The UK Data (Use and Access) Act is Now Enforceable: Action Plan for the June 2026 Mandates

June 23, 2026

On June 19, 2026, the final transition period for the UK’s landmark Data (Use and Access) Act 2025 (DUAA) officially drew to a close. Marking one of the most significant overhauls to the UK data protection framework since the introduction of the UK GDPR, this new legislation is now fully enforceable.

The DUAA represents a deliberate pivot by the UK government. While it aims to reduce administrative friction and encourage data-driven innovation, it introduces new, highly structured duties that organizations must operationalize immediately. For IT, engineering, and compliance teams, "set-it-and-forget-it" privacy policies are no longer viable.

Here is a technical and operational breakdown of the major changes that went live on June 19, 2026, and the immediate steps your team must take to stay compliant.


1. The Mandatory Statutory Complaints Process

The most immediate operational change introduced by the DUAA is the creation of a formal, statutory complaints-handling workflow.

Historically, individuals who believed their data rights were violated could immediately escalate their complaint to the Information Commissioner's Office (ICO). Under the DUAA, this workflow is inverted.

The "Controller First" Requirement

Individuals are now legally required to raise data protection complaints directly with the data controller (your organization) before they can escalate the matter to the regulator.

While this shields regulators from early-stage disputes, it places a direct, binding operational burden on businesses. Your organization must now deploy a formal, public-facing mechanism to receive, track, and resolve these disputes.

Strict SLA and Investigation Mandates

To prevent organizations from ignoring or burying consumer concerns, the DUAA mandates that controllers:

  • Acknowledge Complaints: You must acknowledge receipt of a complaint within a specified timeframe (typically 30 days or less).
  • Conduct Diligent Investigations: You must investigate the complaint and provide a clear, reasoned decision or update to the complainant without undue delay.
  • Maintain Immutable Records: Compliance teams must log all complaints, investigation steps, and outcomes to prove to regulators that the complaints channel is functioning in good faith.

2. Re-Engineering Automated Decision-Making (ADM)

For engineering teams working with AI and automated algorithms, the DUAA significantly alters the rules governing Automated Decision-Making (ADM) under the UK GDPR.

Previously, Article 22 of the UK GDPR placed a broad, default prohibition on any automated decision-making that produced legal or similarly significant effects on individuals, unless specific exceptions applied.

The Special Category Distinction

The DUAA replaces this blanket prohibition with a targeted framework:

  • Special Category Data: The strict prohibition on automated decision-making remains in place if the processing involves special categories of personal data (such as health, biometric, or ethnic data) unless explicit consent or statutory exceptions apply.
  • Standard Personal Data: For standard, non-sensitive data, the default prohibition has been lifted. Organizations are now permitted to deploy automated decision-making systems.

The Safeguard Mandate

However, this flexibility is not a free pass. If your applications use automated systems to make significant decisions, you must build robust user safeguards into your product workflows:

  1. Transparency: Inform users clearly when they are subject to an automated decision.
  2. Contestability: Provide a simple, accessible mechanism for users to challenge the decision.
  3. Human Intervention: Ensure a qualified human operator is available to review and override automated outcomes.

3. Streamlined Data Subject Access Requests (DSARs)

The DUAA also updates the rules for Data Subject Access Requests (DSARs), providing some administrative relief while clarifying compliance boundaries.

"Stopping the Clock" on Verification

One common compliance headache for engineering teams is the strict one-month deadline to respond to a DSAR, even when the requester's identity is in doubt. The DUAA codifies a "stop the clock" rule: the statutory response window is officially paused while the controller waits for the requester to verify their identity or pay a permissible fee.

"Reasonable and Proportionate" Searches

Under previous standards, organizations were often expected to conduct exhaustive searches across every backup, database, and email server to find a requester's data. The DUAA clarifies that controllers are only required to conduct "reasonable and proportionate" searches to locate personal data. This reduces the risk of malicious or vexatious requests designed to overwhelm IT resources.


4. Compliance Action Plan for Mid-2026

To align your systems with the new DUAA requirements, your engineering and compliance teams should execute the following plan:

1. Launch a Dedicated Complaints Channel

Do not let data complaints get lost in generic support inboxes. Create a dedicated email address (e.g., privacy@yourcompany.com) or a secure web form. Ensure that this channel automatically routes submissions to your compliance team and triggers a tracking ticket with built-in SLA timers to guarantee a response within the 30-day window.
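Added example, not code from the original post or from the Sigentra product: a small deadline tracker that models the "stop the clock" rule from section 3 inside the SLA timer this step describes. The 30-day window, the July 2026 dates and the pause events are constructed sample values, and `RequestClock` is a hypothetical name.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class RequestClock:
    """Deadline tracker for a DSAR or complaint whose statutory window is
    paused ("stop the clock") while the controller waits for identity
    verification or a permissible fee. Day counts are inputs, not legal advice."""
    received: date
    window_days: int
    pauses: List[Tuple[date, date]] = field(default_factory=list)  # closed pauses
    open_pause: Optional[date] = None  # start of a pause still running

    def stop_clock(self, on: date) -> None:
        # Clock stops on the day verification or a fee is requested
        if self.open_pause is not None:
            raise ValueError("clock is already stopped")
        self.open_pause = on

    def restart_clock(self, on: date) -> None:
        # Clock restarts on the day the requester verifies or pays
        if self.open_pause is None or on < self.open_pause:
            raise ValueError("no open pause to close on that date")
        self.pauses.append((self.open_pause, on))
        self.open_pause = None

    def paused_days(self, as_of: date) -> int:
        total = sum((end - start).days for start, end in self.pauses)
        if self.open_pause is not None and as_of > self.open_pause:
            total += (as_of - self.open_pause).days  # still waiting
        return total

    def deadline(self, as_of: date) -> date:
        # The original deadline moves back one day per paused day
        return self.received + timedelta(days=self.window_days + self.paused_days(as_of))

    def days_remaining(self, as_of: date) -> int:
        return (self.deadline(as_of) - as_of).days

def demo_timeline() -> dict:
    # Constructed sample: request received 1 July 2026 with a 30-day window,
    # one completed identity-check pause (5-12 July) and one opened on 20 July
    clock = RequestClock(date(2026, 7, 1), 30)
    clock.stop_clock(date(2026, 7, 5))
    clock.restart_clock(date(2026, 7, 12))
    clock.stop_clock(date(2026, 7, 20))
    return {"deadline_on_jul_12": clock.deadline(date(2026, 7, 12)).isoformat(),
            "remaining_on_jul_21": clock.days_remaining(date(2026, 7, 21)),
            "remaining_on_jul_25": clock.days_remaining(date(2026, 7, 25))}
```

While a pause is open the remaining-days figure stays constant, which is the property an SLA ticket timer should expose so the complaint is not flagged overdue during a legitimate identity check.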

2. Audit Your AI and Automated Pipelines

If your product uses machine learning, automated scoring, or algorithmic workflows to make decisions about users (e.g., credit scoring, hiring filters, or dynamic pricing), review the data inputs. If special category data is processed, verify that explicit opt-in consent is actively enforced. For all other automated decisions, ensure your user interface includes clear notice and an easy "request human review" button.

3. Update Your Privacy Policy and Consent Banners

Ensure your public-facing privacy notice is updated to describe:

  • The new UK DUAA rights.
  • How users can submit a direct complaint.
  • The safeguards in place for automated decision-making.

Automate Your Global Compliance with Sigentra

Manually tracking data protection regulations across the UK, EU, and the US is an uphill battle. With the UK DUAA now fully enforceable, compliance requires continuous, automated oversight.

Sigentra puts your digital compliance on autopilot. Our platform automatically:

  • Scans Your Applications: Instantly detects unapproved trackers, scripts, and data flows that violate UK GDPR or EU laws.
  • Audits Consent Architectures: Verifies that your cookie consent banners and privacy settings are operating correctly across geographic jurisdictions.
  • Identifies Compliance Risks: Alerts your engineering and product teams to privacy and accessibility vulnerabilities before they reach production.

Start a free Sigentra scan today and ensure your digital products meet the latest global standards.