From 19 June 2026, some important changes to UK data protection law will come into force under The Data (Use and Access) Act 2025. The legislation is making various changes to UK Data Protection Law over time, but the next deadline is looming.
The key changes that organisations need to make are to their data privacy policies and complaint-handling processes, as there is a new mandatory requirement for organisations to have a formal internal policy and process for handling data protection complaints. This will have to deal with certain specified elements (see below).
In the past, a Data Privacy policy would typically say something like the following (from one we did earlier):
“If you have any questions about this privacy policy or our privacy practices, please contact our Data Protection Officer/Privacy [with contact details included]. You have the right to make a complaint at any time to the Information Commissioner’s Office, the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.”
So, previously, individuals could raise concerns directly with the ICO without first engaging with the organisation involved.
What is changing?
The changes coming in on 19 June make it a legal requirement that individuals contact the organisation first.
Under the new rules, all organisations must establish and maintain an internal complaints process for data privacy issues as they will become the first port of call for someone who wants to complain about the use or handling of their personal data. The ICO will only get involved after the organisation has tried to resolve the issue.
As a result, there are a few things that need to be done: amend your current Data Privacy Policies and, if you have not got one already, develop and implement a DP Complaints Policy.
Amend Data Privacy Policies
Instead of the previous wording, they will need to say something broadly along the lines that:
“If you are not happy with how we have handled your personal data, you have a right to complain to us [and say how a complaint can be made, eg online form (with a link), by email or by post (with details of address)].
We will acknowledge your complaint within 30 days and respond without undue delay [then link to the Complaints Policy].”
The policy should also refer to the right to complain to the ICO, but the ICO will expect the complaint to be made to the organisation in the first instance.
Complaints Policy
This needs to include the following elements. It is recommended that there is a link to it on the website if the privacy policy is on the website and, of course, hard copies too for privacy policies that are not online.
The Complaints Policy and Procedure should cover:
- How to complain: It must provide clear and accessible ways for individuals to submit complaints to the organisation; there should be an online form and at least one other method (email address, postal address etc).
- Acknowledgment: The organisation must acknowledge receipt of complaints within 30 days.
- Investigation: The organisation's named role (eg Data Protection Officer/Data Privacy Manager) must act promptly to investigate and respond, keeping the complainant informed throughout.
- Outcome: The organisation must tell the complainant of the outcome without undue delay.
- Escalation: If the complainant is not satisfied, they may complain to the ICO (with details of how to do so, the ICO website etc).
- If a complaint covers more than one thing, eg goods/services provided and data privacy, the two elements should be split out, with the data privacy element dealt with in accordance with the procedure for that and any other complaint dealt with under any other complaint procedure.
- Of course, it isn’t sufficient just to have the Complaints Policy; staff have to be made aware of it, and a process has to be implemented and documented if this does not already exist.
And another thing….
If, like most organisations, you are a data controller and have processors/sub-processors who use, store and maintain data on your behalf, you will also need to check your agreements with them to ensure that they are under an obligation to notify you promptly of any complaints they receive and to help you resolve them.
What businesses need to do now
It means that organisations need to review and update their policies and procedures (or create new ones) and update staff on the changes and how this will affect internal processes and record keeping before the deadline.
How can we help?
If you would like help in reviewing or preparing relevant policies, please contact Kim Whitaker, Senior Solicitor at Wellers at kim.whitaker@wellerslawgroup.com

