top of page

Data Protection — New Legislation

The Data (Use and Access) Act 2025 has now taken effect, bringing meaningful changes to how organisations handle personal data in the UK. While the core principles of UK GDPR remain intact, the reforms introduce greater flexibility in several areas.


New Complaints Procedure Requirement — 19 June 2026

From 19 June 2026, organisations must have a formal process enabling individuals to raise data protection complaints directly with the company before escalating to the Information Commissioner’s Office. We have updated our complaints procedure and have informed our employees in News@Glen this month.


Other Key Changes

Recognised Legitimate Interests (RLI) — a new lawful basis now covers specific activities including crime prevention, safeguarding vulnerable individuals, and certain disclosures to public authorities.

Automated Decision-Making — restrictions on solely automated decisions have been relaxed, allowing the use of AI and automated analytics (for example in recruitment or operations).

Subject Access Requests (SARs) — clearer rules now apply to handling SARs, including when organisations may seek clarification on overly broad requests before responding.

International Transfers — a revised framework applies to personal data transfers outside the UK, requiring updated assessments.


“The primary task is not a wholesale redesign but a careful review and update of our governance documents, privacy policies, data protection impact assessments, and operational procedures — including safeguarding policies and data management practices.”

— Alan North, Group Compliance Director


Kim Stevens, Group Business Improvement Director, holds the duty of Glen’s Data Protection Officer.





bottom of page