The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026

Published: Tue 21st Apr 26

These 2026 Regulations require the Secretary of State to direct the Information Commissioner to prepare an official code of practice offering guidance on good practice for processing personal data when developing and using artificial intelligence and automated decision-making systems, specifically including provisions for children's data.

Furthermore, the regulations modify existing law by ensuring that any advisory panel considering the code must exempt aspects related to national security from their review process.

Arguments For

Mandates clarity and guidance on handling personal data when developing and deploying Artificial Intelligence systems, thereby promoting compliance with existing UK data protection standards (UK GDPR and DPA 2018).
Ensures specific focus on protecting children's personal data within AI and automated decision-making contexts, addressing a key vulnerability area.
Streamlines the code preparation process by explicitly excluding national security aspects from the external panel review, potentially speeding up the issuance of necessary guidance.

Arguments Against

Excluding national security aspects from the review panel may reduce independent oversight on crucial data processing practices related to AI and automated decision-making in sensitive areas.
The requirement for the Commissioner to produce an impact assessment after these Regulations are made places procedural burden on the subsequent guidance development, rather than preemptively.
Defining 'automated decision-making' by referencing recently inserted articles (Article 22C of UK GDPR and section 50C of the 2018 Act) could lead to initial confusion as practitioners adapt to these newer legislative components.

STATUTORY INSTRUMENTS

2026 No. 425

DATA PROTECTION

The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026

| Made - - - | 16th April 2026 | |---|---| | Laid before Parliament | 21st April 2026 | | Coming into force - | 12th May 2026 |

These are the formal details for the Statutory Instrument, identifying it as "The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026," numbered 425 of 2026.

The instrument was formally made on April 16, 2026, presented to Parliament on April 21, 2026, and set to become legally effective on May 12, 2026.

The Secretary of State makes these Regulations in exercise of the powers conferred by section 124A(1) and (2) and section 124B(11) of the Data Protection Act 2018( 1 ). In accordance with section 182(2) of that Act, the Secretary of State has consulted the Commissioner and such other persons as the Secretary of State considers appropriate.

The relevant Secretary of State created these Regulations using specific powers granted by sections 124A and 124B of the Data Protection Act 2018.

Before enacting them, the Secretary of State fulfilled a legal obligation to consult with the Information Commissioner (the Commissioner) and any other relevant individuals or bodies.

Citation, commencement, extent and interpretation

-(1) These Regulations may be cited as The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026.

(2) These Regulations come into force 21 days after the day on which they are laid.
(3) These Regulations extend to England and Wales, Scotland and Northern Ireland.
(4) In these Regulations, 'the 2018 Act' means the Data Protection Act 2018.

The first regulatory section covers basic procedural details.

The official title is confirmed in sub-paragraph (1).

The commencement date is established as 21 days following the date the instrument was officially laid before Parliament in sub-paragraph (2).

These rules apply across all constituent countries of the UK: England, Wales, Scotland, and Northern Ireland, as specified in sub-paragraph (3).

Finally, sub-paragraph (4) establishes a shorthand reference, referring to the Data Protection Act 2018 simply as 'the 2018 Act' throughout the document.

The code of practice

-(1) The Commissioner must prepare an appropriate code of practice giving guidance as to good practice in the processing of personal data( 2 ) under the relevant data protection legislation in relation to-

(a) developing and using artificial intelligence, and
(b) automated decision-making.

(2) The code of practice must include guidance as to good practice in the processing of children's personal data.

(3) In this regulation-

( 1 ) 2018 c. 12. Sections 124A and 124B were inserted by sections 92(2) and 93, respectively, of the Data (Use and Access) Act 2025 (c. 18). Commissioner is defined in section 3(8) of the Data Protection Act 2018 as the Information Commissioner.

( 2 ) See section 124A(7) of the Data Protection Act 2018 for the meaning of 'good practice in the processing of personal data'.

'automated decision-making' means-

(a) decision-making to which Article 22C(1) of the UK GDPR( 3 ) applies, or
(b) decision-making to which section 50C(1) of the 2018 Act( 4 ) applies.

'relevant data protection legislation' means-

(a) the UK GDPR, and
(b) the 2018 Act, except Part 4 of that Act.

The primary requirement is placed on the Information Commissioner to develop a suitable code of practice. This guidance must detail good practices for processing personal data under the relevant data protection laws when dealing with the creation and deployment of Artificial Intelligence systems and automated decision-making processes.

The code must also specifically cover good practices related to handling children's personal data.

Definitions clarify that 'automated decision-making' refers to decisions covered by Article 22C(1) of the UK GDPR or section 50C(1) of the 2018 Act. 'Relevant data protection legislation' encompasses the UK GDPR and the 2018 Act, excluding Part 4 of the 2018 Act (which relates to intelligence services processing).

Modification to panel requirements

Section 124B of the 2018 Act applies to the preparation or amendment of the code of practice required under regulation 2 as if after subsection (7) there were inserted-

'(7A) The panel must not consider or report on any aspect of the code relating to national security.'.

These Regulations amend the process outlined in section 124B of the 2018 Act concerning the establishment of a review panel for the data protection code.

A new subsection (7A) is inserted, explicitly prohibiting the panel from reviewing or providing reports on any component of the code that concerns national security.

16th April 2026

Ian Murray Minister of State Department for Science, Innovation and Technology

( 3 ) Article 22C was inserted by section 80 of the Data (Use and Access) Act 2025. See section 3(10) of the Data Protection Act 2018 for the meaning of 'the UK GDPR'.

( 4 ) Section 50C was inserted by section 80 of the Data (Use and Access) Act 2025.

This section provides the signatory details, showing that the instrument was signed on April 16, 2026, by Ian Murray, the Minister of State in the Department for Science, Innovation and Technology.

Footnotes clarify that Article 22C and Section 50C were recently added to the relevant legislation by the Data (Use and Access) Act 2025, and reference where the meaning of 'the UK GDPR' can be found.

EXPLANATORY NOTE

(This note is not part of the Regulations)

These Regulations require the Information Commissioner ('the Commissioner') to prepare a code of practice on the processing of personal data under relevant data protection legislation in relation to developing and using artificial intelligence and automated decision-making. Relevant data protection legislation is defined in regulation 2 as the UK GDPR and the Data Protection Act 2018 ('the 2018 Act'), except Part 4 of that Act (intelligence services processing).

Regulation 3 modifies the requirements under section 124B of the 2018 Act for the Commissioner to establish a panel of individuals to consider the code of practice by providing that the panel must not consider or report on any aspect of the code of practice relating to national security.

A full impact assessment has not been produced for this instrument as no, or no significant, impact on the private, voluntary or public sector is foreseen as a result of the instrument itself. The Commissioner is required to produce an impact assessment when preparing the code of practice under these Regulations.

The Explanatory Note confirms that the instrument mandates the Information Commissioner to draft guidance (a code of practice) covering personal data processing related to developing and using AI and automated decision-making, referencing the UK GDPR and DPA 2018 (excluding intelligence services processing).

It reiterates that the setup for the review panel is amended to exclude national security from its purview.

Finally, the note states that a full impact assessment was not produced for the Regulations themselves, as any significant impact assessment obligation falls on the Commissioner when creating the subsequent code of practice.

View Source

Environment Foreign Policy Justice Science

The Biodiversity Beyond National Jurisdiction Act 2026 (Meaning of “Digital Sequence Information”) Regulations 2026

Fri 15th May 26

The Regulations formally defined 'digital sequence information' in relation to marine genetic resources for the Biodiversity Beyond National Jurisdiction Act 2026.

Justice Local Government Transport

The Air Navigation (Restriction of Flying) (Edinburgh) Regulations 2026

Fri 15th May 26

The regulations imposed temporary flight restrictions over Edinburgh airspace for specific periods between June 27th and July 3rd, 2026, to ensure public safety during the State Opening of the Scottish Parliament and Royal Week.

Justice Local Government Technology Transport

The Air Navigation (Restriction of Flying) (Wembley Stadium, London) Regulations 2026

Fri 15th May 26

The Regulations imposed temporary flight restrictions on unmanned aircraft around Wembley Stadium for a specified period on May 16th, 2026, to ensure public safety during the FA Cup Final.

Housing Infrastructure Justice

The Building Safety (Responsible Actors Scheme and Prohibitions) (Amendment) Regulations 2026

Fri 15th May 26

The Regulations amended the 2023 rules governing the Responsible Actors Scheme by correcting language, omitting a prohibition notice, and modifying exceptions related to building control prohibitions for various building works and property transfers.