From 19 June 2026, every UK organisation that holds personal data must have a compliant data-protection complaints process — and that is just the most visible deadline in a wave of reform that quietly rewrote the rulebook for AI. The Data (Use and Access) Act 2025 (DUAA) has been commencing in stages, and three of those stages land squarely on anyone using AI to make decisions about people. Here is what changed, what is now in force, and what to do before the regulator's new AI code of practice arrives.
Key Takeaways
- The DUAA is not a "UK AI Act" — but it is the most consequential change to how AI and personal data interact in Britain. It amends the UK GDPR rather than replacing it.
- From 19 June 2026, a statutory complaints-handling duty (new section 164A, Data Protection Act 2018) requires every controller to operate a compliant complaints process. If you do not have one, you are already late.
- Since 5 February 2026, new Articles 22A–22D replace the old Article 22 UK GDPR: solely automated decisions with legal or similarly significant effects are now permitted on ordinary personal data — provided four safeguards are met. Special category data stays tightly restricted.
- A statutory ICO code of practice on AI and automated decision-making is now legally mandated (in force 12 May 2026), but the code itself is not expected to be finalised before 2027. The preparation window is now.
- A new "recognised legitimate interests" lawful basis removes the balancing test for a narrow list of public-interest purposes — it is not a shortcut to train AI on customer data.
First, the framing: this is reform, not a new AI act
The UK still has no single statute equivalent to the EU AI Act. Its approach remains principles-based and delegated to existing sector regulators, now supported by tools such as the AI Growth Lab — a cross-economy regulatory sandbox launched on 8 June 2026, with legal services and conveyancing as its first focus area. So when people ask "what is the UK's AI law?", the honest answer in 2026 is: a patchwork of existing regimes, led by data protection.
That is exactly why the DUAA matters so much. Most real-world AI in business touches personal data — CV screening, credit and pricing decisions, fraud detection, customer profiling, HR analytics. The law that governs that data is the law that governs your AI. And that law has just changed underneath you.
The key dates, in plain English
| Date | What changed | What it means if you use AI |
|---|---|---|
| 19 June 2025 | DUAA received Royal Assent | The clock started on a phased, staged commencement |
| 5 February 2026 | New Articles 22A–22D replace Article 22 UK GDPR (SI 2026/82); "recognised legitimate interests" added | Solely automated decisions allowed on ordinary personal data — with safeguards; special category data stays restricted |
| 12 May 2026 | Code of Practice on AI & ADM Regulations 2026 (SI 2026/425) in force | The ICO is now legally required to produce a statutory AI & automated-decision-making code |
| 19 June 2026 | Statutory complaints-handling duty live (new s.164A DPA 2018) | Every organisation must operate a compliant data-protection complaints process |
| 2027 (expected) | ICO's AI & ADM code of practice finalised | A statutory benchmark for "good practice" in AI processing of personal data |
The big one for AI: automated decision-making was deregulated — with strings
Under the old Article 22 UK GDPR, decisions based solely on automated processing that had legal or similarly significant effects were broadly prohibited, with narrow exceptions. The DUAA flips that logic. Section 80 replaced Article 22 with new Articles 22A–22D, in force since 5 February 2026, moving from a prohibition-based model to a permission-plus-safeguards model.
In practice: you can now make solely automated, high-impact decisions about people using ordinary personal data — but only if you put four safeguards in place. The individual must be:
- Informed — given clear information about the automated decisions being made about them;
- Able to make representations — given a route to put their side forward;
- Able to obtain human intervention — a real person can review the decision; and
- Able to contest — they can challenge the outcome.
One critical exception survives intact: where the decision relies on special category data (health, biometrics, ethnicity, sexual orientation, religion and so on under Article 9), the stricter regime continues — solely automated decisions are prohibited unless an Article 9 lawful basis applies and the safeguards are met. If your model touches sensitive attributes, assume the higher bar.
This is a genuine commercial opening — and a genuine governance trap. The barrier to deploying automated decisioning is lower; the cost of deploying it without the safeguards is now a clearer, more enforceable breach.
"Recognised legitimate interests": useful, but not an AI training licence
The DUAA also introduces a new lawful basis — "recognised legitimate interests" — that lets organisations process personal data for a pre-approved list of public-interest purposes without running the usual legitimate-interests balancing test. Those purposes are narrow: crime prevention, public security, safeguarding, emergencies, and sharing data to help other bodies perform public tasks.
Read the room before you celebrate. This is not a blanket basis for scraping customer data into a model. Training AI on personal data still requires a standard lawful basis and, where you rely on ordinary legitimate interests, a documented balancing assessment. Treat "recognised legitimate interests" as a tightly scoped tool, not a green light.
The ICO is becoming the Information Commission — and writing the AI rulebook
Two governance shifts matter for AI leaders. First, the ICO is being restructured into the Information Commission, with a board and CEO model, modernised enforcement powers, and the complaints duty above feeding directly into its remit. Second, and more strategically, the Code of Practice on Artificial Intelligence and Automated Decision-Making Regulations 2026 (SI 2026/425), in force from 12 May 2026, legally require the regulator to produce a statutory code of practice on processing personal data when developing and using AI.
The catch: the code has not been drafted, and no consultation timeline has been confirmed. A realistic finish date is 2027. That is not a reason to wait — it is a reason to build your governance now, on the principles already in force, so the eventual code finds you compliant rather than scrambling.
What UK businesses should actually do before this lands
- Map your automated decisions. Inventory every place a model materially decides something about a person — hiring, credit, pricing, fraud, eligibility. You cannot safeguard what you have not found.
- Implement the four ADM safeguards wherever solely automated, high-impact decisions are made: notice, representations, human review, and a contest route.
- Stand up the complaints process now. The 19 June 2026 duty is live. A compliant, documented data-protection complaints procedure is no longer optional.
- Refresh DPIAs and your record of processing. The new ADM framework and lawful bases change your risk picture; your documentation should reflect the 2026 rules, not the 2018 ones.
- Separate "can" from "should". Lower legal friction does not mean lower reputational risk. Decide where automated decisioning is appropriate as a matter of policy, not just legality.
- Train the people in the loop. "Human intervention" only counts if the human is competent and empowered. Frontline reviewers, HR, and managers need to understand what a meaningful review actually requires.
Where Spicy Advisory fits
This is the part most AI rollouts get wrong: governance and adoption are treated as separate projects, run by separate teams, on separate timelines. The DUAA closes that gap — the safeguards are only real if the people operating your AI understand and apply them.
Spicy Advisory is a founder-led AI consulting and training boutique. We've trained 1,500+ professionals across 50+ companies including L'Oréal, EssilorLuxottica and IGN, with a 4.98/5 client rating. We help UK teams turn regulation into operational reality: an AI readiness and governance audit that maps where you make automated decisions, an AI strategy sprint that turns the DUAA's safeguards into workflows your teams actually use, and hands-on enablement so "human in the loop" means a trained human, not a rubber stamp — in English or French. For the governance foundations, see our guides on the UK ICO AI governance framework and UK vs EU AI regulation.
Frequently asked questions
Does the UK have an AI Act like the EU?
No. As of 2026 the UK has no single AI statute equivalent to the EU AI Act. It regulates AI through existing regimes — led by data protection under the UK GDPR and the Data (Use and Access) Act 2025 — plus sector regulators and tools like the AI Growth Lab regulatory sandbox launched on 8 June 2026. A statutory ICO code of practice on AI is mandated but not yet written.
What is the 19 June 2026 deadline under the Data (Use and Access) Act?
From 19 June 2026 a new statutory complaints-handling duty (section 164A of the Data Protection Act 2018) requires every data controller to operate a compliant process for handling data-protection complaints from individuals. That date falls twelve months after the Act received Royal Assent on 19 June 2025. Organisations without a documented complaints procedure are already behind.
Can we now use AI to make automated decisions about people in the UK?
Yes, more than before. Since 5 February 2026, new Articles 22A–22D permit solely automated decisions with legal or similarly significant effects on ordinary personal data, provided you give the individual information, a way to make representations, human intervention, and a route to contest the decision. Decisions relying on special category data remain tightly restricted.
Does "recognised legitimate interests" let us train AI on customer data?
No. The new recognised-legitimate-interests basis removes the balancing test only for a narrow list of public-interest purposes such as crime prevention, safeguarding and emergencies. Training AI on personal data still needs a standard lawful basis and, where you rely on ordinary legitimate interests, a documented balancing assessment.
When will the ICO's AI code of practice arrive, and what should we do meanwhile?
The regulations mandating it came into force on 12 May 2026, but the code itself is not expected to be finalised before 2027. Use the window to build governance on the rules already in force — the Article 22A–22D safeguards, the complaints duty, and updated DPIAs — so the eventual code finds you compliant.
Want this translated into an action plan for your stack and teams? Book a free 20-minute AI audit, or read our client reviews first.