The DUAA Takes Effect: New ICO Powers Meet a Tougher Enforcement Stance

The Data (Use and Access) Act 2025 (DUAA) commenced on 5 February 2026, bringing into force the most substantial reform of UK data protection law since the UK left the EU. At the same time, the ICO is entering 2026 with sharpened enforcement tools, a track record of record fines in 2025, and new statutory powers that give it reach it did not previously have. For telecoms operators, fintechs and online services, the combination of reformed rules and a more assertive regulator demands immediate attention. This article builds on our earlier analysis of what the DUAA means for UK businesses, published after the Act received Royal Assent, and examines how the reforms are working now that they are in force.
Regulatory background
The DUAA amends the UK GDPR and the Data Protection Act 2018 in several areas. The Commencement No. 6 Regulations brought the majority of Part 5 (data protection) into force on 5 February. One provision, the requirement for controllers to operate a formal complaints procedure, follows on 19 June 2026. The ICO governance reforms will commence at a later date.
The Act was the successor to the abandoned Data Protection and Digital Information Bill, reintroduced with a narrower scope after the 2024 general election. It received Royal Assent on 19 June 2025. As we noted in our October 2025 analysis, the government chose reforms it could deliver quickly rather than a wholesale rewrite of the UK GDPR. The question then was whether the changes would be substantive enough to matter. Six weeks into commencement, the answer is becoming clearer.
What has changed since commencement
Our October 2025 article set out the DUAA’s provisions in detail: reformed automated decision-making rules, the new recognised legitimate interests basis, PECR fine increases, scientific research consent, and international transfer mechanisms. Those changes are now live. Rather than repeat that analysis, this article focuses on three developments that have crystallised since 5 February: the ICO’s expanded enforcement toolkit, its record of using it, and the EU adequacy question that hangs over the entire reform.
The headline enforcement change is the ICO's new power to compel individuals to attend interviews and to require controllers to produce technical reports. These close gaps that made complex investigations slow and reliant on voluntary cooperation. The PECR fine cap has moved from GBP 500,000 to GBP 17.5 million or 4% of global annual turnover, whichever is higher, bringing electronic marketing enforcement into line with UK GDPR levels. The ICO issued GBP 4.63 million in PECR fines in 2025; with the new maximum, future penalties could be an order of magnitude higher.
The enforcement context
These reforms land in an enforcement environment that is already more active than at any point since the UK GDPR came into force. In 2025, the ICO issued six monetary penalty notices totalling over GBP 20 million in UK GDPR fines. Capita was fined GBP 14 million and Advanced Computer Software GBP 3.07 million, both for security failings following cyber attacks. The ICO also fined 23andMe GBP 2.31 million and LastPass GBP 1.23 million. The common thread was inadequate technical and organisational measures under Article 32 UK GDPR.
The ICO consulted in late 2025 on new enforcement procedural guidance introducing a structured settlement procedure. The settlement framework offers discounts of up to 40% for early resolution before a notice of intent, 30% after notice of intent, and 20% after written representations. This mirrors the approach used by the FCA and Ofcom: it incentivises early engagement and reduces the cost of contested proceedings for both sides. The final guidance, incorporating the DUAA powers, is expected in the first half of 2026.
Two high-profile appeals remain live. The Clearview AI enforcement notice, originally GBP 7.5 million, was upheld on jurisdiction by the Upper Tribunal in October 2025 and remitted for reinstatement. TikTok’s appeal of the ICO’s GBP 12.7 million penalty for processing children’s data is listed for hearing in May 2026. Both cases will test the boundaries of UK data protection jurisdiction over international technology companies.
What this means for regulated businesses
For data protection compliance teams, the immediate priorities are threefold. First, review automated decision-making processes. The relaxation of Article 22 is welcome, but the safeguards requirement is not optional. Organisations must document their ADM processes, implement contestation mechanisms, and ensure human review is available on request. The ICO has indicated it will publish findings from its investigation into ADM in recruitment by late March 2026.
Second, reassess PECR exposure. Any organisation relying on direct marketing, cookies, or similar electronic communications should treat the PECR fine increase as a material change in risk. The GBP 500,000 cap allowed some businesses to treat PECR fines as a cost of doing business. At GBP 17.5 million, that calculation no longer works.
Third, prepare for the complaints procedure requirement. By 19 June 2026, all controllers must operate a formal complaints procedure for data subjects. This is a new obligation that requires process design, staff training, and integration with existing subject access request workflows.
For telecoms and payments businesses specifically, the interaction between these reforms and sector-specific regulation matters. Telecoms operators already subject to security obligations under the Telecommunications (Security) Act 2021 (TSA 2021) should ensure their Article 32 measures satisfy both regimes rather than maintaining two parallel control sets. Payment institutions subject to the FCA's safeguarding requirements should assess whether their customer data handling meets the reformed UK GDPR standards.
Viewpoint
The DUAA is a pragmatic reform, not a radical one. It fixes specific problems with the UK GDPR framework, particularly the impractical ADM restrictions and the anachronistic PECR fine cap, without attempting a wholesale departure from the EU model. The ICO’s new powers, combined with its settlement procedure and recent enforcement track record, suggest a regulator that intends to use what it has been given. The outstanding question is the EU adequacy decision, due for review in 2026. The DUAA’s divergence from EU GDPR on ADM, cookie consent, and scientific research processing creates risk. If the EU concludes that the UK no longer provides essentially equivalent protection, the consequences for cross-border data flows would be severe. Businesses should track this closely.
Links
Data (Use and Access) Act 2025
ICO: Statement on the commencement of the DUAA
ICO: What the DUAA means for organisations
Contact
For advice on DUAA compliance, automated decision-making safeguards, or data protection for telecoms and payments businesses, contact Rob Bratby at Bratby Law.
