed children’s privacy needs at the design stage. The Government says the reforms reinforce safety by design principles and align with wider online safety duties.
Scientific research: broader definition and clearer rules
The Act clarifies that commercial research may fall within the definition of “scientific research”, and permits broad consent for related research areas. Controllers must still apply appropriate safeguards, including data minimisation and transparency.
Recognised legitimate interests
A new lawful basis – recognised legitimate interests – allows organisations to process personal data for specified public interest purposes without undertaking a balancing test. These include safeguarding, crime prevention and responding to emergencies. The Government says the change will give organisations “greater confidence” in processing for socially beneficial activities.
International transfers and cookies
The Act also simplifies the rules governing international data transfers, aiming to reduce uncertainty while maintaining adequacy compatible protections.
Separately, consent requirements for cookies and similar technologies are relaxed in certain low risk scenarios, reducing friction for routine operational uses.
Law enforcement and intelligence services
Amendments to Parts 3 and 4 of the DPA 2018 align aspects of the law enforcement and intelligence services regimes with the updated UK GDPR framework. The Government says the changes will support more efficient processing and closer cooperation between agencies.
The key changes brought about by the Act can be found here:
https://www.gov.uk/guidance/data-use-and-access-act-2025-data-protection-and-privacy-changes#data-use-and-access-act-factsheets-what-has-changed
