What the recent data protection updates mean for your business (in plain English)
- Jun 4
From our partners, LegalEdge
What's it all about?

LegalEdge’s experienced Data Protection Consultant Jo Brianti gives her practical take on what needs to be on your radar.
The Data (Use and Access) Act 2025 (DUAA) has recently been updated – but it doesn’t replace the rules you already follow (including those under the UK GDPR (General Data Protection Regulation), PECR (Privacy and Electronic Communications Regulations) and the DPA 2018 (Data Protection Act 2018)). The new Act tweaks and adds to them.
The changes are coming in phases. Most of the significant ones started on 5 February 2026. The final piece – a mandatory complaints-handling process – starts on 19 June 2026. We cover both below.
For most scaling businesses, the core message is this: if you already have your data protection basics sorted, you’re in a good position. Some changes make things easier. Others – particularly around marketing and cookies – carry significantly more enforcement risk than before.
Why you need to pay attention
Here’s the headline: fines under PECR – the rules covering marketing emails, texts and cookies – have jumped dramatically.
The old cap was £500,000.
The new cap is up to £17.5 million, or 4% of your global annual turnover – whichever is higher.
That brings PECR fines in line with UK GDPR penalties.
The ICO (Information Commissioner’s Office – the UK’s data protection regulator) also has expanded enforcement powers: it can now compel witnesses, demand technical reports, and issue these higher penalties more efficiently.
In short, marketing, cookies and how you handle complaints now carry a lot more financial and reputational risk than they did before.
Key dates at a glance
Date | Key Update |
19 June 2025 | DUAA receives Royal Assent. Some technical provisions take effect immediately. |
5 February 2026 | Most major changes come into force: recognised legitimate interests, cookie rule changes, increased PECR fines, updated DSAR rules, automated decision-making changes. |
19 June 2026 | Mandatory data protection complaints process required for all organisations. ⚠️ This is the biggest new obligation for start-ups and scaling businesses. You need to prepare for it now. |
The key changes in more detail
Find a comprehensive breakdown of these over on LegalEdge's website.
Your action checklist
Here’s a clear summary of what to do and when...
Before 19 June 2026 (your most urgent priority):
Set up a formal data protection complaints process – a submission route, an acknowledgement within 30 days, and a clear written procedure.
Update your privacy notice to signpost the new complaints route.
If you haven’t already done the following, which have applied since February 2026, you should:
Review your privacy notice and records of processing activities.
Refresh your DSAR process to reflect the ‘reasonable and proportionate’ standard and the stop-the-clock rule.
Audit your cookie banner and website tracking tools against the five new PECR exemptions.
Review your marketing emails, texts, suppression lists and unsubscribe process.
Check whether any of your processing qualifies as a newly recognised legitimate interest.
Map international data transfers and review contracts with overseas suppliers.
If children could use your service, review how you handle their data.
If you’re a charity, explore whether the new soft opt-in applies to your communications.
Brief your team on the higher PECR fines and updated marketing rules.
Find out more about LegalEdge's services.


