The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026

Published: Tue 21st Apr 26

These 2026 Regulations require the Secretary of State to direct the Information Commissioner to prepare an official code of practice offering guidance on good practice for processing personal data when developing and using artificial intelligence and automated decision-making systems, specifically including provisions for children's data.

Furthermore, the Regulations modify existing law so that any advisory panel considering the code must exclude aspects relating to national security from its review.

Arguments For

  • Mandates clarity and guidance on handling personal data when developing and deploying Artificial Intelligence systems, thereby promoting compliance with existing UK data protection standards (UK GDPR and DPA 2018).

  • Ensures specific focus on protecting children's personal data within AI and automated decision-making contexts, addressing a key vulnerability area.

  • Streamlines the code preparation process by explicitly excluding national security aspects from the external panel review, potentially speeding up the issuance of necessary guidance.

Arguments Against

  • Excluding national security aspects from the review panel may reduce independent oversight on crucial data processing practices related to AI and automated decision-making in sensitive areas.

  • The requirement for the Commissioner to produce an impact assessment after these Regulations are made places a procedural burden on the subsequent development of the guidance, rather than assessing impact in advance.

  • Defining 'automated decision-making' by referencing recently inserted articles (Article 22C of UK GDPR and section 50C of the 2018 Act) could lead to initial confusion as practitioners adapt to these newer legislative components.

STATUTORY INSTRUMENTS

2026 No. 425

DATA PROTECTION

The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026

| Made | 16th April 2026 |
|---|---|
| Laid before Parliament | 21st April 2026 |
| Coming into force | 12th May 2026 |

The Secretary of State makes these Regulations in exercise of the powers conferred by section 124A(1) and (2) and section 124B(11) of the Data Protection Act 2018( 1 ). In accordance with section 182(2) of that Act, the Secretary of State has consulted the Commissioner and such other persons as the Secretary of State considers appropriate.

Citation, commencement, extent and interpretation

  1.-(1) These Regulations may be cited as The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026.
  • (2) These Regulations come into force 21 days after the day on which they are laid.
  • (3) These Regulations extend to England and Wales, Scotland and Northern Ireland.
  • (4) In these Regulations, 'the 2018 Act' means the Data Protection Act 2018.

The code of practice

  2.-(1) The Commissioner must prepare an appropriate code of practice giving guidance as to good practice in the processing of personal data( 2 ) under the relevant data protection legislation in relation to-
  • (a) developing and using artificial intelligence, and
  • (b) automated decision-making.

(2) The code of practice must include guidance as to good practice in the processing of children's personal data.

(3) In this regulation-

'automated decision-making' means-

  • (a) decision-making to which Article 22C(1) of the UK GDPR( 3 ) applies, or
  • (b) decision-making to which section 50C(1) of the 2018 Act( 4 ) applies.

'relevant data protection legislation' means-

  • (a) the UK GDPR, and
  • (b) the 2018 Act, except Part 4 of that Act.

( 1 ) 2018 c. 12. Sections 124A and 124B were inserted by sections 92(2) and 93, respectively, of the Data (Use and Access) Act 2025 (c. 18). Commissioner is defined in section 3(8) of the Data Protection Act 2018 as the Information Commissioner.

( 2 ) See section 124A(7) of the Data Protection Act 2018 for the meaning of 'good practice in the processing of personal data'.

Modification to panel requirements

  3. Section 124B of the 2018 Act applies to the preparation or amendment of the code of practice required under regulation 2 as if after subsection (7) there were inserted-

'(7A) The panel must not consider or report on any aspect of the code relating to national security.'.

16th April 2026

Ian Murray
Minister of State
Department for Science, Innovation and Technology

( 3 ) Article 22C was inserted by section 80 of the Data (Use and Access) Act 2025. See section 3(10) of the Data Protection Act 2018 for the meaning of 'the UK GDPR'.

( 4 ) Section 50C was inserted by section 80 of the Data (Use and Access) Act 2025.

EXPLANATORY NOTE

(This note is not part of the Regulations)

These Regulations require the Information Commissioner ('the Commissioner') to prepare a code of practice on the processing of personal data under relevant data protection legislation in relation to developing and using artificial intelligence and automated decision-making. Relevant data protection legislation is defined in regulation 2 as the UK GDPR and the Data Protection Act 2018 ('the 2018 Act'), except Part 4 of that Act (intelligence services processing).

Regulation 3 modifies the requirements under section 124B of the 2018 Act for the Commissioner to establish a panel of individuals to consider the code of practice by providing that the panel must not consider or report on any aspect of the code of practice relating to national security.

A full impact assessment has not been produced for this instrument as no, or no significant, impact on the private, voluntary or public sector is foreseen as a result of the instrument itself. The Commissioner is required to produce an impact assessment when preparing the code of practice under these Regulations.
