UPDATED ICO GUIDANCE (February 2026)
17/02/2026
The Data (Use and Access) Act 2025 (Commencement No 6 and Transitional and Saving Provisions) Regulations 2026 (SI 2026/82) (Regulations) were made on 29 January 2026 and bring into force specific provisions of the Data (Use and Access) Act 2025 (DUA Act) on 5 February and 19 June 2026, amending the UK GDPR and Data Protection Act 2018.
The DUA Act provides the ICO with new powers, including the ability to compel witnesses to attend interviews, request technical reports, and issue fines of up to £17.5 million or 4% of global turnover under the Privacy and Electronic Communications Regulations (PECR).
In particular, employers should be aware of the following areas:
1. Data Subject Access Requests (DSARs)
- Simplified process: Employers must respond to DSARs more efficiently, with clearer timelines and a clarified scope for extensions.
- Clarity of refusal grounds: The DUA Act narrows the circumstances under which requests can be refused, requiring detailed justification.
- Electronic access emphasis: Employees should be able to access their data digitally, with secure formats encouraged.
2. International Data Transfers
- New transfer mechanisms: The DUA Act introduces streamlined rules for cross‑border data transfers, replacing some of the older adequacy and safeguard models.
- Recognised legitimate interests: Employers may rely on “recognised legitimate interests” for certain transfers, provided risks are assessed and documented.
- Greater accountability: Organisations must demonstrate compliance through updated records and risk assessments when transferring employee data abroad.
3. Complaint Handling (In force from 19 June 2026)
- Mandatory procedure: From 19 June 2026, all organisations must have a complaints procedure for data protection issues.
- Transparency: Employees must be informed of how to raise complaints and the expected timelines for resolution.
- ICO oversight: The Information Commissioner’s Office will monitor compliance, and failure to implement a procedure could lead to enforcement action.
In more detail: Data Subject Access Requests (DSARs)
In relation to data subject access requests (DSARs), in December 2025 the ICO published updated Guidance reflecting recent DUA Act amendments, which essentially codified existing practice and ICO Guidance.
How organisations handle subject access requests is the ICO’s most complained-about issue, so the purpose of the Guidance is to remind organisations of their responsibilities under the law.
In particular, the DUA Act and Guidance clarify that:
- Searches in response to DSARs must be “reasonable and proportionate” – organisations are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.
- Employers can “stop the clock” on the one‑month response deadline if further clarification is reasonably required from the data subject. Controllers must be able to demonstrate that clarification is genuinely necessary to provide an effective response. Clarification requests cannot be made on a blanket basis – only where reasonably required.
- Employers can extend the time to respond by a further two months if the request is complex or there are a number of requests from the same person. The clock can likewise be stopped, for example, where the organisation requires information to confirm the identity of the person the information is about, or information to confirm that a third party is authorised to act on behalf of that person.
- The Guidance clarifies the meaning of “manifestly unfounded” and “manifestly excessive” requests, in line with the DUA Act. The ICO emphasises that this is a high threshold, and we recommend that any organisation wishing to rely on this should first carefully read the Guidance and the examples provided.
You can view the updated Right of Access guidance here.
In more detail: Updated ICO Guidance on International Data Transfers (9 February 2026)
On 16 January 2026, the ICO updated its guidance on international data transfers.
The previous Guide to International Transfers has now been broken down into more detailed, topic‑specific guides. This includes a new, expanded guide explaining when a transfer is considered “restricted”, who is responsible for complying with the rules, and how employers can meet their obligations under the UK GDPR.
You should pass this Guide to the persons responsible for data in your workplace if you transfer employee, customer, or client data outside the UK, or if you advise others on doing so.
What has changed?
The ICO has:
- Expanded its explanation of what is and isn’t a restricted transfer.
- Introduced a clearer three‑step test.
- Provided more practical examples.
- Added new content on who is responsible for complying with transfer rules.
- Clarified key responsibilities for organisations making international transfers.
The aim is to help organisations understand when the rules apply, how to make a restricted transfer, and who must comply.
The ICO has released two introductory videos to support the new guidance.
The first video focusses on “What is a transfer?” and explains:
- What counts as a restricted transfer.
- Common questions about when the rules apply.
- Who is responsible for complying with the transfer rules.
- Practical scenarios to illustrate the principles.
Important note: In the video, step 2 of the three‑step test focuses on whether information is being transferred outside the UK. In the updated written guidance, the ICO has refined this. Step 2 now focuses on who is initiating the transfer to an organisation outside the UK. If your organisation is not initiating the transfer, then it is not a restricted transfer for you.
This is a helpful clarification for employers who rely on third‑party processors or cloud‑based systems.
The second video explains how to make restricted transfers in a compliant way. Employers must ensure that any transfer is covered by:
- Adequacy regulations, or
- Appropriate safeguards, or
- A relevant exception.
For those who require further advice on this area, on 10 March 2026 the ICO is hosting a one-hour webinar to support the launch of the updated guidance on international transfers.
In more detail: Handling Data Protection Complaints
On 12 February 2026, the ICO published its final complaints procedure guidance. Under the DUA Act, organisations must have a clear and accessible process for handling data protection complaints by 19 June 2026.
A complaint can come from anyone who believes their personal information has been handled in a way that infringes data protection law, so having the right procedures in place is essential.
The new guidance adopts the now familiar wording used by the ICO, setting out what organisations must, should and could do to comply with the changes to the law. It includes practical tips and advice for each stage of the process to help DPOs and organisations build a robust approach.
The Guidance has been published well in advance of the obligation to have an effective complaints procedure becoming law on 19 June 2026.