Out-Law News
03 Feb 2026, 4:59 pm
Significant sections of UK data laws updated last summer will enter into force on Thursday.
The new rules are, among other things, relevant to using AI to make decisions; undertaking scientific research; circumstances where the purpose of data processing might change over time; and the enforcement of breaches of rules on ‘cookies’ and in relation to direct marketing.
The changes are provided for under the Data (Use and Access) Act (DUAA), which received Royal Assent last June.
Among the changes taking effect on 5 February 2026 are updated rules on automated decision-making (ADM). Their effect will be to enable ADM in many circumstances, as long as the organisation using the relevant AI or other technology implements safeguards and allows individuals affected by those decisions to make representations, obtain meaningful human intervention and challenge decisions made by solely automated means.
Data protection law expert Stephanie Lees of Pinsent Masons said: “An important consideration for controllers around this change is the requirement to provide ‘meaningful information’ to data subjects who request details on how the ADM system operates. Controllers that rely on technology provided by third parties will need to ensure their contracts enable them to call on those providers to explain how their system operates in the event a duty arises on the controller to do so.”
“Organisations operating AI systems solely in the UK will benefit from these relaxed rules and be able to rely on the ‘legitimate interests’ legal basis for processing – except where the AI system uses special category data. However, if the AI system is used within the EU and UK, organisations will have to navigate other legislative regimes governing the use of the AI system. These include the EU AI Act and EU GDPR. For example, ADM may be entailed in the operation of certain AI systems categorised as ‘high risk’ under the AI Act,” she said.
Other immediate changes concern scientific research.
The definition of ‘scientific research’ in the UK GDPR has been broadened, meaning the concept will now be able to be applied to certain commercial activities, unlike before. In tandem with this are changes to rules around consent and the purpose limitation principle.
Data protection law expert Malcolm Dowden of Pinsent Masons said: “Together, these measures promise to ease administrative burdens that can arise during a research project. Currently, if the direction of a project changes, researchers often have to pause their projects to get renewed consent to process personal data for a different purpose than was originally envisaged. The new rules envisage researchers being able to obtain a general consent at the outset that will cover changes of tack taken during the project – though researchers will need to give data subjects the option of opting out at every stage and need to document when they consider a new purpose is compatible with the one they set out pursuing.”
The Information Commissioner’s Office (ICO) will also have enhanced enforcement powers under the Privacy and Electronic Communications Regulations (PECR) from Thursday.
PECR is the framework that sets out rules regarding the placing of ‘cookies’ – and similar technologies – on devices. Website operators and advertisers often use cookies to track user behaviour online with a view to serving them personalised content that is considered to reflect the users’ interests. PECR is also the framework governing online direct marketing.
Dowden said: “At the moment, the ICO’s powers of enforcement under PECR are limited. In financial terms, the maximum fine it can issue for any breach is £500,000. From Thursday, the maximum penalties under PECR will align with those under the UK GDPR – being £17.5 million or 4% of an organisation’s annual global turnover, whichever is the highest. The ICO will also be able to exercise the full range of enforcement tools under the GDPR in respect of PECR cases – including the issuing of information notices, which carry criminal penalties for non-compliance, and enforcement notices, under which organisations can be compelled to take action to remedy infringements. At the extreme end of its powers, the ICO will also be able to issue stop orders, which would require organisations to bring an immediate halt to infringing operations.”
Other DUAA provisions will not enter into force until later in the year. From 19 June 2026, a new mandatory regime will apply to data protection complaints-handling.
One DUAA change that has not been provided for under the new regulations is the transfer of the functions of the information commissioner into a new corporate structure.
While the ICO is recognised as the UK’s data protection authority, the current rules provide for all the power of the organisation to sit with the information commissioner himself. This will change when the relevant provisions of the DUAA are brought into effect, when the commissioner’s functions will transfer to a board that could be comprised of up to 13 different people. Dowden said the change is likely to result in increased specialisms across the ICO’s enforcement.