
Today's Top Story: UK Complaints Duty Lands This Friday

Every UK controller needs a working complaints process by 19 June — three days out. Section 103 of the Data (Use and Access) Act 2025 inserts a new s.164A into the DPA 2018, giving individuals a statutory right to complain directly to a controller before escalating to the ICO. You must offer an accessible way to submit a complaint (including an electronic form), acknowledge within 30 days, investigate without undue delay, and record a plain-language outcome. The same Act swapped UK GDPR Article 22 for a new automated-decision safeguards regime (Arts. 22A–22D) and lifted the PECR fine cap from £500,000 to £17.5m. This is a hard commencement date, not guidance.

Also Today

EU regulators put privacy notices on trial. The EDPB has launched its 2026 Coordinated Enforcement Framework on transparency under GDPR Articles 12–14, with 25 DPAs contacting controllers across sectors through the year. Pressure-test the clarity and accessibility of your privacy notices now.

California enforcement has no cure period. The CPPA's Audits Division has been operational since February and reports 100+ active investigations under the ADMT and risk-assessment rules in force since 1 January. Recent hits: $1.1m against PlayOn Sports (defective opt-out involving student data) and a $2.75m AG settlement with Disney DTC/ABC. Confirm your ADMT opt-out flows and risk assessments are documented.

One breach form for all of Europe. The EDPB adopted a draft common Article 33 breach-notification template — ~120 fields, predefined answers, conditional logic — open for consultation until 5 August. Map your breach workflow to it and consider filing feedback.

Digital Omnibus retreat. The Council's latest compromise (Cypriot Presidency, doc 9547/26) drops the contested entity-relative "personal data" redefinition and removes the proposed Article 22 ADM changes — easing fears that cookies, device IDs and hashed emails would lose GDPR protection. The file remains in flux.

🚨 Deadline Alert

19 June 2026 (3 days): UK DUAA s.164A statutory complaints duty commences. No transition period.

One Thing to Do Today

Stand up or verify your UK internal data-protection complaints procedure — electronic intake, 30-day acknowledgement, plain-language outcome — and add the right-to-complain line to your privacy notices before Friday.

Tomorrow's Focus

AI Governance — the latest on AI regulation and governance worldwide.

CyberEyeQ — Actionable Regulatory Intelligence. Questions or tips: [email protected]
