The sixth commencement regulations for the Data (Use and Access) Act 2025 set 5 February 2026 as the commencement date for the bulk of the Part 5 data protection and PECR reforms, with a separate start date of 19 June 2026 for the new statutory complaints duty on controllers. The Department for Science, Innovation and Technology and the ICO have consistently trailed a two‑, six‑ and twelve‑month phasing, with controllers expected to have compliant complaints processes in place by June 2026. (legislation.gov.uk)
The Act’s research provisions will now apply on a clearer statutory footing. Section 67 inserts definitions into Article 4 UK GDPR for scientific, historical and statistical research, while section 68 brings “broad consent” into the operative text for scientific research where purposes cannot be fully specified at the outset and recognised ethical standards are met. This codifies recital concepts and aims to provide legal certainty for research sponsors. (legislation.gov.uk)
Lawfulness is expanded via a new “recognised legitimate interests” gateway. Section 70 and Schedule 4 add Annex 1 to the UK GDPR, listing pre‑approved purposes such as public security, emergencies and disclosures to enable a public task, without requiring the traditional balancing test; direct marketing and intra‑group transfers are also signposted as examples under the standard legitimate interests basis. Organisations should still apply a necessity test. (legislation.gov.uk)
Time limits for data subject requests are recast. The one‑month deadline now runs from the latest of receipt of the request, receipt of identity information, or receipt of any fee for manifestly unfounded or excessive requests; controllers may extend by up to two months for complexity or multiple requests and may “stop the clock” while seeking clarification. These provisions mirror and consolidate existing ICO guidance across UK GDPR and Parts 3 and 4 of the DPA 2018. (legislation.gov.uk)
Saving provisions apply so that requests received before 5 February 2026 continue under the previous timeframe. Controllers should therefore run parallel timetables during February as legacy requests work through the system. (legislation.gov.uk)
Automated decision‑making rules are replaced. Article 22 is substituted with Articles 22A–22D, defining “meaningful human involvement”, setting safeguards that must include disclosure, an opportunity to make representations, human review and a right to contest, and restricting solely automated decisions using special category data unless explicit consent or a legal requirement applies. A decision cannot be taken on a solely automated basis where the underlying processing relies on recognised legitimate interests. Legacy decisions taken before 5 February 2026 are unaffected. (legislation.gov.uk)
A new duty strengthens privacy by design for services likely to be accessed by children. When determining appropriate technical and organisational measures under Article 25 UK GDPR, controllers must take account of “children’s higher protection matters”, including how to support and protect children and their differing needs as they develop. This sits alongside the existing Age Appropriate Design Code regime. (legislation.gov.uk)
International transfers are reorganised. Schedule 7 introduces “transfers approved by regulations” (Article 45A) based on a “not materially lower” data protection standard, updates the safeguards route under Article 46 and includes transitional provisions preserving existing adequacy and standard clauses. Exporters gain a clearer statutory test when relying on alternative transfer mechanisms. (legislation.gov.uk)
PECR definitions are tightened and the cookies framework is reshaped. Section 110 clarifies terms such as “call”, “communication” and “direct marketing”, including treatment of attempts and items not received. Section 112 substitutes regulation 6 and inserts a new Schedule A1 of exceptions: consent remains the default, but analytics for statistical improvement and appearance/functionality preferences may proceed on an opt‑out basis where clear information is given and a simple objection route is offered. (legislation.gov.uk)
Charities gain a limited soft opt‑in for email marketing. Section 114 amends regulation 22 PECR to allow charitable direct marketing to individual subscribers where contact details were gathered during expressions of interest or support and an opt‑out was provided at collection and in each message. The change aligns charity fundraising more closely with the existing soft opt‑in for commercial organisations. (legislation.gov.uk)
Enforcement under PECR is overhauled and aligned with UK GDPR. Section 115 and Schedule 13 replace the previous regime, remove the “substantial damage or distress” threshold in key areas, empower the regulator to compel witnesses and commission technical reports, and raise maximum fines for specified PECR infringements to the higher of £17.5m or 4% of global turnover. (legislation.gov.uk)
Transitional enforcement is conduct‑based. The ICO has confirmed it applies the law as it stood when the infringement occurred, moving to the new PECR powers for conduct on or after commencement and continuing legacy cases under the pre‑commencement regime. Organisations should evidence decision‑making against the guidance available at the time of the alleged breach. (ico.org.uk)
The ICO’s DPA 2018 toolkit is also expanded. Section 98 enables assessment notices to require an approved person’s report; section 99 lifts the OFSTED restriction on assessment notices; section 100 introduces interview notices; and section 101 moves penalty notice timings to “six months or as soon as reasonably practicable” after a notice of intent, with a duty to confirm when no penalty will follow. (legislation.gov.uk)
From 19 June 2026, section 103 inserts section 164A DPA 2018, creating a statutory complaints route to controllers. Controllers must acknowledge within 30 days, take appropriate steps without undue delay, inform complainants of outcomes, and may be required by regulations to notify the ICO of complaint volumes. This is signposted throughout UK GDPR information duties. (legislation.gov.uk)
Trust services and standards receive targeted updates. Sections 130 and 133 facilitate recognition of EU conformity assessment bodies and cooperation with designated overseas authorities under eIDAS, while section 132 concerns recognition of overseas trust products. These measures are intended to support market interoperability as the UK updates its trust services framework. (legislation.gov.uk)
Information standards for health and adult social care in England are broadened so that IT and IT service providers can be brought within scope of standards made under section 250 of the Health and Social Care Act 2012. Providers of relevant technology used in the NHS and adult social care should expect clearer, and potentially mandatory, technical requirements. (legislation.gov.uk)