What’s it all about?
LegalEdge’s experienced Data Protection Consultant Jo Brianti gives her practical take on what needs to be on your radar.
The Data (Use and Access) Act 2025 (DUAA) has recently updated UK data protection law – but it doesn’t replace the rules you already follow (including those under the UK GDPR (General Data Protection Regulation), PECR (Privacy and Electronic Communications Regulations) and the DPA 2018 (Data Protection Act 2018)). The new Act tweaks and adds to them.
The changes are coming in phases. Most of the significant ones started on 5 February 2026. The final piece – a mandatory complaints-handling process – starts on 19 June 2026. We cover both below.
For most scaling businesses, the core message is this: if you already have your data protection basics sorted, you’re in a good position. Some changes make things easier. Others – particularly around marketing and cookies – carry significantly more enforcement risk than before.
Why you need to pay attention
Here’s the headline: fines under PECR – the rules covering marketing emails, texts and cookies – have jumped dramatically.
- The old cap was £500,000.
- The new cap is up to £17.5 million, or 4% of your global annual turnover – whichever is higher.
- That brings PECR fines in line with UK GDPR penalties.
The ICO (Information Commissioner’s Office – the UK’s data protection regulator) also has expanded enforcement powers: it can now compel witnesses, demand technical reports, and issue these higher penalties more efficiently.
In short, marketing, cookies and how you handle complaints now carry a lot more financial and reputational risk than they did before.
Key dates at a glance
| Date | Key Update |
|---|---|
| 19 June 2025 | DUAA receives Royal Assent. Some technical provisions take effect immediately. |
| 5 February 2026 | Most major changes come into force: recognised legitimate interests, cookie rule changes, increased PECR fines, updated DSAR rules, automated decision-making changes. |
| 19 June 2026 | Mandatory data protection complaints process required for all organisations. ⚠️ This is the biggest new obligation for start-ups and scaling businesses. You need to prepare for it now. |
The key changes in more detail
1. Mandatory complaints-handling process (coming 19 June 2026)
From 19 June 2026, every organisation that processes personal data must have a formal, accessible process for handling data protection complaints.
Previously, if someone had a concern about how you handled their data, they could go straight to the ICO. Under the new rules, they must be able to bring that complaint to you first — and you must have a proper process in place to handle it.
In practice, your complaints process needs to:
- Include an accessible way for people to submit a complaint — an online form, email address, or both.
- Acknowledge complaints within 30 days.
- Investigate and respond without undue delay, keeping the person updated.
- Be clearly signposted in your privacy notice and on your website.
Think of this as adding a ‘first line’ of dispute resolution before people escalate to the regulator. Handled well, it’s an opportunity to resolve issues directly. Handled poorly, it increases the risk of ICO involvement.
What to do before 19 June 2026
✅ Make sure the right person in your business knows how to handle these complaints.
✅ Set up a clear route for people to submit data protection complaints (email address or online form).
✅ Write a simple internal complaints process covering how you receive, acknowledge and respond.
✅ Update your privacy notice to signpost the new complaints route.
2. Cookies and website tracking (in force 5 February 2026)
This is one of the most practical changes for any scaling business with a website.
The DUAA adds five new categories of cookies that no longer require consent upfront — provided the conditions are met and you give people an easy way to opt out. The five exemptions are:
- Analytics cookies — collecting aggregate statistics to improve your website or service.
- Security cookies — used for fraud prevention and device security.
- Functionality cookies — that enhance service features or tailor the user interface.
- Software update cookies — for delivering updates.
- Interface customisation cookies — for adapting how your site looks to user preferences.
Strictly necessary cookies (the ones your site needs to function) continue to work exactly as before.
A few important caveats. Each exemption only applies where the cookie is used solely for that stated purpose. If an analytics cookie also feeds into advertising targeting, it does not qualify. And advertising cookies — including most social media and ad-network trackers — still require consent.
The ICO is finalising its updated cookie guidance, so watch for that in spring/summer 2026.
What to check
🔍 Audit what cookies and tracking tools your website actually uses and what each one does.
🔍 Check whether each cookie fits one of the five new exemptions — or still needs consent.
🔍 Update your cookie banner and cookie notice to reflect your current setup accurately. You should check with your cookie banner provider (e.g. CookieBot) to find out if the banner you are using has been updated. The good news is it may mean your cookie banner can be simplified!
🔍 Remember: advertising and social media cookies still require consent.
3. International data transfers (in force 5 February 2026)
If your business uses suppliers or tools that process personal data outside the UK — cloud software, payment platforms, email tools — this section is relevant to you.
The legal test for international transfers has been updated. The focus is now on whether the level of data protection in the receiving country is ‘not materially lower’ than UK standards. This is a slightly more flexible test than before, designed to make international data flows more practical.
It doesn’t remove your obligation to know where your data goes. It’s also worth noting that the EU renewed the UK’s adequacy decision in December 2025, which means UK data can continue flowing to the EU without additional safeguards for now.
What to check
🔍 Map which suppliers or tools send or process personal data outside the UK and where.
🔍 Review your contracts and data transfer arrangements with key providers.
4. Marketing rules and bigger fines (in force 5 February 2026)
As covered above, PECR fines now match UK GDPR levels. This is the single biggest risk change for most scaling businesses that do any form of email or text marketing.
The Act also introduces a single, consistent definition of direct marketing: any advertising or marketing material sent to specific individuals, by any method. And PECR now covers attempted calls and messages, even if they don’t connect or aren’t delivered.
If you’ve been treating PECR compliance as a lower priority than UK GDPR, that calculation has changed.
What to check
🔍 Review your marketing emails, texts and outreach processes end to end.
🔍 Make sure your opt-out and unsubscribe process is easy to use and genuinely works.
🔍 Check that your records clearly show when consent was given — or what legal basis you’re relying on instead.
🔍 Brief anyone in your team who handles marketing on the updated rules.
5. Recognised legitimate interests (in force 5 February 2026)
Legitimate interests is one of the legal bases you can use to justify processing someone’s personal data. Normally, you need to work through a balancing exercise before relying on it.
The DUAA creates a new, shorter list of ‘recognised’ legitimate interests — specific purposes where you can skip that exercise entirely. These are:
- National security, public security and defence.
- Detecting, investigating or preventing crime.
- Responding to requests from public bodies acting in the public interest.
- Safeguarding vulnerable individuals.
The Act also confirms a broader (but non-exhaustive) list of activities that may qualify as legitimate interests — including direct marketing and intra-group data sharing — though these still require a balancing assessment.
This change won’t affect most scaling businesses day to day, but it’s worth knowing about if any of your processing falls into the categories above.
What to check
🔍 Review whether any of your existing data processing falls into one of the four recognised categories.
🔍 Update your privacy notice and internal records if this applies to you.
6. Data requests (DSARs) (in force 5 February 2026)
A data subject access request (DSAR) is when someone asks you to share the personal data you hold about them. The DUAA makes a few useful clarifications.
You now only need to carry out ‘reasonable and proportionate’ searches when responding. This codifies in law what was already good practice: you don’t need to check every system exhaustively if doing so would be disproportionate.
The ‘stop the clock’ rule is also now in effect. If you need more information from the person to fulfil their request — for example, to clarify what they’re asking for or to verify their identity — you can pause the one-month response deadline until they respond.
What to check
🔍 Update your DSAR process and template responses to reflect the ‘reasonable and proportionate’ standard. If you don’t yet have a documented process, implement one now.
🔍 Add a clear step for when you need to request clarification, and document how you track the paused clock.
🔍 Make sure the right person knows how to handle these requests.
7. A note for charities (in force 5 February 2026)
If you run or work for a charity, there’s a new ‘charitable purpose soft opt-in’ under PECR. In certain situations, you can send marketing or fundraising messages without prior consent — where someone has already shown interest or support, and there’s a clear opt-out in every message.
This is a PECR-specific change. UK GDPR still applies in full. And remember: with PECR fines now at GDPR levels, getting this wrong costs a lot more than it used to.
What to check
🔍 Review how you collect supporter details and what wording you use at sign-up.
🔍 Ensure every message includes a clear, one-step opt-out.
8. Automated decision-making and children’s protections (in force 5 February 2026)
The DUAA relaxes some of the restrictions on automated decision-making (ADM) – where a system makes a significant decision about someone without human involvement, such as in recruitment or credit scoring.
Under the previous rules, this was only permitted in specific circumstances. The new rules allow it more broadly, but with safeguards: you must be transparent about it, give people a way to challenge the decision, and ensure meaningful human oversight is available.
If your business processes data about children or operates a service children are likely to use, there is also an explicit new duty to take their specific needs into account when making decisions about how their data is used.
What to check
🔍 If you use any automated processes to make decisions about individuals, review them for transparency and human oversight.
🔍 If children are likely to use your service, review how you handle their data against the new children’s protection requirements.
Your action checklist
Here’s a clear summary of what to do and when.
🟥 Before 19 June 2026 (your most urgent priority):
• Set up a formal data protection complaints process – a submission route, an acknowledgement within 30 days, and a clear written procedure.
• Update your privacy notice to signpost the new complaints route.
🟨 If you haven’t already done so since the February 2026 changes came into force, you should:
• Review your privacy notice and records of processing activities.
• Refresh your DSAR process to reflect the ‘reasonable and proportionate’ standard and the stop-the-clock rule.
• Audit your cookie banner and website tracking tools against the five new PECR exemptions.
• Review your marketing emails, texts, suppression lists and unsubscribe process.
• Check whether any of your processing qualifies as a newly recognised legitimate interest.
• Map international data transfers and review contracts with overseas suppliers.
• If children could use your service, review how you handle their data.
• If you’re a charity, explore whether the new soft opt-in applies to your communications.
• Brief your team on the higher PECR fines and updated marketing rules.
Jo and our data protection specialists are here to help. Get in touch if you need help setting up your formal data protection complaints process, with any of the above, or if you want to talk through your compliance requirements.
