
Today's Top Story

UK complaints-handling duty goes live in 10 days

A core obligation of the UK's Data (Use and Access) Act 2025 takes legal effect on 19 June 2026 — just 10 days out. Every data controller must operate a formal internal procedure for handling data-protection complaints from individuals, acknowledge each complaint within 30 days, and respond without undue delay. There is no small-business exemption: the duty applies to controllers of every size. The ICO has published guidance to help organisations stand up a compliant process before commencement, and separately the DUAA lifts the PECR penalty ceiling from £500,000 to £17.5M — sharply raising the stakes for marketing and cookie compliance.

Also Today

California lands record $12.75M GM/OnStar settlement. Announced 8 May, AG Bonta's settlement is the largest CCPA penalty in state history and California's first enforcement of the law's data-minimization rule. GM allegedly sold drivers' precise geolocation and driving-behavior data to brokers including LexisNexis and Verisk without adequate notice. Audit what connected-product or telematics data you collect, sell, or share — and confirm each use ties to a disclosed purpose. California OAG

CNIL fines IQVIA €5M over health-data warehouses. France's regulator penalised IQVIA Operations France on 26 May for failing to honour the conditions of its CNIL authorizations — weak transparency, poor rights handling, no log analysis, and missing MFA on one warehouse. IQVIA has six months to remediate or face €10,000/day. Re-check access controls and audit logging on any special-category data store. CNIL

EDPB research-processing guidelines: comment by 25 June. The Board's draft Guidelines 1/2026 on processing personal data for scientific research close for public consultation in 16 days. They set six factors defining "scientific research" and clarify when erasure and objection rights apply. If you rely on the research basis, submit comments and re-test your six-factor analysis. Consultation page

Europe's enforcement engine is accelerating. Supervisory authorities reportedly imposed an estimated €68M in GDPR fines in Q1 2026 — a near-400% jump year over year — with France and the UK driving the bulk. The 2026 signal is clear: less new lawmaking, more aggressive enforcement of rules already on the books.

Deadline Alert

19 June (10 days) — UK DUAA internal complaints procedure must be live.

25 June (16 days) — EDPB scientific-research guidelines consultation closes.

One Thing to Do Today

Stand up — and document — a written internal data-protection complaints procedure with a 30-day acknowledgement workflow before 19 June. If you operate in the UK, this is now a legal requirement with no size carve-out.

Tomorrow's Focus

AI Governance — the latest on AI regulation, the EU AI Act timeline, and global AI policy moves.

CyberEyeQ — Actionable Regulatory Intelligence. Questions or feedback? [email protected]
