The DUAA’s New Data Protection Complaints Regime

What organisations now need to do before 19 June 2026

When the General Data Protection Regulation (GDPR) was first introduced, it reshaped many aspects of data protection compliance, except one. The GDPR never imposed a formal obligation on organisations to operate a publicly accessible complaints process.

The Data (Use and Access) Act 2025 (DUAA) closes that gap and introduces one of the most practical and operationally significant reforms to UK data protection law since the GDPR came into force. From 19 June 2026, all organisations will be required to operate and maintain a publicly accessible complaints process, supported by an internal procedure capable of investigating and resolving concerns in a timely and transparent way.

For many organisations, this represents a shift from informal, ad-hoc handling of complaints to a structured and transparent process. It will change how organisations engage with individuals, how they demonstrate accountability and how the Information Commissioner’s Office (ICO) expects concerns to be resolved.

To support organisations in preparing for these obligations, this article explains how the new regime will operate in practice and what we recommend you do ahead of 19 June 2026.

The historic position: a patchwork of approaches

Historically, complaints handling has been inconsistent. Some organisations built sophisticated internal processes, while others relied on existing teams such as customer services or HR to manage complaints and concerns. Under the UK GDPR and Data Protection Act 2018, organisations have been required to:

  • respond to individuals who exercise their rights
  • handle concerns raised directly by individuals
  • cooperate with the ICO

Until now, there has been no legal requirement to:

  • publish a complaints process
  • acknowledge complaints within a set timeframe
  • follow a defined internal investigation procedure
  • keep individuals updated
  • record and track complaints

This has led to inconsistent outcomes, with some complaints being handled appropriately and others being lost, delayed or misunderstood.

The DUAA changes this.

What the DUAA 2025 introduces

The DUAA places a new statutory duty on all organisations to maintain and operate a data protection complaints process. This duty applies regardless of size or sector and requires a shift from reactive handling to proactive governance.

Organisations must publish a clear, easy-to-find route for individuals to raise concerns about:

  • how their personal data has been used
  • how their rights have been handled
  • concerns about non-compliance

This must be accessible to all individuals: employees, candidates, customers, clients or service users.

The DUAA adopts a deliberately wide definition of a “data protection complaint”. Any expression of dissatisfaction relating to the collection, use, storage, sharing or other processing of personal data may fall within scope.

Complaints may be raised through any channel: a concern raised in a customer service call, a social media message, or a routine email may all qualify. This means staff across your organisation must be trained to recognise when an interaction relates to data protection and know how to escalate it internally. Therefore, should an individual complain to a staff member within your organisation about how their data subject access request (DSAR) has been handled, you are now legally required to investigate that complaint.

Ultimately, what matters is whether the individual is, in substance, challenging the organisation’s handling of their personal data.

What the complaints process must achieve

The DUAA sets out several mandatory elements of the complaints process. Firstly, once a complaint is received, organisations must acknowledge it within 30 days.

After acknowledgement, you must investigate and respond “without undue delay”. This includes gathering relevant information, making appropriate enquiries, keeping the individual informed of progress, and maintaining clear records of the complaint, the investigation, and the outcome.

The final response should explain the steps which you have taken, the conclusion reached, and the reasoning behind it. You must also inform individuals of their right to escalate the matter to the ICO and provide the ICO’s contact details. The intention is clear: to strengthen procedural fairness by ensuring individuals receive a reasoned explanation before turning to the ICO.

Preparing for 19 June 2026

With the implementation date approaching, organisations must begin aligning their existing privacy frameworks with the DUAA.

Visibility

Organisations will need a clear, accessible route for individuals to raise concerns, typically a dedicated section on the website or a prominent section of the privacy notice. This must be clearly written and easy to navigate.

Privacy notices should be updated to reflect the new right to complain directly to the organisation. Internally, organisations should ensure they have a structured procedure for handling complaints, with clear lines of responsibility and a consistent approach to investigations.

Process

Internal procedures must be designed or updated to meet the DUAA’s requirements. For many organisations, this will involve adapting existing complaints handling procedures, rather than building something entirely new.

Record keeping

Record keeping will be essential. The ICO expects organisations to maintain a log of complaints, the steps taken during each investigation, and the final outcomes. These records may be requested by the ICO if a matter is escalated.

Conclusion

The DUAA marks a significant shift by placing early-stage accountability on organisations. Ultimately, a well‑run process will help you resolve issues early and reduce escalations to the ICO. A poorly run process, however, will now carry regulatory risk.

The ICO will expect organisations to treat complaints as a core compliance function, supported by trained staff, consistent record keeping and well-thought-out processes. Preparation is therefore key.

Should you require support in preparing for 19 June 2026, please contact a member of our dedicated Data Protection & Privacy Team.