Home/Blog/Digital Sovereignty: From DPA 2018 to the 2025 Information Commission Era

February 6, 2026

Digital Sovereignty: From DPA 2018 to the 2025 Information Commission Era

Explore the shift from DPA 2018 to the Data (Use and Access) Act 2025. A strategic guide to the UK’s new risk-based regime, Senior Responsible Individuals, and the 'reasonable' standard for data rights in 2026.

The transition from the Data Protection Act 2018 to the Data (Use and Access) Act 2025 (DUAA) marks a fundamental shift in the UK’s approach to digital governance. While the 2018 Act was built to anchor the EU’s GDPR principles into British law, the 2025 Act represents a "British divergence" aimed at reducing administrative friction and boosting innovation.

For organisations operating in 2026, compliance is no longer just about preventing data leaks; it is about navigating a more flexible, risk-based landscape that empowers businesses to use data strategically while maintaining a robust shield for individual rights.

1. The Core Evolution: DPA 2018 vs. DUAA 2025

The primary difference between the two eras lies in the shift from a "process-heavy" regime to an "outcome-focused" one. The 2018 Act introduced a rigid set of administrative requirements—such as the mandatory appointment of Data Protection Officers (DPOs) for many and the strict "balancing test" for every legitimate interest assessment.

The 2025 Act has introduced "Recognised Legitimate Interests" (RLIs). For activities like crime prevention, safeguarding, and emergency response, the traditional three-part balancing test is no longer required. This allows organisations to act swiftly in the public interest without being bogged down by paperwork. Furthermore, the 2025 Act has modernised Subject Access Requests (SARs). We have moved from an era of "exhaustive searches" to a standard of "reasonable and proportionate" efforts. The introduction of the "stop the clock" mechanism—allowing businesses to pause the 30-day response window while waiting for clarification from the requester—is a pragmatic victory for operational efficiency.

2. New Governance Controls: The Rise of the SRI

Perhaps the most significant change in organisational structure is the transition from the Data Protection Officer (DPO) to the Senior Responsible Individual (SRI). Under the 2018 Act, the DPO was often an arms-length advisor. In contrast, the DUAA 2025 requires the SRI to be a member of senior management—typically at board or director level.

This shift places the accountability for data protection directly in the hands of those who hold the purse strings. The SRI is now personally responsible for the organisation's Privacy Management Programme. While they can delegate tasks to technical experts, the ultimate liability for systemic failure rests with them. This control mechanism is designed to ensure that data protection is never "siloed" in the IT department but is instead a permanent fixture of the boardroom agenda.

3. Policy Shifts: Complaints and AI Governance

The 2025 reforms have necessitated a comprehensive rewrite of organisational policies. The most urgent update for 2026 is the Statutory Right to Complain. Organisations are now legally required to have a formal, internal complaints procedure in place. This policy must include a commitment to acknowledge any data-related grievance within 30 days and provide a resolution "without undue delay." This is a "controller-first" model, meaning individuals must generally attempt to resolve issues with the business before escalating to the newly formed Information Commission.

Furthermore, policies regarding Automated Decision-Making (ADM) and AI have become high-priority. While the DUAA 2025 has relaxed the restrictions on solely automated decisions (provided they do not involve sensitive "special category" data), it has introduced strict safeguard requirements. Organisations must now have clear policies that allow individuals to contest a decision, request human intervention, and receive a meaningful explanation of how an algorithm reached a particular conclusion.

4. Stakeholder Roles and Responsibilities

The modern data landscape has redefined what is expected from every party involved in the data lifecycle.

The Senior Responsible Individual (SRI): As the primary stakeholder, the SRI must oversee the strategic management of information risk. Their role is to ensure that data protection objectives are aligned with business growth, personally signing off on high-risk processing activities.
The Information Commission: Replacing the ICO, this body is now led by a board and a Chief Executive. Their role has shifted toward supporting economic growth and providing clearer, more "business-friendly" guidance, though their enforcement powers remain formidable.
Data Subjects (Individuals): Individuals have gained more granular control. They have a strengthened right to data portability and a simplified path for raising complaints, though they are now expected to engage with the organisation’s internal processes first.
Developers and Tech Leads: In 2026, the burden of "explainability" falls on the tech teams. They must ensure that the systems they build—especially those involving AI—are transparent enough to satisfy the SRI's reporting requirements and the individual's right to an explanation.

5. Comparison: Governance Controls and Policy Impact

Control/Policy Area	DPA 2018 Standard	DUAA 2025 Standard
Leadership	Data Protection Officer (DPO)	Senior Responsible Individual (SRI)
SAR Searches	Exhaustive / All-encompassing	Reasonable and Proportionate
SAR Timelines	Strict 30-day window	"Stop the clock" for clarification
Complaints	Direct escalation to ICO	Mandatory internal process first
AI/ADM	Generally prohibited if significant	Generally permitted with safeguards
Legitimate Interest	Mandatory Balancing Test	RLI Exemption for specific cases

Conclusion: A More Mature Digital Future

The shift from 2018 to 2025 is a move toward regulatory maturity. By empowering senior leaders through the SRI role and streamlining administrative tasks like SARs and LIAs, the UK has created a framework that respects both the value of data and the rights of the person behind it. For the modern organisation, success in 2026 depends on integrating these new controls into the very culture of the business, turning data protection from a legal hurdle into a hallmark of operational integrity.

References and Further Reading

Data (Use and Access) Act 2025. UK Public General Acts. [Legislation.gov.uk]
Information Commission. (2026). Guidance on the New Statutory Right to Complain. [ico.org.uk]
Department for Science, Innovation and Technology (DSIT). (2025). Implementing the Senior Responsible Individual Role.
Data Protection Act 2018. UK Public General Acts, Chapter 12.
Pinsent Masons. (2026). Automated Decision-Making and AI: Safeguards under the DUAA.

Our News and Blogs

February 6, 2026

The Blueprint for Data Privacy: Navigating Data Protection for Modern Digital Businesses

Discover how modern digital businesses navigate our complex data laws. This guide covers the frameworks, AI-driven best practices, and essential steps to secure data and build stakeholder trust.

February 6, 2026

Why Risk Management is the Secret Sauce of Success !

Risk management isn't just a "mood hoover." The UK's top firms use it as a strategic GPS to navigate the Data Act and global volatility. Discover how the "Serious Business" of risk becomes your ultimate competitive power.

February 6, 2026

Navigating the UK Data Protection Act and the DUA Act 2025

Master UK data governance in 2026. Explore the shift from DPA 2018 to the DUA Act 2025, including Senior Responsible Individuals, AI ethics, and a risk-based approach to privacy that turns compliance into a strategic competitive advantage.

February 6, 2026

Flourishing Safety Risk Management:Culture

Discover how risk management adoption serves as fundamental step toward establishing effective Safety Risk Management capability and fostering thriving safety cultures in safety-critical environments.

February 6, 2026

Mastery of the Assessment: How to Succeed at Your Data Protection Impact Assessment

avigate the shift from GDPR to the Data (Use and Access) Act with this strategic guide to DPIAs. Learn to move beyond compliance checklists to build a proactive, risk-based culture of Privacy by Design.

February 6, 2026

The Resilience Advantage: From Operational Risk to Strategic Excellence

Shift from reactive compliance to strategic resilience. This guide explores building a proactive risk culture, leveraging maturity models, and integrating the 2025 Data Act into operational excellence.

February 6, 2026

Privacy-Centric ITSM: Integrating Data Protection into the Service Lifecycle

Embed privacy within the ITIL framework to satisfy the UK Data Protection Act and the Data (Use and Access) Act. This guide details the strategic alignment of service management with modern data law to build resilient, trust-based IT services.

February 6, 2026

Data Breach Management: Detection, Response, and Notification

Master the complete data breach management lifecycle from detection and containment to notification and prevention, with practical guidance for **GDPR** compliance and operational resilience.

February 5, 2026

Implementing a Risk Management Process: A Starter's Guide

Essential guide for selecting and successfully deploying risk management frameworks, covering implementation strategies, stakeholder responsibilities, and proven approaches for organizational success.

February 5, 2026

Privacy by Design: Weaving Data Protection into the Fabric of Software Development

Master the integration of data protection compliance throughout the Software Development Life Cycle (SDLC) to mitigate risks, safeguard personal data, and build trust in your digital products.

February 5, 2026

Risk Management Maturity Models: Your Compass to Risk Excellence

Navigate your risk management journey with comprehensive maturity models that provide structured approaches for evaluating capabilities, identifying gaps, and guiding continuous improvement.

February 5, 2026

Beyond Hazard Logs: Transforming Safety Risk Management into Cultural DNA

Why the most resilient organisations in 2026 are moving past "reactive" safety and using SRM as a strategic engine for continuous improvement and trust.

February 5, 2026

Navigating Complexity with Strategic Risk Frameworks

Building a Culture of Assurance and Strategic Growth

February 5, 2026

Beyond the Checklist: Navigating the UK’s New Data (Use and Access) Act 2025

From Compliance to Excellence: A 9-Step Journey Through the UK’s New Data Landscape

February 5, 2026

Privacy-Enhancing Technologies: Tools and Implementation Guide

Explore cutting-edge privacy-enhancing technologies (PETs) that enable data protection while maintaining utility, with practical implementation strategies for modern organisations.

February 5, 2026

Subject Access Requests: Complete Guide to Compliance and Best Practices

Master the complete **Subject Access Request** (SAR) process from recognition and verification to response and documentation, with practical guidance for **GDPR** compliance and stakeholder management.

February 5, 2026

Data Protection by Design and Default: Implementation Guide

Master the implementation of data protection by design and default principles, with practical guidance for integrating privacy into systems, processes, and organizational culture.

February 5, 2026

Data Protection Governance: Building Organizational Excellence

Master the implementation of comprehensive data protection governance frameworks that ensure regulatory compliance, manage privacy risks, and build stakeholder trust in today's complex data landscape.

February 5, 2026

Data Protection Impact Assessments: A Comprehensive Guide

Master the art and science of conducting **Data Protection** Impact Assessments (DPIAs) with this comprehensive guide covering methodology, implementation, and best practices for **GDPR** compliance.

February 5, 2026

Data Protection Officers: Roles, Responsibilities, and Requirements

Comprehensive guide to **Data Protection** Officer roles, responsibilities, qualifications, and organizational requirements for **GDPR** compliance and effective privacy governance.

February 5, 2026

International Data Transfers: Compliance Frameworks and Mechanisms

Navigate the complex landscape of international data transfers with comprehensive guidance on legal frameworks, transfer mechanisms, and compliance strategies for global operations.

February 5, 2026

Data Protection Officer Career Guide: Skills, Qualifications, and Pathways

A comprehensive guide to becoming a Data Protection Officer, including essential skills, qualifications requirements, and career development pathways in the data protection field.

All content, trademarks, logos, and brand names referenced in this article are the property of their respective owners. All company, product, and service names used are for identification purposes only. Use of these names, trademarks, and brands does not imply endorsement. All rights acknowledged.

© 2026 Riskmanage.io. All rights reserved. The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of any other agency, organisation, employer, or company.