
What Organisations Need to Know About the UK’s Updated Data Protection Requirements on 19 June 2026

  • Writer: William Beresford


The UK’s Data (Use and Access) Act 2025 introduces a series of important updates to the country’s data protection and privacy framework.


The legislation received Royal Assent on 19 June 2025 and amends the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). The changes are being introduced in stages. Many of the core data protection provisions came into force on 5 February 2026. Further provisions affecting complaints handling, cookies, electronic marketing, and PECR enforcement are due to take effect on 19 June 2026.


For organisations that process personal data, the Act provides a useful opportunity to review policies, governance arrangements, and compliance processes.



What Changed on 5 February 2026


Automated Decision-Making

The Act updates the rules for decisions based solely on automated processing where those decisions have legal or similarly significant effects.

Organisations can now rely on a wider range of lawful bases when using automated decision-making, provided they implement appropriate safeguards, including:

  • Informing individuals that automated decision-making is being used

  • Giving individuals the right to request human review

  • Allowing them to challenge decisions

  • Allowing them to make representations

Additional protections continue to apply where special category data is involved.


International Data Transfers

A revised “data protection test” now applies when assessing transfers of personal data outside the UK.

Organisations should review their transfer risk assessments and supporting documentation to ensure they reflect the updated legal standard.


Recognised Legitimate Interests

The Act introduces a new concept of “recognised legitimate interests” for certain specified purposes, such as safeguarding national security and preventing crime.

Where these apply, organisations do not need to carry out the usual balancing test required under the standard legitimate interests basis.


Direct Marketing as a Legitimate Interest

The Act confirms in legislation that direct marketing may constitute a legitimate interest, reinforcing an approach that was already recognised under the UK GDPR.


Scientific Research

The Act clarifies that scientific research includes commercial research and confirms that broad consent may be used for related areas of research where specific purposes are not fully known at the outset.


Children’s Data Protection

Providers of online services likely to be accessed by children must take children’s needs into account when designing services and processing personal data.


Subject Access Requests

The Act clarifies that organisations responding to subject access requests are required to conduct searches that are reasonable and proportionate, rather than exhaustive in every circumstance.


What Changes on 19 June 2026


Data Protection Complaints Handling

Organisations will be required to make it easier for individuals to raise complaints about the use of their personal data.

This includes:

  • Providing a clear way to submit complaints electronically

  • Acknowledging complaints within 30 days

  • Responding without undue delay

  • Maintaining a documented complaints handling process


Cookies and Similar Technologies

Certain low-risk cookies and similar technologies will be permitted without consent in specific circumstances, including some analytics and functionality cookies.

Organisations should review cookie banners, consent mechanisms, and website privacy notices.


PECR Enforcement

The maximum fines for breaches of PECR will increase to align with UK GDPR penalties.

This means organisations could face fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher.


Charity Soft Opt-In

Charities will be able to send electronic marketing to individuals who have supported or expressed an interest in their work, provided recipients are given a clear and simple opportunity to opt out.


Additional Regulatory Provisions

Further operational provisions and regulatory powers are also scheduled to come into force.


What Organisations Should Do Now

Organisations should review:

  • Data protection policies

  • Complaints handling procedures

  • Privacy notices

  • Cookie consent mechanisms

  • Electronic marketing practices

  • International transfer assessments

  • Automated decision-making processes

  • Governance and accountability structures



Organisations that rely on personal data for marketing, analytics, customer management, and operational decision-making should review their current practices and ensure they align with the updated legal framework.


The UK’s Information Commissioner’s Office (ICO) continues to publish guidance to support implementation, and organisations should monitor further updates as additional provisions come into force.

 
 