The Short Answer
Most businesses missed it. On 19 June 2026, new legal requirements came into force under the Data (Use and Access) Act 2025, and most business owners have no idea it happened. That's not a criticism. It's a busy law with a quiet rollout. But the consequences of doing nothing are real, and worth understanding.
The Data (Use and Access) Act 2025 is the most significant update to UK data protection law since GDPR came in eight years ago. It doesn't replace UK GDPR. It amends it, in ways that directly affect how businesses handle personal data.
From 19 June 2026, every organisation that processes personal data is legally required to have a data protection complaints procedure in place. There is no exemption, regardless of size. That means a written policy, a way for people to submit complaints, and a 30-day acknowledgement requirement. If you don't have this, you're already out of compliance.
Privacy notices need to be updated to reflect the new complaints right. If your policy was written before this year and hasn't been reviewed, it almost certainly doesn't include what it now needs to.
The maximum fine for breaches of PECR, the regulation that covers email marketing and cookies, has increased from £500,000 to £17.5 million. If you send marketing emails or use cookies on your website, this is the environment you're now operating in.
At a minimum, UK businesses now need:
Most businesses already have some version of these documents. The issue is that existing documents were written under the old rules and haven't been updated.
I offer a fixed-fee DUAA Compliance Update at £450.
The service covers a full review of your existing privacy policy and compliance documents, updates based on solicitor-drafted DUAA templates, a ready-to-publish privacy policy tailored to your business, a data protection complaints policy and acknowledgement template, and a plain-English summary of what changed and why. Everything delivered within five working days.
These documents are based on professionally drafted legal templates. I'm not a solicitor and this isn't legal advice. For the vast majority of businesses, this service covers exactly what you need. If your situation is more complex, I'll tell you upfront.
Yes. The legal requirement applies to every organisation that processes personal data, including sole traders and partnerships. If you have a contact form, a mailing list, or a booking system on your website, this applies to you.
Almost certainly yes. Privacy policies written before 2026 won't include the new complaints right or reflect the updated legal position under the DUAA. The question isn't whether you have a policy, it's whether it reflects current law.
Having documents in place is a good start. The issue is that documents written under the old rules don't reflect what the law now requires. An update is faster and cheaper than starting from scratch, which is exactly what this service covers.
No. MARS is a digital marketing consultancy, not a law firm. The documents I provide are based on solicitor-drafted templates and reflect current UK data protection law. If your business has complex data processing needs, I'll tell you and point you toward the right specialist.
The deadline has passed. The longer this sits, the longer your business is operating without the documentation the law now requires. If you'd like to get this sorted, visit the link below and I'll come back to you within one working day.


Free
SEO Audit