Data law | UK Regulatory Outlook February 2026
Published on 26th February 2026
UK: Data (Use and Access) Act 2025 updates - Key data protection reforms in effect, new criminal offence for creating non-consensual intimate images | ICO updates - Handling data protection complaints guidance; updated guidance on international transfers; fine issued for unlawful processing of children's personal data | EU: EDPB and EDPS publish joint opinion on the Digital Omnibus | EDPB work programme 2026-2027
UK updates
Data (Use and Access) Act 2025
Key data protection reforms in effect
The Data (Use and Access) Act 2025 (DUA Act) makes a number of significant reforms to the UK General Data Protection Regulation (GDPR). The Data (Use and Access) Act 2025 (Commencement No 6 and Transitional and Saving Provisions) Regulations 2026, made on 29 January 2026, now bring many of these provisions into force as part of the Act's phased implementation.
Although the government had previously signalled that the DUA Act would be commenced in stages over roughly a year, between around August 2025 and August 2026 (meaning that the commencement regulations no. 6 were hardly unexpected), the window between their publication (on 29 January) and entry into force (on 5 February; see below) is particularly short. This compressed implementation period may pose a challenge for businesses, especially given that much of the supporting Information Commissioner's Office (ICO) guidance remains outstanding.
Some of the DUA Act's data protection provisions, brought into effect on 5 February 2026 by these commencement regulations, include:
- A new "recognised legitimate interest" lawful basis for processing data. A list of "recognised legitimate interests" (set out in Schedule 4 to the DUA Act) includes processing for certain purposes relating to security, defence, emergencies, crime and safeguarding vulnerable individuals, as well as responding to public body requests.
- An expanded range of processing purposes that are more likely to qualify as "legitimate interests", including processing for the purposes of direct marketing, intra-group transmission of personal data (whether relating to clients, employees or other individuals) where that is necessary for internal administrative purposes, and network and IT system security.
- A modernised automated decision-making framework that broadens permissible uses while preserving essential safeguards. See AI section for more information.
- A streamlined test in relation to international data transfers to assess whether the standard of data protection in the transferee country is "not materially lower" than the standard in the UK.
- Enhanced ICO enforcement powers, including the ability to issue GDPR-style fines of up to £17.5 million or 4% of global turnover under the Privacy and Electronic Communications Regulations (PECR).
- Clarification of the meaning of processing for research and statistical purposes.
See this Insight for more information on the changes under the DUA Act.
Looking ahead, controllers should prepare for 19 June 2026, when the requirement to implement data protection complaint-handling processes takes effect (see below).
New criminal offence for creating non-consensual intimate images
With only slightly more notice than the commencement regulations no. 6 (see above), the Data (Use and Access) Act 2025 (Commencement No. 5) Regulations 2026 were made on 20 January 2026 and brought into effect on 6 February 2026 the offence under the DUA Act of creating, or requesting the creation of, purported intimate images of an adult without consent, including AI-generated deepfakes. The announcement of these commencement regulations was brought forward by the government in response to heightened public and political concern following the Grok deepfake controversy (where images of people were manipulated by the chatbot to show them unclothed or in sexualised situations, without their consent), which accelerated the government's timetable for introducing criminal sanctions in this area.
ICO updates
Handling data protection complaints guidance
To help businesses acting as controllers understand their new requirements in relation to handling data protection complaints, due to come into effect on 19 June 2026 (see above), the ICO has published relevant guidance. See this Insight for more information and practical steps for businesses.
The ICO has also updated its guidance on data protection by design and by default and on subject access requests to reflect the DUA Act changes.
Updated guidance on international transfers
The ICO has updated its guidance on international transfers of personal data. According to the regulator, the revised guidance sets out the key requirements in a more accessible way, reduces complexity and supports the responsible transfer of personal information.
The guidance sets out a "three-step test" to assist organisations in determining whether they are making a restricted transfer. The ICO has also added new content in areas where recurring questions have been identified. This includes expanded sections on roles and responsibilities to reflect the realities of complex, multi-layered transfer scenarios. To support organisations, it has also introduced a brief guide, quick reference FAQs and a glossary of key terms.
This update forms part of a wider programme of work by the ICO to further refine and develop its international transfers guidance.
ICO issues a fine for unlawful processing of children's personal data
The ICO has fined MediaLab.AI, Inc., the owner of image sharing and hosting platform Imgur, £247,590 for unlawfully processing children's personal data. The ICO found that MediaLab breached the UK GDPR by:
- Failing to implement any measures to verify the users' age.
- Processing the personal information of children under 13 without parental consent or any other lawful basis when offering online services.
- Failing to conduct a data protection impact assessment to identify and reduce privacy risks to children.
The Information Commissioner has stated that this fine forms part of the ICO's broader efforts to drive improvements in how digital platforms process children's personal data, indicating that non-compliant businesses could face similar action.
ICO's Agentic AI report
See AI section.
EU updates
EDPB and EDPS publish joint opinion on the Digital Omnibus
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) have issued a joint opinion on the European Commission's proposal for a "Digital Omnibus", which proposes amendments to the EU GDPR, the ePrivacy framework and the broader EU data legislative acquis. See this Insight for more information.
The EDPB and EDPS have also published a joint opinion on the proposal for the "Digital Omnibus on AI" which seeks to simplify the implementation of certain rules under the EU AI Act. See AI section for more details.
EDPB work programme 2026-2027
The EDPB has adopted its work programme for 2026-2027 with a focus on easing compliance as a key priority. The programme is built around four pillars:
- Enhancing harmonisation and promoting compliance: the EDPB intends to develop further guidance on key issues and concepts of EU data protection law, including anonymisation, children's data and "consent or pay" models, and to develop new tools to make EU GDPR application easier, especially for SMEs (such as templates, illustrative examples, checklists, FAQs and "How to" guides). Following a consultation on the development of ready-to-use templates for organisations, the EDPB has decided to develop templates for legitimate interest assessments, records of processing activities and privacy notices/policies, in addition to the previously announced templates for data breach notifications and data protection impact assessments.
- Reinforcing a common enforcement culture and effective cooperation: the EDPB intends to enhance consistency in the application and enforcement of the EU GDPR, as well as cooperation among its members.
- Safeguarding data protection in the developing digital and cross-regulatory landscape: the EDPB intends to establish common positions and guidance in the cross-regulatory landscape (for example, joint guidelines on the interplay between the EU GDPR and the EU AI Act, the Digital Markets Act and the Digital Services Act, and on political advertising regulation), and to monitor and assess new technologies and develop guidance to promote a human-centric approach on topics including generative AI and data scraping, telemetry and diagnostic data, and blockchain technology.
- Contributing to the global dialogue on data protection: the EDPB will continue its work on EU GDPR and Law Enforcement Directive data transfer mechanisms and provide further guidance on their practical implementation.