This update concerns data protection and AI governance frameworks with no direct connection to financial services products or deposit-taking, investment management, lending, or digital asset services.
While financial institutions may be subject to these data protection rules, the update itself is a general UK data protection and AI governance regulation with no specific financial services product angle.
Specialism
The update establishes regulatory requirements for AI and automated decision-making in personal data processing under UK GDPR and the Data Protection Act 2018, which directly concerns AI governance in financial services.
Mandatory inheritance: Artificial Intelligence is a child of Technology, so Technology must be raised as the secondary tag.
2026-04-22 11:54:24·csoo@vixio.com
Meta Id
3083711
Content ID
3092193
GUID
1060f477dd54a7bdad3ead23a0338d37
Pipeline Progress
🔄 Pipeline Journey
⏱
11s
total
✓
Queued11:54:12
+0s
✓
Metadata11:54:12
+0s
✓
S3 Content11:54:12
+0s
✓
Extracted11:54:12
+3s
✓
LLM Gen11:54:15
+8s
✓
Stored11:54:23
TITLE: United Kingdom Parliament Establishes Code of Practice Requirements for Artificial Intelligence and Automated Decision-Making
BODY:
On 16th April 2026, the Secretary of State made The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026 (Statutory Instrument 2026 No. 425). The regulations were laid before Parliament on 21st April 2026 and come into force on 12th May 2026.
The regulations require the Information Commissioner to prepare a code of practice providing guidance on good practice in processing personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 in relation to developing and using artificial intelligence and automated decision-making. The code of practice must include specific guidance on processing children's personal data. Automated decision-making is defined as decision-making to which Article 22C(1) of the UK GDPR or section 50C(1) of the Data Protection Act 2018 applies. The relevant data protection legislation covers the UK GDPR and the Data Protection Act 2018, except Part 4 (intelligence services processing).
The regulations modify the requirements for the Information Commissioner to establish a panel to consider the code of practice by providing that the panel must not consider or report on any aspect of the code relating to national security. The Information Commissioner is required to produce an impact assessment when preparing the code of practice. The regulations extend to England and Wales, Scotland and Northern Ireland.
**Reference:**
The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026, Statutory Instrument 2026 No. 425
Status: This is the original version (as it was originally made). This item of legislation is currently only available in its original format. STATUTORY INSTRUMENTS 2026 No. 425 DATA PROTECTION The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026 Made - - - - 16th April 2026 Laid before Parliament 21st April 2026 Coming into force - - 12th May 2026 The Secretary of State makes these Regulations in exercise of the powers conferred by section 124A(1) and (2) and section 124B(11) of the Data Protection Act 2018(1). In accordance with section 182(2) of that Act, the Secretary of State has consulted the Commissioner and such other persons as the Secretary of State considers appropriate. Citation, commencement, extent and interpretation 1.—(1) These Regulations may be cited as The Data Protection Act 2018 (Code of Practice on Artificial Intelligence and Automated Decision-Making) Regulations 2026. (2) These Regulations come into force 21 days after the day on which they are laid. (3) These Regulations extend to England and Wales, Scotland and Northern Ireland. (4) In these Regulations, “the 2018 Act” means the Data Protection Act 2018. The code of practice 2.—(1) The Commissioner must prepare an appropriate code of practice giving guidance as to good practice in the processing of personal data(2) under the relevant data protection legislation in relation to— (a) developing and using artificial intelligence, and (b) automated decision-making. (2) The code of practice must include guidance as to good practice in the processing of children’s personal data. (3) In this regulation— (1) 2018 c. 12. Sections 124A and 124B were inserted by sections 92(2) and 93, respectively, of the Data (Use and Access) Act 2025 (c. 18). Commissioner is defined in section 3(8) of the Data Protection Act 2018 as the Information Commissioner. (2) See section 124A(7) of the Data Protection Act 2018 for the meaning of “good practice in the processing of personal data”. Document Generated: 2026-04-21 Status: This is the original version (as it was originally made). This item of legislation is currently only available in its original format. “automated decision-making” means— (a) decision-making to which Article 22C(1) of the UK GDPR(3) applies, or (b) decision-making to which section 50C(1) of the 2018 Act(4) applies. “relevant data protection legislation” means— (a) the UK GDPR, and (b) the 2018 Act, except Part 4 of that Act. Modification to panel requirements 3. Section 124B of the 2018 Act applies to the preparation or amendment of the code of practice required under regulation 2 as if after subsection (7) there were inserted— “(7A) The panel must not consider or report on any aspect of the code relating to national security.”. Ian Murray Minister of State Department for Science, Innovation and 16th April 2026 Technology (3) Article 22C was inserted by section 80 of the Data (Use and Access) Act 2025. See section 3(10) of the Data Protection Act 2018 for the meaning of “the UK GDPR”. (4) Section 50C was inserted by section 80 of the Data (Use and Access) Act 2025. 2 Document Generated: 2026-04-21 Status: This is the original version (as it was originally made). This item of legislation is currently only available in its original format. EXPLANATORY NOTE (This note is not part of the Regulations) These Regulations require the Information Commissioner (“the Commissioner”) to prepare a code of practice on the processing of personal data under relevant data protection legislation in relation to developing and using artificial intelligence and automated decision-making. Relevant data protection legislation is defined in regulation 2 as the UK GDPR and the Data Protection Act 2018 (“the 2018 Act”), except Part 4 (intelligence services processing). Regulation 3 modifies the requirements under section 124B of the 2018 Act for the Commissioner to establish a panel of individuals to consider the code of practice by providing that the panel must not consider or report on any aspect of the code of practice relating to national security. A full impact assessment has not been produced for this instrument as no, or no significant, impact on the private, voluntary or public sector is foreseen as a result of the instrument itself. The Commissioner is required to produce an impact assessment when preparing the code of practice under these Regulations. 3