From 19 June 2026, UK organisations face new statutory obligations around data protection complaints. This verified guide explains what the law requires, what it means in practice, and how to build a compliant process.
What Is the DUAA Data Protection Complaints Duty?
The DUAA data protection complaints duty is a statutory obligation, introduced by Section 103 of the Data (Use and Access) Act 2025, requiring data controllers to accept, acknowledge, investigate, and respond to data protection complaints. It came into force on 19 June 2026 as part of Phase 4 of the Act’s commencement schedule.
The Data (Use and Access) Act 2025 (DUAA) is defined as primary legislation that amends the Data Protection Act 2018 and UK GDPR, introducing new obligations across data use, access, and governance in the United Kingdom. Section 103 inserts a new section 164A into the Data Protection Act 2018, creating a formal statutory complaints mechanism for the first time.
Previously, data subjects were broadly expected to complain to an organisation before escalating to the Information Commissioner’s Office (ICO). This expectation was informal. The DUAA converts it into a legal obligation with defined timelines, process requirements, and regulatory oversight.
Why Has the UK Government Introduced a Statutory Complaints Duty?
The ICO received 42,881 data protection complaints in 2024 to 2025. The statutory complaints duty was introduced to ensure that more complaints are resolved at organisational level, reducing the volume escalating to the ICO and improving outcomes for data subjects.
Mayer Brown LLP describe the new requirements as a fundamental change to the UK’s complaint-handling landscape. The ICO’s own consultation confirmed that the policy intent is to create a structured intermediate step. Data subjects must now complain directly to the organisation first. Only if they remain unsatisfied, or receive no response, can they escalate to the ICO.
This reform changes the status of your complaints process. It is no longer an internal customer service function. It is a frontline regulatory obligation with enforceable timelines and documented outcomes.
Which Organisations Are Subject to the DUAA Complaints Duty?
Any UK organisation that acts as a data controller under UK GDPR and the Data Protection Act 2018 is subject to the DUAA complaints duty. This includes private companies, public bodies, law enforcement agencies, pension scheme trustees, financial institutions, and charities.
Kennedys Law LLP confirms that Section 103 applies broadly, with no sector-based exemptions. Baker McKenzie highlights that pension scheme trustees must review not only their own complaints procedures but also the processes operated by data processors and scheme administrators acting on their behalf. If processing is outsourced, the data controller retains responsibility for compliance.
The ICO has confirmed that law enforcement agencies are also within scope. There is no size threshold. Organisations of all scales must meet the same four statutory requirements.
What Are the Four Statutory Requirements Under the DUAA?
The DUAA complaints duty has four core requirements. Every data controller must:
1. accept complaints through an accessible channel, including an electronic form;
2. acknowledge complaints within 30 calendar days;
3. investigate without undue delay; and
4. communicate the outcome in a meaningful response.
These requirements are established in ICO guidance updated in May 2026, which distinguishes between what organisations must do (legally required), should do (recommended), and could do (optional).
What Counts as a Data Protection Complaint?
A data protection complaint is defined as any expression of dissatisfaction from an individual about how their personal data has been handled, regardless of whether it uses legal terminology.
Doyle Clayton Solicitors emphasise that a complaint does not need to cite UK GDPR or the Data Protection Act 2018. An individual expressing frustration that their data was shared without consent, or asking why their subject access request was delayed, may be making a complaint for statutory purposes. Complaints submitted via social media also fall within scope, as confirmed by CMS Cameron McKenna Nabarro Olswang.
Organisations must be able to identify and correctly route complaints across all inbound channels, including email, telephone, web forms, and social media platforms.
What Is the 30-Day Acknowledgement Requirement?
The 30-day acknowledgement requirement is defined as the obligation to formally acknowledge receipt of a data protection complaint within 30 calendar days of it being received. The clock starts the day after receipt. Weekends and bank holidays count.
This is a hard deadline, not a target. Doyle Clayton Solicitors confirm that the 30-day period runs from the day after the complaint is received, with no suspension for non-working days. The acknowledgement must confirm the complaint has been received and set out what the individual can expect next.
What Does a Compliant Data Protection Complaints Process Look Like?
A compliant data protection complaints process includes: an accessible electronic complaints form, a documented internal workflow with clear ownership, a 30-day acknowledgement mechanism, a formal investigation process, and a written outcome response. All stages must be evidenced and auditable.
The table below compares a manual approach to complaints handling with a structured platform-based approach using the ProvePrivacy platform.
| Requirement | Manual / Spreadsheet Approach | ProvePrivacy Platform |
|---|---|---|
| Accessible complaints channel | Ad hoc email or web form | Configured electronic complaints form |
| 30-day acknowledgement | Manual calendar tracking | Automated deadline alerts and notifications |
| Investigation workflow | Shared inbox, no audit trail | Structured workflow with ownership assigned |
| Governance reporting | Manual reporting, significant lag | Real-time MI dashboards for senior leadership |
Burges Salmon LLP identify the ICO’s must, should, and could framework as the clearest diagnostic tool for assessing a complaints process. The gap between what an organisation should do and what it must do is where reputational and regulatory risk lives.
What Are the Operational Challenges Most Organisations Are Underestimating?
The most underestimated operational challenges are: recognising what counts as a complaint across all channels, managing children’s complaints with a competency assessment, coordinating complaints with Data Subject Access Requests (DSARs), and training staff to identify and escalate complaints correctly.
CMS Cameron McKenna Nabarro Olswang flag several areas that require immediate attention:
- Social media monitoring to capture complaints submitted via platforms such as X, LinkedIn, or Facebook
- Third-party verification processes where a complaint is submitted on behalf of a data subject
- Children’s complaints, which require a competency assessment and age-appropriate language in all communications
- DSAR coordination, where a request expressing dissatisfaction may simultaneously be both a DSAR and a complaint
Mayer Brown LLP add staff training and governance reporting as immediate priorities. For most organisations, these are not minor process adjustments. They represent a material change to how complaints are identified, classified, tracked, and resolved.
What Should a Data Protection Complaints Procedure Contain?
A data protection complaints procedure should contain:
- a definition of what constitutes a complaint,
- the name and role of the person responsible for handling complaints,
- a clear description of what the individual can expect at each stage,
- the 30-day acknowledgement timeline, and
- instructions on how to escalate if the individual remains dissatisfied.
The ICO step-by-step guide recommends that organisations:
- Provide a named point of contact for each complaint
- Link their complaints procedure directly from their privacy notice
- Communicate clearly at each stage of the process
- Keep a full record of every complaint received, including source, date, nature, and outcome
Doyle Clayton Solicitors confirm that privacy notices must be updated to reflect the new complaints right and to signpost individuals to the procedure. This is a mandatory step, not an optional enhancement.
How Will the ICO Enforce the DUAA Complaints Duty?
The ICO has indicated it will take a measured approach to enforcement during the initial transition period following 19 June 2026. However, this leniency is not open-ended. Organisations that have not implemented a compliant process are exposed to regulatory action and reputational harm.
Mayer Brown LLP confirm that the ICO’s stated enforcement position is transitional. The regulator has not committed to a fixed grace period. Organisations that fail to resolve complaints at organisational level, or that breach the 30-day acknowledgement deadline, risk complaints escalating to the ICO unnecessarily.
The reputational damage of a data protection complaint that reaches the ICO because an organisation failed to acknowledge it in time is significant. Regulatory action, adverse ICO decisions, and public scrutiny all carry operational and commercial consequences.
How Does the ProvePrivacy Platform Support DUAA Complaints Compliance?
The ProvePrivacy platform supports DUAA data protection complaints compliance by providing a centralised, auditable workflow for logging, tracking, acknowledging, investigating, and responding to complaints. It replaces manual spreadsheets and shared inboxes with a structured, deadline-managed digital process.
Key capabilities relevant to the DUAA complaints duty include:
- Incident and breach management module for logging complaints with full audit trail
- Automated notifications to enforce the 30-day acknowledgement deadline
- MI dashboards providing senior leadership with real-time visibility of complaint volumes and status
- Exportable records for evidencing compliance to the ICO if required
- Policy management to store and review the complaints procedure
Current regulatory guidance suggests that organisations handling dozens or hundreds of data-related queries each month cannot maintain consistent compliance through manual processes alone. The ProvePrivacy platform is designed for lean data protection teams who need structured oversight without complexity.
What Actions Should Organisations Take Immediately?
Organisations should take the following actions without delay to comply with the DUAA data protection complaints duty:
- Review your complaints procedure against the ICO’s four-part framework: accessibility, acknowledgement, investigation, and outcome.
- Update your privacy notice to include a link to your complaints procedure and explain the new complaints right.
- Implement an electronic complaints form as a mandatory channel for receiving complaints.
- Configure a 30-day deadline alert to ensure acknowledgements are never missed.
- Train relevant staff to recognise complaints across all channels, including social media.
- Establish governance reporting so senior leadership has visibility of complaint volumes and trends.
- Audit your data processor agreements to confirm that outsourced processing functions meet the same complaints-handling standard.
The DUAA complaints duty is soon to be live. Organisations that have not yet completed these steps are already behind.
Frequently Asked Questions
What is the DUAA complaints duty? The DUAA complaints duty is a statutory obligation, introduced by Section 103 of the Data (Use and Access) Act 2025, requiring data controllers to accept, acknowledge, investigate, and respond to data protection complaints. It came into force on 19 June 2026.
What is the 30-day rule under the DUAA? The 30-day rule requires data controllers to acknowledge a data protection complaint within 30 calendar days of receipt. The clock starts the day after the complaint is received. Weekends and bank holidays are included in the count.
Does the DUAA complaints duty apply to small organisations? Yes. The DUAA complaints duty applies to any organisation that acts as a data controller under UK GDPR, regardless of size. There is no small-organisation exemption.
Can a complaint be submitted via social media? Yes. A data protection complaint submitted via social media is within scope of the DUAA complaints duty. Organisations must monitor and respond to complaints regardless of the channel through which they are received.
What happens if an organisation fails to comply? Non-compliant organisations risk regulatory action by the ICO, reputational damage, and complaints escalating to the ICO that could otherwise have been resolved internally. The ICO has indicated a transitional enforcement approach, but this is not a permanent grace period.
External Sources:
- ICO Complaints Handling: https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/
- ICO DUAA: https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/
- HM Government: https://www.legislation.gov.uk/ukpga/2025/18
- Burges Salmon: https://www.burges-salmon.com/articles/102mnc5/the-data-use-and-access-act-2025-preparing-for-the-new-data-protection-complai/
- Mayer Brown: https://www.mayerbrown.com/en/insights/publications/2026/02/preparing-for-the-data-use-and-access-act-2025-upcoming-complaints-procedure-requirement
- CMS Law: https://cms.law/en/gbr/legal-updates/data-use-and-access-act-2025-new-statutory-rules-on-handling-data-protection-complaints-from-19th-june-2026