On 5 February 2026, a significant number of provisions under the Data Use and Access Act (DUAA) 2025 entered into force.
The DUAA was enacted on 19 June 2025 and is being implemented in stages. This latest phase, known as Commencement No. 6, brings into effect some of the most operational aspects of day-to-day data protection compliance.
Key aspects include:
- Lawfulness and purpose limitation
A new lawful basis, recognised legitimate interests, allows processing in defined scenarios without a balancing test, alongside clearer rules on how and when personal data can be reused, including for research and compatible purposes.
- Automated decision-making
Organisations can rely on a broader range of lawful bases for significant automated decisions provided appropriate safeguards are in place, opening the door to wider use of AI-driven decision-making in areas such as recruitment, lending, and service eligibility.
- International data transfers
The legal threshold for transfers has shifted to a ‘not materially lower’ standard of protection when assessed reasonably and proportionately, with new categories for transfers ‘approved by regulations’ or those ‘subject to appropriate safeguards’.
- Children’s data and Privacy by Design
Online services likely to be accessed by children must actively account for children’s welfare, applying age-appropriate protections and recognising their limited ability to understand data-related risks.
- Data subject rights
Updated rules apply to requests received from 5 February 2026 onwards, including new flexibilities around response time limits and clearer handling of requests considered ‘manifestly unfounded or excessive’.
- Direct marketing and PECR enforcement
A lighter-touch consent approach now applies to certain analytical and site-improvement cookies, charities benefit from new routes to electronic marketing, and the Information Commissioner’s enforcement powers have expanded. Maximum fines under the Privacy and Electronic Communications Regulations (PECR) now rise to £17.5M or 4% of global turnover, whichever is greater.
What organisations should do now
With these provisions now in force, organisations should focus on translating legal change into practical action, whilst preparing for the new complaints handling requirements scheduled for June.
Shane Gohil, Tech & Security Sector Lead and DPO at The DPO Centre, shares practical steps for businesses:
‘My advice to any organisation navigating these changes is straightforward. Conduct an impact assessment across your processing activities and identify where you’re most exposed to the provisions coming into force and prioritise accordingly. Use the window before the June complaints handling requirements to build or strengthen your internal resolution processes.
‘Most importantly, don’t do this in isolation. Engage your processors, your technology partners, and your supply chain because many of these obligations cascade through contractual relationships.’
More DUAA provisions are expected to follow later in 2026, giving organisations a short but valuable window to move from policy alignment to operational readiness.
If you need help understanding how the Data Use and Access Act 2025 could affect your organisation, contact your DPO or get in touch to speak to one of our experts.