On 5 February 2026, the Information Commissioner’s Office updated the guidance titled Data protection by design and by default under the Guide to accountability and governance. The update reflects changes introduced by the Data (Use and Access) Act 2025, which amended the UK General Data Protection Regulation provisions on data protection by design and by default. The guidance outlines controller obligations under Article 25 to embed data protection and privacy into the design, development, operation, and decommissioning of systems, services, products, and processes, and to implement appropriate technical and organisational measures, including data minimisation, purpose limitation, storage limitation, and access controls by default. The update introduces a dedicated subsection on the children’s higher protection matters duty added by the Data (Use and Access) Act 2025, clarifying additional requirements for online services likely to be accessed by children under Articles 25(1A), 25(1B), and 25(4). The guidance also addresses controller responsibility, processor involvement, data protection impact assessments, governance measures, and certification mechanisms under Article 25(3).