If you run a small business website, you’ve probably heard whispers that “GDPR is changing.” It is, but not in the dramatic way some headlines (and ads) suggest. Here’s a plain-English rundown of what’s actually happened and what you need to do about it.
A Quick Timeline
The Data (Use and Access) Act 2025, known as the DUAA, became law back in June 2025. Most of its real changes only came into force on 5 February 2026, and the most recent update landed on 19 June 2026. That last date is the one that matters most right now.
What Changed on 19 June 2026
As of that date, every organisation handling personal data is legally required to have a process for dealing with data protection complaints. In practice, this means:
- People now have a specific right to complain directly to your business about how their data is handled, before they go to the Information Commissioner’s Office (ICO).
- You must acknowledge any complaint within 30 days of receiving it.
- You must provide a full response without unreasonable delay.
This applies whether you’re a sole trader, a charity, or a larger company. It’s not optional, and it’s not just for big corporations with dedicated legal teams.
The Cookie Rules Eased Slightly
There’s also been a small relaxation around cookie consent. Cookies used purely for things like basic website analytics or improving site functionality no longer require the same strict opt-in consent that, say, marketing or tracking cookies do, as long as users are still given a clear way to opt out.
In practice though, the exemption is narrow, and trying to split your cookie banner into “needs consent” and “doesn’t need consent” categories can get messy fast. My advice to clients is to keep using a standard consent banner that covers everything. It’s simpler, it avoids grey areas, and it keeps you firmly on the right side of the rules.
What Hasn’t Changed
It’s worth being clear about what didn’t change too, because there’s a lot of noise (and a fair few “act now or face huge fines” courses and adverts) suggesting GDPR has been overhauled. It hasn’t. The definition of personal data is the same. Requirements around Data Protection Officers, records of processing, and impact assessments remain the same for businesses that already needed them. This is a targeted update, not a rewrite.
What You Should Do
1. Add a short complaints clause to your privacy policy explaining how someone can raise a concern about their data directly with you, and confirming you’ll acknowledge it within 30 days.
2. Keep your existing cookie consent banner as is, rather than trying to carve out exemptions, unless you have specific legal advice telling you otherwise.
3. Don’t panic. For most small businesses and charities, this is a small addition to an existing policy, not a ground-up rebuild.
