June 23, 2026
On June 19, 2026, the final transition period for the UK’s landmark Data (Use and Access) Act 2025 (DUAA) officially drew to a close. The DUAA marks one of the most significant overhauls to the UK data protection framework since the introduction of the UK GDPR, and it is now fully enforceable.
The DUAA represents a deliberate pivot by the UK government. While it aims to reduce administrative friction and encourage data-driven innovation, it introduces new, highly structured duties that organizations must operationalize immediately. For IT, engineering, and compliance teams, "set-it-and-forget-it" privacy policies are no longer viable.
Here is a technical and operational breakdown of the major changes that went live on June 19, 2026, and the immediate steps your team must take to stay compliant.
The most immediate operational change introduced by the DUAA is the creation of a formal, statutory complaints-handling workflow.
Historically, individuals who believed their data rights were violated could immediately escalate their complaint to the Information Commissioner's Office (ICO). Under the DUAA, this workflow is inverted.
Individuals are now legally required to raise data protection complaints directly with the data controller (your organization) before they can escalate the matter to the regulator.
While this shields regulators from early-stage disputes, it places a direct, binding operational burden on businesses. Your organization must now deploy a formal, public-facing mechanism to receive, track, and resolve these disputes.
To prevent organizations from ignoring or burying consumer concerns, the DUAA mandates that controllers:
For engineering teams working with AI and automated algorithms, the DUAA significantly alters the rules governing Automated Decision-Making (ADM) under the UK GDPR.
Previously, Article 22 of the UK GDPR placed a broad, default prohibition on any automated decision-making that produced legal or similarly significant effects on individuals, unless specific exceptions applied.
The DUAA replaces this blanket prohibition with a targeted framework:
However, this flexibility is not a free pass. If your applications use automated systems to make significant decisions, you must build robust user safeguards into your product workflows:
The DUAA also updates the rules for Data Subject Access Requests (DSARs), providing some administrative relief while clarifying compliance boundaries.
One common compliance headache for engineering teams is the strict one-month deadline to respond to a DSAR, even when the requester's identity is in doubt. The DUAA codifies a "stop the clock" rule: the statutory response window is officially paused while the controller waits for the requester to verify their identity or pay a permissible fee.
Under previous standards, organizations were often expected to conduct exhaustive searches across every backup, database, and email server to find a requester's data. The DUAA clarifies that controllers are only required to conduct "reasonable and proportionate" searches to locate personal data. This reduces the risk of malicious or vexatious requests designed to overwhelm IT resources.
To align your systems with the new DUAA requirements, your engineering and compliance teams should execute the following plan:
Do not let data complaints get lost in generic support inboxes. Create a dedicated email address (e.g., privacy@yourcompany.com) or a secure web form. Ensure that this channel automatically routes submissions to your compliance team and triggers a tracking ticket with built-in SLA timers to guarantee a response within the 30-day window.
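As an added example (not code from the original post), the deadline logic such a tracking ticket needs for a DSAR under the "stop the clock" rule described earlier: the one-month window runs from receipt and is extended by every day spent waiting on identity verification or a permissible fee. The class and function names and the sample request are constructed for illustration.

```python
# Added example: DSAR deadline tracker implementing the "stop the clock" rule.
# Names and the sample request are constructed, not taken from any real system.
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class ClockPause:
    """A period during which the statutory window is paused."""
    reason: str                   # "identity_verification" or "fee"
    started: date
    ended: Optional[date] = None  # None while still waiting on the requester


@dataclass
class Dsar:
    received: date
    pauses: list = field(default_factory=list)


def one_month_after(d: date) -> date:
    """Calendar-month deadline, clamped to the last day of a shorter month."""
    year = d.year + d.month // 12
    month = d.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def paused_days(req: Dsar, as_of: date) -> int:
    """Days the clock has been stopped up to as_of; open pauses count to as_of."""
    total = 0
    for p in req.pauses:
        if p.started < req.received:
            raise ValueError("pause cannot start before the request was received")
        end = p.ended if p.ended is not None else as_of
        total += max(0, (min(end, as_of) - p.started).days)
    return total


def deadline(req: Dsar, as_of: date) -> date:
    """Statutory due date: one month from receipt, extended by every paused day."""
    return one_month_after(req.received) + timedelta(days=paused_days(req, as_of))


def is_overdue(req: Dsar, as_of: date) -> bool:
    return as_of > deadline(req, as_of)


def sample_report() -> dict:
    """Constructed sample: received 15 Jan, identity check pending 20-27 Jan, reviewed 1 Feb."""
    req = Dsar(received=date(2026, 1, 15),
               pauses=[ClockPause("identity_verification", date(2026, 1, 20), date(2026, 1, 27))])
    as_of = date(2026, 2, 1)
    return {"paused_days": paused_days(req, as_of),
            "deadline": deadline(req, as_of).isoformat(),
            "overdue": is_overdue(req, as_of),
            "jan31_plus_month": one_month_after(date(2026, 1, 31)).isoformat()}
```

Wire the same functions to the ticket's SLA field so the due date recalculates automatically whenever a verification or fee pause is opened or closed.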
If your product uses machine learning, automated scoring, or algorithmic workflows to make decisions about users (e.g., credit scoring, hiring filters, or dynamic pricing), review the data inputs. If special category data is processed, verify that explicit opt-in consent is actively enforced. For all other automated decisions, ensure your user interface includes clear notice and an easy "request human review" button.
Ensure your public-facing privacy notice is updated to describe:
Manually tracking data protection regulations across the UK, EU, and the US is an uphill battle. With the UK DUAA now fully enforceable, compliance requires continuous, automated oversight.
Sigentra puts your digital compliance on autopilot. Our platform automatically:
Start a free Sigentra scan today and ensure your digital products meet the latest global standards.