GDPR is Changing: What UK Business Owners Need to Know About the Data (Use and Access) Act
Jun 02, 2026
If you've seen headlines about changes to UK GDPR and data protection laws recently, and you're not really sure what you need to do (if anything) then this blog should help.
One of the most important tasks that I do in Lucy Legal is keep small business owners updated on things that you need to know so that you're not inadvertently breaking the law.
So what do you need to know...
The Data (Use and Access) Act 2025 (DUAA) introduces some of the biggest changes to the UK's data protection framework since GDPR was first introduced back in 2018.
The good news?
For many small business owners, the changes are designed to make certain aspects of data protection easier and more practical.
The not-so-good news?
There is at least one important action that UK business owners need to take now to ensure their Privacy Notice remains up to date, but there is a deadline this month and a lot of small businesses aren't ready.
Whilst some parts of the legislation came into effect last year, the remainder comes into force on Friday 19th June 2026, and there are steps all business owners need to take before then to be compliant.
TOP TIP: It's worth noting that if you get your privacy notice free from your website host, or you've got it from ChatGPT, you're going to have a gap.
You need to update your privacy notice with your bespoke privacy complaints policy and have that detailed as a separate document in your business.
First Things First: GDPR Isn't Going Anywhere
Let me take a step back first to explain that whilst there is new data legislation, the GDPR remains in place.
Despite the changes introduced by the Data (Use and Access) Act (DUAA), the GDPR has not disappeared.
The UK GDPR remains the foundation of data protection law in the UK.
You still need to follow the 7 legal principles of GDPR. I appreciate that you may already know these but a quick refresher is always good at times like this.
Your 7 key data protection obligations as a business owner (whether sole trader or limited company) to comply with GDPR are:
- Handle personal data lawfully, fairly and transparently
- Tell people why you are collecting their information (e.g. to deliver your services and to market to them) and only use the data for that purpose
- Minimise the amount of data you obtain
- Ensure the data you hold is accurate
- Keep personal data secure
- Implement confidentiality measures to protect data from accidental loss or unauthorised access
- Take accountability for complying with the above principles through good record keeping, demonstrating compliance. This includes things like having an up-to-date, compliant Privacy Notice on your website.
How does any of this change with the DUAA?
If you are still doing the same things that you've always done, such as collect names, email addresses, phone numbers, customer information, mailing list sign-ups or client details, then GDPR still applies to your business.
The DUAA potentially gives you more flexibility, depending on what sector you're in and how you use data (e.g. cookies), but it also requires that you now add a process for handling complaints.
What Is the Data (Use and Access) Act?
The DUAA updates the UK's data protection framework and introduces several changes designed to:
- Reduce unnecessary administrative burdens
- Support innovation and technology
- Modernise data use practices
- Clarify certain areas of the law
While some of the reforms are aimed at larger organisations, charities, research bodies and public authorities, there are several changes that online business owners should be aware of.
Number 6 is the big one for small business owners, and the one you must make sure you've actioned.
1. Changes to Cookie Rules
One of the most talked-about changes relates to cookies.
The DUAA creates additional circumstances where certain cookies may be used without obtaining consent first.
This is potentially huge if it means you don't have to use a cookie banner, but read on below.
In particular, exemptions may apply where cookies are used:
- For website analytics
- To improve services
- For security purposes
- To detect fraud
- To remember user preferences
At first glance, this sounds like great news.
Many people assumed this would mean the end of cookie banners altogether.
In reality, the position is more nuanced.
If your website uses cookies for multiple purposes, particularly marketing or advertising activities, consent requirements may still apply.
For that reason, many businesses may decide that maintaining their existing cookie consent process remains the safest and simplest approach. Obviously, we can't give you legal advice in a blog post, but you may consider that the best approach here is to keep doing what you're doing now. Whilst you may be doing more than you legally need to, you wouldn't risk not having the permission you need.
2. Greater Recognition of Legitimate Interests
The DUAA introduces a new category of recognised legitimate interests.
What does that mean I hear you ask?
In order to process personal data you must have a lawful basis to do so. One lawful way to process data is if you have a legitimate interest to do so.
In certain situations, organisations may now be able to process data without carrying out the "balancing exercise" that was previously required.
Examples include:
- Crime prevention
- Safeguarding vulnerable individuals
- Certain disclosures to public authorities
For most small business owners, this is unlikely to create a major operational change. It is a change, though, so I'm sharing it here so that you have the full picture, but it may not be something you need to worry about.
However, businesses operating in regulated sectors or working with vulnerable individuals may wish to review whether these new provisions are relevant.
3. More Flexibility Around Automated Processing
As technology and AI become increasingly embedded in business operations, the law is adapting too.
The DUAA introduces greater flexibility around automated decision-making and data processing.
This is particularly relevant as businesses increasingly use:
- AI tools
- Automation software
- Customer management systems
- Marketing platforms
Whilst this doesn't remove your obligations under GDPR, it reflects the reality that technology is now a core part of running a modern business.
4. Subject Access Requests Must Be Reasonable and Proportionate
The DUAA introduces clarification around subject access requests.
Organisations are now permitted to carry out reasonable and proportionate searches when responding to requests.
This aims to reduce the burden of excessive or disproportionate requests while still protecting individuals' rights.
5. Stronger Protections for Children
The DUAA introduces enhanced safeguards for children using online services.
If your business markets directly to children or provides services aimed at younger users, you should take particular care to understand these requirements.
6. The Biggest Change for Most Small Business Owners: The New Right to Complain
This is the change that is likely to affect the widest range of UK businesses.
Under the new legislation, individuals now have a specific right to complain about how their personal data is being handled.
As a business owner you must tell them about this right. By 19th June, you must:
- Provide a way for individuals to raise data protection complaints
- Acknowledge complaints within 30 days
- Explain how complaints will be handled
- Deal with complaints before they are escalated to the ICO
Importantly, this is not the same as your normal customer complaints process.
This relates specifically to complaints about data protection and privacy rights.
As a result, many businesses will need to update their Privacy Notice to explain:
- How a complaint can be made
- Where complaints should be sent
- How the complaint process works
- What timescales apply
So... Do You Need to Update Your Privacy Notice?
For most UK business owners, the answer is yes.
Platforms like Kartra and Wix can't create this complaints policy for you as you have to integrate it into your business. You have to decide what your complaints process will be, write out the process and then detail the key features in your Privacy Notice so that your clients have the steps available to them.
Even if many of the wider reforms do not directly affect your business, the introduction of the new complaints process means you need to take steps by 19th June 2026. This applies to you whether you work in person or online, whether you're a coach, consultant, service provider or you have a physical or digital products business.
Your Next Step:
- Create a Complaints Process which is compliant with the DUAA - you'll need to ensure that you adhere to the legal timeframes and tell people about their additional right to complain to the ICO directly. This needs to be done in two parts: an internal document that you keep in your business to demonstrate that you've got the process in place, and wording which needs to be added to your current privacy policy/notice in the footer of your website.
- Update your Privacy Notice - Once you've created your complaints procedure you need to add the key information and timescales into your privacy notice/policy, so that you are legally compliant. You need to do this by 19th June 2026.
How we can help:
If you already have a Lucy Legal Privacy Policy template - either as a standalone template or in a bundle - we've added two training videos to our Privacy Notice Template to walk you through the legal changes and also guide you through the process of putting together your complaints procedure.
We've also given you an example complaints policy which you can adopt exactly and plug and play it into your business in less than five minutes.
You can watch the short videos and add the new wording to your Privacy Notice/Policy so that you're fully compliant. We estimate it will take you around 15-20 minutes.
If you don't already have our Privacy Policy template - grab it for less today. As a thank you for reading this update, we're giving you the chance to get £20 off using the code PRIVACYBLOG. Rather than spending hours researching the new legislation and next steps, get it all delivered right to your inbox.
Rest easy that this isn't just an investment into your business today, but every time the legislation is updated, you'll get updates like this one for free.
Simply enter "PRIVACYBLOG" at the checkout for £20 off and get instant access to the updated Privacy Notice.
Executive Summary - Speed Read
The DUAA brings in a number of data protection changes. Not all of them will apply to your business but there is a mandatory deadline of 19th June 2026 when you will legally be required to have a privacy complaints procedure within your privacy documentation, both internally and within the wording of your privacy policy.
There are legal timeframes you must adhere to within your complaints procedure; we've mapped those out in a complaints template ready for you, along with two short video trainings. All of this can be found in our Privacy Notice Template.
You can get £20 off our Privacy Notice Template when you purchase before midnight on 19th June 2026.