PCC action required under changes to data protection law

The Data (Use and Access) Act 2025 has introduced a number of changes to UK data protection law. While many of the changes affect larger organisations, there are some important updates that PCCs should be aware of.

The most significant change is the introduction of a mandatory data protection complaints process. 

PCCs should ensure that individuals can easily raise concerns about how their personal data is handled, that complaints are acknowledged promptly, investigated appropriately, and that records of complaints and outcomes are maintained. Please see template here.

PCCs should also review their existing data protection arrangements in light of wider changes to:

  • Legitimate interests and information sharing, including safeguarding-related processing.
  • The handling of Subject Access Requests (SARs).
  • The use of automated decision-making and AI tools where personal data is processed.
  • International data transfers and website cookie requirements.

Action for PCCs

Please set up a data protection complaints process, review your data protection policies, privacy notices, complaint handling arrangements, and any procedures relating to Subject Access Requests to ensure they remain compliant with the latest legal requirements.

The Governance Support Team can be contacted via governance.support@bristoldiocese.org if you have any questions.

First published 8th July 2026
Powered by Church Edit