Don’t Panic: A Pragmatic Guide to the June 2026 Enforcement of the Data (Use and Access) Act Changes

Selling fear

Urgently in need of converting those last few sales? Time to hit the target and not completely there yet? Sell fear! It seems to work. “For us, it’s always been about keeping people safe” is the first sentence in Volvo’s announcement for its armoured cars. A product usually sold behind closed doors to the highly affluent and those in power is now used as a marketing strategy in a YouTube video, released during times of conflict. And whilst you’re waiting for the Volvo video to start, this is probably not the first time you have seen that VPN advertisement, keeping you safe, no matter where you go.

In data protection, selling fear seems to be an increasingly common tactic. If you’ve spent any time on LinkedIn lately, your feed has likely been bombarded by alarming legal warnings and individuals trying to sell you “DUA Emergency Toolkits” and anything else to make you worry about the upcoming enforcement of the Data (Use and Access) Act changes on the 19th of June 2026.

Don’t panic

Before anyone tries to squeeze out any more money, hitting their targets and using scare tactics, all we want to say is: do not panic.

To be clear, the situation is different for everyone, but you might be surprised that for most, the upcoming changes are hardly the nightmare your LinkedIn feed makes them out to be. Apart from some of the more recent ‘direct’ and ‘urgent’ language used, even the ICO takes a more glass-half-full approach, such as in their practical guide: “You may already have an existing complaint tool that isn’t data protection specific, but you can adapt it to include data protection complaints.”

What is new?

At a glance, data protection law says you must do the following:

  • Give people a way of making data protection complaints to you;
  • Acknowledge receipt of complaints within 30 days of receiving them;
  • Without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep the complainant informed; and
  • Inform them of the outcome of their complaints.

Your ‘don’t panic’ checklist

If the above still makes you feel slightly panicky, please don’t worry. There is no need to, as just a couple of practical steps will provide you with clear guidance, without the need to spend large amounts of money to stay compliant.

  • Establish a clear complaints channel: Set up a straightforward web form or dedicated email (e.g., privacy@yourdomain.co.uk). Make this highly visible on your website.
  • Designate a handler: Within your organisation, decide exactly who is responsible for these complaints.
  • Implement a 30-day acknowledgement SLA: Ensure an acknowledgement email is sent immediately upon receipt.
  • Update your privacy notice today: Explicitly state that individuals have the statutory right to complain directly to your business, and provide the link or email address that allows them to do so.
  • Log everything: Set up a secure internal register tracking when complaints are received, acknowledged, investigated, and resolved. If the ICO comes knocking, this document is your best defence.
  • Refresh your DSAR protocol: Take a moment to review your current approach to handling Data Subject Access Requests. If you aren’t following your own processes, it’s better to find out now than during a review!

There we go, a simple, free checklist which helps you navigate the upcoming enforcement of the Data (Use and Access) Act changes. To most, this should provide enough guidance. If Ronald McDonald was still the mascot for McDonald’s when you last reviewed your GDPR documents, we advise you to give them a second look. Please do not listen to any fear-selling; there is no need to worry.
