GDPR Changes June 2026: What Your Business Must Do
If you run a UK business, pencil 19 June 2026 into the diary. That is when a small but important set of GDPR changes takes effect. Unlike the bigger reforms that arrived in February, this one places a direct duty on every organisation that handles personal data. It is not the sort of headline-grabbing rule that generates panic, but it is a duty you cannot opt out of, and you need a plan.
The change comes from the Data (Use and Access) Act 2025 (the DUAA), the legislation that has been quietly reshaping UK data protection law throughout 2026. Most of the DUAA package landed on 5 February. The 19 June phase adds the last piece: a statutory complaints process for individuals who feel their data has been mishandled.
What is changing on 19 June 2026?
The Data Protection Act 2018 will gain a new section 164A, giving any individual a statutory right to complain about how their data has been handled directly to the organisation that holds it. Historically that path was informal. After 19 June, it becomes a defined legal route, and the Information Commissioner’s Office (ICO) expects people to use it before escalating to a regulatory complaint.
A few facts worth pinning down:
- Every organisation that collects or processes personal data is in scope. There are no SME exemptions.
- You must have a clear, internal complaints process people can use.
- You must acknowledge a complaint within 30 days, and provide a full response without undue delay.
- The route applies to your customers, your staff, your suppliers’ staff, and anyone else whose personal data you handle.
In short, every door in the UK that handles personal data needs the same well-marked complaints channel behind it. Does yours have one yet?
What the June 2026 GDPR changes mean for your business
For most Gloucestershire and South West SMEs, this is a light-touch change. You almost certainly already deal with data queries; you just have not formalised the response process. The DUAA simply asks you to make it visible, written down and consistent.
The bigger risk is failing to notice. If a complaint arrives in an email to accounts, on social media, or through a customer service form, and nobody recognises it as a formal data protection complaint, the clock still starts ticking. Thirty days passes quickly when nobody is counting.
There is a cultural shift too. Once customers know you have a real complaints route, they will use it. That is a good thing. Catching a small grievance early is far cheaper than dealing with an ICO referral six months later.
Your readiness checklist
The short version of what to put in place before 19 June:
- Add a short complaints section to your Privacy Policy. Tell visitors how to raise a data protection complaint, the address it goes to, and the response window you commit to.
- Set up a dedicated address such as privacy@ or data@. Route it to the person who owns this, not the general inbox.
- Assign an internal owner. Someone needs to triage complaints, log them, and own the response. In small businesses this is usually the owner-director or the office manager.
- Train front-line staff to recognise a complaint. It will rarely arrive labelled as one. “I never agreed to be on your mailing list”, “Why do you still have my information?”, or “I want my account closed and my data deleted” all count.
- Log every complaint, acknowledge within 30 days, and respond fully without undue delay. A simple shared spreadsheet or ticket queue covers most businesses. The key is that nothing falls through the cracks.
None of this requires expensive tooling. A few hours of careful thought, a one-page internal procedure and a small Privacy Policy update will cover most organisations.
How System Force IT can help
Most of the work above sits in operations rather than IT, but the supporting controls (mailbox routing, access logging, audit trail, secure document retention) all live in the systems we already manage for our clients.
If you would like a calm second pair of eyes on your data protection posture, we offer a short data protection and compliance review covering the new DUAA complaints requirement alongside your wider Microsoft 365, backup and access posture. It pairs naturally with our Cyber Essentials preparation and our UKAS ISO/IEC 27001:2022 certified managed IT service for organisations wanting a structured framework around all of it.
We have supported UK SMEs since 2006. We are a Microsoft Solutions Partner, Cyber Essentials Practitioners, Certified 3CX Partner and RIPE NCC Member, and we run the same posture for ourselves that we set up for our clients. So we have been through this checklist recently, ourselves.
If you would prefer to talk it through first, call us on 01452 701355 or drop a note via the contact form. No sales pitch, just a conversation.


