GDPR & DUAA Updates 2026
Significant updates to the Data (Use and Access) Act 2025 (DUAA) and GDPR have taken effect since January 2026, marking a major shift in the UK’s regulatory landscape.
UK: DUAA Provisions Now in Force
The majority of the data protection and privacy provisions in the DUAA came into force on February 5, 2026. Key updates include:
- Recognised Legitimate Interests: A new lawful basis for processing personal data that does not require a “balancing test” for specific activities like crime prevention, safeguarding, and national security.
- PECR Fines Increase: Maximum fines under the Privacy and Electronic Communications Regulations (PECR) for cookie and marketing breaches have risen to UK GDPR levels—up to £17.5 million or 4% of global turnover.
- Automated Decision-Making (ADM): Rules have been relaxed to allow ADM for non-special category data under broader lawful bases, provided safeguards like human review and the right to contest are in place.
- Data Subject Access Requests (DSARs): Organisations now have more flexibility to seek clarification for broad requests, effectively “pausing the clock” on the one-month response deadline.
- Scientific Research: The definition has been broadened to include commercial research, making it easier to reuse data for compatible secondary research purposes.
- International Data Transfers: The required standard for transfers from the UK has shifted from “essentially equivalent” to a “not materially lower” standard of protection.
Upcoming Deadlines for 2026
Several major requirements are scheduled to launch later this year:
- June 19, 2026: A new mandatory right to complain directly to controllers takes effect. Organisations must have formal procedures to acknowledge complaints within 30 days and respond fully “without undue delay”.
- August 2, 2026: The EU AI Act begins to apply more broadly, which will impact UK businesses operating within the EU or using certain high-risk AI systems.
- September 12, 2026: Core data-access obligations under the EU Data Act come into effect.
EU: GDPR and International Updates
- Brazil-EU Adequacy: On January 27, 2026, the EU and Brazil officially announced mutual recognition of data protection adequacy, allowing personal data to flow between the jurisdictions without additional complex transfer mechanisms.
- GDPR Procedural Regulation: This new regulation entered into force on January 1, 2026, aiming to harmonise how EU supervisory authorities handle cross-border complaints and investigations.
