
DUAA 2026 — How the Data Use and Access Act Changes UK Data Protection

regulatory-update 8 min read Updated 2026-03-23

The Data (Use and Access) Act 2025 received Royal Assent in June 2025 and started coming into force in August 2025. The most significant provisions for SME data handling came into force in February 2026. It is the most substantial reform of UK data protection law since the UK retained the GDPR after Brexit.

If your privacy policy, cookie consent, or data handling practices haven’t been revisited since February 2026, you have compliance gaps. Here’s what changed, who it affects, and what you need to do.

What Changed: The Headlines

The DUAA updated five key areas:

  1. Complaint handling: The process for complaining to the ICO about data protection violations changed
  2. Lawful basis rules: The circumstances when you can process data under “legitimate interest” were clarified
  3. Cookie consent: Requirements for cookie consent and tracking were updated
  4. ICO powers: The Information Commissioner’s Office gained new enforcement powers and statutory objectives
  5. Data transfers: How data can be transferred internationally shifted slightly

For most SMEs, items 1 and 3 matter most; item 5 needs only a check of existing transfer paperwork. Item 2 (lawful basis) and item 4 (ICO powers) matter more for larger operations.

Change 1: Complaint Handling (High Impact)

What changed: The process for complaining to the ICO is now clearer and faster. The ICO has new timescales for assessing complaints and a new “early resolution” process for straightforward issues.

What this means for your business:

  • If a customer files a complaint with the ICO about your data handling, the ICO processes it faster than before
  • You may see enforcement action more quickly if a problem is identified
  • The ICO has clearer criteria for what constitutes a valid complaint, so trivial complaints might be filtered out faster (good for businesses with robust practices, risky if your practices are poor)

What to do: Make sure your privacy policy explains the ICO complaint process. Include the ICO’s contact details. Reference the DUAA framework. Example: “If you’re unhappy with how we handle your data, you can complain to the Information Commissioner’s Office at [ICO contact details].”

Change 2: Lawful Basis Clarification (Medium Impact)

What changed: The DUAA clarifies when businesses can rely on “legitimate interest” as a lawful basis for processing data. This is relevant for analytics, marketing, and security.

What this means for your business:

  • If you process data for marketing without consent (relying on “legitimate interest”), the DUAA provides clearer guidance on when this is valid
  • For analytics (Google Analytics, etc.), the rules are slightly less restrictive than under the pre-DUAA framework
  • For certain types of security scanning and fraud detection, legitimate interest is now explicitly permitted in some cases
  • You should be more specific in your privacy policy about what “legitimate interest” means for your business

What to do:

  • Review your privacy policy’s explanation of lawful bases
  • For each data processing activity, state the specific lawful basis (consent, contract, legitimate interest, legal obligation, vital interests, public task)
  • If you rely on legitimate interest, explain the balancing test you’ve done (your interest vs individuals’ rights)
  • Update the language to reflect DUAA provisions

Change 3: Cookie Consent (High Impact)

What changed: The DUAA updated cookie consent requirements under the Privacy and Electronic Communications Regulations (PECR). The standard is still “explicit consent before non-essential cookies,” but the DUAA introduces clearer definitions and new safe harbours.

Specifically:

  • “Essential” cookies (those required for the site to function technically) can be set without consent
  • “Analytics” and “Marketing” cookies still require explicit consent unless they fall squarely within one of the new safe harbours; for an SME the safe default is to keep both behind consent
  • Pre-ticked boxes are not valid consent (still)
  • Consent must be granular (separate toggles for analytics vs marketing)
  • You must offer the same functionality if someone rejects non-essential cookies

What this means for your business:

  • Many existing cookie banners never met these requirements in the first place; the DUAA’s clearer definitions make that harder to overlook, so a banner that went unchallenged in 2025 is not evidence of compliance
  • If your banner doesn’t offer separate toggles, update it
  • If your banner pre-ticks the marketing box, remove the pre-tick
  • If rejecting cookies makes the site harder to use (slower, fewer features), that’s non-compliant
  • Test your mechanism: don’t load any trackers until the user has clicked through and given consent

What to do:

  • Audit your current cookie banner. Does it block non-essential cookies until consent? If not, fix it.
  • Offer “Reject all” as prominently as “Accept all”, with separate toggles for analytics and marketing. Essential cookies need no toggle because they are always on. Not just “accept all.”
  • Test in your browser’s developer tools. Open a private window (so no earlier consent cookie is present), load the site, and don’t interact with anything. Check the Network tab for requests to Google Analytics, Facebook Pixel, or other trackers, and the Application/Storage tab for their cookies. If any fire before you’ve clicked, you’re non-compliant.
  • Use a Consent Management Platform (CMP) like Cookiebot, Osano, or iubenda if you don’t have technical resources to fix this yourself.
  • Update your privacy policy to disclose each cookie type and explain when they’re used.
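The developer-tools check in the list above can be scripted. The following is an added example, not code from this page or from any vendor it names: it lists every third-party request a page made before the visitor touched the banner, using the browser’s Performance API, and labels the trackers named above by their usual hosts. The first-party host list, the tracker host list and the `SAMPLE_ENTRIES` it runs against in Node are constructed assumptions for the example.

```javascript
// Added example (not from the page): list every off-site request a page made
// before any interaction. In a browser, run auditPreConsentRequests() in the
// DevTools console straight after a fresh load with no clicks; in Node it runs
// against the constructed SAMPLE_ENTRIES below.

const FIRST_PARTY_HOSTS = ["www.example.com", "cdn.example.com"]; // assumed site hosts

// Usual hosts for the trackers the page names; extend this list for your own stack.
// Anything off-site that matches nothing here is still reported, flagged for review.
const KNOWN_TRACKERS = [
  { name: "Google Analytics / Tag Manager", hosts: ["google-analytics.com", "googletagmanager.com"] },
  { name: "Meta (Facebook) Pixel", hosts: ["connect.facebook.net", "facebook.com"] },
];

// True when host equals the suffix or is a subdomain of it (not a substring match).
function matchesHost(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

function classifyHost(host) {
  const tracker = KNOWN_TRACKERS.find((t) => t.hosts.some((s) => matchesHost(host, s)));
  return tracker ? tracker.name : "unknown third party (review)";
}

// Performance entries carry absolute URLs; a relative URL cannot be off-site, so skip it.
function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Pure function over entries shaped like PerformanceResourceTiming ({ name, initiatorType }).
function auditRequests(entries, firstPartyHosts = FIRST_PARTY_HOSTS) {
  const findings = [];
  for (const entry of entries) {
    const host = hostOf(entry.name);
    if (host === null || firstPartyHosts.some((h) => matchesHost(host, h))) continue;
    findings.push({
      url: entry.name,
      host,
      initiator: entry.initiatorType,
      classification: classifyHost(host),
    });
  }
  return findings;
}

// Browser entry point: the resource timing buffer holds every sub-resource fetched
// since navigation (scripts, images, beacons, XHR, fetch), i.e. what fired pre-consent.
function auditPreConsentRequests() {
  if (typeof performance === "undefined" || typeof performance.getEntriesByType !== "function") {
    return [];
  }
  return auditRequests(performance.getEntriesByType("resource"));
}

// Constructed sample: what a page with unguarded tags typically fetches on load.
const SAMPLE_ENTRIES = [
  { name: "https://www.example.com/js/app.js", initiatorType: "script" },
  { name: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE", initiatorType: "script" },
  { name: "https://connect.facebook.net/en_US/fbevents.js", initiatorType: "script" },
  { name: "https://www.facebook.com/tr/?id=EXAMPLE&ev=PageView", initiatorType: "img" },
  { name: "https://widgets.thirdparty.example/chat.js", initiatorType: "script" },
];

if (typeof document === "undefined") {
  console.table(auditRequests(SAMPLE_ENTRIES));
}
```

Every row the audit returns needs a justification: strictly necessary, or covered by a consent the visitor actually recorded. A clean result is a necessary check, not a sufficient one; trackers that fire only on scroll or on a later page will not appear, so repeat it on a few pages.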

This is the highest-impact change for SME websites. Most websites we scan have non-compliant cookie consent.
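One way to implement the “code a consent check” option under What to Do Now, and to satisfy the “don’t load any trackers until consent” test above, as an added example that is neither this page’s code nor any CMP’s: non-essential scripts are declared as inert `<script type="text/plain">` tags and are only swapped for live tags once the visitor grants the matching category. The cookie name `site_consent`, the category names, the six-month expiry and the `SAMPLE_SCRIPTS` list are assumptions for the example.

```javascript
// Added example (not from the page): a minimal consent gate that keeps
// non-essential scripts unloaded until the visitor grants each category.
// Assumed markup convention for anything non-essential:
//   <script type="text/plain" data-category="analytics" data-src="https://analytics.example/collect.js"></script>
// type="text/plain" means the browser never fetches or runs it until applyConsent() swaps it.

const CONSENT_COOKIE = "site_consent";          // the consent record itself is strictly necessary
const CATEGORIES = ["analytics", "marketing"];  // one toggle each; "essential" is always on
const CONSENT_MAX_AGE = 60 * 60 * 24 * 180;     // re-ask after six months (assumed policy)

// Nothing granted until the visitor says so: no pre-ticked boxes, no implied consent.
function defaultConsent() {
  return { analytics: false, marketing: false, recorded: false };
}

// Cookie value format: "analytics:1|marketing:0". Anything missing or malformed is
// treated as "no decision recorded", which is the safe direction to fail.
function parseConsent(cookieHeader) {
  const state = defaultConsent();
  if (typeof cookieHeader !== "string") return state;
  const pair = cookieHeader.split(/;\s*/).find((c) => c.startsWith(CONSENT_COOKIE + "="));
  if (!pair) return state;
  let value;
  try { value = decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)); } catch { return state; }
  for (const part of value.split("|")) {
    const [key, flag] = part.split(":");
    if (CATEGORIES.includes(key) && (flag === "1" || flag === "0")) {
      state[key] = flag === "1";
      state.recorded = true;
    }
  }
  return state;
}

function serialiseConsent(state) {
  return CATEGORIES.map((c) => `${c}:${state[c] ? "1" : "0"}`).join("|");
}

// Pure decision: which declared scripts ({ src, category }) may load under a consent state.
function permittedScripts(state, scripts) {
  return scripts
    .filter((s) => s.category === "essential" || state[s.category] === true)
    .map((s) => s.src);
}

// Browser side: activate only the inert tags whose category is permitted.
function applyConsent(state, doc) {
  const declared = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'))
    .map((el) => ({ el, src: el.dataset.src, category: el.dataset.category }));
  const allowed = new Set(permittedScripts(state, declared));
  for (const { el, src } of declared) {
    if (!allowed.has(src)) continue;
    const live = doc.createElement("script");
    live.src = src;
    el.replaceWith(live);   // the inert tag is gone, so a second call cannot load it twice
  }
}

// Called from the banner's "Save choices" / "Accept all" / "Reject all" buttons.
function recordConsent(choices, doc) {
  const state = { ...defaultConsent(), recorded: true };
  for (const c of CATEGORIES) state[c] = choices[c] === true;   // only an explicit true counts
  doc.cookie = `${CONSENT_COOKIE}=${encodeURIComponent(serialiseConsent(state))}` +
    `; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
  applyConsent(state, doc);
  return state;
}

// Constructed sample used when run in Node (no DOM).
const SAMPLE_SCRIPTS = [
  { src: "/js/app.js", category: "essential" },
  { src: "https://analytics.example/collect.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

if (typeof document !== "undefined") {
  // On load: apply whatever was recorded earlier. With no record only essential
  // scripts run, and the banner should be shown.
  applyConsent(parseConsent(document.cookie), document);
} else {
  console.log("no record:      ", permittedScripts(defaultConsent(), SAMPLE_SCRIPTS));
  console.log("analytics only: ", permittedScripts(parseConsent("site_consent=analytics%3A1%7Cmarketing%3A0"), SAMPLE_SCRIPTS));
}
```

Wire `recordConsent({ analytics: true, marketing: false }, document)` to the banner’s save button. Two points a practitioner should know: the consent cookie itself is strictly necessary, so setting it needs no consent; and `applyConsent` only ever adds scripts, so a later withdrawal takes effect on the next page load, and cookies a tracker already set are not removed by this code.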

Change 4: ICO Objectives and Powers (Low-Medium Impact)

What changed: The DUAA gave the ICO new statutory objectives:

  • To support innovation and competition (not just privacy)
  • To promote data-driven decision-making
  • To maintain public trust in data handling

The ICO also gained new powers to conduct audits, issue enforcement notices faster, and streamline the complaints process.

What this means for your business:

  • The ICO may be more supportive of businesses trying to innovate, which can help SMEs experimenting with new services
  • But the ICO is also faster at enforcement if violations are found
  • The push toward data-driven decision-making doesn’t exempt you from the UK GDPR. Article 25’s “data protection by design and by default” obligation is unchanged; what has shifted is the tone of ICO engagement, which now weighs innovation alongside privacy

What to do: This change doesn’t require immediate action for most SMEs. Stay aware that the ICO’s approach has shifted. Don’t assume privacy restrictions are loosening — they’re not. Just know that the ICO is balancing privacy with other objectives.

Change 5: Data Transfers (Low Impact)

What changed: The DUAA rewrote the test for international transfers. Adequacy decisions and the ICO’s transfer tools (the International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses) remain the mechanisms, but both are now judged against a single “data protection test”: the standard of protection in the destination must not be materially lower than the UK’s, replacing the old “essentially equivalent” wording. The Act’s Digital Verification Services provisions are a separate part of the Act (a trust framework for certified identity-checking providers) and are not a data transfer mechanism.

What this means for your business:

  • If you transfer data to countries without a UK adequacy decision, you still need a transfer tool: the IDTA, or the UK Addendum to the EU SCCs. The EU SCCs on their own are not a valid UK transfer tool
  • For the US specifically, a recipient certified under the UK Extension to the EU-US Data Privacy Framework (the “UK-US data bridge”) is covered by adequacy and needs no additional clauses
  • The data protection test is the only new element. If your current transfers rely on the IDTA or the UK Addendum, you’re fine: no immediate change needed

What to do: If you transfer data to the US (via Google Analytics, Stripe, HubSpot, etc.), check each provider’s data processing terms: either the provider is certified under the UK-US data bridge, or its terms incorporate the IDTA or the UK Addendum to the EU SCCs. Most major services offer one of these as standard. Check your service agreements.

Phased Implementation Timeline

The DUAA was phased in across 2025 and 2026:

  • August 2025: Phase 1 (Smart Data framework, PECR breach notification, ICO objectives)
  • December 2025: Phase 2 (Digital Verification Services framework introduced)
  • February 2026: Phase 3 (Bulk of data protection provisions, including complaint handling and cookie consent rules)
  • June 2026: Full implementation expected

We’re currently post-Phase 3. If you haven’t updated your privacy policy, cookie consent, or lawful basis documentation since February 2026, you likely have gaps.

What to Do Now

  1. Update your privacy policy. It should reference the DUAA framework. Include complaint handling language that reflects the new process. State your lawful bases clearly. Date it.

  2. Fix your cookie consent. Test it in your browser. Does anything fire before you’ve clicked? If yes, it’s non-compliant. Use a CMP or code a consent check to block non-essential cookies until consent is given.

  3. Audit your third-party services. Every service you use that processes personal data should be disclosed in your privacy policy. Check that you have Data Processing Agreements with external providers.

  4. Review your lawful bases. For each data processing activity, document the lawful basis. “Consent,” “contract,” “legitimate interest” (with explanation), “legal obligation,” “vital interests,” or “public task.”

  5. Check employee data handling. If you have employees, your HR data practices should reflect DUAA provisions. Issue a staff privacy notice and review retention policies.

  6. Plan for Digital Verification Services. If your business checks people’s identities (customer onboarding, employee checks), the DUAA’s trust framework for certified digital identity providers is worth tracking as it rolls out during 2026. It is a separate part of the Act and has nothing to do with international data transfers. Monitor ICO guidance when it launches.

The most urgent item is cookie consent. This is the most visible compliance gap and the area where the ICO is focusing enforcement.

What to Watch Next

  • ICO guidance updates: The ICO is publishing detailed guidance on DUAA implementation. Subscribe to their updates.
  • Digital Verification Services: The trust framework for certified identity-verification providers is still being rolled out. Monitor the ICO website and government guidance if you rely on identity checks.
  • Case law: As the first DUAA-based enforcement actions emerge, watch how courts interpret the new provisions.
  • EU divergence: The UK and EU continue to diverge on data protection. If you serve EU customers, track how the two frameworks are evolving.

For now, the practical focus is on privacy policy updates, cookie consent fixes, and clear documentation of lawful bases. These address the February 2026 Phase 3 changes.

If you want a detailed review of your compliance posture against the updated DUAA provisions, Bartram Web screens your website, checks your privacy policy and cookie consent, and flags gaps against the current framework. The GDPR compliance checklist also covers DUAA requirements.

The Data (Use and Access) Act isn’t a revolution — it’s an evolution. Your existing privacy and data security practices are likely mostly fine. But cookie consent mechanisms from 2024 and privacy policies from 2023 need updating. Spend a day or two on these updates and you’ll be compliant with the new framework.


