UK Data Protection Changes in June 2026: What Jewellery Businesses Need to Know (Without the Panic)

If you run a jewellery business in the UK, you may have seen headlines about ‘new GDPR rules’ coming in during June 2026 and wondered whether you need to change everything overnight.

The good news is: probably not.

The changes form part of the UK’s Data (Use and Access) Act 2025, which updates existing UK data protection law rather than replacing it. Most jewellery businesses already doing sensible things with customer data are unlikely to need a complete overhaul.

That said, there are a few things worth checking now so that you stay compliant and avoid stress later.

Please note: this blog post is intended as practical information rather than legal advice. If you are unsure about your specific circumstances, please speak to a legal adviser or data protection specialist.

 
 

1. Check whether you need to register and pay a data protection fee to the ICO

This is one of the biggest things we see small businesses miss.

Many businesses that process personal data are required to pay a data protection fee to the Information Commissioner’s Office (ICO). This isn’t determined by turnover alone and not every business needs to register, but if you collect customer information, run email marketing, keep client records or sell online, it is worth checking.

Examples of data you might process include:

  • Customer names and addresses

  • Email marketing lists

  • Customer orders

  • Website enquiries

  • Student records

  • Photography and testimonials

  • Payment information

Use the ICO self-assessment tool (the ICO Fee Checker) to find out whether you need to pay the fee.

If you do need to register, you can also complete it online directly with the ICO:

https://ico.org.uk/for-organisations/data-protection-fee/



2. Add a clear data complaints process before 19 June 2026

One of the main practical changes coming into force is that organisations must have a way for people to complain about how their personal data has been handled. Organisations must acknowledge complaints within 30 days and respond without undue delay.

For most jewellery businesses this does not need to become complicated.

You could:

  • Add a privacy email address for people to contact

  • Add a section to your privacy policy explaining how people complain

  • Decide internally who handles complaints (if you’re the sole staff member it’s you!)

  • Keep a simple log of complaints and actions taken



Questions to ask yourself:

  • If someone asked “what information do you hold about me?” would you know where to look?

  • If someone wanted data corrected or removed, do you have a process?

  • Would your team know what to do?

The ICO has practical guidance to help businesses set this up.



3. Review your privacy policy

Now is a good excuse to revisit your privacy notice.

Check that it explains:

  • What data you collect

  • Why you collect it

  • Which systems you use

  • How long you keep it

  • How people contact you

  • How people make a complaint

Many jewellery businesses created these years ago and haven’t looked at them since.



4. Review your email marketing and customer permissions

If you send newsletters, launch emails, workshop invitations or promotions, make sure your marketing practices still make sense.

Check:

  • Are people opting in clearly?

  • Do forms explain what subscribers receive?

  • Can people unsubscribe easily?

  • Are old mailing lists still appropriate?

The good news is that if you use an email marketing product like Mailchimp, MailerLite or even one provided by your website, it should be updated to ensure compliance.

The changes do not remove the need to think carefully about consent and email marketing rules.



5. Think about where your customer data actually lives

Many of us collect information in more places than we realise.

You might have customer information in:

  • Shopify

  • Squarespace

  • Mailchimp

  • Meta lead forms

  • Google Drive

  • Google Analytics

  • Booking systems

  • Online course platforms

  • Accounting software

  • AI tools

Create a simple list.

You do not need a 40-page compliance manual. A spreadsheet is often enough.



6. If you use AI in your business: pause before uploading personal information

AI is becoming increasingly common for marketing, admin and content creation.

Before uploading customer details, student information or enquiries into AI tools, check:

  • whether personal data is being processed

  • what permissions exist

  • whether the platform stores data

  • whether your privacy information reflects this


We would recommend that you do not put any customer data into AI tools, to keep your customers’ identities safe.

Use of AI is also worth considering if you create courses, teaching materials or downloadable resources.



Your June 2026 Data Protection Checklist

☐ Check whether you need to pay the ICO data protection fee
☐ Add a data complaints process
☐ Update your privacy policy
☐ Review email marketing permissions
☐ List where customer data is stored
☐ Consider how AI tools are being used

Helpful Resources

Information Commissioner’s Office: Data (Use and Access) Act overview
Information Commissioner’s Office: How to deal with data protection complaints
ICO: Data protection fee self-assessment
ICO: Guide to UK GDPR
Government guidance on data protection changes

A little time spent reviewing this now is likely to save a lot of scrambling later. Compliance does not need to be intimidating, but it does need to be intentional.



“Jewellers Academy cannot provide legal or compliance advice, but we hope these resources point you in the right direction.”



Bonus: AI Prompts to Help You Review Your Jewellery Business Data Protection

AI can be surprisingly useful for helping you think through data protection and compliance tasks. It should not replace legal advice, but it can help you create checklists, identify gaps and draft documents faster.

Try copying and pasting these prompts into your preferred AI tool.

Prompt 1: Do I need to do anything?

Act as a UK small business data protection advisor.

I run a jewellery business.

Please ask me one question at a time to understand:

  • how I sell (website, Etsy, markets, commissions etc)

  • how I collect customer data

  • which systems I use

  • whether I send marketing emails

  • whether I work with students or clients

  • whether I store photographs or testimonials

  • whether I use AI tools

At the end create:

  1. A simple GDPR compliance checklist

  2. A list of documents I should have

  3. A list of areas I should review

  4. Questions I should verify with the ICO

Do not provide legal advice and flag anything uncertain.

Prompt 2: Build my data map

Help me create a data map for my jewellery business.

Ask me where customer information enters my business and where it is stored.

For each system create a table with:

  • What personal data is collected

  • Why it is collected

  • Where it is stored

  • Who has access

  • Retention recommendation

  • Whether consent is needed

  • Any GDPR concerns

At the end identify gaps and suggest actions.

Prompt 3: Review my privacy notice

Act as a UK privacy notice reviewer.

I will paste my current privacy notice.

Review it against:

  • UK GDPR

  • PECR

  • June 2026 UK data protection updates

Tell me:

  • what is missing

  • what is unclear

  • what needs updating

  • what systems should be named

  • what sections may not apply

Do not rewrite the whole thing unless I ask.

Prompt 4: Check whether I may need to pay the ICO fee

I run a jewellery business in the UK.

Ask me questions one at a time to help me understand whether I may need to pay the ICO data protection fee.

At the end:

  • summarise what I told you

  • explain areas that suggest registration may apply

  • explain areas that may be exempt

  • direct me to check the official ICO assessment tool

Do not give a definitive legal answer.

Prompt 5: Help me create a data complaints process

Act as a data protection consultant for a small creative business.

Help me create a practical complaints process that complies with UK data protection requirements.

Create:

  • a complaints email workflow

  • acknowledgement template

  • internal checklist

  • suggested response timeline

  • wording for my privacy policy

Keep this proportionate for a small business.

Prompt 6: Audit my website

Act as a website privacy and cookie reviewer.

I will give you:

  • my website URL

  • my cookie banner wording

  • the platforms I use

Help me identify:

  • cookies and tracking tools

  • missing privacy information

  • analytics tools

  • embedded content

  • consent issues

  • actions to improve compliance

Create a prioritised action list.

Important: Always sense check AI outputs and cross-reference with official ICO guidance before publishing policies or making business decisions.

Jessica Rose