The UK has confirmed the next tranche of its data reforms. On 29 January 2026, the Secretary of State signed the Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026. They bring a wide set of provisions into force on 5 February 2026, with a second commencement on 19 June 2026. The instrument is published on legislation.gov.uk.

For day‑to‑day operations, the changes matter in four places: how quickly organisations must answer people’s data rights requests, when electronic mail may be used for charity fundraising, what’s expected on cookies and other terminal equipment, and how automated decisions are governed. There are also updates to research processing, higher protection by design for children, cross‑border transfers and the Information Commissioner’s enforcement powers under the Privacy and Electronic Communications Regulations (PEC).

Time limits for responding to data subjects’ requests change under section 76 of the 2025 Act. Regulation 4 makes the cut‑over simple: if a controller received a request before 5 February 2026, the previous deadlines and rules continue; if it is received on or after that date, the new section 76 regime applies. Keep your queue split by received date and lock the audit trail. Example: a request that lands on 4 February 2026 follows the old timeline, including any extension rules you relied on; a request dated 6 February 2026 must be handled against the new clock. Section 77 updates what must be told to data subjects; refresh your templates accordingly.

The Act reframes fees and reasons for responses in law enforcement contexts at section 75. Public bodies and suppliers handling policing data should check that request triage notes reflect the new categories and wording from 5 February 2026. The elected‑representatives route to respond to constituents is also clarified at section 73.

A new complaints duty for controllers arrives later. Section 103 and Schedule 10, which insert section 164A duties into the Data Protection Act 2018, start on 19 June 2026. Regulation 7 confirms the duty only applies to complaints received on or after that date. Build a simple, trackable complaints workflow and publish it before the summer.

Automated decision‑making is recast at section 80, with minor and consequential changes in Schedule 6. Regulation 5 draws a clean line: decisions taken before 5 February 2026 remain under the pre‑existing UK GDPR and DPA 2018 safeguards; decisions taken on or after that date must follow the new regime. Product teams should update DPIAs, fairness tests and human‑review routes for any scoring, profiling or eligibility models that run after the changeover.

Cookies and other terminal equipment storage are updated at section 112, alongside fresh enforcement mechanics for the PEC Regulations in section 115 and Schedule 13. Regulation 8 allows the Information Commissioner (ICO) to use investigatory powers from 5 February 2026 even if the conduct predates it, but enforcement sanctions for pre‑5 February events continue under the old PEC regime, as Regulation 11 sets out. Any audits started before 5 February can be completed under the previous rules. For site owners this means refreshing consent management settings, ensuring consent logs are exportable, and double‑checking that non‑essential scripts remain off until consent is recorded. Treat 5 February 2026 as the date your cookie governance evidence needs to be camera‑ready.

Charities and their agencies gain a bespoke rule for electronic mail used in direct marketing from 5 February 2026 under section 114. Review supporter lists, lawful bases and the unsubscribe process, and make sure your privacy notices, contracts and campaign briefs reflect the new conditions. If you send on a partner’s platform, confirm the partner’s templates and suppression lists are aligned.

Cross‑border transfers are updated at section 85 with Schedules 7 to 9 covering general and law‑enforcement processing plus consequential changes. Expect fresh emphasis on documented assessments and clearer recognition routes, including provisions on co‑operation with overseas authorities and recognition of certain overseas products and EU conformity assessment bodies. Map all third‑country flows, update transfer risk assessments and ensure contracts match the new wording.

Research processing gets sharper edges. Sections 67 and 68 define research and scientific consent more precisely, while section 71 and Schedule 5 address when further processing is compatible with the original purpose. Sections 86 and 87 set safeguards for research and statistical work. Universities, health providers and analytics teams should update privacy notices, retention schedules and ethics approvals to reflect the new definitions.

Children continue to sit in a higher‑protection bracket. Section 81 makes that explicit for data protection by design. Any product that might be used by under‑18s should ship with data‑minimising defaults, prominent controls and clear, age‑appropriate explanations. Fold these expectations into sprint checklists and supplier statements of work.

There are also housekeeping changes to the penalty framework. If the ICO issued a notice of intent before 5 February 2026, Regulation 6 says the previous penalty provisions apply to that case. Meanwhile, sections 116 and 83 open the door to updated codes of conduct. Trade bodies should move early: a strong code can reduce friction at audit and give members a predictable standard the ICO recognises.

What to do now is straightforward. Snapshot your DSAR queue and mark items by received date; refresh response templates and privacy notices for the information changes; retune cookie banners and consent logs; audit any automated decisions that will run after 5 February; and brief marketing teams and agencies on the charity email rule before the next send. Use 19 June 2026 as the deadline to publish a controller complaints process and train staff.

The direction of travel is clear: faster, more transparent responses to individuals, tighter evidence around cookies and transfers, and clearer guardrails for automation and research. For most SMEs, the work is manageable in a fortnight with a single owner, a legal sign‑off and a short list of system changes. The statutory instrument gives you the dates; the rest is execution.