UK Enacts SI 2026/425: Mandating the First Statutory Data Protection Code of Practice for AI and Automated Decision-Making
In a major departure from its historically voluntary, sector-led approach to artificial intelligence regulation, the United Kingdom has established its first statutory obligation for an AI and Automated Decision-Making (ADM) code of practice. On May 12, 2026, The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026 (SI 2026/425) officially entered into force across England, Wales, Scotland, and Northern Ireland.
This statutory instrument places a binding legal duty on the UK Information Commissioner's Office (ICO) to draft, consult on, and publish a statutory Code of Practice that will govern how personal data is processed when developing and deploying AI and automated decision-making systems.
Key Provisions of SI 2026/425
- Mandatory Code of Practice: Under Regulation 2(1), the Information Commissioner must prepare a code of practice providing guidance on "good practice" in the processing of personal data under the UK GDPR and the Data Protection Act 2018 (excluding intelligence services processing under Part 4) in relation to:
  - Developing and using artificial intelligence, and
  - Automated decision-making (ADM).
- Focus on Children's Data: Regulation 2(2) explicitly mandates that the statutory code must include "guidance as to good practice in the processing of children's personal data."
- Defining Automated Decision-Making: ADM is defined with specific reference to Article 22C(1) of the UK GDPR and section 50C(1) of the 2018 Act, connecting the code directly to statutory restrictions on profiling and automated individual decision-making.
- National Security Exemption: Regulation 3 modifies Section 124B of the Data Protection Act 2018, specifying that the advisory panel established to review the Commissioner's draft code "must not consider or report on any aspect of the code relating to national security."
Verbatim Quotes
From the statutory text of SI 2026/425:
"The Commissioner must prepare an appropriate code of practice giving guidance as to good practice in the processing of personal data under the relevant data protection legislation in relation to— (a) developing and using artificial intelligence, and (b) automated decision-making."
"The code of practice must include guidance as to good practice in the processing of children’s personal data."
From the Fieldfisher Legal Update:
"The ICO is the next focus and the team looks at... a new Code of Practice on AI and Automated Decision Making Regulations together with the new guidance on storage and access technologies."
What This Means for Enterprises
While SI 2026/425 does not directly regulate AI software or impose direct civil liability on its own, it creates the legal mandate for a statutory "rulebook" that the ICO will use to enforce the UK GDPR.
- Transition from Guidance to Statutorily Backed Rules: Historically, the ICO's AI guidance and risk toolkits were persuasive but voluntary. Once the statutory Code of Practice is finalized and approved by Parliament, it will carry significant weight in courts and regulatory enforcement actions. Non-compliance with a statutory code under the Data Protection Act 2018 is highly influential in establishing whether an organization breached the UK GDPR.
- Heightened Focus on AI Profiling and Children: Any enterprise using AI for automated hiring, credit scoring, marketing profiling, or user personalization—particularly where children are involved—must prepare for a much stricter, statutorily backed regulatory regime.
- Upcoming Public Consultation: The ICO is expected to launch a broad public consultation on the draft code in mid-2026, which will serve as a key opportunity for enterprises to provide input on the operational feasibility of the proposed rules.