AdviceIndustry info

Data Protection for Wedding Businesses: The June Deadline You Can’t Miss

Professional woman reviewing paperwork at an office desk with a laptop, representing business compliance, legal administration and data protection processes.

A plain-English guide to the Data (Use and Access) Act 2025 — and what every wedding venue, photographer, caterer, planner, dressmaker, florist and entertainer needs to do before 19 June

You’re in the business of making people’s most personal day perfect. That means you hold more personal data than you might realise — names, addresses, dietary requirements, health information, budgets, family dynamics, even details about children attending. All of it is covered by UK data protection law. And right now, that law is changing.

Here’s what you need to know, and what you need to do.

What’s the DUAA, and why should you care?

The Data (Use and Access) Act 2025 — DUAA — builds on UK GDPR and the Data Protection Act 2018. It doesn’t replace them; it extends and updates them. It’s being rolled out in phases, but there’s one date that affects every business regardless of size or sector:

19 June 2026 — the deadline to have a formal data protection complaints process in place.

No exemptions. No grace period. If you collect personal data (and you do), this applies to you.

First things first: are you registered with the ICO?

Before we get to June’s deadline, a more fundamental question: are you registered with the ICO?

Most businesses that collect and use personal data are legally required to pay an annual data protection fee to the Information Commissioner’s Office and appear on their public register. This is not optional — if you need to pay and do not pay, you could be fined up to £4,000. The current fee starts at £52 per year for micro-organisations — one of the cheapest bits of legal compliance you’ll ever do. ICOAcuity Law

For a wedding business, you almost certainly need to be registered. You’re collecting names, contact details, dietary requirements, financial information and more — all of it counts as processing personal data. The ICO publishes a public list of all companies that have paid the fee — and a separate list of those that haven’t. Couples increasingly check that register. Being absent from it is not a good look. 1stchoiceincorporations

You can check and register at ico.org.uk/registration. If you’re not registered, stop reading and go do that first.

The data you hold is more sensitive than you think

A florist might think: I just have someone’s name and a delivery address. But consider what wedding businesses typically hold:

  • Full names, home addresses, phone numbers and email addresses of couples and often their families
  • Dietary requirements and allergies — which can reveal health conditions and religious beliefs
  • Children’s details for guest lists, entertainment and catering
  • Financial information — deposits, full payment amounts, card details if you process online
  • Supplier and contractor data — the people who work with you, not just for you
  • Photos and video — some of the most personal images people will ever have taken

Each category carries its own obligations. Health-related data (allergies, disabilities) is “special category” data under UK GDPR, meaning it needs a higher standard of protection and a specific legal basis for processing.

What’s changed under the DUAA?

DSARs – slightly less painful

A data subject access request (DSAR) is when someone asks you to tell them everything you hold about them. Under the DUAA, you’re now only required to carry out reasonable and proportionate searches. You can also pause the one-month response deadline if you need more information from the requestor to locate what they’re looking for.

What to do: Have a written DSAR process, even a short one. Document every decision you make when handling one. If a couple separates and one party demands their data, having a clear paper trail matters.

Cookies and marketing

From February 2026, the rules on cookies have been slightly relaxed for low-risk uses like analytics. But PECR fines — those are the rules around marketing by email, text or phone — are now aligned to GDPR levels. That means bigger penalties for unsolicited marketing.

What this means for you: If you’ve been sending follow-up emails to enquiries who didn’t book, or adding people to a mailing list without explicit consent, review that practice now.

The big one: the complaints process deadline – 19 June

From 19 June 2026, every business that processes personal data must have a documented process for handling data protection complaints. Here’s what’s required:

  • A written process for receiving and managing complaints
  • Acknowledgement within 30 calendar days — that means weekends and bank holidays count
  • Regular updates to the complainant on progress
  • A clear outcome communicated in writing
  • An auditable log of every complaint — date received, who handled it, what was sent, when

The reason this matters: the ICO is now directing complainants back to businesses first. The ICO received 66,000 complaints in 2025. Going forward, if a couple complains to the ICO about how you handled their data, the ICO will ask whether they raised it with you first. They’ll come back to you — probably more frustrated than when they started. Your process is your first line of defence.

What counts as a data protection complaint in your world?

It’s broader than you might expect. A data protection complaint could be:

  • A couple who discovers you shared their personal details with another supplier without permission
  • A guest who finds their dietary information was disclosed to the wrong caterer
  • A bride who asks you to delete her data after a cancelled wedding — and you don’t
  • A wedding guest who spots themselves in marketing photos on your Instagram without consent
  • A former employee who thinks you’ve kept their payroll data longer than necessary

It’s separate from a general service complaint (“the flowers weren’t what we agreed”). A data protection complaint is specifically about how you’ve handled someone’s personal information

What you need to put in place before 19 June

A written complaints procedure. Even one page is enough to start. If you already have a general complaints process, adapt it to cover data protection specifically.

A dedicated complaints contact. A named email address (something like [email protected]) routed to at least two people. Not just the owner — what happens when you’re on-site at a wedding all day?

Templates. Draft an acknowledgement, a holding response, and an outcome letter. You won’t want to be writing from scratch when you’re also dealing with a panicking client two weeks before their big day.

An audit log. A simple spreadsheet is fine — date received, who handled it, what you sent, when. Keep it somewhere secure, not in a shared inbox.

An updated privacy notice. Your privacy policy should clearly explain that people can make a data protection complaint, how to do it, and that they can escalate to the ICO if they’re unhappy with your response. If your privacy notice is a paragraph buried in your contract, it needs updating.

Retention policy. How long are you keeping client data? And consider how long will you retain data protection complaints details specifically? You need a documented answer — and you should only be keeping data for as long as there’s a legitimate reason to do so.

Watch-outs specific to the wedding industry

Photography and video. Images of identifiable people are personal data. If you use client photos for marketing, you need a clear consent process — not just a line buried in your contract. This applies to social media, website galleries and printed portfolios.

Children. Weddings often involve under-18s in guest lists, entertainment briefs, and sometimes as part of the couple. If you hold data about children, you need a higher level of care and a child-friendly privacy notice.

Social media complaints. If someone posts on your Instagram or sends a DM raising a data concern, don’t try to resolve it in the comments. Direct them politely to your formal process.

Sub-contractors and suppliers. If you use a third-party CRM, booking platform, or cloud storage, that provider is handling personal data on your behalf. You need a data processing agreement with them. Check what data they hold, where it’s stored, and what happens to it if you stop using the service.

Angry exes. Divorce, separation, and family disputes are never far from the wedding industry. If a couple separates after enquiring or booking with you, you may receive conflicting requests about data. Have a clear, neutral process that doesn’t put you in the middle.

Your pre-19 June Data Protection Complaints checklist

  • Confirm you’re registered with the ICO (ico.org.uk/registration)
  • Appoint a primary and backup data protection complaints contact
  • Set up a dedicated data protection complaints email address
  • Create a secure log for recording data protection complaints
  • Draft acknowledgement, holding and outcome templates
  • Update your privacy notice to reference the data protection complaints process and ICO escalation route
  • Document your data retention periods
  • Check your contracts with photographers, caterers and other subcontractors include data processing agreements and that they would be able to assist you with a complaint.
  • Brief anyone in your business who might receive a data protection complaint — including contractors who liaise with clients directly
  • Run a dummy complaint to test the process

The bottom line

You’ve built a business around trust. Couples share some of their most personal details with you, often during an emotionally heightened time. Getting data protection right isn’t just about avoiding ICO fines — though those are real, and can be significant. It’s about being the kind of business your clients can rely on completely.

The DUAA is asking you to do something reasonable: have a proper process for when things go wrong. Most of the businesses that get this right won’t ever need to use it. But when you do, you’ll be very glad it’s there.

Who to contact for support

If you need a hand with the process, legal firms such as Farringford Legal can help with:

  • Drafting or updating your privacy and data retention policies
  • Templates your team can use from day one — acknowledgements, holding responses, and outcomes
  • RoPA and data flow mapping, so you know exactly what you hold and why
  • Practical guidance on building a process that works for your business

Not sure where to start? Book a free 30-minute call and we’ll point you in the right direction. No strings attached.

This article is for general information only and does not constitute legal or professional advice. The law may have changed since publication. Farringford Legal provides expert legal services across England and Wales.

May 2026

Farringford Legal logo

The content in this piece was supplied by our partners at Farringford Legal. Their contribution helps ensure the information in this article is accurate, relevant and grounded in real industry expertise.

Related Articles