Written by Liz Taylor

DUAA Complaints Procedure: What Changes on 19 June 2026

Published on 18 Jun, 2026

From 19 June 2026, the way individuals can raise data protection complaints changes. New rules under the Data (Use and Access) Act 2025 (DUAA) introduce a statutory requirement for all UK organisations to handle GDPR complaints directly, before individuals can escalate to the Information Commissioner’s Office (ICO). If you have not yet updated your processes, you have very little time left.

How it worked before

Previously, if an individual believed their personal data was being mishandled, they could lodge a complaint directly with the ICO, the UK’s data protection regulator. While the ICO always encouraged people to approach the organisation first, there was no legal obligation on controllers to have a formal internal complaints process in place.

What is changing from 19 June 2026

DUAA creates a formal intermediate step between individuals experiencing concerns about their data and regulatory intervention. Data subjects must now first raise their complaint with the controller before escalating to the ICO. 

There are no exemptions. The duty applies to all organisations, regardless of size or sector, and the new rules apply alongside, not instead of, the UK GDPR and Data Protection Act 2018.

The scope of what counts as a DUAA complaint is broad. Complaints may arise in relation to any alleged infringement of the UK GDPR, including subject access requests, direct marketing, retention practices, transparency obligations, security incidents, and the lawful basis relied upon for processing. Crucially, data protection complaints do not need to use legal terms or quote sections of legislation in order to be treated as complaints under the Act. If a customer or employee feels their personal information has been mishandled, that is likely to be enough. 

What you must have in place

The statutory requirements set out in the DUAA are specific. Controllers must:

  • Provide a way for individuals to make complaints, which can include an electronically completable complaint form.
  • Acknowledge receipt of any complaint within 30 days of receiving it.
  • Take appropriate steps to investigate complaints without undue delay, keep complainants informed of progress, and communicate outcomes without undue delay.
  • Update your privacy notice to clearly explain individuals’ right to complain to the organisation, and ensure this is also communicated when responding to requests to exercise data protection rights. Failing to do this is itself a compliance failing.

Non-compliance will amount to a breach of UK data protection law. 

What you need to do before 19 June

Don’t panic! If you previously would have acknowledged and responded to a data protection complaint that was sent to your organisation, the chances are you’ll need to make very little change, if any, to your existing processes.

If you are a consumer-facing business or handle personal data in any capacity and you want to make sure you’re complying with the law, here is where to focus your attention in the time remaining. 

Put an accessible complaint channel in place. Organisations must provide at least one accessible way for individuals to submit data protection complaints, for example, an online complaint form which can be completed and submitted electronically. A dedicated email address is also likely to meet this requirement, as long as it is clearly signposted. 

Update your privacy notice. Your privacy notice must now explain that individuals have the right to raise a complaint with you directly, as well as with the ICO. This is not optional. 

Think carefully about what counts as a complaint. You need to be clear, internally, about what constitutes a data protection complaint, since these will not always arrive labelled as such. A customer expressing concern about a subject access request response, or questioning how their data is being used, may well be making a data protection complaint without using that language. 

Train your staff. Data protection training is essential here. Staff need to be able to recognise and escalate data protection complaints, since these will not always be clearly identifiable as such. Organisations should keep clear records of complaints and actions taken, including the date received, acknowledgement, outcome and any steps taken, as the ICO may request to see these records.

Consider how this fits with existing complaints processes. If your organisation already handles customer complaints, make sure it’s clear how your data protection process integrates with the existing process. Staff need to know when a general complaint tips into data protection territory and what to do when it does. 

Need support getting ready?

Tkm & Associates works with organisations to put practical, proportionate data protection processes in place. Whether you need a complaint handling procedure drafted, your privacy notice updated, or data protection consultancy tailored to your organisation’s needs, we can help. Get in touch today.
