The Data Deadline Every UK Business Needs to Know About
The Data Deadline Every UK Business Needs to Know About
There's a date coming up that most small businesses haven't heard of, let alone prepared for: 19 June 2026.
Under the Data (Use and Access) Act 2025 - the UK's updated data protection framework - all UK businesses that handle personal data must have a formal internal complaints procedure in place by this date.
If you've got a contact form on your website, a client database, or a mailing list of any kind, this applies to you.
Here's what you need to know - in plain English, without the legal jargon.
What is the Data (Use and Access) Act 2025?
The Data (Use and Access) Act 2025 (usually shortened to DUAA) received Royal Assent on 19 June 2025. It's the UK Government's update to data protection law following Brexit - amending, but not replacing, UK GDPR and the Data Protection Act 2018.
The stated goal is to reduce red tape for businesses while keeping individual data rights protected. For most small businesses, the majority of the changes are either irrelevant or quietly beneficial less bureaucracy around legitimate interests, more flexibility on data subject access requests, and clearer guidance on automated decision-making.
But there are a few things that require action. The most time-sensitive is the complaints procedure requirement.
What changes on 19 June 2026?
From 19 June 2026, individuals gain an express statutory right to complain directly to your organisation about how you've handled their personal data before going to the Information Commissioner's Office (ICO).
This means you need a formal internal process for receiving and responding to those complaints. Specifically:
- A way for people to submit a data protection complaint to you directly
- A commitment to acknowledge complaints within a reasonable timeframe (30 days is the practical standard)
- An investigation process
- A written response explaining the outcome
- A record of complaints received and how they were resolved
The ICO has confirmed it will take a measured approach to enforcement during the transition period but compliance should be treated as an immediate priority, not something to revisit later in the year.
Do I need to publish a complaints policy?
No, there's no requirement to publish your internal complaints procedure publicly. It's an internal document.
What you do need to do is update your privacy notice to tell people they have the right to raise a data protection complaint directly with you, and how to do it. A single email address is sufficient as a complaints route.
What else has already changed?
The 19 June 2026 deadline is the most urgent item, but several other DUAA provisions came into force on 5 February 2026. The ones most relevant to small businesses:
Cookie consent flexibility For certain analytics tools, the strict requirement for prior consent has been relaxed slightly. However, the ICO has simultaneously increased the maximum fines for cookie violations to align with UK GDPR levels up to £17.5 million or 4% of global turnover, up from the previous £500,000 cap. The message: more flexibility, but higher stakes if you get it wrong.
Data subject access requests (DSARs) If someone asks to see the data you hold about them, you now only need to conduct a "reasonable and proportionate" search rather than an exhaustive one. You can also pause the 30-day clock while waiting for the individual to clarify their request. Practically useful for small businesses that receive complex DSARs.
Legitimate interests A new "recognised legitimate interests" basis has been introduced for specific activities like national security and crime prevention largely irrelevant for most SMEs, but it signals a broader direction of travel towards making data protection less burdensome for businesses.
What does this mean for your privacy policy?
If your privacy policy was written before June 2025, it almost certainly doesn't mention the right to complain directly to you. You need to add this.
Your updated privacy policy should include:
- How people can submit a data protection complaint directly to your organisation (email address)
- A commitment to acknowledge within 30 days
- Their ongoing right to escalate to the ICO if they're not satisfied with your response
If you're a Foxcube IT client, your managed IT support plan includes a review of your data protection documentation on request. If you're not a client and would like a second pair of eyes on your privacy policy, get in touch.
The practical checklist
Here's what a small business needs to do before 19 June 2026:
1. Write an internal complaints procedure A short document (one or two pages) covering: how complaints are received, who's responsible, how they're acknowledged and investigated, how responses are communicated, and how complaints are recorded. Keep it simple this doesn't need to be a legal document.
2. Update your privacy notice Add a section explaining that individuals can complain directly to you about data protection matters, with an email address and a note that they can escalate to the ICO if unsatisfied.
3. Make sure someone owns it In a small business, data protection complaints are usually the responsibility of the owner or a nominated director. Make sure that's clearly defined internally even if it's just a line in the procedure document.
4. Train your team If you have staff, they need to know what to do if a data protection complaint comes in. This doesn't need to be a formal training session, a five-minute conversation and a copy of the procedure is sufficient for most small businesses.
The bigger picture
The DUAA is broadly good news for small businesses. It doesn't add significant new obligations on top of UK GDPR in fact it reduces several. The complaints procedure requirement is the main new action item, and for most small businesses it's a one-off task that takes an afternoon.
The businesses that will get caught out are the ones that do nothing. The ICO has expanded powers under the new Act, and the information landscape is shifting clients, prospects and insurers are increasingly asking questions about data protection practices.
Getting this sorted now puts you ahead of the vast majority of small businesses, and costs nothing but a bit of time.
Need help?
If you're a small business in Nottingham or across the UK and you're not sure whether your data protection practices are up to date, we're happy to take a look as part of our free IT assessment.
Sources: Data (Use and Access) Act 2025; ICO guidance on DUAA complaints procedure; Mayer Brown, Farrer & Co, Michelmores legal analysis; CMS Law DUAA update May 2026.
This article is for general information purposes only and does not constitute legal advice. For specific legal guidance on data protection compliance, consult a qualified solicitor.