You may have noticed increased discussion around the Data (Use and Access) Act 2025 (DUAA). While the Act received Royal Assent in 2025, its implementation has been phased, with a number of provisions already in force and further requirements, including the new complaints handling provisions, taking effect on 19 June 2026.
As a result, many businesses are taking the opportunity to review their data protection arrangements and ensure their policies and procedures remain fit for purpose.
What Are the Key Areas Businesses Should Review?
Several changes will be relevant to businesses, but three areas are likely to have the biggest practical impact.
1. Privacy Complaints Procedures
One of the most important and often overlooked changes is the increased focus on how organisations handle privacy-related complaints.
Businesses should have a clear process that allows individuals to raise concerns about how their personal data is being used. Privacy notices should explain how complaints can be made, and organisations should be prepared to investigate and respond appropriately.
For many businesses, this may require updates to both privacy documentation and internal procedures.
2. Subject Access Requests
The DUAA introduces a more proportionate approach when responding to Subject Access Requests (SARs).
Rather than carrying out exhaustive searches in every possible location, organisations are expected to undertake searches that are reasonable and proportionate in the circumstances. This provides greater clarity and reflects a more practical approach to compliance.
3. Marketing and Data Privacy Compliance
The rules around electronic marketing remain an important area of risk.
The Information Commissioner's Office (ICO) now has stronger enforcement powers, meaning organisations should ensure their email marketing, cookie practices and online data collection methods remain compliant.
What Should Businesses Check?
The upcoming implementation date provides a useful opportunity to carry out a data protection health check.
Ask yourself:
- Is your Privacy Policy up to date?
- Does it explain how individuals can raise a privacy complaint?
- Do you have an internal process for handling those complaints?
- Are staff aware of how Subject Access Requests should be managed?
- Are your marketing activities and cookie practices compliant?
- Do your data protection policies accurately reflect how your business operates today?
For many organisations, small updates now could help avoid larger compliance issues later.
The DUAA is not about starting again. For most businesses, it is about reviewing existing arrangements and making sure they remain fit for purpose.
The organisations that are likely to benefit most from these changes are those that take the opportunity to assess their current policies, procedures and privacy documentation before the new provisions take effect.
If you are unsure whether your Privacy Policy, data protection procedures or marketing practices need updating, Grace Legal can help you identify any gaps and ensure your business is ready for the changes taking effect on 19 June 2026.
Get in touch below.