What changed on 19 June

The Data (Use and Access) Act 2025 received royal assent on 19 June 2025 and is being switched on in phases. The commencement regulations, SI 2026 No. 82, set two dates that matter for operators: 5 February 2026 for the bulk of the data protection amendments, and 19 June 2026 for the complaints regime under section 103 and Schedule 10.

Since that second date, every organisation subject to the UK GDPR must run a formal procedure for data protection complaints. The new section 164A of the Data Protection Act 2018 requires accessible ways to complain, including an electronic complaint form alongside routes such as email and post, an acknowledgment within 30 days, and a substantive outcome communicated in language the complainant can understand, together with a pointer to their right to escalate to the ICO.

There is no statutory deadline for the outcome itself, but the ICO's draft guidance recommends resolving complaints within three months unless exceptional circumstances apply, and expects the process to be prominent: easy to find, linked from privacy notices and websites. February's first phase also brought recognised legitimate interests as a lawful basis, a stop-the-clock mechanism for access requests, and looser rules for some low-risk cookies.

The quiet part: marketing fines grew 35-fold

The change fewer owners noticed came earlier. Since 5 February 2026 the ICO's fining powers under PECR, the rules governing electronic direct marketing and cookies, jumped from a cap of 500,000 pounds to UK GDPR levels: up to 17.5 million pounds or 4 percent of global annual turnover, whichever is higher.

For years, PECR enforcement was a bounded nuisance: a mis-consented email campaign was a six-figure problem at worst. That asymmetry is gone. A marketing list with sloppy consent now sits in the same penalty class as a data breach, and the new complaints channel gives every annoyed recipient a formal route that ends, if mishandled, at the regulator's door.

What UK-exposed businesses should do now

The scope is broader than many assume. The UK GDPR applies not only to companies established in the UK but also to those outside it that offer goods or services to people in the UK. A German machine builder with UK customers, a Dutch webshop shipping to London, a French SaaS firm with British users: the complaints duty reaches them all.

The build is not heavy, which is precisely why not having it looks bad. Publish a complaint route, including an electronic form. Wire it into the processes you already run for GDPR requests, with one owner, one log, and templated acknowledgments that beat the 30-day clock. Track outcomes against the three-month expectation and record the reasoning for each closure.

Then treat the log as what it is: evidence. Every complaint, timestamp and response is a record the ICO can ask for, and a pattern of ignored complaints is the easiest enforcement case a regulator will ever build. The same log, read quarterly, is also a free audit of where your data handling actually irritates customers. Few compliance duties come with that kind of return.