
UK data protection changes in 2026: what care providers should check 


There has been a lot of discussion recently about changes to UK GDPR. Some of this has sounded quite alarming, especially for small businesses and care providers. 

The reality is more straightforward. 

UK GDPR has not been replaced. However, the Data (Use and Access) Act 2025 has made some changes to UK data protection and privacy rules. Some of these changes are already in place, and one important change comes into force on 19 June 2026. 

For adult social care providers, this is a good time to check that your data protection processes are clear, practical and up to date. 

Care providers handle personal information every day. This may include information about people who use services, relatives, staff, job applicants, visitors, professionals and website enquiries. Some of this information may be sensitive, such as health, care, medication, safeguarding, mental capacity, employment or complaint records. 

Good data protection is not just about having a privacy notice on your website. It is about making sure personal information is collected, used, shared, stored and deleted safely. 

  1. People must know how to raise a data protection complaint

From 19 June 2026, organisations must have a process for handling data protection complaints. 

This means people should be able to complain if they are unhappy about how their personal information has been handled. This could include a person receiving care, a relative, a member of staff, a former employee, a job applicant or someone who has made an enquiry through your website. 

Care providers should check: 

  • Is it clear how someone can raise a data protection complaint? 
  • Is there an email address, web form or written process? 
  • Do staff know what to do if someone raises a concern about their information? 
  • Are complaints acknowledged within the required timescale? 
  • Is there a clear record of the complaint, the response and any action taken? 

This does not need to be complicated. It could be added to your privacy notice, complaints procedure, website or staff guidance. The important thing is that people know what to do, and your team knows how to respond. 

  2. Subject Access Requests still need a clear process

A Subject Access Request, often called a SAR, is when someone asks for a copy of the personal information an organisation holds about them. 

In adult social care, SARs may come from staff, former staff, people using services, relatives, advocates or solicitors. 

The 2026 changes clarify that organisations only need to carry out searches that are reasonable and proportionate. This is helpful, because some requests can be very wide. However, it does not mean requests can be ignored or handled casually. 

Care providers should check: 

  • Do staff know how to recognise a Subject Access Request? 
  • Is there a named person or role responsible for managing SARs? 
  • Is there a process for checking identity before sharing information? 
  • Is there a system for finding relevant records? 
  • Are staff clear about what can and cannot be shared? 
  • Are timescales being monitored? 

A request does not have to include the words “Subject Access Request”. If someone asks, “Can I see what information you hold about me?”, this may still count. 

  3. Website cookies and tracking need reviewing

Many care providers now use websites for enquiries, recruitment, downloads, contact forms, newsletters, analytics and marketing. 

Some cookie rules have been relaxed for low-risk uses. However, this does not mean all cookies can be used without consent. 

Care providers should check: 

  • Does the website use cookies? 
  • Does it use analytics tools? 
  • Does it use tracking pixels, advertising tools or retargeting? 
  • Is the cookie banner accurate? 
  • Does the cookie policy match what the website actually does? 
  • Can people accept or reject non-essential cookies? 

This is especially important if your website uses tools linked to marketing, advertising, social media or behaviour tracking. 

  4. Email marketing still needs care

Many providers send emails to families, staff, commissioners, professionals, enquiries, job applicants or potential clients. Not all emails are marketing, but some are. 

For example, an email about a person’s care package is not the same as an email promoting a service, event, open day, newsletter or training offer. 

Care providers should check: 

  • Who is on your email marketing list? 
  • How did they get there? 
  • Did they consent, or are you relying on another lawful route? 
  • Can people unsubscribe easily? 
  • Are unsubscribes acted on promptly? 
  • Are webinar, event or newsletter sign-up forms clear? 
  • Are staff using personal contact lists or old spreadsheets? 

The increased fine level for some marketing and electronic communication breaches is a reminder that marketing lists should be properly managed. For most care providers, the main focus should be good records, clear wording, easy opt-outs and avoiding unwanted marketing. 

  5. Staff information should not be forgotten

Data protection is not only about people who use services. It also applies to staff. 

Care providers hold a lot of staff information, including recruitment records, right to work documents, DBS information, sickness records, supervision notes, training records, disciplinary records, payroll details and emergency contacts. 

Care providers should check: 

  • Is staff information only accessed by people who need it? 
  • Are records kept securely? 
  • Are old records deleted when they are no longer needed? 
  • Are sickness, performance and disciplinary records handled confidentially? 
  • Are staff told how their information is used? 
  • Is there a clear staff privacy notice? 

This is especially important where records include health information, absence details, safeguarding concerns or employment disputes. 

  6. Be careful with automation and AI tools

Some organisations are starting to use more automation, artificial intelligence or digital tools. In care settings, this might include learning platforms, recruitment systems, rostering tools, monitoring systems, CRM systems or automated reporting. 

The rules around automated decision-making have changed, but safeguards still matter. 

Care providers should think carefully if a system makes decisions about people with little or no human involvement. This could include decisions about recruitment, access to services, risk, training, performance or employment. 

Care providers should check: 

  • Are any systems making automatic decisions about people? 
  • Could those decisions have a significant effect on someone? 
  • Is there human oversight? 
  • Can the person challenge the decision? 
  • Is the process explained clearly? 

Most everyday digital systems will not be a problem, but providers should understand what their systems are doing. 

  7. Keep evidence that you have reviewed the changes

Care providers do not need to panic or rewrite every policy overnight. But it is sensible to show that you have reviewed the changes and taken proportionate action. 

This could include: 

  • Reviewing your privacy notice. 
  • Checking your data protection complaints process. 
  • Reviewing your SAR process. 
  • Checking your cookie banner and cookie policy. 
  • Reviewing email marketing lists and unsubscribe processes. 
  • Briefing managers and relevant staff. 
  • Recording any actions taken. 

This links well with good governance. It shows that the provider is keeping systems under review and taking reasonable steps to protect personal information. 

Final takeaway 

The 2026 data protection changes are not about starting again from scratch. 

They are a reminder to check that your processes are clear, current and practical. 

For adult social care providers, the most important areas to review are: 

  • How people complain about data handling. 
  • How Subject Access Requests are managed. 
  • How website cookies and tracking are used. 
  • How email marketing lists are managed. 
  • How staff and care records are protected. 
  • Whether any digital tools or automated systems need extra oversight. 

Good data protection protects people, supports trust and helps services show that they are well led, organised and accountable. 
