The Data (Use and Access) Act 2025 (DUAA) rewrote the UK GDPR’s approach to regulating the processing of personal data to make it easier to make wholly automated decisions (ADMs) with legal or significant effects. It replaces Article 22 with new Articles 22A–22D and shifts the provisions from a general prohibition, with narrow exceptions, to a framework that is more permissive and ­safeguard-led.

The relevant provisions came into effect on 5 February 2026, and apply from this date – they do not have retroactive effect. On 31 March 2026, the ICO opened a consultation on updated guidance aligned to the DUAA amendments. The consultation is open until 29 May 2026, and the draft guidance is already an important indicator of likely regulatory expectations.