Keep up to date with your latest data protection requirements
The Information Commissioner’s Office (ICO) has updated its guidance on data protection by design and by default under the Data Use and Access Act (DUAA).
The update was developed with input from small businesses and organisations to make the information clearer and more practical. It includes simplified language, new examples to support implementation, and details of a new duty – ‘Children’s higher protection matters’.
What organisations need to know
Under the UK General Data Protection Regulation (UK GDPR), you must build data protection into every stage of how you collect, use and store personal information.
Data protection by design means considering privacy and security from the outset of any project. Data protection by default means limiting the personal data you collect and use to what is necessary for each specific purpose.
The new ‘Children’s higher protection matters’ duty introduced under DUAA applies if your service is likely to be accessed by children. You must now take this into account when deciding what safeguards to put in place. This change strengthens safeguards for children’s personal information and helps organisations meet their obligations under the UK GDPR and DUAA.
What to do next
Review the updated guidance and check how the DUAA changes apply to your organisation.
Make sure your organisation applies data protection by design and by default throughout the lifecycle of your products and services. Pay particular attention if your service is likely to be used by children.
You can read the full design and default guidance on the ICO website.
First published 10 February 2026




