Statement on the commencement of the Data (Use and Access) Act (DUAA)

The next phase of the Data (Use and Access) Act (DUAA) implementation has commenced today, 5 February 2026. This means that most of the remaining data protection provisions of the Act have come into force, except for the requirement for organisations to have a complaints procedure which is due to commence on 19 June 2026 and some ICO governance provisions which will follow at a later date. 

Businesses can take the opportunities the reforms offer to grow and innovate products and services whilst continuing to maintain good standards of protection for people’s personal information.

The Department for Science, Innovation and Technology (DSIT) have outlined the provisions on their website.

We’ve published our updated by design and by default guidance. Our guidance on subject access requests (SARs) is ready to use and for law enforcement bodies, Part 3 codes of conduct has been updated.

We are continuing to produce new and updated guidance to give organisations certainty. Details of upcoming consultations and final guidance timescales are set out in Our plans for new and updated guidance. 

The Act provides the ICO with new powers, including the ability to compel witnesses to attend interviews, request technical reports, and issue fines of up to £17.5 million or 4% of global turnover under the Privacy and Electronic Communications Regulations (PECR). We have published more information on those powers and how we are regulating as the DUAA comes into force.  

Organisations can find out more about the Act and what the changes mean for them on our website or sign up to the ICO newsletter and e-shots.