
New UK data rules are now live — every business needs a complaints process
The Data (Use and Access) Act brought in a new duty from 19 June. There's no small-business exemption, and the fines for getting marketing wrong have risen sharply.
The UK's data protection rules changed this year, and one part of them now applies to every business that handles personal data, with no exemption for small firms. The Data (Use and Access) Act updates the existing UK GDPR rather than replacing it, so most of what you already do still stands. But it adds a new duty that took effect on 19 June 2026, and it raises the stakes on getting electronic marketing right.
The new duty: a proper complaints process
From 19 June, every organisation that processes personal data must have a formal way for people to make a data protection complaint. In practice that means a clear route for someone to raise a concern, a written procedure behind it, someone who owns it, and a log. You have to acknowledge a complaint within 30 days and deal with it properly. This applies whether you employ five people or five hundred. The aim is to let people raise issues with you directly before they go to the regulator.
Marketing fines just caught up with GDPR
Earlier in the year, the penalties for breaking the electronic marketing rules, the ones covering unsolicited emails, texts and cookies, rose from a maximum of £500,000 to the same level as UK GDPR: up to £17.5 million or 4% of global annual turnover, whichever is higher. If your business does email or SMS marketing, or relies on cookies for analytics, the cost of getting consent wrong now sits in a different league.
A few things got a little easier
It isn't all new obligations. The Act introduces a 'stop the clock' option on subject access requests, so if someone asks for their data and you need them to clarify what they want, you can pause the one-month response window until they reply. It also relaxed the consent rules for certain low-risk cookies, such as basic analytics, provided people can still opt out. These are sensible adjustments rather than a free pass.
What to actually do
Three steps cover most of it. Put a written complaints procedure in place and make the route to it visible. Check your privacy notice reflects the current rules. And if you do any electronic marketing, review how you collect consent, because the downside of getting it wrong has grown a lot. None of this is heavy lifting, but the complaints duty is live now, so it isn't something to leave for later.
What this means for your business
The complaints-handling duty applies to your business today, and the penalties for marketing missteps have risen sharply. We help South West businesses get the practical side in order, from how personal data is stored and access-controlled to tested backups, so compliance rests on systems that hold up rather than a folder of policies nobody follows.