UK data protection changes in June 2026: what businesses using data for decisions need to know

This week in context

Several UK data protection developments converge in early June 2026.

On 29 May 2026, the Information Commissioner's Office (ICO) published its plan for enabling safe AI-powered innovation. The plan responds to a request from the Technology and Business Secretaries. It does not change the law. It sets out how the ICO intends to apply existing rules, including guidance priorities for automated decision-making and agentic AI.

On 19 June 2026, new statutory duties on data protection complaint handling take effect under the Data (Use and Access) Act 2025 (DUAA). Controllers subject to the UK GDPR must have documented processes to receive, acknowledge, and resolve complaints.

Separately, reforms to automated decision-making (ADM) under the UK GDPR took effect on 5 February 2026. Organisations that use data — including AI-assisted tools — to support significant decisions are operating under an updated framework.

What is changing on 19 June 2026

From 19 June 2026, data controllers must have formal complaint-handling arrangements that meet DUAA requirements. Published guidance indicates that organisations should be able to:

• provide accessible routes for individuals to raise data protection complaints;
• acknowledge complaints within 30 days;
• investigate and resolve complaints without undue delay;
• document outcomes in a structured, auditable way.

Privacy notices may also need updating to reflect the new right for individuals to complain directly to controllers.

This applies across sectors. Any organisation that processes personal data under the UK GDPR — regardless of size — should review whether existing governance processes meet the new standard.

Automated decision-making: what is already in force

The DUAA amended UK GDPR rules on automated decision-making. Key points documented in regulator and legal commentary include:

• The previous broad prohibition on ADM has been replaced with a more flexible regime for processing that does not involve special category data.
• Where solely automated decisions produce legal or similarly significant effects, organisations must still meet conditions and safeguards under the amended UK GDPR (Articles 22A to 22D).
• Data protection impact assessments remain relevant where processing is high risk.
• The ICO is developing a statutory code of practice on AI and automated decision-making.

For businesses that use data intelligence — dashboards, scoring models, workflow automation, or AI-generated summaries — the practical requirement is documentation. Organisations should maintain a clear record of which decisions rely on automated processing, what data is used, and what human review exists.

The ICO plan for safe AI innovation

The ICO's May 2026 plan emphasises regulatory certainty rather than lighter regulation. Stated priorities for 2026/27 include:

• a code of practice on AI and automated decision-making;
• dedicated guidance on agentic AI (systems that act on behalf of users);
• resources to support transparency for businesses deploying AI.

The ICO has stated that human intervention in automated decisions must be meaningful, not tokenistic. For leadership teams using data to support decisions, this reinforces a principle many organisations already apply in practice: automated outputs inform decisions; people remain accountable for outcomes.

What teams responsible for business data should review

The following checks are consistent with published regulatory guidance and do not constitute legal advice.

1. Complaint handling readiness

Confirm that a documented complaint process exists, that ownership is assigned, and that privacy notices reflect the new rights effective from 19 June 2026.

2. Inventory of decision-support systems

List systems where data analysis — including AI-assisted tools — informs or executes decisions affecting customers, employees, or commercial outcomes. Record whether processing is solely automated and whether special category data is involved.

3. Visibility across data sources

Growing businesses often hold decision-relevant data across CRM, finance, operations, and external sources. When regulatory and operational requirements increase simultaneously, fragmented data makes compliance and oversight harder. A single view of what data exists, where it flows, and how it supports decisions reduces that risk.

4. Human review pathways

Where automated or AI-assisted outputs inform significant decisions, confirm that review steps are documented, accessible to relevant staff, and proportionate to the decision's impact.

How a data intelligence layer supports oversight

Regulatory change increases the importance of knowing what data your organisation holds, how it is used in decisions, and where gaps exist.

An intelligence layer — one trusted view across internal business data and relevant external signals — helps leadership teams:

• see which data sources feed decision-support tools;
• identify where reporting is fragmented or inconsistent;
• maintain oversight as new AI and automation tools are introduced;
• respond to complaint or subject access requests with greater confidence.

This is not a substitute for legal compliance. It is an operational foundation that makes compliance and decision oversight more manageable as requirements evolve.

Sources and further reading

• ICO plan for safe AI-powered innovation (published 29 May 2026)
• Data (Use and Access) Act 2025 — complaint handling commencement, 19 June 2026
• UK GDPR automated decision-making reforms — in force from 5 February 2026

Organisations with specific legal questions should consult qualified data protection advisers.