
UK data protection changes in 2026: What businesses must do now

Thanks to the DUAA, the UK’s data protection rules have undergone a post-Brexit and post-GDPR refresh, with big changes as of June 2026. Here’s your crash course.


Key Takeaways

  • The Data (Use and Access) Act 2025 updates UK data protection law, but does not replace UK GDPR or the Privacy and Electronic Communications Regulations, known as PECR.
  • For the majority of smaller businesses, practices for cookies, marketing, Subject Access Requests (SARs), and automated decision-making may need refreshing.
  • Data-focused businesses and enterprises may require more significant work to understand the changes and remain compliant, if they haven’t already put this in place.
  • Every organisation must have a route for people to make data protection complaints.

The Data (Use and Access) Act 2025, often shortened to DUAA, is the first major UK-specific reshaping of data protection since the introduction of the GDPR in 2018, and Brexit in 2020.

It amends the UK GDPR legislation, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations, known as PECR. It has been switched on in stages after becoming law in 2025, with June 2026 marking the final major phase of the core data protection changes.

But don’t panic if this is the first time you’re hearing about it. This definitely isn’t GDPR all over again.

For most businesses outside of enterprises, data-heavy industries, and specialist scientific operations, it’s more about focused policy-and-process review—and some colleague education.

Here’s what we discuss in this article, which is non-exhaustive and should not be considered a substitute for seeking legal advice specific to your business and situation:

What’s changed with data protection for businesses as of 2026?

For most small businesses, the DUAA means you still need to use personal information fairly, lawfully, and transparently. You still need to keep it secure. You still need to respond to people’s rights.

But you may need to update how you explain, document and manage those responsibilities.

First, some brief history.

The DUAA became law in June 2025 and had a staged rollout over the following 12 months.

Some of its changes have made headline news because they affect UK individuals.

For example, the digital identity measures came into effect on 1 December 2025. The deepfake intimate-image offence came in on 6 February 2026.

But from a business perspective, the big compliance items came into effect as follows:

  • 5 February 2026: Clearer rules for using data in research, a new list of “recognised legitimate interests” that don’t need a balancing test, more flexibility around automated decision-making, a lighter touch on certain cookies, and confirmation that subject access request searches only need to be “reasonable and proportionate.”
  • 19 June 2026: Mandatory data protection complaints handling.
  • 23 June 2026: The updated data protection enforcement rules and aligned penalty scales are officially active.

Let’s dig into all of this, beginning with the most important changes for the average smaller business.

The 2 new obligations: Complaints, and children’s data

Two changes are genuinely new duties.

Complaints under the DUAA

First, you must now give people a clear way to complain to you directly about how you handle their personal data.

Essentially, the law now expects organisations to provide a simpler route for people to raise data protection complaints directly with them before matters escalate to the Information Commissioner’s Office (ICO).

This route could be, for example, an electronic complaints form or a monitored email address.

What’s more, you have to acknowledge the complaint within 30 days and respond without undue delay, keeping a record of what you did.

While there isn’t a hard legislative deadline for the final response, the ICO expects matters to be resolved promptly, and best-practice guidance from data protection practitioners suggests you should aim to conclude within three months.

The legislation says that complaints can arrive by any channel and might not use the words “data protection,” so frontline staff may need training to recognise them.

Children must be taken into account under the DUAA

The second obligation is that, if you run an online service likely to be used by children, you must explicitly take their needs into account when deciding how to use their data.

If you already follow the ICO’s Age appropriate design code, you’re largely there. If not, it’s the best place to start.

The code is built around 15 flexible standards that set expectations rather than banning or prescribing specific practices, and its key practical points are:

  • Settings must be “high privacy” by default, unless there’s a compelling reason not to.
  • Only the minimum amount of personal data should be collected and retained.
  • Children’s data should not usually be shared.
  • Geolocation services should be switched off by default.
  • “Nudge techniques” should not be used to encourage children to provide unnecessary personal data or to weaken or turn off their privacy settings.

The code also addresses parental controls and profiling.

Marketing and cookies: Privacy and Electronic Communications Regulations (PECR) changes in the DUAA

There’s helpful flexibility when it comes to PECR changes.

Some lower-risk cookies, such as those used purely for website analytics or to remember a user’s preferences, can now be set without consent—provided you’re transparent and offer an opt-out.

This is an attempt to cut down on “cookie banner fatigue”, so that the user isn’t bothered quite as much with permission requests upon first visiting a site or other digital asset.

Advertising and tracking cookies still need consent, though, so your banner should keep “reject” as easy to find as “accept” if you’re using the likes of Google AdSense or Analytics.
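As an added illustration, not code from the original article or from any cookie-consent product, here is how a site’s cookie loader could encode the split described above: functional and analytics cookies set by default but honouring an opt-out, advertising cookies only after an explicit opt-in, and “reject all” handled as a first-class banner action. The cookie names and category rules are constructed for the example.

```javascript
// Added example: a small consent-gating policy for a site's cookie loader, encoding the
// PECR position described above. Category rules and cookie names are constructed, not
// taken from any real site or from the ICO's guidance text.
const POLICY = {
  functional:  { needsConsent: false }, // e.g. remembering a language preference
  analytics:   { needsConsent: false }, // low-risk site statistics, opt-out must be offered
  advertising: { needsConsent: true },  // advertising / tracking cookies: opt-in only
};

// Constructed registry of the cookies this hypothetical site would like to set.
const COOKIE_REGISTRY = [
  { name: 'lang_pref',  category: 'functional' },
  { name: 'site_stats', category: 'analytics' },
  { name: 'ad_tracker', category: 'advertising' },
];

// Visitor choices: category -> true (opted in) or false (opted out).
// A missing key means the visitor has not made a choice for that category yet.
function mayBeSet(cookie, choices) {
  const rule = POLICY[cookie.category];
  if (!rule) return false;                          // unknown category: fail closed
  const choice = choices[cookie.category];
  if (rule.needsConsent) return choice === true;    // consent cookies: explicit opt-in only
  return choice !== false;                          // exempt cookies: set unless opted out
}

// Split the registry into cookies that may be set now and cookies that must be
// blocked (and expired, if a previous visit already set them).
function applyPolicy(registry, choices) {
  const set = [], block = [];
  for (const cookie of registry) {
    (mayBeSet(cookie, choices) ? set : block).push(cookie.name);
  }
  return { set, block };
}

// Translate a banner action into choices. "reject_all" is a first-class action so the
// banner can offer it as prominently as "accept_all", as the article recommends.
function bannerChoices(action) {
  const all = Object.keys(POLICY);
  if (action === 'accept_all') return Object.fromEntries(all.map(c => [c, true]));
  if (action === 'reject_all') return Object.fromEntries(all.map(c => [c, false]));
  return {};  // banner dismissed or not yet answered: no advertising cookies
}
```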

Charities gain a new “soft opt-in,” letting them email people who have supported or shown interest in their work, unless those people object. Commercial organisations have had this for some time, so this simply aligns charities with other kinds of business. It allows charities to send direct marketing to existing supporters who have expressed interest in their causes, which greatly simplifies fundraising outreach.

Subject Access Request (SAR) changes in the DUAA

Handling Subject Access Requests (SARs) has become much more manageable for small businesses, thanks to two common-sense changes.

First, the law officially codifies a “reasonable and proportionate” search standard. This legally confirms that you do not have to conduct an exhaustive, “leave no stone unturned” hunt through every backup server or deleted item for personal data. You just need to make a well-documented, reasonable effort.

Second, the Act introduces a helpful “stop the clock” provision. If a request is vague, you can pause the standard one-month response deadline while you ask the individual for clarification, and the countdown only resumes once they provide the details you need.

Combined with a brand-new statutory exemption for legal professional privilege (meaning you are not required to hand over confidential correspondence between your business and its legal team), these updates protect small teams from being buried under weaponised SARs from activists, or overly burdensome admin traps.

Other changes under the DUAA

The following changes might not affect all businesses but are worth reading through to check against what you do day-to-day:

  • Commercial research and development is officially “scientific research”: Under the old framework, there was a lingering misconception that “scientific research” only applied to universities or public health bodies. The DUAA clears this up by introducing a wide statutory definition: scientific research is any research that can reasonably be described as scientific, whether it is publicly or privately funded, and whether it is carried out as a commercial or non-commercial activity. What’s more, it introduces a broad consent concept, where you can ask individuals to consent to a generalised area of research, rather than many specifics.
  • Legitimate Interest Assessments (LIAs): The DUAA introduces “recognised legitimate interests” for activities like crime prevention, safeguarding vulnerable individuals, or public emergencies. If you share data with authorities for these specific reasons, you no longer need to complete a complex balancing test document.
  • Automated Decision-Making (ADM) policies: Do you use algorithmic software or AI tools to make automatic, significant decisions about people without human intervention (such as automated CV screening for jobs or automated credit checks)? In the DUAA, the strict prohibition on ADM has been lifted for non-sensitive data, but you must still provide clear transparency and a meaningful path for the applicant to request a manual human review if they want to contest the result.

The ICO now has upgraded enforcement powers and penalties

The Information Commissioner’s Office (ICO) now has stronger enforcement powers should it need them. These include the ability to compel a witness to attend an interview (e.g. requiring an individual in a business to explain its practices), and to require organisations to produce reports (at the business’s expense).

There are some potential financial changes, too. ICO fines under PECR, which cover cookies and electronic marketing, now align with UK GDPR levels, reaching up to £17.5 million or 4% of global turnover in the most serious cases. This is up from the old £500,000 cap.

The practical takeaway is that marketing and cookie compliance now carries the same level of risk as the rest of your data handling. This may affect any business indemnity insurance for data protection.

From the ICO’s perspective, this is all part of its transition into a new Information Commission-style structure with modernised enforcement capabilities.

What businesses should do right now for the DUAA

For most smaller organisations, a focused review of your existing data protection documentation and measures will likely be necessary, along with awareness sessions for colleagues.

Here are some non-exhaustive suggestions for what to review and sense-check, and for educating your wider team:

  • Privacy notices: Update the wording on your website privacy policy to clearly signpost how an individual can lodge a data protection complaint directly with you.
  • Complaints procedures: Document an internal process so that whoever monitors your customer service channels or generic email inboxes knows how to identify a data complaint, log it, and trigger the 30-day acknowledgement.
  • Subject Access Request (SAR) handling: Train your team on the updated “reasonable and proportionate” search standard and the “stop the clock” provision for vague requests.
  • Cookie practices: Audit your website’s cookies policies. If you are only using them for basic analytics and page functionality, you may be able to streamline or completely remove your cookie banner.
  • Legitimate Interest Assessments (LIAs): If you share data with authorities for a recognised legitimate interest (such as crime prevention, safeguarding vulnerable individuals, or public emergencies), you no longer need to complete a complex balancing test document. Ensure this is documented and that those handling LIAs know what to do.
  • Automated Decision-Making (ADM) policies: The strict prohibition on ADM has been lifted for non-sensitive data, but you must still provide clear transparency and a meaningful path for the applicant to request a manual human review if they want to contest the result. Ensure this is documented, and colleagues know what to do.

If you feel you might need outside help, then get it. Don’t leave anything to chance or leave any area shrouded in ambiguity.

But for many businesses, the above should genuinely complete the necessary work. Like we said earlier, the DUAA is not GDPR 2.0.

If you’re a more data-driven organisation, or a larger one, the changes might run deeper and you’ll want specialist support—though if that’s you, the chances are you’ve already got this completed or at least underway by the time you’re reading this article.

Final thoughts

The Data (Use and Access) Act is a sensible modernisation of rules you already follow.

For most smaller businesses, the work is targeted: review a few key policies, set up a proper complaints route, and tidy up your cookie practices.

Do that now, while the changes are fresh, and you can treat compliance as a quick tune-up rather than a scramble later.

If in doubt, the ICO’s guidance is free, plain-English and a good place to sense-check what you’ve done.

Frequently asked questions

Does the Data (Use and Access) Act 2025 replace UK GDPR?

No. It amends UK GDPR, the Data Protection Act 2018, and PECR rather than replacing them. The core principles and most of your existing obligations stay the same. But you will need to review and possibly modify some areas of your business with regard to data usage—from documentation, to colleague education.

When did the data protection changes come into force?

The main reforms took effect on 5 February 2026, and the new duty to handle data protection complaints applies from 19 June 2026.

What is the new data protection complaints requirement?

You must give people a clear way to complain directly about how you use their data, acknowledge any complaint within 30 days, and respond without undue delay—keeping a record throughout.

Do I still need a cookie consent banner?

It’s likely you will. Some analytics and functionality cookies no longer need consent, but advertising and tracking cookies still do, so a compliant banner with an easy “reject” option remains essential.

How much can my business be fined under the DUAA new data protection rules?

Fines under PECR now match UK GDPR levels—up to £17.5 million or 4% of global annual turnover, whichever is higher—replacing the previous £500,000 cap.
