
GDPR Complaints Process: New June 2026 Deadline for UK Businesses

From June 2026, all UK organisations processing personal data must establish formal complaints procedures. The ICO requires acknowledgement within 30 days and timely communication of the resolution. Failure to comply risks enforcement action.

Published 12 June 2026 · Source: Slaughter and May

New GDPR Complaints Requirement Comes Into Force This Month

The Information Commissioner's Office (ICO) has confirmed that new requirements for handling data protection complaints come into force in June 2026. Every organisation processing personal data must now have a formal complaints process in place.

Under the new rules, organisations must:

  • Establish and operate a formal complaints procedure
  • Acknowledge complaints within 30 days
  • Take appropriate steps without undue delay, including necessary enquiries
  • Keep complainants updated on progress
  • Communicate the final outcome

This represents a significant tightening of data protection compliance expectations. The ICO has recently intensified enforcement action, including issuing £15 million in GDPR fines against Capita and LastPass UK Limited for data breaches caused by cyberattacks. In October 2025, Capita alone received a £14 million fine for cybersecurity failures affecting 6.6 million people.

For SMEs and Ltd companies, the message is clear: document your complaints-handling process now, train your team on the 30-day acknowledgement requirement, and establish audit trails to demonstrate compliance. The ICO is actively investigating breaches, and complaints-handling failures are a key enforcement priority.

Read more: Slaughter and May Data Privacy Newsletter