— Outlook

Regulatory commentary, briefings, and analysis.

ICO enforcement analysis, DUAA commentary, sector briefings, compliance how-tos — written for the people who actually need to make data protection work, not for the people who write about it.

— Recent pieces

What I have been writing about.

Pieces are published roughly monthly. Each one is something I would otherwise be saying in a client conversation — written down so the answer is consistent and the reasoning is preserved.

April 2026
DUAA complaint handling: what your organisation needs by 19 June 2026.
The mandatory complaints process under section 164A DPA 2018 — what it is, who it applies to, and how to put it in place without over-engineering.
DUAA Updates
March 2026
ICO reprimand analysis: lessons from recent SME enforcement actions.
What the ICO's recent reprimands and enforcement notices tell us about where SME compliance gaps are landing — and what to fix first.
ICO Enforcement
March 2026
The SME guide to handling your first subject access request.
A step-by-step for organisations that have received a DSAR and are not sure where to start. The clock is one month — here is how to use it well.
Compliance Guides
March 2026
Do you need a DPO? A practical guide for UK SMEs.
Article 37 mandates a DPO in certain circumstances. A practical assessment of your position — and what to do if the answer is borderline.
Compliance Guides
February 2026
Data protection for charities: five areas trustees must get right.
Compliance challenges facing charities working with vulnerable beneficiaries — and how trustees can discharge their governance obligations under the Charities Act in the data protection context.
Sector Briefings
February 2026
The Data (Use and Access) Act 2025: what has changed and what is coming.
A practical summary of the DUAA provisions, the implementation timeline, and what to do now versus what to wait on.
DUAA Updates
January 2026
Breach or blip? Assessing whether an incident is reportable to the ICO.
A decision framework for the Article 33 notification threshold. The 72-hour clock starts when you become aware — but awareness has a specific legal meaning, and most incidents do not require notification.
Compliance Guides