UK data law changes on 5 Feb and 19 Jun 2026 explained
Two dates to circle: 5 February 2026 and 19 June 2026. On those days the UK switches on more of its data law. If you handle pupil records, run a youth charity, manage a college mailing list or simply want to see what data an organisation holds on you, these dates change the rules you work with.
What is a commencement regulation? Parliament passes an Act, but it rarely starts all at once. A commencement regulation is the legal notice that says which bits start when and what happens to old cases in the meantime. The one we’re talking about is Statutory Instrument 2026 No. 82, made on 29 January 2026 and published on legislation.gov.uk. It brings further parts of the Data (Use and Access) Act 2025 into force and sets the bridge rules between the old and the new.
What starts on 5 February 2026? According to SI 2026/82, provisions on the lawfulness of processing, purpose limitation, consent for scientific research, recognition of relevant international law, responses by elected representatives, time limits and information duties around requests, automated decision‑making, stronger design duties for children, codes of conduct, and transfers of personal data overseas all go live. Changes also land in the Privacy and Electronic Communications Regulations, covering cookies and direct marketing, alongside updated enforcement powers for the Information Commissioner.
For everyday life that means two visible shifts. First, cookie and device storage rules are updated, so the way websites ask for your permission may look and feel different. Second, charities get a clarified route to send direct marketing emails. If you manage comms for a museum or youth charity, double‑check how your consent forms and mailing lists are set up before you hit send.
What starts on 19 June 2026? A new duty on organisations, known in law as controllers, to handle complaints from data subjects comes into force. From that date, if you write to an organisation to complain about how they handled your data, they must follow the new complaint‑handling steps set out in the legislation. Complaints received before 19 June continue under the previous approach.
Two key terms keep appearing. A controller is the person or organisation that decides why and how personal data is used. A data subject is the living individual the data is about. If your school decides how to use attendance records, the school is the controller and you, the pupil or parent, are the data subject. If a college outsources email hosting, the college is still the controller because it sets the purpose; the provider processes data on its behalf.
Subject access requests are a good way to see the transition in action. If you ask an organisation for a copy of your personal data on 4 February 2026, the older timetable and rules for answering you still apply. Ask the same question on 6 February 2026 and the new timetable applies instead. The commencement regulation says the cut‑off is when your request is received, not when it is answered, so logging the date matters.
Automated decision‑making is another area with a line in the calendar. Decisions taken before 5 February 2026 stay under the pre‑existing safeguards. Decisions taken on or after that date follow the updated framework. Picture a bank’s fraud check that instantly declines a transaction: whether the old or new rules apply depends on when the decision was made.
Penalties have their own bridge rule. If the Information Commissioner issued a notice of intent before 5 February 2026, the earlier penalty process continues for that case. New penalty rules only apply where no such notice had been issued before the switch‑on date. This protects people and organisations from mid‑case rule changes.
Privacy and Electronic Communications (PEC) enforcement gets a practical tweak. From 5 February 2026, the Commissioner can use the updated investigatory powers for PEC matters even when looking at conduct that happened earlier, but sanctions are tied to the date of the breach. If a spam texting campaign happened in 2025, the old PEC regime governs any fine; if it happens after 5 February 2026, the amended regime applies.
Research and international transfers are tidied up too. The law defines what counts as research and statistical purposes, sets rules for consent in scientific research, and adds safeguards when data is used for research. It also refreshes how personal data can be sent to countries outside the UK, including new schedules for general and law‑enforcement processing. If your university team uses an overseas cloud tool, you should re‑check your transfer paperwork against the new schedules.
For teachers and administrators the to‑do list is manageable. Note the two dates in your policies, update any templates for responding to data rights requests, and review any tools that make automated decisions about pupils or applicants. If you run a charity, review your email practices and cookie banners, and brief your team on how to handle complaints from 19 June.
A final detail for the footnotes fan club. These are the sixth commencement regulations under the Data (Use and Access) Act 2025. They also update some cross‑references in the Data Protection Act 2018 to reflect an earlier commencement date of 20 August 2025. The source for all of this is the Government’s legislation website entry for Statutory Instrument 2026/82.