The Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026, S.I. 2026/82, brought section 80 of the Data (Use and Access) Act 2025 into force on 5 February 2026. Section 80 replaces Article 22 of the UK General Data Protection Regulation with a new four-article automated decision-making structure. The commencement is at the final, operative stage.
The controlling authority is section 80 of the Data (Use and Access) Act 2025 (c. 18), which substitutes into the UK GDPR a new Section 4A comprising Articles 22A through 22D. Article 22A defines two threshold concepts: a decision is based solely on automated processing where there is no meaningful human involvement in the taking of the decision, and a significant decision is one that produces a legal effect for a data subject or has a similarly significant effect. Article 22B prohibits significant decisions based entirely or partly on processing of special-category data unless an Article 22B exemption applies. Firms must identify which decisions cross these thresholds and recalibrate their human oversight procedures accordingly.
Controllers that make significant automated decisions must, under Articles 22C and 22D, notify affected data subjects and provide a meaningful right to contest the decision, request human review, and receive an explanation. The definition of meaningful human involvement requires that reviewers have genuine decision-making authority rather than rubber-stamp authority. Processors supplying decision-support tools must review contractual and technical arrangements to ensure controllers can meet these obligations. Financial services firms, insurers, employers, and recruitment technology providers applying automated scoring or risk assessment tools are directly within scope; the regime covers both AI-driven tools and rule-based systems, provided the threshold tests are met.
S.I. 2026/82 also brings section 103 of the DUAA 2025 into force on 19 June 2026, inserting new section 164A into the Data Protection Act 2018, which requires controllers to maintain a data subject complaint procedure with a 30-day acknowledgment obligation and a structured response duty. Firms currently relying on legacy Article 22 documentation, impact assessments, or contractual clauses referencing the old provision must update those documents to reference Articles 22A through 22D.
Our firm advises controllers, processors, and technology vendors on UK GDPR reform compliance, automated decision-making governance, and data protection programme design. We work with a dedicated network of data protection and AI law specialists. Organisations seeking to assess their automated decision-making systems against the new rules, or draft updated notices and procedures, are welcome to reach out. We regularly assist with: UK GDPR and DUAA compliance reviews, automated decision-making impact assessments, AI governance policy drafting, and data subject rights programme implementation.
Source: The Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026, S.I. 2026/82, regs. 2(j) and 3(a); Data (Use and Access) Act 2025 (c. 18), s. 80. Available at: https://www.legislation.gov.uk/uksi/2026/82/made and https://www.legislation.gov.uk/ukpga/2025/18/section/80. Confirmed 28 April 2026.
The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.