New UK Data Protection Rules from 19 June 2026: What Sole Traders Need to Know

If you book clients, take payments, or keep notes, you handle personal data — which means UK data protection law applies to you, even as a one-person business. On 19 June 2026, a new set of rules comes into force that you should know about. The good news: for most sole traders, getting ready is straightforward.

This post explains what’s changing in plain English, who it affects, and the simple steps to be prepared.

What’s actually changing?

The Data (Use and Access) Act 2025 (DUAA) updates — but doesn’t replace — the UK GDPR and the Data Protection Act 2018. Most of it is aimed at large organisations, but one change matters to everyone who handles client data.

From 19 June 2026, individuals get a new statutory right to complain directly to you about how you handle their personal data, before they go to the regulator. As the person who decides how client data is used (the “data controller”), you’ll be legally required to:

Make it easy to complain — accept complaints through any reasonable channel, including email and even social media
Acknowledge a complaint within 30 days of receiving it
Investigate it without undue delay, in a way that’s proportionate to how serious and complex it is
Give the person an outcome, and let them know they can escalate to the Information Commissioner’s Office (ICO) if they’re not satisfied

Crucially, there is no exemption for small businesses. Whether you’re a solo therapist or a one-van dog groomer, the same baseline applies.

Who does this affect — and how much?

Every Booker user handles personal data, but not all data is equal in the eyes of the law. How much you need to think about this depends on what you keep.

You handle sensitive (“special category”) data

If you’re a therapist, counsellor, psychotherapist, physiotherapist, osteopath, chiropractor, nutritionist, speech therapist or acupuncturist, you almost certainly hold health-related information about your clients. That’s “special category” data — the most protected kind under UK GDPR.

For you, the bar is highest. A client trusting you with sensitive information is also more likely to care deeply about how it’s stored, who can see it, and what happens if something goes wrong. A clear, calm complaints process isn’t just a legal box to tick — it’s part of the trust your practice runs on.

You handle everyday contact and booking data

If you’re a driving instructor, tutor, personal trainer, hairdresser, beauty therapist, photographer, dog groomer, music teacher or accountant, you’re typically holding names, contact details, appointment history and payment records. That’s ordinary personal data — lower-risk, but still covered.

The new complaints rules apply to you too. The lift is lighter, but you still need a way for clients to raise concerns and a plan for responding to them.

The common thread

Whatever you do, three things are now expected of every sole trader:

People can find out how to complain to you about their data.
You respond within the timelines above.
You can point them to the ICO if they remain unhappy.

How Booker helps you stay on the right side of this

Booker is built for sole traders who don’t have a compliance department, so a lot of the heavy lifting is already done for you.

Your client data is stored securely. Booker keeps client information in UK-hosted, encrypted storage. When clients share sensitive documents, that’s protected with email verification — so the underlying “are you handling data responsibly?” question already has a solid answer.
One booking page to publish your terms. Your Booker booking link is the natural home for the things clients need to see before they book — your cancellation policy, your privacy information, and how to raise a data complaint. Putting your complaints contact and a link to the ICO right there means individuals always know their options, which is exactly what the new rules expect.
A clear record of every interaction. Bookings, reminders, cancellations and payments are all logged in one place. If a client ever queries what data you hold or how an appointment was handled, you can answer from a single source instead of digging through texts and inboxes.
Less data sprawl. Because bookings, reminders and payments run through one system rather than scattered across personal phones, paper diaries and spreadsheets, there’s simply less to go wrong — and less to account for if someone asks.

Your simple checklist before 19 June 2026

You don’t need a lawyer for this. For most sole traders, being ready means:

Write down how someone complains to you about their data. A couple of sentences is enough: where to send it (an email address is fine) and what they can expect.
Publish it where clients can see it — on your booking page, in your privacy notice, and ideally in your booking confirmation emails.
Mention the ICO. State that if they’re unhappy with your response, they can complain to the Information Commissioner’s Office at ico.org.uk.
Set yourself a reminder rule: acknowledge any data complaint within 30 days, and respond properly without dragging your feet.
Keep a simple record of any complaint and what you did about it.

That’s the core of it. A short, honest process — visible to clients and actually followed — is what the law is asking for.

The bottom line

The 19 June 2026 changes formalise something good practice already pointed to: clients should be able to raise a concern about their data and get a fair, timely response. For sole traders, it’s a small amount of preparation, not a mountain.

If your client data already lives in Booker, you’re starting from a strong position — secure storage, a single record of every interaction, and a booking page where you can make your complaints process clear. Spend twenty minutes writing your process down and publishing it, and you’ll be ready.

This article is general information, not legal advice. For guidance specific to your situation, the ICO publishes free, plain-English resources for small businesses at ico.org.uk.