Warning over June data deadline for UK businesses
Key Points
- Under the Data (Use and Access) Act 2025, all UK organisations that control personal data must have a formal data protection complaints process in place by 19 June 2026.
- Businesses must acknowledge a complaint within 30 days, investigate it appropriately, keep the complainant informed and confirm the outcome without undue delay.
- The rule applies to all controllers with no exceptions, from small businesses to global firms.
- Individuals gain a statutory right to complain directly to a business about how it uses their personal data before escalating to the ICO.
- Complaints must be accepted regardless of how they are submitted, and businesses must inform people of their right to complain in privacy notices.
UK businesses have until 19 June 2026 to put a formal process in place for handling complaints about how they use people’s personal data, with consultants warning that many organisations are not ready for the deadline.
The requirement is introduced by the Data (Use and Access) Act 2025, which amends the UK’s existing data protection framework.
From 19 June, every organisation that controls personal data must give individuals a clear way to make a data protection complaint directly to the business, before any escalation to the Information Commissioner’s Office (ICO).
The rule applies to all controllers with no exceptions, covering everything from small businesses to global firms.
Once a complaint is received, organisations must acknowledge it within 30 days, investigate the issue appropriately, keep the complainant informed of progress and confirm the outcome without undue delay.
Complaints must be accepted regardless of how they are submitted, and individuals must be told of their right to complain in privacy notices.
Privacy Helper, a UK data protection consultancy, warned that a privacy policy or a general customer service process will no longer be enough.
Organisations need a practical procedure with clear ownership, escalation routes and record-keeping, the firm says, adding that the potential fines for getting it wrong are substantial.
“Most businesses believe they are compliant until a complaint exposes the gaps,” said Andy Chesterman, Managing Director of Privacy Helper. “From 19 June, organisations need a practical process that staff understand and can follow.”
Chesterman said the risk is less about receiving a complaint and more about being unable to demonstrate it was handled correctly.
“A routine issue can escalate quickly if nobody knows who owns the complaint, what needs to be recorded or when it should be referred internally. The real risk is not simply receiving a complaint, it is being unable to show that the business handled it properly.”
He framed the change as a commercial concern as well as a regulatory one.
“This is a commercial issue as much as a compliance issue. Poor handling creates avoidable cost, management time and reputational damage.”
The ICO, which has published guidance on the new requirements, has signalled a measured approach to enforcement during the transition period.
However, the obligation itself takes effect on 19 June regardless, leaving organisations a narrow window to get a compliant process in place.
