The law has changed.
Here is what it means for you.
The Data (Use and Access) Act 2025 came into force on 5 February 2026. Most of your existing compliance still stands. There are four things that are new — and one deadline you need to meet.
From that date, individuals have a statutory right to complain directly to your business about a data breach. You must have a written complaints procedure, a complaint log, and an updated privacy notice in place before that date. This is a fixed legal deadline — not guidance.
What Changed on 5th February 2026?
IN FORCE NOW - Cookie consent fines increased dramatically
The maximum PECR fine has risen from £500,000 to £17.5 million — the same level as a data breach. A banner that says "we use cookies" without a real Reject option is now a much higher-risk position.
IN FORCE NOW - AI-assisted decisions now require three safeguards
Using AI to inform significant decisions about clients is now permitted — but only if you tell them AI was involved, give them the right to contest it, and offer a route to human review.
IN FORCE NOW - Creating deepfake intimate images is now a criminal offence
Section 138 of the Act creates criminal liability for AI-generated intimate images without consent. Relevant to anyone using AI image tools with client photographs.
Deadline: 19 June 2026 - Formal complaints procedure becomes mandatory
Individuals gain a statutory right to complain directly to you — not just to the ICO. You must acknowledge within 30 days and keep a documented log of every complaint.
What did not change.
Special Category Data rules are unchanged.
Health records, biometric data, mental health disclosures — strict Article 9 rules apply in full. The Act's relaxed AI decision rules do not extend to this data.
Data Processing Agreements are unchanged.
Every AI tool processing personal data on your behalf still requires a written DPA. Free consumer accounts without DPAs remain unlawful for client data. Our Platform DPA Checker findings remain current.
72-hour breach notification is unchanged.
The requirement to notify the ICO within 72 hours of a notifiable breach remains in full force.
UK–EU data flows are unchanged.
The UK adequacy decision was renewed in December 2025 until 2031. Your international transfer obligations are unaffected.
What you need to do NOW
Meet the June 2026 deadline
The AI Safe Legal Pack includes a complaints procedure template, a complaint log, and an updated privacy notice — everything required before 19 June.
Not sure where you stand?
Start with your profession's Industry Action Guide. It covers the obligations specific to your sector, including how the Act's changes apply to your work.