Data (Use and Access) Act receives Royal Assent — what changes for UK businesses using AI
What is the Data (Use and Access) Act?
The Data (Use and Access) Act 2026 — previously known as the Data (Use and Access) Bill — is a significant piece of UK legislation that updates and extends the UK GDPR and the Data Protection Act 2018. It received Royal Assent on 19 June 2026, meaning all provisions affecting data protection law are now in force.
The Act has wide implications for any UK business that processes personal data, but for businesses using AI it introduces three particularly important changes.
Change 1: New rules on automated decision-making
Under the old UK GDPR (Article 22), automated decisions with legal or similarly significant effects on individuals were essentially prohibited unless specific conditions were met. The Act replaces this with a new framework — Articles 22A to 22D — that takes effect from 5 February 2026.
The key shift: automated decisions are now permitted by default, provided certain safeguards are in place. Those safeguards include:
- Providing individuals with meaningful information about how the AI decision was made
- Giving individuals the right to request human review of automated decisions
- Giving individuals the right to contest the decision
- Documenting what counts as genuine human involvement — the Act requires this to be an active review before a decision takes effect, not simply a sign-off after the fact
For UK SMEs using AI tools to make HR decisions, assess creditworthiness, or interact with customers, this means the legal basis for automated processing has changed. Your data protection policies and privacy notices may need updating.
Change 2: ICO must produce a statutory AI Code of Practice
The Act places the Information Commissioner under a legal duty to prepare a statutory Code of Practice covering both the development and use of AI, with a mandatory section on children's data. This duty came into force on 12 May 2026 via separate regulations.
The Code has not yet been drafted — no consultation timeline has been announced — but when published it will carry significant weight in ICO enforcement. Businesses will be expected to demonstrate compliance with the Code, not just awareness of it.
The ICO has already consulted on draft guidance on automated decision-making and profiling (consultation closed 29 May 2026). Final guidance is expected over the summer of 2026 and will be the clearest available signal of what the Code will require.
Change 3: Data complaints process required by 19 June 2026
The Act requires all UK organisations to have established a formal data protection complaints process by 19 June 2026. The ICO has specifically reminded businesses of this obligation. If your business does not have a clear process for individuals to raise data protection concerns — including concerns about AI decisions — this needs to be addressed immediately.
- Review any AI tools that make or assist decisions about individuals — recruitment, performance, credit, access to services. Check whether your privacy notices and data protection policies reflect the new Article 22A framework.
- Ensure any automated decision process includes a genuine human review mechanism — not just a rubber-stamp — and that this is documented.
- Check your data protection complaints process is in place and accessible to individuals.
- Watch for the ICO's final automated decision-making guidance, expected summer 2026. It will clarify exactly what is required of businesses using AI.