Data Protection Complaints
Why 19th June is a Key Date for Every UK Business
Update — May 2026: The deadline is confirmed as 19 June 2026 — no delays or extensions have been announced. The ICO published its finalised complaints handling guidance on 12 February 2026. Organisations now have one month to ensure compliance.
AI and Data Protection: the backdrop
The UK government has explicitly stated it will not pass a heavy, EU-style “AI Act” in 2026. Instead, it is using the Data (Use and Access) Act 2025 (DUAA) to adjust existing data laws to make AI easier to use in the workplace. Good news for some, worrying for the rest.
The UK’s DUAA 2025 — which received Royal Assent on 19 June 2025 — ironically inspired some of the EU’s subsequent changes. The UK was the first to explicitly list “AI training” and “internal administration” as legitimate reasons to process data without repeated new consent forms. The EU Omnibus is now playing catch-up.
Key regulations, perspectives and priorities
Two positions worth distinguishing:
• If you export or sell to the EU: you have until late 2027 to get your “high-risk” AI (such as recruitment filtering) fully compliant.
• If you are purely UK-based: you do not have an AI Act deadline to worry about, but you will need to comply with the UK DUAA and the ICO’s AI guidance — with complaints handling sitting at the top of the list.
Sources: ICO, UK Government, European Parliament.
From 19 June 2026, every UK organisation that processes personal data will be legally required to operate a formal, documented data protection complaints process. The ICO has confirmed there are no exemptions — this obligation applies to all organisations regardless of size or sector.
Why this is happening
Under current rules, individuals can take complaints directly to the ICO. However, with data protection complaints reaching 42,881 in 2024/25 — with forecasts of 45,000 to 55,000 if trends continue — the ICO has been forced to develop new mechanisms allowing it to concentrate on those cases with the biggest impact or most systemic risk.
From 19 June 2026, a complainant must first raise their concern with the Data Controller within their organisation. Only if dissatisfied with the response — or if the organisation fails to respond within a reasonable timeframe — may they escalate to the ICO.
What organisations must now do
• Provide clear complaint channels — electronic forms, live chat, postal, or phone lines. Complaints must be accepted regardless of channel, including via social media.
• Acknowledge complaints within 30 days — from the day after receipt, including weekends and public holidays. Where the final day falls on a weekend or public holiday, the deadline extends to the next working day. Where an organisation can both investigate and respond substantively within 30 days, a separate acknowledgement is not required.
• Investigate without undue delay — the duty to investigate begins immediately on receipt, not after the acknowledgement period expires. Complainants must be kept informed throughout.
• Provide outcomes promptly — clearly explaining findings, conclusions and actions taken. If the complainant remains dissatisfied, they must be directed to the ICO.
• Maintain records — logs must capture: date of receipt; acknowledgement; relevant correspondence and documentation; outcome; and remedial actions taken. The ICO and industry bodies may request access to these records.
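The acknowledgement window and the record fields listed above can be checked mechanically in a tracking system. The sketch below is an added example, not ICO or author code: it assumes the day after receipt counts as day 1, uses a constructed sample holiday set, and the ComplaintRecord class and its field names are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed sample input: replace with the authoritative public holiday
# list for the relevant UK nation before relying on the result.
SAMPLE_PUBLIC_HOLIDAYS = {date(2026, 8, 31), date(2026, 12, 25), date(2026, 12, 28)}
ACK_DAYS = 30  # acknowledgement window stated in the list above


def ack_deadline(received, holidays=SAMPLE_PUBLIC_HOLIDAYS):
    """Last day to acknowledge. Assumption: the day after receipt is day 1.
    Calendar days are counted (weekends and holidays included); only a final
    day on a weekend or public holiday rolls to the next working day."""
    due = received + timedelta(days=ACK_DAYS)
    while due.weekday() >= 5 or due in holidays:
        due += timedelta(days=1)
    return due


@dataclass
class ComplaintRecord:
    """Hypothetical log entry holding the fields the list says to capture."""
    reference: str
    channel: str                      # form, chat, post, phone, social media
    received: date
    acknowledged: Optional[date] = None
    correspondence: list = field(default_factory=list)
    outcome: Optional[str] = None
    outcome_date: Optional[date] = None
    remedial_actions: list = field(default_factory=list)

    def ack_status(self, today, holidays=SAMPLE_PUBLIC_HOLIDAYS):
        """Return 'met', 'late', 'open' or 'overdue' for the acknowledgement."""
        due = ack_deadline(self.received, holidays)
        # A substantive outcome inside the window stands in for a separate
        # acknowledgement, so take the earliest of the two dates.
        responses = [d for d in (self.acknowledged, self.outcome_date) if d]
        if responses:
            return "met" if min(responses) <= due else "late"
        return "overdue" if today > due else "open"


if __name__ == "__main__":
    rec = ComplaintRecord("C-0001", "social media", date(2026, 6, 19))
    print(ack_deadline(rec.received), rec.ack_status(date(2026, 7, 21)))
```
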
While the ICO may hope to reduce its own workload, for businesses this represents a significant new compliance responsibility. The emphasis has shifted from good practice to legal obligation.
Getting ahead of the requirement
With the ICO’s guidance now finalised (published 12 February 2026) and the deadline around six weeks away, the time to act is now. The ICO advises:
• Audit current processes — the ICO has confirmed that a brand-new standalone process is not required. Existing complaint frameworks can be adapted, provided they properly cover data protection issues and meet the DUAA’s procedural requirements.
• Train all staff — everyone needs to recognise a data protection complaint, from the front line to senior management, and understand the revised or new process.
• Build tracking systems — to record complaint dates, complainant contact details, acknowledgements, investigation progress and outcomes. The ICO has been explicit that complaint records may become relevant during regulatory enquiries.
• Test before the deadline — run simulations or ‘mystery complaints’ before 19 June to verify that the process functions effectively in practice, not just on paper.
Beyond 19 June 2026
The complaints handling deadline is the most concrete, time-bound obligation under the DUAA, but it sits within a broader set of regulatory shifts. Key mindsets to develop:
• Data use flexibility is increasing, but so are governance expectations.
• Complaint handling is becoming a regulated process — not just reputation management or good customer experience.
• AI compliance timelines may shift, but risk accountability is not going away.
• AI literacy in the workplace is moving from ‘nice to have’ to ‘demonstrable control’.
Demonstrating control: further options
• Get familiar with the ICO — visit ico.org.uk. Searching ‘AI’ from the home page leads to all relevant resources, including the AI and data protection risk toolkit.
• Consider ISO/IEC 42001 — particularly relevant if you bid for contracts with Tier-1 firms or government bodies, are moving into AI agent use, or are building an AI product for others. It provides a structured governance framework and demonstrates due diligence to clients and regulators.
Summary of actions
For most organisations, the priority order is straightforward:
1. Deal with the complaints procedure first — assess current processes, train staff, build your tracking system, and test before 19 June 2026.
2. Move on to the DUAA’s legitimate interests provisions — intended to ease the burden of repeated consent requests. Understand ‘Records of Processing Activities’ and how they provide protection under the DUAA.
3. Think through AI upskilling — plan your approach using the free government and ICO resources available, including the risk assessment tools linked below.
Are you already building your complaint process? For SMEs with key accounts, a robust data protection procedure could become a competitive differentiator rather than simply a compliance exercise. It would be interesting to hear how businesses in Hampshire and Wiltshire are approaching this.
Useful sources
ICO: Data (Use and Access) Act 2025 — what it means for organisations
ICO: Guidance on AI and data protection
GOV.UK: Data (Use and Access) Act 2025 — data protection and privacy changes
ISO/IEC 42001 — AI management systems
European Parliament: EU AI Act overview
