Data Protection Changes from 19 June 2026
What Parish and Town Councils Need to Know

Data Protection Changes from 19 June 2026: What Parish and Town Councils Need To Know

Important changes to UK data protection law came into force on 19 June 2026 and parish and town councils should review their procedures to ensure they remain compliant.

The changes arise from the Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025. Rather than replacing existing legislation, the Act amends and updates the current UK GDPR and Data Protection Act 2018 framework.

While several reforms will affect how organisations manage personal data, one change stands out as requiring immediate action from councils.

A New Statutory Complaints Procedure

From 19 June 2026, individuals will have a legal right to submit data protection complaints directly to the organisation that controls their data.

For parish and town councils, this means having a documented complaints procedure in place that allows members of the public to raise concerns about how their personal data has been handled.

The legislation requires councils to:

  • Provide a complaints form that can be completed electronically and through non-digital methods.

  • Acknowledge complaints within 30 days.

  • Respond without undue delay.

  • Maintain a clear process for handling and recording complaints.

Councils that do not have an accessible complaints process in place by 19 June will not meet the new legal requirements.

Changes to Subject Access Requests (SARs)

The Act also introduces greater clarity around Subject Access Requests (SARs).

A key change is the formal introduction of a "reasonable and proportionate" search standard. Councils will no longer be expected to carry out exhaustive searches across every archive, storage location, or historic record. Instead, searches should be targeted, sensible, and capable of being justified if challenged.

The legislation also confirms the ability to "stop the clock" on the one-month response period when further clarification is needed from the applicant. This provides greater flexibility where requests are unclear or excessively broad.

These changes support a more structured and manageable approach to SAR handling while maintaining individuals' rights to access their information.

Automated Decision-Making

The DUAA permits broader use of automated decision-making processes, provided appropriate safeguards are in place.

Where decisions have legal or similarly significant effects on individuals, councils must ensure that people can:

  • Understand how a decision was reached.

  • Challenge the outcome.

  • Request human review and intervention.

While many parish and town councils make limited use of automated decision-making, this change may become increasingly relevant as digital services evolve.

Recognised Legitimate Interests

The legislation introduces a new lawful basis known as Recognised Legitimate Interests.

For certain activities, including areas such as crime prevention and safeguarding, organisations will no longer need to undertake a full legitimate interests balancing test before processing personal data. Councils will still need to document the processing and ensure it falls within the permitted categories.

This change is intended to reduce administrative burdens while maintaining appropriate safeguards.

Stronger ICO Enforcement Powers

The Information Commissioner's Office (ICO) will gain enhanced enforcement powers under the Act.

These include the ability to:

Compel individuals to attend formal interviews during investigations.

Require organisations to commission and fund independent technical reports where necessary.

While these powers are likely to be used only in specific circumstances, they reinforce the importance of maintaining robust data protection practices and accurate records.

What Should Councils Do Now?

The most pressing priority is to ensure a compliant data protection complaints procedure is in place before 19 June 2026.

Councils should also review:

  • Data protection and privacy policies.

  • Subject Access Request procedures.

  • Complaint handling processes.

  • Staff and councillor awareness of the new requirements.

  • Record-keeping arrangements for data protection matters.

Although some commentary around the changes has been alarmist, the reforms are genuine and the implementation date is approaching quickly. Councils that prepare now will be well placed to meet their obligations and demonstrate good governance.

As always, members requiring specific advice should contact GALC through the member portal.

in News
House of Lords backs key amendment to strengthen parish governance
A key moment for parish and town councils as devolution and local government reorganisation reshape the future of local democracy