What Do the New Data Protection Laws Mean for UK Businesses?How to stay on top of your responsibilities from June 2026

You might have missed the implementation of the UK Data Use and Access Act 2025.

It marked the most significant changes since GDPR to how businesses must handle customer data.

And the latest requirements came into place on June 19th 2026.

Is your business up to date and prepared?

You could risk being forced to commission and pay for reports or face sanctions if you don’t keep up.

This article will look at the changes introduced in the act, and the practical steps your business needs to take to keep on the right side of the regulators.

What changed in the UK Data Use and Access Act 2025?

The act includes the reworking and clarification of several regulations, as well as the introduction of new responsibilities for businesses.

One such clarification was to the rules around reusing personal data for other uses. For example, if a business collects customer data as part of a sale, they may want to later use that data for future product development.

There is more clarity given on such secondary uses, but that certainly doesn’t constitute approval to do so. Businesses should assess each new use case against the guidelines given. Some exceptions have been written in however, like in the interest of public safety.

Updated provisions for research have also been provided, so organisations in fields like health tech or artificial intelligence should check whether any of the new criteria fit their own activity.

There’s also additional guidance for transferring data to other countries and how the data protection measures there are compared to the UK. In addition, online services likely to be used by children should be following the age-appropriate design principles provided by the Information Commissioner’s Office (ICO).

There are new responsibilities too, and the latest of them came into force just a short time before this article.

What must businesses do as of June 19th?

June 19th 2026 marked the day that “all organisations will be legally required to handle data protection complaints under the Data (Use and Access) Act 2025.

What does that mean? It means your business must be prepared for 4 specific actions.

A route for complaint submission

The first is to provide a way for individuals to raise any complaints they might have about data protection. Importantly, customers are given a lot of flexibility about how they can provide complaints.

That might mean it arrives through a different channel than expected, or that it doesn’t obviously contain an explicit reference to data protection. Your business needs to handle it just the same.

Prompt acknowledgment of complaints

Following receipt of a complaint, businesses must acknowledge it within 30 days. That might be straightforward to clear complaints arriving through expected channels, but if a customer submits a less typical complaint, it will still need to be handled in the same timeline.

Start an investigation

While there is more flexibility in the wording here, digging into the details of the complaint must happen “without undue delay”. The complainant should be kept informed as the investigation proceeds.

Report the result

Finally, and perhaps unsurprisingly, you will also need to tell the complainant when the investigation is finished and give them details of the end result.

The implications for your business

With these new responsibilities, it’s important to have a process in place for how complaints will be investigated and handled. Given the need to respond “without undue delay”, you don’t want to be scrambling when you receive a complaint, trying to work out how it should be sorted.

If you use a dedicated channel for complaints, make sure that is monitored regularly. Checking it could be something you add to your managerial to-do list! Be aware that complaints received through other channels still need to be handled to the same standards.

Unsure if your business is up to scratch? Consider a review by a professional or reaching out to the ICO for assistance. It may be better to get help in improving your processes than to wait for a complaint to catch you out!

Rooster je medewerkers online in.

Geen creditcard nodig, niets om te downloaden, geen mailinglijsten en geen verrassingen.