The rules and governance that bind the Great Britain energy data layer in May 2026, from the Data (Use and Access) Act 2025 through UK GDPR to the seven industry codes

The rules and governance that bind every data flow in the Great Britain energy system in May 2026 read, in one continuous stack, as follows. The substrate is the Data (Use and Access) Act 2025: Royal Assent on 19 June 2025, with the majority of Part 5's data-protection provisions in force on 5 February 2026 under SI 2026/82 and Section 138 (the Smart Data information powers) in force on 6 February 2026 under SI 2026/31. Above the substrate sits the consolidated UK GDPR as amended by the Act, with the same lawful-basis tests every controller has applied since 2018 plus a refined treatment of recognised legitimate interests and automated decision-making. Alongside the Act sits the Energy Smart Data and Privacy Framework from DESNZ, the policy document that scopes how the Smart Data scheme operates inside the energy domain. Below the substrate sit the seven industry codes (BSC, REC, SEC, CUSC, DCUSA, Grid Code, Distribution Code) and the engineering recommendations the codes incorporate. The stack also carries the four-tier data classification of open, shared, restricted and closed; Schedule 16 of the Act on smart meter communications licences; and the planned transition of the Information Commissioner's Office to a body called the Information Commission, which sits with the Department for Science, Innovation and Technology rather than the energy departments.

Last verified 28 May 2026

Sources and standards

Every regulatory and quantitative claim resolves to either a primary statute on legislation.gov.uk, a statutory instrument on legislation.gov.uk, a published licence condition on the Ofgem licence portal, a published code text from the relevant code body, an Engineering Recommendation from the ENA, or a published policy framework from DESNZ. The cut-off for this revision is 28 May 2026.

Where the rules-and-governance stack stands in May 2026

Four moves in the last twelve months have changed how the data-layer rulebook reads in May 2026. The first move is the Data (Use and Access) Act 2025 itself. Royal Assent landed on 19 June 2025; Commencement Order No. 1 (SI 2025/904) brought a small number of operative provisions into force on 20 August 2025; Commencement Order No. 5 (SI 2026/31) brought Section 138 into force on 6 February 2026; and Commencement Order No. 6 (SI 2026/82) brought the majority of Part 5's data-protection provisions into force on 5 February 2026.[4][9][10] Section 138 sits inside the Smart Data scheme provisions and grants the Secretary of State the information-requirement powers needed to operationalise a sector Smart Data scheme; Part 5 is the data-protection block that amends the UK General Data Protection Regulation in place.

The second move is the practical consolidation of UK GDPR after Part 5 came into force. The retained-EU-law text that has governed personal-data processing in GB since 25 May 2018 is now read together with the Act's amendments. The lawful-basis tests in Article 6 still hold; the rights of access, erasure, restriction, portability and objection still hold; and the regime for automated decision-making under Article 22 still holds. What has shifted is the treatment of recognised legitimate interests (a new statutory list of processing purposes that qualify as legitimate interests without the controller balancing test), the treatment of cookies and similar technologies (lighter touch on consent for specified low-risk uses), and the framing of the Smart Data scheme itself (which lifts certain consumer-authorised data flows into a positive-law route rather than a contractual one).[5]

The third move is the publication of the Energy Smart Data and Privacy Framework by DESNZ. The framework, published as a 2024 update and refreshed in March 2026 alongside the Commencement Orders, is the policy framework for the energy-smart-data scheme that the Act enables.[8] The framework names the consumer-authorised data flows that will run under the Smart Data scheme inside the energy domain, the Privacy Assessment Package each Authorised Third Party will need to complete before reading consumer data, and the role of the Retail Energy Code Company in operating the Consumer Consent Solution that will sit underneath the framework.

The fourth move is the in-flight transition of the Information Commissioner's Office to a new body called the Information Commission. The Act provides the statutory underpinning for the Commission as a body corporate, replacing the current Information Commissioner as the regulator for data protection. The transition has been signalled for late spring or early summer 2026, with the practical handover of statutory functions running through the rest of the year; the Commission inherits the enforcement portfolio and the guidance estate of the Commissioner, with the same maximum-fine envelope of the higher of 17.5 million pounds or 4 percent of global annual turnover.[4] The transition is non-substantive for almost every controller decision (the law it enforces is the same), but it is administratively material because the published guidance estate at ico.org.uk will migrate to the Commission's domain over the year that follows.

Behind these four moves sits the code architecture. The seven industry codes are the operational instruments that translate the licence conditions into named processes. Each code has a code manager, a panel and a modification procedure; together they form the operational governance of the data layer. The framework above and the codes below converge inside the data-classification scheme that every licensee uses to decide what is published openly, what is shared on request, what is restricted under a data-sharing agreement and what is closed under a confidentiality or security obligation. The rest of the page reads each layer in turn.

The regulatory hierarchy from Acts of Parliament down to Engineering Recommendations, with the operative artefacts for the energy data layer named at each tier

Based on the Electricity Act 1989, the Energy Act 2023, the Data (Use and Access) Act 2025 and the licence conditions Ofgem issues under them, the hierarchy below runs across five tiers. The top tier is the primary legislation. The second tier is the statutory instruments that commence and operationalise the Acts. The third tier is the licences Ofgem grants and amends under the Acts. The fourth tier is the seven industry codes the licensees sign up to. The fifth tier is the Engineering Recommendations that the codes incorporate by reference. Each tier names the operative artefact for the data layer in May 2026 and the body that maintains it.

[Figure: The regulatory hierarchy that binds the Great Britain energy data layer, from Acts of Parliament at the top through statutory instruments, licences and codes down to Engineering Recommendations at the bottom. Five horizontal tiers are stacked top to bottom with downward connectors between each pair; the right column at each tier names the maintainer and the citation tag.]

Tier 1: Acts of Parliament. Electricity Act 1989; Energy Act 2023; Data (Use and Access) Act 2025. Primary legislation that grants the statutory powers below. Maintainer: UK Parliament; Royal Assent 19 Jun 2025 on the DUA Act. Commenced and operationalised by statutory instruments.

Tier 2: Statutory instruments. SI 2026/31 brings Section 138 in force; SI 2026/82 brings Part 5 in force. Other SIs include ESQCR 2002 (SI 2002/2665) and SI 2025/904 (Commencement No. 1). Maintainer: UK Statutory Instruments; 5 Feb 2026 and 6 Feb 2026 in force. Operationalised by licences granted under the Acts.

Tier 3: Licences. Transmission, distribution, supply, generation (electricity); transporter, shipper, supplier (gas). Plus smart meter communications licence (DCC) and interconnector licences. Maintainer: Ofgem (Authority); grants under Electricity Act 1989, Gas Act 1986, Energy Act 2008. Each licensee signs up to the codes the licence requires.

Tier 4: Industry codes. BSC, REC, SEC, CUSC, DCUSA, Grid Code, Distribution Code, Uniform Network Code (gas). Each code has a manager, a panel and a modification procedure under section 11A of the Electricity Act. BSC P408 supports MHHS; GC0139 is the in-flight Grid Code modification for whole-system planning data. Maintainer: code managers Elexon (BSC), NESO (CUSC, Grid Code), DC Review Panel. Codes incorporate Engineering Recommendations by reference.

Tier 5: Engineering Recommendations. G98 (micro-generation), G99 (larger generators), G5/5 (harmonics), P28 (voltage fluctuation), P29 (unbalance). Plus P2/7 on security of supply; together they sit inside the Distribution Code by reference. Maintainer: Energy Networks Association (ENA), technical author; G98, G99 Issue 2 (2025).

The hierarchy is read top to bottom. Each tier inherits its powers from the tier above. A new data publication obligation that lands on a licensee follows the pattern: an Act grants the statutory hook; a statutory instrument commences the operative provisions; a licence condition issues under the licence; a code modification adapts the operational procedure; and an Engineering Recommendation adjusts the technical envelope. The May 2026 example carried through the page is the Data (Use and Access) Act 2025 at Tier 1, SI 2026/31 and SI 2026/82 at Tier 2, the smart meter communications licence at Tier 3, the Smart Energy Code at Tier 4, and the Privacy Assessment Package process at the framework level that sits alongside the codes.

The regulatory hierarchy from Acts to Engineering Recommendations, tier by tier

The five tiers stay in view because every reform debate in May 2026 starts by naming an actor and an instrument, and almost every instrument resolves to one of the tiers. A clear view of the tiers turns a casual question (who decides whether the Embedded Capacity Register publishes a new field this year?) into a structured answer (Distribution Code modification under section 11A of the Electricity Act 1989, raised by a DNO or a connected party, with the Distribution Code Review Panel as the deciding panel and Ofgem as the approving authority).

Tier 1 in detail, the three Acts that hold the data layer up

The Electricity Act 1989 is the parent statute. Section 6(1) created the four electricity licence types (generation, transmission, distribution, supply) that still govern the system in May 2026. Section 7 sets the conditions on those licences. Section 11A is the modification gate that every code change has to pass through. The 1989 Act has been amended many times since enactment but the structural anchors (sections 4, 6, 7, 11A, the duties on the Authority under sections 3A and 3B) remain the load-bearing provisions for the data layer.

The Energy Act 2023 added the body of provisions that created NESO as a public corporation independent of National Grid plc, introduced the Future System Operator architecture, brought heat networks under Ofgem regulation, and gave the Authority a statutory net-zero duty. NESO launched on 1 October 2024 under the Energy Act 2023 and now operates under conditions Ofgem issues, varies and enforces under the same framework that the 1989 Act introduced for every other licensee.

The Data (Use and Access) Act 2025 is the most recent of the three primary statutes. Royal Assent on 19 June 2025 set the timetable. The Act is in three substantive blocks. Part 1 is the data-access block that introduces sector Smart Data schemes. Part 5 is the data-protection block that amends UK GDPR in place. Schedule 16 is the energy-specific block that grants smart meter communications licences in line with section 91A of the Energy Act 2008. The Act sits across the data-protection and energy-policy estates, which is why the framework above the operational codes carries provisions from both regimes.[4]

Tier 2 in detail, the statutory instruments that commence and operationalise the Acts

A statutory instrument is the subordinate legislation that an Act delegates to a minister to bring into force or to operationalise. Two are central to the data layer in May 2026. SI 2026/31, the Data (Use and Access) Act 2025 (Commencement No. 5) Regulations 2026, brings Section 138 of the Act into force on 6 February 2026.[9] Section 138 sits inside Part 1's Smart Data scheme provisions and confers the information-requirement powers needed to operationalise a sector Smart Data scheme. SI 2026/82, the Data (Use and Access) Act 2025 (Commencement No. 6) Regulations 2026, brings the majority of Part 5's data-protection provisions into force on 5 February 2026.[10] Part 5 is the block that amends UK GDPR in place.

Other SIs that bind the data layer include the Electricity Safety, Quality and Continuity Regulations 2002 (SI 2002/2665) which set the headline LV envelope at regulation 27; the Network and Information Systems Regulations 2018 (SI 2018/506) which create the cyber-resilience overlay for operators of essential services; the Smart Meters Act 2018 (commencement orders); and the Heat Networks (Market Framework) Amendment Regulations 2026 which brought heat networks under Ofgem regulation on 27 January 2026.

Tier 3 in detail, the licences that turn statutory powers into operational duties

Ofgem grants, varies and enforces the licences under the Electricity Act 1989, the Gas Act 1986 and the Energy Act 2008. Each licence carries Standard Licence Conditions specific to its type. The conditions that bind the data layer include SLC 25 of the Electricity Distribution Licence which produces the Long Term Development Statement; SLC 11.5 which governs network-charging methodology publication; SLC 49 which governs DNO data on connections; and the equivalent transmission-licence conditions for the LTDS published by the three transmission owners. Each SLC is a child of the parent Act and can be varied by Ofgem through the licence-modification procedure under section 11A, with a statutory consultation, an Authority decision and a right of appeal to the Competition and Markets Authority.

The smart meter communications licence is the licence held by the Data Communications Company (DCC). It runs under section 91A of the Energy Act 2008 and Schedule 16 of the Data (Use and Access) Act 2025 confirms the legal basis for the grant. The licence specifies the duties on the licensee in carrying communications between energy suppliers and consumer-end smart meters, including the security and data-protection obligations that sit alongside the Smart Energy Code.[7]

Tier 4 in detail, the seven industry codes and their managers

The seven codes that cover every operational data flow in the GB electricity and gas system are: the Balancing and Settlement Code (BSC), held by Elexon; the Connection and Use of System Code (CUSC), held by NESO; the Distribution Code, held by the Distribution Code Review Panel; the Distribution Connection and Use of System Agreement (DCUSA), held by the DCUSA Service Company; the Grid Code, held by NESO; the Retail Energy Code (REC), held by the Retail Energy Code Company; and the Smart Energy Code (SEC), held by Smart DCC. Gas governance runs alongside under the Uniform Network Code (UNC) held by the UNC committees. Each code has a modification procedure (a CMP for the CUSC, a P for the BSC, a GC for the Grid Code, a SEC modification for the SEC) and a code panel that decides on raised modifications.[2][3]

The in-flight modifications that matter most for the data layer in May 2026 are BSC P408 (which puts in place the BSC arrangements to support the Market-wide Half Hourly Settlement programme, approved in 2021 and progressing through implementation with cutover at Milestone M16 in July 2027) and GC0139 (which updates the Grid Code to mandate the network licensees to publish the planning data that the Strategic Spatial Energy Plan and the Centralised Strategic Network Plan consume; workgroup report 3 December 2025, last updated 7 April 2026).[1][6]

Tier 5 in detail, the Engineering Recommendations that the codes incorporate

Engineering Recommendations are the technical envelopes the codes incorporate by reference. ENA G98 Issue 2 (10 March 2025) sets the connection requirements for micro-generation; G99 Issue 2 (10 March 2025) sets the requirements for larger generators; G5/5 (June 2020) sets harmonic compatibility levels; P28 sets voltage-fluctuation limits; P29 sets voltage-unbalance limits; and P2/7 sets the security-of-supply standard for distribution networks. The Engineering Recommendations are technical artefacts but they bind operationally because the Distribution Code incorporates them by reference. A connection that does not meet the G99 envelope is not compliant with the Distribution Code, even though the Distribution Code text itself does not name the envelope number.

The Data (Use and Access) Act 2025 in detail, Section 138 and the majority of Part 5

The Act runs to 18 Parts, several hundred sections and 16 Schedules. Three substantive blocks bind the energy data layer: the Smart Data block in Part 1, the data-protection block in Part 5, and the smart-meter-communications block in Schedule 16. Each block has its own commencement profile and its own operational implications.

The Smart Data block in Part 1, with Section 138 the operative trigger

Part 1 of the Act creates the legal framework for sector Smart Data schemes. A Smart Data scheme is a regulation-making power that lets a Secretary of State designate a sector (banking, energy, telecommunications) and prescribe how customer data and business data in that sector can be shared with authorised third parties at the customer's request. The pattern was set in 2017 by the Open Banking initiative under the Competition and Markets Authority order on the nine largest retail banks; Part 1 generalises that pattern to other sectors under positive law.

Section 138 is the operative trigger inside Part 1 for the energy domain. It confers the information-requirement powers needed to operationalise a sector Smart Data scheme: a Secretary of State can require a designated data holder to provide specified data to a customer or to an authorised third party acting on the customer's behalf. SI 2026/31 brought Section 138 into force on 6 February 2026.[9] The combination of Section 138 in force and the Energy Smart Data and Privacy Framework operating above it gives the energy domain the positive-law route the framework needs.

The data-protection block in Part 5, with SI 2026/82 the commencement order

Part 5 is the block that amends UK GDPR and the Data Protection Act 2018 in place. SI 2026/82 brought the majority of Part 5's data-protection provisions into force on 5 February 2026.[10] The block introduces the new statutory list of recognised legitimate interests in Article 6(1)(f) processing (so a controller relying on legitimate interests for a purpose on the list does not have to run the three-part balancing test); refines the rules on cookies and similar technologies (so consent is no longer required for specified low-risk uses such as audience-measurement cookies); refines the treatment of automated decision-making under Article 22 (so a wider class of automated decision-making is permissible where the safeguards are met); and confirms the legal basis for international data transfers (so the existing adequacy regulations continue to operate under the same envelope).[5]

Part 5 also introduces administrative changes to the regulator: the planned transition of the Information Commissioner's Office to the Information Commission, the modernisation of the enforcement powers, and the alignment of the regulator's strategic objectives with the statutory net-zero duty that sits across other regulators. The administrative changes are non-substantive for almost every controller decision (the law the regulator enforces is the same), but they reshape the way the regulator's published guidance is hosted and updated.

The smart-meter-communications block in Schedule 16, with Part 1 the operative provisions

Schedule 16 of the Act is the energy-specific block. Schedule 16 Part 1 grants smart meter communication licences in line with section 91A of the Energy Act 2008.[7] The provisions sit alongside Part 1 of the Act (the Smart Data block) and Part 5 (the data-protection block); they put the smart-meter communications licence on the same statutory footing as the other licences the Authority grants. The practical implication is that the DCC's licence terms are now read together with the Act's wider data-access and data-protection provisions, and a change to either feeds through to the operational rules under the Smart Energy Code.

Commencement profile, the public timetable

The public commencement timetable for the Act, in summary, runs as follows. Commencement No. 1 (SI 2025/904) brought a small set of operative provisions into force on 20 August 2025, two months after Royal Assent. Commencement No. 5 (SI 2026/31) brought Section 138 into force on 6 February 2026. Commencement No. 6 (SI 2026/82) brought the majority of Part 5's data-protection provisions into force on 5 February 2026. The remaining provisions (including some Schedule 16 provisions and some Part 5 administrative provisions) are timetabled for further commencement orders through 2026 and into 2027.

| Provision | Commenced by | In force from | Operative effect |
| --- | --- | --- | --- |
| Royal Assent | UK Parliament | 19 June 2025 | Act on the statute book; no operative effect alone |
| Initial provisions | SI 2025/904 (Commencement No. 1) | 20 August 2025 | Foundation provisions; no operational change to controllers |
| Section 138 (Smart Data) | SI 2026/31 (Commencement No. 5) | 6 February 2026 | Information-requirement powers for sector Smart Data schemes |
| Majority of Part 5 (Data protection) | SI 2026/82 (Commencement No. 6) | 5 February 2026 | Amends UK GDPR and the DPA 2018; recognised legitimate interests live |
| Schedule 16 Part 1 | SI 2025/904 in part; further SIs pending | Phased | Smart meter communications licences under Energy Act 2008 s.91A |

UK GDPR as consolidated by the Act, the post-February 2026 ruleset

UK GDPR as consolidated by the Act is the same instrument every controller has applied since 2018, with the practical changes the Act introduced for processing on the legitimate-interests lawful basis, for cookies and similar technologies, and for automated decision-making. The structural articles still hold. Article 5 sets the data-protection principles (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability). Article 6 sets the six lawful bases (consent; contract; legal obligation; vital interests; public task; legitimate interests). Articles 12 to 23 set the rights of data subjects. Article 32 sets the security obligation on every controller and processor.[5]

Recognised legitimate interests under the new statutory list

The substantial change for the energy data layer is the new statutory list of recognised legitimate interests in Article 6(1)(f). Before the Act, a controller relying on legitimate interests as the lawful basis had to run a three-part balancing test for every processing purpose: identify the legitimate interest pursued; show the processing is necessary to pursue it; balance the interest against the data subject's rights and freedoms. After the Act, a controller relying on legitimate interests for a purpose on the new statutory list does not have to run the balancing test (the test is taken to be passed for that purpose). The statutory list is intended to cover specified purposes of recognised public benefit: detecting and preventing crime, public-health emergencies, statutory functions and similar. The energy domain has a small set of processing purposes that the new list affects; in most cases the controller's legitimate-interests assessment under the old test is upheld under the new list.

Cookies and similar technologies under the refined consent regime

The Act refines the consent regime for cookies and similar technologies. Before the Act, every cookie that was not strictly necessary required prior consent from the user. After the Act, consent is no longer required for specified low-risk uses such as audience-measurement cookies that count anonymous visits or strictly functional cookies for accessibility preferences. The change is most material for consumer-facing energy services (price-comparison sites, advice services, tariff-switching services) that previously had to surface a cookie banner for every analytics purpose; the Act lets those services run the audience-measurement workflow without a banner, with a published transparency notice instead.

Automated decision-making under Article 22

The Act refines the treatment of automated decision-making under Article 22. Before the Act, Article 22 prohibited automated individual decisions that produced legal effects or similarly significant effects on a data subject, with three exceptions: contractual necessity, explicit consent and statutory authorisation. After the Act, the prohibition continues to apply but a wider class of automated decision-making is permissible where the safeguards are met (notably, where the controller informs the data subject of the use of automated decision-making, gives the data subject the right to obtain human intervention, the right to express their view and the right to contest the decision). The change is most material for energy services that propose to use AI-driven decision-making in tariff selection, in eligibility for support schemes or in fraud detection.

The lawful-basis tests that still hold without change

The six lawful bases under Article 6 still hold without change to their core conditions. A controller in the energy domain processes personal data on one of: consent (when the data subject has given a specific, informed, freely given, unambiguous consent); contract (when the processing is necessary for the performance of a contract to which the data subject is a party); legal obligation (when the processing is necessary for compliance with a legal obligation to which the controller is subject, for example settlement under the BSC or charging-methodology publication under SLC 11.5); vital interests (when the processing is necessary to protect the vital interests of the data subject or another natural person); public task (when the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller); and legitimate interests (when the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, where the data subject's interests do not override). The new statutory list of recognised legitimate interests amends the legitimate-interests test for the specified purposes only; the other five lawful bases are unchanged.

Special category data, sensitive processing and the Article 9 conditions

Article 9 sets the additional conditions for processing special category data (racial or ethnic origin; political opinions; religious or philosophical beliefs; trade-union membership; genetic data; biometric data for identification; health data; sex life or sexual orientation data). The energy data layer does not generally process special category data, but two edge cases come up: a vulnerability-flagging dataset that includes health-related categories can trigger Article 9 conditions, and disaggregated smart-meter consumption data can reveal religious observance through consumption patterns (for example, the Sabbath profile of a household). The case-by-case approach is to test whether the controller's processing purpose engages Article 9 before relying on the Article 6 lawful basis alone; where Article 9 is engaged, the controller needs an Article 9 condition (explicit consent, employment law obligations, vital interests, public-interest tasks, archiving in the public interest, or substantial public interest under domestic law) in addition to the Article 6 lawful basis.

The rights of data subjects under Articles 12 to 23

The rights of data subjects under Articles 12 to 23 hold without substantive change. The right of access under Article 15 lets a data subject obtain a copy of the personal data the controller holds about them, plus information on the processing purposes, the categories of personal data, the recipients, the retention period and the safeguards. The right to erasure under Article 17 (the right to be forgotten) lets a data subject have personal data erased in defined circumstances (no longer necessary for the purpose, consent withdrawn, processing unlawful, legal obligation to erase). The right to restriction under Article 18 lets a data subject have processing restricted (so the controller can store the data but not process it further) in defined circumstances. The right to portability under Article 20 lets a data subject receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format. The right to object under Article 21 lets a data subject object to processing for specified purposes (legitimate interests; public task; direct marketing). The right not to be subject to automated decision-making under Article 22 lets a data subject obtain human intervention.

The Energy Smart Data and Privacy Framework from DESNZ, the operational overlay for the energy domain

The Energy Smart Data and Privacy Framework is the DESNZ policy framework that sits above the operational codes and below the primary legislation. It scopes how the Smart Data scheme under Part 1 of the Act will operate inside the energy domain. The framework was first published in 2024 and refreshed in March 2026 alongside the Commencement Orders that brought Section 138 and the majority of Part 5 into force.[8]

What the framework names and what it leaves to the codes

The framework names four things at the policy level. It names the consumer-authorised data flows that will run under the Smart Data scheme: a consumer who wants a price-comparison service to read the consumer's half-hourly data, evaluate alternative tariffs and act on the consumer's behalf gets a positive-law route for the data to flow under the framework. It names the Privacy Assessment Package each Authorised Third Party will need to complete before reading consumer data: the package covers the data-protection impact assessment, the security assessment, the consent-architecture description and the redress arrangements. It names the role of the Retail Energy Code Company in operating the Consumer Consent Solution that will sit underneath the framework: the solution is the central register of consumer consents that lets a consumer view, amend and withdraw consents across multiple authorised third parties from one place. And it names the cadence on which the framework itself is reviewed: an annual refresh, with quarterly updates to the underlying technical documents.

The framework leaves the operational detail to the codes. The Smart Energy Code carries the operational rules for the DCC's communications with smart meters. The Retail Energy Code carries the operational rules for the consumer-to-supplier interactions and for the Consumer Consent Solution. The Balancing and Settlement Code carries the operational rules for the settlement of half-hourly data into the supplier accounts. Each code has its own modification procedure; the framework defines the policy envelope inside which the codes operate.

The Privacy Assessment Package, four parts each Authorised Third Party completes

The Privacy Assessment Package the framework defines has four parts. The first part is a Data Protection Impact Assessment under Article 35 of UK GDPR that describes the processing operations and the purposes; assesses the necessity and proportionality of the processing in relation to the purpose; assesses the risks to the rights and freedoms of data subjects; and sets out the measures to address the risks. The second part is a Security Assessment that describes the technical and organisational measures the third party has implemented under Article 32 of UK GDPR, with the assurance levels mapped against the NCSC Cyber Assessment Framework where the data is held in the energy sector or against the equivalent industry frameworks where the data is held in another sector. The third part is a Consent Architecture description that describes how the third party obtains, records, withdraws and refreshes consumer consent under the framework. The fourth part is a Redress Arrangements description that describes how the third party handles consumer complaints, what the consumer's right to redress is, and how the third party interacts with the Energy Ombudsman and the regulator.

The Consumer Consent Solution, central register operated by the Retail Energy Code Company

The Consumer Consent Solution is the central register of consumer consents that the Retail Energy Code Company operates. The solution lets a consumer view, amend and withdraw consents across multiple authorised third parties from one place; it lets an authorised third party verify that a consent it relies on is still current; and it lets a supplier or DCC confirm that an authorised third party has the consent it claims. The solution's minimum viable product is timetabled for late 2026. The operational rules for the solution sit inside the Retail Energy Code and are amended through the REC modification procedure.

The framework's relationship to UK GDPR and the codes, the three regimes side by side

The framework is not a substitute for UK GDPR; the two regimes apply in parallel. A controller in the energy domain processes personal data under UK GDPR for the lawful-basis test, the rights-of-data-subjects regime and the security obligation; under the framework for the consent architecture and the redress arrangements; and under the code for the operational rules. The three regimes converge inside the Privacy Assessment Package: the package shows how the controller meets the UK GDPR obligations, follows the framework's consent architecture and conforms to the code's operational rules.

The framework's historical baseline, the 2012 origins under the smart meter rollout

The framework's policy lineage goes back to the 2012 Smart Meter Data Access and Privacy Framework that the energy department published when the smart-meter rollout was in its early phase. The 2012 framework set the original four-tier granularity ladder for smart-meter data access (daily readings as the default for supplier processing; half-hourly readings only with consumer consent; the half-hourly data settlement profile that the DCC retained for settlement reconciliation; the wider permissions for analytical and research access under further controls). The 2024 update consolidated the framework into the Energy Smart Data and Privacy Framework that DESNZ now publishes, expanding the scope from the smart-meter rollout specifically to the wider energy-smart-data ecosystem. The 2026 refresh aligns the framework with the Data (Use and Access) Act 2025 commencement profile.

The framework's annual cadence and the published technical documents

The framework operates on an annual cadence with quarterly updates to the underlying technical documents. The annual refresh aligns the framework with changes in UK GDPR, in the codes and in the Act's continuing commencement profile. The quarterly updates cover the operational details: the technical specifications for the Privacy Assessment Package, the schema for the Consumer Consent Solution, the operational reporting templates for Authorised Third Parties, and the published register of accredited third parties. A reader who wants to track the framework's current state checks the annual refresh first and the quarterly updates next; the canonical reference is the published framework page on gov.uk and the underlying technical documents the framework links from there.

Schedule 16 of the Data (Use and Access) Act 2025, the smart meter communications licence provisions

Schedule 16 of the Data (Use and Access) Act 2025 is the energy-specific Schedule that confirms and adjusts the statutory basis for smart meter communications licences. The Schedule reads alongside section 91A of the Energy Act 2008, which is the section the Authority grants smart meter communications licences under.[7]

What Schedule 16 confirms about the legal basis for the DCC licence

Schedule 16 Part 1 grants smart meter communication licences in line with section 91A of the Energy Act 2008. The combination of section 91A as the parent power and Schedule 16 as the Data (Use and Access) Act 2025 confirmation puts the DCC's licence on the same statutory footing as the other licences the Authority grants. The practical effect is that the DCC's licence terms are now read together with the Act's wider data-access provisions (Part 1, Smart Data) and the Act's data-protection provisions (Part 5, UK GDPR amendments); a change to either of those blocks feeds through to the operational rules under the Smart Energy Code.

Why Schedule 16 matters operationally, the data-access route through the DCC

The DCC sits at the centre of the smart-meter data layer. It carries the communications between energy suppliers and consumer-end smart meters; it carries the half-hourly readings from the smart meters back to the suppliers for settlement; and it carries the consumer-authorised data flows under the Smart Data scheme from the smart meters to authorised third parties. Schedule 16 puts the DCC's legal basis on a footing that lets the framework's data-access provisions run through the same operational chain that already carries settlement and consumer-authorised data.

The Smart Energy Code as the operational counterpart

The Smart Energy Code is the operational counterpart to Schedule 16. The code carries the operational rules for the DCC's communications with smart meters, including the security envelope, the data-format envelope, the meter-firmware-update envelope and the meter-replacement envelope. The Smart Energy Code is amended through the SEC modification procedure with a code panel, a code modification report and an Authority decision; the modification timetable is typically 12 to 18 months for a substantive change. The May 2026 priority modifications include the modifications that operationalise the framework's Privacy Assessment Package process and the modifications that align the SEC with the post-DUA Act UK GDPR ruleset.

The interaction with the consumer-consent route through the Retail Energy Code

The consumer-consent route moved from the Smart Energy Code to the Retail Energy Code in 2024 as part of the wider reset of the retail-market data architecture. The Smart Energy Code retains the operational rules for the DCC's carriage of consumer-authorised data, while the Retail Energy Code carries the consumer-facing rules for how a consumer grants, amends and withdraws consent. Schedule 16 sits above both: the schedule confirms the statutory basis for the DCC's licence that the SEC operationalises, and the framework above sits across the SEC and the REC together as a single policy envelope. A reader who wants to track how a single consumer-authorised data flow lands in operational rules follows the chain from Schedule 16 down through the SEC and the REC together.

What Schedule 16 does not change about the DCC's existing licence terms

Schedule 16 does not displace the DCC's existing licence terms or the operational rules under the SEC. The DCC's licence continues to specify the duties on the licensee in carrying communications between energy suppliers and consumer-end smart meters, including the security and data-protection obligations. The SEC continues to specify the operational rules for the carriage. Schedule 16 confirms and adjusts the statutory hook, putting the licence on the same statutory footing as the other licences the Authority grants, and the practical effect on the operational rules under the SEC will follow through SEC modifications timetabled across 2026 and 2027.

Code governance for the BSC, REC, SEC, CUSC, DCUSA, Grid Code and Distribution Code modification process

The seven industry codes are the operational instruments that translate licence conditions into named processes. Each code has a manager, a panel and a modification procedure. Each modification procedure is rooted in section 11A of the Electricity Act 1989 (for the electricity codes) or in the equivalent gas provisions (for the Uniform Network Code). The procedure has four shared steps: a proposer raises a modification; the code panel considers it and convenes a workgroup; the workgroup reports back to the panel; the panel makes a recommendation to the Authority and the Authority decides.

The Balancing and Settlement Code held by Elexon, with BSC P408 supporting MHHS

The Balancing and Settlement Code (BSC) is the code that covers the imbalance settlement and the balancing services market in the electricity sector. Elexon is the BSC manager. BSC modifications are numbered as "P" modifications (P408, P432, and so on). The P408 modification puts in place the BSC arrangements to support the Market-wide Half Hourly Settlement programme; it was approved in 2021 and is progressing through implementation with cutover at Milestone M16 in July 2027.[6] The data-volume change from MHHS is large: 33 million MPANs each producing 48 half-hourly observations per day instead of one daily reading produces roughly 1.6 billion observations per day flowing through the settlement chain. The BSC modification procedure is documented at elexon.co.uk and runs through the BSC panel and the Imbalance Settlement Group.

The Retail Energy Code held by the Retail Energy Code Company, with the Consumer Consent Solution due late 2026

The Retail Energy Code (REC) is the code that covers the consumer-to-supplier interactions and the retail-market data flows. The Retail Energy Code Company is the REC manager. REC modifications are numbered as "R" modifications. The R modifications that matter for the data layer in May 2026 are the ones that operationalise the Consumer Consent Solution and the ones that align the REC with the post-DUA Act UK GDPR ruleset. The REC took on the consumer-consent operations from the Smart Energy Code in 2024 and is preparing for the Consumer Consent Solution's minimum viable product in late 2026.

The Smart Energy Code held by Smart DCC, with the smart-meter communications operational rules

The Smart Energy Code (SEC) is the code that covers the operational rules for the DCC's communications with smart meters. Smart DCC is the SEC manager. SEC modifications run through the SEC modification procedure with the Modification Panel and the Authority. The SEC carries the security envelope, the data-format envelope, the meter-firmware-update envelope and the meter-replacement envelope. The 41 million GB smart meters installed by May 2026 (over 80 percent residential coverage) generate the data flows the SEC governs.

The Connection and Use of System Code held by NESO, with the transmission charging methodology

The Connection and Use of System Code (CUSC) is the code that covers the transmission connection and the transmission charging methodology. NESO is the CUSC manager. CUSC modifications are numbered as "CMP" modifications (CMP442, CMP446, and so on). The CMP modifications that matter for the data layer are the ones that change the published charging methodology (CMP442 on TNUoS structural reform) and the ones that change the connections process (the modifications that operationalised the Connections Reform Gate 2 outcomes in April 2026).

The Distribution Connection and Use of System Agreement held by the DCUSA Service Company

The Distribution Connection and Use of System Agreement (DCUSA) is the code that covers the distribution connection and the distribution charging methodology between DNOs, suppliers and connected customers. DCUSA modifications run through the DCUSA Panel. DCUSA covers the data flows for the embedded export tariff, the small-scale embedded generation, and the use-of-system charging for the supplier-DNO interface.

The Grid Code held by NESO, with GC0139 the in-flight planning-data-exchange modification

The Grid Code is the code that covers the transmission-system operation and the technical conditions for connecting to the transmission system. NESO is the Grid Code manager. Grid Code modifications are numbered as "GC" modifications. The Grid Code carries the operational rules for transmission-system frequency control, voltage control, reactive power compensation, ancillary services and balancing.[2] The in-flight Grid Code modification that matters most for the data layer is GC0139, which updates the Grid Code to mandate the network licensees to publish the planning data that the Strategic Spatial Energy Plan and the Centralised Strategic Network Plan consume; the workgroup report was issued on 3 December 2025 and the modification was last updated on 7 April 2026.[1]

The Distribution Code held by the Distribution Code Review Panel, Issue 59 of April 2026

The Distribution Code is the code that covers the operation of the distribution networks. The Distribution Code Review Panel is the Distribution Code manager. The Distribution Code is at Issue 59, dated 24 April 2026, with the same version operated by every DNO.[3] Distribution Code modifications run through the Review Panel and the Authority; they cover the planning standards (P2/7), the connection requirements (G98, G99), the harmonic envelope (G5/5), the voltage-fluctuation envelope (P28) and the voltage-unbalance envelope (P29). The modifications that matter most for the data layer are the ones that update the Engineering Recommendations and the ones that align the Distribution Code with the post-DUA Act UK GDPR ruleset.

The modification process shared across the codes, four steps

The shared modification process across the codes has four steps. Step one is a proposer raising the modification: a code party (a licensee or another signatory) raises the modification in writing, setting out the change proposed, the rationale, the affected provisions and the impact on parties. Step two is the code panel considering the modification: the panel meets, considers the proposal, decides whether to convene a workgroup, and if so sets the terms of reference and the membership. Step three is the workgroup reporting back: the workgroup runs a series of meetings, prepares draft text, runs consultation with parties, prepares the workgroup report and submits it to the panel. Step four is the panel recommendation and the Authority decision: the panel votes on its recommendation; the panel chair submits a modification report to the Authority; the Authority issues a decision, with reasons, and either approves the modification, rejects it, or remits it back to the panel.

The typical timetable for a substantive modification is 12 to 36 months from raising to in-force date. Smaller modifications can run in 6 to 9 months. The longest-running modifications can be in flight for years (CMP442 ran across multiple workgroups before settling). The Authority's decision can be appealed to the Competition and Markets Authority on judicial-review-style grounds.

The shared modification process across the BSC, REC, SEC, CUSC, DCUSA, Grid Code and Distribution Code, four steps and the typical timescales

Drawing on section 11A of the Electricity Act 1989 and the Authority's published guidance on code modifications, the four-step process runs as follows. Step one is the proposer raising the modification. Step two is the code panel considering and convening a workgroup. Step three is the workgroup reporting back to the panel. Step four is the panel recommendation and the Authority decision. The lower band names the typical timescales for each code; the right column names the right of appeal to the Competition and Markets Authority.

Figure: The shared code-modification process across the BSC, REC, SEC, CUSC, DCUSA, Grid Code and Distribution Code, with the four-step gate and the typical timescales. A horizontal flow chart titled "Four-step modification process under section 11A of the Electricity Act 1989", with a timescale band along the bottom showing the typical 12 to 36 months from raising to in-force date and a fast lane of 6 to 9 months for smaller modifications, and a right column showing the right of appeal to the Competition and Markets Authority.

Step 1: Proposer raises. Code party: a licensee or another code signatory raises in writing. Includes: change proposed, rationale, affected provisions.
Step 2: Panel considers. Code panel: meets and considers the proposal. Convenes workgroup: sets terms of reference, membership, timetable.
Step 3: Workgroup reports. Workgroup runs: drafts text, runs consultation with parties. Submits report: workgroup recommendation, analysis, draft text.
Step 4: Authority decides. Panel recommends: panel votes; chair sends modification report. Authority decides: approves, rejects or remits. Right of appeal to CMA.

Typical timescales by code:
BSC (Elexon): 9 to 18 months. P408 approved in 2021, in implementation to July 2027 cutover.
Grid Code (NESO): 18 to 36 months. GC0139 raised in 2023, workgroup report Dec 2025, last updated 7 April 2026.
SEC (Smart DCC): 12 to 18 months.
CUSC (NESO): 12 to 24 months.
REC (RECCo): 9 to 18 months.
Distribution Code (DCRP): 9 to 18 months.
DCUSA: 6 to 12 months.
Right of appeal to CMA in every case.

The shared process is the operational core of code governance. The seven codes differ in their panel composition, their workgroup conventions and their typical timescales, but the four-step gate is the same across all of them. The Authority decision at Step 4 is the only point where the regulator binds the modification; the rest of the process is run by the code parties.

The four-tier data classification of open, shared, restricted and closed, and how it sits in the rules-and-governance stack

The four-tier data classification of open, shared, restricted and closed is the working classification every licensee uses to decide how a dataset is published. The classification is rooted in the Energy Digitalisation Framework and the Data Best Practice principles, and it is the operational consequence of the rules-and-governance stack: a controller running through the framework, the codes and UK GDPR ends up at one of the four tiers for any dataset.

Tier 1 in detail, open data

Open data is data published without restriction under an open licence (typically the Open Government Licence v3.0 for Crown copyright datasets, or CC BY 4.0 for non-Crown datasets). The data is available to any consumer; the publisher does not need to identify the consumer; the publisher does not restrict the use of the data once published. Open data in the energy domain includes the published Long Term Development Statement contents (under SLC 25.2 of the Electricity Distribution Licence); the published transmission charging methodology (under SLC 11.5); the published Embedded Capacity Register summaries; the published settlement-day prices on the Balancing Mechanism Reporting Service; and the published Future Energy Scenarios datasets from NESO.

Tier 2 in detail, shared data

Shared data is data shared between specified parties under a data-sharing agreement or under a licence condition. The publisher identifies the consumer and the consumer agrees to specified use conditions. Shared data in the energy domain includes the DNO-to-NESO data flows under GC0139 (which is in flight to become a Grid Code obligation rather than a bilateral agreement); the DNO-to-DNO data flows that support cross-DNO planning; the data flows between code bodies (Elexon to the BSC parties, REC to the supplier parties); and the data flows between the framework's Authorised Third Parties and the suppliers.

Tier 3 in detail, restricted data

Restricted data is data that is held with restrictions on access, typically because it is personal data under UK GDPR or because it is commercially sensitive. The publisher identifies the consumer, runs the lawful-basis test under UK GDPR, and restricts the use to the purpose specified at the point of collection or consent. Restricted data in the energy domain includes the smart-meter half-hourly readings (personal data under UK GDPR because the readings can identify a household and reveal occupancy patterns); the supplier-customer billing data (personal data; commercially sensitive); the connected-customer load profile data; and the network-asset register entries that hold commercially sensitive parameters.

Tier 4 in detail, closed data

Closed data is data that is held without external sharing, typically because it carries a security obligation (under the Network and Information Systems Regulations 2018, the NCSC Cyber Assessment Framework, or the Critical National Infrastructure regime), because it is subject to a confidentiality obligation under a contract, or because it carries a sub-national-security-classified handling caveat. Closed data in the energy domain includes the operational-technology telemetry that carries the live SCADA picture for the transmission and distribution networks; the cyber-incident reports that NCSC and Ofgem receive under NIS; the contract terms between specified parties that the framework does not designate for sharing; and the network-asset register entries that carry security-sensitive details (specific substation layouts, specific routing of high-criticality circuits).

How the classification reads through the stack, the worked path for a smart-meter reading

A single smart-meter reading walks through the stack as follows. The Data (Use and Access) Act 2025 provides the statutory hook for the data flow (Section 138 for the Smart Data scheme; Part 5 for the data-protection envelope; Schedule 16 for the smart meter communications licence). UK GDPR provides the lawful-basis test (consent or contract for the supplier's processing; the Smart Data scheme provides the positive-law route for an authorised third party). The Smart Energy Code provides the operational rule for the DCC's carriage of the reading. The Retail Energy Code provides the operational rule for the consumer-consent register. The framework provides the policy envelope inside which the codes operate. The classification result is: the reading is restricted data while it is held by the supplier and by the DCC; it becomes shared data when it is shared with an authorised third party under the framework; it may become open data only when it is aggregated and anonymised to a level that breaks the link to the individual household (and the test for whether that level is achieved sits with the controller and is informed by the regulator's guidance on anonymisation).

| Tier | Description | Typical access route | Example datasets |
| --- | --- | --- | --- |
| Open | Published under an open licence | Public download from a published location | LTDS contents; FES datasets; BMRS prices; charging methodologies |
| Shared | Shared under an agreement or licence condition | Data-sharing agreement; code obligation; bilateral arrangement | DNO-to-NESO planning data; code-body to party flows |
| Restricted | Held with access restrictions | Lawful basis under UK GDPR; specified purpose | Smart-meter readings; billing data; load profiles |
| Closed | Not shared externally | Security obligation; confidentiality; classification handling caveat | Operational-technology telemetry; cyber-incident reports; sensitive asset details |

The transition of the Information Commissioner's Office to the Information Commission, still pending in May 2026

The Information Commissioner's Office has been the independent regulator for data protection in the UK since the Data Protection Act 1998. The Office sits with the Department for Science, Innovation and Technology rather than the energy departments; it is independent of the Authority and of the Secretary of State. The Office's enforcement portfolio has steadily grown since 2018 when UK GDPR came into force, and the Office's published guidance estate at ico.org.uk is the canonical reference for almost every controller question.

What the transition does at the statutory level

The Data (Use and Access) Act 2025 provides the statutory underpinning for a new body called the Information Commission. The Commission is a body corporate, replacing the current Information Commissioner as the regulator for data protection. The Commission inherits the enforcement portfolio of the Commissioner and the guidance estate; the maximum-fine envelope of the higher of 17.5 million pounds or 4 percent of global annual turnover continues to apply.[4]

What the timetable looks like in May 2026

The transition has been signalled by DSIT and by the Information Commissioner's Office in published statements for late spring or early summer 2026, with the practical handover of statutory functions running through the rest of the year. The transition is non-substantive for almost every controller decision (the law the regulator enforces is the same), but it is administratively material because the published guidance estate at ico.org.uk will migrate to the Commission's domain over the year that follows. Controllers in the energy domain do not need to alter their lawful-basis assessments or their security postures as a result of the transition; controllers need only update their published privacy notices and their internal references when the Commission's domain is the canonical reference rather than the Office's.

What does not change for the energy data layer

The law that UK GDPR sits inside does not change as a result of the transition. The Articles continue to bind controllers and processors. The lawful-basis test continues to apply. The rights of data subjects continue to apply. The security obligation continues to apply. The enforcement regime continues to apply. The transition is administrative, not substantive; controllers that are running a clean UK GDPR posture in May 2026 do not need to alter the posture as a result of the transition. The transition is most material for the regulator's organisational identity (a Commission with a board, rather than a single Commissioner) and for the published guidance estate (which will migrate over time).

The relationship to the energy regulator and the framework

The Information Commission, like the Information Commissioner before it, sits in parallel to the Authority. The Commission regulates personal-data processing under UK GDPR; the Authority regulates the energy licensees under the Electricity Act 1989, the Gas Act 1986 and the Energy Act 2008. A controller in the energy domain that processes personal data is subject to both regulators; the two regulators can act independently and have separate sanction routes. The Energy Smart Data and Privacy Framework operates across the boundary, with DESNZ as the policy owner, the Commission as the personal-data regulator and the Authority as the energy regulator.

The Network and Information Systems Regulations 2018 as a cyber-resilience overlay alongside UK GDPR

The Network and Information Systems Regulations 2018 (SI 2018/506) are the operative cyber-resilience overlay that sits alongside UK GDPR. The Regulations transpose the EU NIS Directive into the GB regime, designating Operators of Essential Services (OES) in specified sectors and imposing security and incident-reporting obligations on the designated operators. The energy sector is one of the in-scope sectors; the designated operators include the transmission and distribution licensees, NESO, the Smart DCC, and the larger generators above a designation threshold.

The four NIS objectives that map across the controllers

The Regulations rest on four security objectives that the NCSC Cyber Assessment Framework operationalises. The first objective is managing security risk: the operator identifies the assets, the threats and the dependencies; runs a security-management framework; runs supply-chain assurance; and runs assurance against the framework. The second objective is protecting against cyber attack: the operator applies identity and access management; data security; system security; resilient networks and systems; and staff awareness and training. The third objective is detecting cyber security events: the operator runs security monitoring and proactive event discovery. The fourth objective is minimising the impact of cyber security incidents: the operator runs response and recovery planning, and improvement-from-lessons-learned.

How NIS reads alongside UK GDPR for a cyber incident that involves personal data

A cyber incident that causes personal data to leak triggers both regimes. Under NIS the operator notifies NCSC and the Authority within the timescales set in the Regulations. Under UK GDPR the controller notifies the Information Commission within 72 hours of becoming aware of a personal data breach under Article 33, and notifies affected data subjects without undue delay under Article 34 where the breach is likely to result in a high risk to the rights and freedoms of natural persons. The two regulators coordinate in practice but each retains independent sanction power; enforcement notices can come from both.

What NIS adds that UK GDPR does not, and what UK GDPR adds that NIS does not

NIS adds the cyber-resilience obligation on the system, irrespective of whether the data is personal data. A SCADA telemetry feed that carries no personal data is in scope under NIS but is out of scope under UK GDPR; the operator still has the security obligation under NIS even where UK GDPR does not apply. UK GDPR adds the data-protection obligation on personal data, irrespective of whether the data is held inside an essential-service system. A consumer billing dataset held by a supplier outside the in-scope operator list is in scope under UK GDPR but is out of scope under NIS; the supplier still has the data-protection obligation under UK GDPR even where NIS does not apply. The two regimes overlap inside the in-scope operators that hold personal data, and the operator's compliance posture needs to address both.

The enforcement and redress routes a reader can engage with when the rules are tested

The enforcement and redress routes are easier to read when set out in one place rather than scattered through the stack. Each route ties a specific regime to a specific decision-maker, a specific sanction envelope and a specific right of appeal. A controller, a consumer or a third party that is uncertain which route applies can use the table below to walk to the right starting point.

The personal-data route through the Information Commission

The personal-data route runs through the Information Commission (and, until the transition completes, the Information Commissioner's Office). A data subject who is unhappy with a controller's processing can complain to the controller; if the controller does not resolve the complaint, the data subject can complain to the Commission. The Commission can investigate, issue an information notice (requiring the controller to provide information), an enforcement notice (requiring the controller to take or stop a specified action), or a monetary penalty notice (a fine up to the higher of 17.5 million pounds or 4 percent of global annual turnover). The controller has a right of appeal to the First-tier Tribunal (Information Rights).[5]

The energy-regulator route through the Authority

The energy-regulator route runs through the Authority. A licensee that is alleged to be in breach of a Standard Licence Condition can be the subject of a compliance investigation by the Authority, which can issue a final order, a provisional order, a compliance order, or a financial penalty. The financial-penalty envelope under the Electricity Act 1989 is set by reference to turnover. The licensee has a right of appeal to the Competition and Markets Authority on judicial-review-style grounds. The Authority's published Enforcement Guidelines set out the procedural framework. The Authority publishes its compliance and enforcement decisions on its website, and the decisions are catalogued on the EPR (electricity policy register) portal at epr.ofgem.gov.uk.

The consumer-redress route through the Energy Ombudsman

The consumer-redress route runs through the Energy Ombudsman. A consumer who is unhappy with their supplier (a billing dispute, a customer-service complaint, a switching issue, a complaint about the supplier's handling of personal data alongside the Commission route) can complain to the supplier first and then escalate to the Energy Ombudsman. The Ombudsman can investigate, issue a binding decision on the supplier (up to a specified award envelope), and require remedies including apologies, goodwill payments and corrected billing. The Citizens Advice consumer service is the signposting and advice service that supports the consumer through the route. The Ombudsman publishes its annual reports and aggregate decision statistics on its website.

The code-modification route through the code panels and the Authority

The code-modification route runs through the code panels and the Authority. A code party that wants to change a code provision raises a modification with the relevant code body; the code panel considers the modification; the workgroup reports; the panel recommends; the Authority decides. A code party that is unhappy with the Authority's decision on a modification has a right of appeal to the Competition and Markets Authority on judicial-review-style grounds. The CMA's decisions on code-modification appeals are catalogued on its website and form part of the operational record on each modification.

The framework-redress route through the Privacy Assessment Package process

The framework-redress route runs through the Privacy Assessment Package process inside the Energy Smart Data and Privacy Framework. An Authorised Third Party whose Package is rejected or whose accreditation is suspended has a right of representation under the framework's published procedures; the framework's accreditation body considers the representations and makes a final decision; the third party retains its right under general administrative law to challenge a decision by judicial review. A consumer who has authorised a third party under the framework and is unhappy with the third party's processing has the personal-data route to the Commission and the consumer-redress route to the Ombudsman in addition to the framework-internal redress.[8]

| Route | Regime | Decision-maker | Right of appeal |
| --- | --- | --- | --- |
| Personal data | UK GDPR; DPA 2018 | Information Commission | First-tier Tribunal (Information Rights) |
| Licence breach | Electricity Act 1989; Gas Act 1986 | Authority (Ofgem GEMA) | Competition and Markets Authority |
| Consumer complaint | Supply licence conditions | Energy Ombudsman | Binding on supplier; consumer retains other routes |
| Code modification | Section 11A; code modification procedures | Authority on panel recommendation | Competition and Markets Authority |
| Framework accreditation | Energy Smart Data and Privacy Framework | Framework accreditation body | Internal review; judicial review |
| NIS incident | NIS Regulations 2018 | NCSC with Authority for the energy sector | First-tier Tribunal (NIS enforcement) |

A worked controller decision under UK GDPR and the Energy Smart Data and Privacy Framework

A worked example makes the rulebook easier to read against a concrete path through it. The example is a price-comparison service that wants to read a consumer's half-hourly smart-meter data, evaluate alternative tariffs and offer a switch on the consumer's behalf. The service is an Authorised Third Party under the Energy Smart Data and Privacy Framework; the data is personal data under UK GDPR; the access route is the Smart Data scheme under Part 1 of the Data (Use and Access) Act 2025.

Worked example: price-comparison service requesting half-hourly smart-meter data

Step 1, the data category. The half-hourly smart-meter reading is personal data under UK GDPR because it relates to an identified or identifiable natural person (the household represented by the meter-point). The case-law and the Information Commissioner's Office position on smart-meter data have been settled since 2012.

Step 2, the lawful basis. The service identifies the lawful basis under Article 6 of UK GDPR. The available bases are consent (Article 6(1)(a)) or legitimate interests (Article 6(1)(f)). The service relies on consent because the Smart Data scheme operates through consumer-authorised consent rather than through a controller's legitimate-interests assessment.

Step 3, the consent architecture. The service follows the framework's consent architecture. The service obtains consent from the consumer through the Consumer Consent Solution that the Retail Energy Code Company operates. The consent is specific (to the named processing purpose), informed (the consumer reads the privacy notice the service publishes), freely given (the consumer can switch the service off at any time) and unambiguous (a positive opt-in).

Step 4, the Privacy Assessment Package. The service prepares and submits the Privacy Assessment Package to the framework's accreditation body. The package contains the Data Protection Impact Assessment under Article 35 of UK GDPR; the Security Assessment under Article 32; the Consent Architecture description; and the Redress Arrangements description.

Step 5, the operational route. The service receives accreditation as an Authorised Third Party. The service can then request the half-hourly data from the supplier (which holds the data under the Smart Energy Code's settlement flow) through the framework's operational route. The supplier verifies that the service has the consent it claims (through the Consumer Consent Solution) and releases the half-hourly data to the service for the specified purpose.

Step 6, the ongoing obligations. The service holds the data, subject to the ongoing UK GDPR obligations: the principles under Article 5; the data subject rights under Articles 12 to 23; the security obligation under Article 32; the breach-notification obligation under Articles 33 and 34. The service also holds the data, subject to the framework's ongoing obligations: the annual refresh of the Privacy Assessment Package; the ongoing reporting on consent withdrawals; the ongoing reporting on operational incidents. Finally, the service holds the data, subject to the codes' operational rules: the Retail Energy Code rules for the Consumer Consent Solution; the Smart Energy Code rules for the communications with the DCC; the Balancing and Settlement Code rules for the settlement-data envelope.

The result: the price-comparison service operates under three regimes in parallel (UK GDPR; the framework; the codes), with one shared lawful-basis and consent architecture (consumer-authorised consent under the Smart Data scheme), one shared technical operational chain (DCC, supplier, REC, BSC), and one shared consumer-redress route (the framework's redress arrangements feeding into the Energy Ombudsman and the Information Commission).

The worked example shows the rules-and-governance stack working end to end. The Act provides the statutory hook; UK GDPR provides the data-protection envelope; the framework provides the policy envelope; the codes provide the operational rules. The four layers converge inside a single controller decision. A reader who can walk the path from the consumer's consent at the top down to the half-hourly reading flowing into the service at the bottom can read every other data flow in the energy domain by the same path.

Primary sources for every claim above

The most load-bearing sources are listed below.

  1. GC0139: Enhanced Planning-Data Exchange to Facilitate Whole System Planning; NESO with Ofgem (Authority); workgroup report 3 December 2025; last updated 7 April 2026. https://www.neso.energy/industry-information/codes/gc/modifications/gc0139-enhanced-planning-data-exchange-facilitate-whole-system-planning
  2. The Grid Code, NESO, Issue 6 Revision 37, 13 April 2026. https://www.neso.energy/industry-information/codes/grid-code-gc
  3. The GB Distribution Code, Issue 59, 24 April 2026, Distribution Code Review Panel. https://www.dcode.org.uk/
  4. Data (Use and Access) Act 2025; Chapter 18; Royal Assent 19 June 2025; core data-protection provisions in force 5 February 2026. https://www.legislation.gov.uk/ukpga/2025/18
  5. UK GDPR as consolidated by the Data (Use and Access) Act 2025; core DUA Act amendments in force 5 February 2026; ICO guidance plus DUA Act sections 1 to 85. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/
  6. BSC Modification P408; Elexon BSC; puts in place the BSC arrangements to support the Market-wide Half Hourly Settlement programme. https://www.elexon.co.uk/mod-proposal/p408-bsc-arrangements-to-support-mhhs/
  7. Data (Use and Access) Act 2025 Schedule 16 Part 1; smart meter communication licences in line with section 91A of the Energy Act 2008. https://www.legislation.gov.uk/ukpga/2025/18/schedule/16
  8. Energy Smart Data and Privacy Framework; DESNZ; current version with 2024 baseline and 2026 refresh. https://www.gov.uk/government/publications/energy-smart-data-and-privacy-framework
  9. Data (Use and Access) Act 2025 (Commencement No. 5) Regulations 2026; SI 2026/31; Section 138 in force 6 February 2026. https://www.legislation.gov.uk/uksi/2026/31/made
  10. Data (Use and Access) Act 2025 (Commencement No. 6) Regulations 2026; SI 2026/82; majority of Part 5 data-protection provisions in force 5 February 2026. https://www.legislation.gov.uk/uksi/2026/82/contents/made

The Electricity Act 1989, the Gas Act 1986, the Energy Act 2008 and the Energy Act 2023 are cited inline as the parent statutes for the licence regime that holds every code condition above. The Standard Licence Conditions cited inline are catalogued in the Ofgem licence portal at epr.ofgem.gov.uk. The Engineering Recommendations cited inline are catalogued by the ENA at energynetworks.org.