The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026

Published: Tue 21st Apr 26

These 2026 Regulations require the Secretary of State to direct the Information Commissioner to prepare an official code of practice offering guidance on good practice for processing personal data when developing and using artificial intelligence and automated decision-making systems, specifically including provisions for children's data.

Furthermore, the regulations modify existing law by ensuring that any advisory panel considering the code must exempt aspects related to national security from their review process.

Arguments For

Mandates clarity and guidance on handling personal data when developing and deploying Artificial Intelligence systems, thereby promoting compliance with existing UK data protection standards (UK GDPR and DPA 2018).
Ensures specific focus on protecting children's personal data within AI and automated decision-making contexts, addressing a key vulnerability area.
Streamlines the code preparation process by explicitly excluding national security aspects from the external panel review, potentially speeding up the issuance of necessary guidance.

Arguments Against

Excluding national security aspects from the review panel may reduce independent oversight on crucial data processing practices related to AI and automated decision-making in sensitive areas.
The requirement for the Commissioner to produce an impact assessment after these Regulations are made places procedural burden on the subsequent guidance development, rather than preemptively.
Defining 'automated decision-making' by referencing recently inserted articles (Article 22C of UK GDPR and section 50C of the 2018 Act) could lead to initial confusion as practitioners adapt to these newer legislative components.

STATUTORY INSTRUMENTS

2026 No. 425

DATA PROTECTION

The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026

| Made - - - | 16th April 2026 | |---|---| | Laid before Parliament | 21st April 2026 | | Coming into force - | 12th May 2026 |

These are the formal details for the Statutory Instrument, identifying it as "The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026," numbered 425 of 2026.

The instrument was formally made on April 16, 2026, presented to Parliament on April 21, 2026, and set to become legally effective on May 12, 2026.

The Secretary of State makes these Regulations in exercise of the powers conferred by section 124A(1) and (2) and section 124B(11) of the Data Protection Act 2018( 1 ). In accordance with section 182(2) of that Act, the Secretary of State has consulted the Commissioner and such other persons as the Secretary of State considers appropriate.

The relevant Secretary of State created these Regulations using specific powers granted by sections 124A and 124B of the Data Protection Act 2018.

Before enacting them, the Secretary of State fulfilled a legal obligation to consult with the Information Commissioner (the Commissioner) and any other relevant individuals or bodies.

Citation, commencement, extent and interpretation

-(1) These Regulations may be cited as The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026.

(2) These Regulations come into force 21 days after the day on which they are laid.
(3) These Regulations extend to England and Wales, Scotland and Northern Ireland.
(4) In these Regulations, 'the 2018 Act' means the Data Protection Act 2018.

The first regulatory section covers basic procedural details.

The official title is confirmed in sub-paragraph (1).

The commencement date is established as 21 days following the date the instrument was officially laid before Parliament in sub-paragraph (2).

These rules apply across all constituent countries of the UK: England, Wales, Scotland, and Northern Ireland, as specified in sub-paragraph (3).

Finally, sub-paragraph (4) establishes a shorthand reference, referring to the Data Protection Act 2018 simply as 'the 2018 Act' throughout the document.

The code of practice

-(1) The Commissioner must prepare an appropriate code of practice giving guidance as to good practice in the processing of personal data( 2 ) under the relevant data protection legislation in relation to-

(a) developing and using artificial intelligence, and
(b) automated decision-making.

(2) The code of practice must include guidance as to good practice in the processing of children's personal data.

(3) In this regulation-

( 1 ) 2018 c. 12. Sections 124A and 124B were inserted by sections 92(2) and 93, respectively, of the Data (Use and Access) Act 2025 (c. 18). Commissioner is defined in section 3(8) of the Data Protection Act 2018 as the Information Commissioner.

( 2 ) See section 124A(7) of the Data Protection Act 2018 for the meaning of 'good practice in the processing of personal data'.

'automated decision-making' means-

(a) decision-making to which Article 22C(1) of the UK GDPR( 3 ) applies, or
(b) decision-making to which section 50C(1) of the 2018 Act( 4 ) applies.

'relevant data protection legislation' means-

(a) the UK GDPR, and
(b) the 2018 Act, except Part 4 of that Act.

The primary requirement is placed on the Information Commissioner to develop a suitable code of practice. This guidance must detail good practices for processing personal data under the relevant data protection laws when dealing with the creation and deployment of Artificial Intelligence systems and automated decision-making processes.

The code must also specifically cover good practices related to handling children's personal data.

Definitions clarify that 'automated decision-making' refers to decisions covered by Article 22C(1) of the UK GDPR or section 50C(1) of the 2018 Act. 'Relevant data protection legislation' encompasses the UK GDPR and the 2018 Act, excluding Part 4 of the 2018 Act (which relates to intelligence services processing).

Modification to panel requirements

Section 124B of the 2018 Act applies to the preparation or amendment of the code of practice required under regulation 2 as if after subsection (7) there were inserted-

'(7A) The panel must not consider or report on any aspect of the code relating to national security.'.

These Regulations amend the process outlined in section 124B of the 2018 Act concerning the establishment of a review panel for the data protection code.

A new subsection (7A) is inserted, explicitly prohibiting the panel from reviewing or providing reports on any component of the code that concerns national security.

16th April 2026

Ian Murray Minister of State Department for Science, Innovation and Technology

( 3 ) Article 22C was inserted by section 80 of the Data (Use and Access) Act 2025. See section 3(10) of the Data Protection Act 2018 for the meaning of 'the UK GDPR'.

( 4 ) Section 50C was inserted by section 80 of the Data (Use and Access) Act 2025.

This section provides the signatory details, showing that the instrument was signed on April 16, 2026, by Ian Murray, the Minister of State in the Department for Science, Innovation and Technology.

Footnotes clarify that Article 22C and Section 50C were recently added to the relevant legislation by the Data (Use and Access) Act 2025, and reference where the meaning of 'the UK GDPR' can be found.

EXPLANATORY NOTE

(This note is not part of the Regulations)

These Regulations require the Information Commissioner ('the Commissioner') to prepare a code of practice on the processing of personal data under relevant data protection legislation in relation to developing and using artificial intelligence and automated decision-making. Relevant data protection legislation is defined in regulation 2 as the UK GDPR and the Data Protection Act 2018 ('the 2018 Act'), except Part 4 of that Act (intelligence services processing).

Regulation 3 modifies the requirements under section 124B of the 2018 Act for the Commissioner to establish a panel of individuals to consider the code of practice by providing that the panel must not consider or report on any aspect of the code of practice relating to national security.

A full impact assessment has not been produced for this instrument as no, or no significant, impact on the private, voluntary or public sector is foreseen as a result of the instrument itself. The Commissioner is required to produce an impact assessment when preparing the code of practice under these Regulations.

The Explanatory Note confirms that the instrument mandates the Information Commissioner to draft guidance (a code of practice) covering personal data processing related to developing and using AI and automated decision-making, referencing the UK GDPR and DPA 2018 (excluding intelligence services processing).

It reiterates that the setup for the review panel is amended to exclude national security from its purview.

Finally, the note states that a full impact assessment was not produced for the Regulations themselves, as any significant impact assessment obligation falls on the Commissioner when creating the subsequent code of practice.

View Source

Economy Health and Social Care Justice Trade

The Nutrition (Amendment etc.) (EU Exit) (Amendment) Regulations 2026

Tue 21st Apr 26

The regulations permitted the use of the mineral substance, magnesium L-threonate monohydrate, as a source of magnesium in the manufacture of food supplements in England by amending Schedule 2 of the 2019 EU Exit Regulations.

Economy Foreign Policy Justice Trade

The Syria (Sanctions) (EU Exit) (Amendment) Regulations 2026

Tue 21st Apr 26

Amended the Syria (Sanctions) (EU Exit) Regulations 2019 by revoking specific trade prohibitions, correcting definitions, and updating references to the Government of Syria.

Justice Local Government Technology Transport

The Automated Vehicles Act 2024 (Commencement No. 2) Regulations 2026

Tue 21st Apr 26

The regulations brought into force Part 5 (excluding civil sanctions and certain administrative subsections) and Section 93 of the Automated Vehicles Act 2024 effective from May 15, 2026.

Infrastructure Justice Transport

The Air Navigation (Restriction of Flying) (Epsom) Regulations 2026

Tue 21st Apr 26

The Regulations imposed temporary altitude and radius restrictions on unmanned aircraft flight near Epsom for June 5th and 6th, 2026, citing public safety concerns for the Derby event.