The Data Use and Access Act: What You Need to Know Before 19 June

A new legal requirement comes into force on 19 June 2026, and it's one that a surprising number of organisations haven't spotted yet.

The Data (Use and Access) Act 2025 (DUAA) introduces a statutory obligation for organisations to have a formal internal data protection complaints process in place. From that date, individuals will be expected to raise data protection complaints with you first, before taking them to the ICO.

It sounds like a small procedural change. But for organisations that currently handle these things informally (or not at all), it's a real compliance gap that needs closing before the deadline.

Here's what's changing, what your process needs to look like, and what you should be doing right now.



What's changing on 19 June 2026?

The DUAA inserts a new section 164A into the Data Protection Act 2018, creating a statutory right for individuals to raise data protection complaints directly with organisations.

Previously, individuals had the right under Article 77 of the UK GDPR to go straight to the ICO with a complaint. That right hasn't disappeared, but the new regime introduces a clear expectation that they try to resolve things with you first.

This reflects the ICO's broader direction of travel: encouraging organisations and individuals to resolve data protection disputes directly, wherever possible, rather than defaulting to regulatory escalation. The ICO's own guidance confirms that in most cases, if someone complains to them about how you've handled their personal information, they'll ask the individual to raise a complaint with you first.

For organisations, the implication is significant. The informal handling of data protection concerns — a quick reply from whoever fielded the email, no documented process, no consistent acknowledgement timelines — is no longer sufficient. The obligation is now statutory, and there are no exemptions.



What actually counts as a data protection complaint?

This is where a lot of organisations will need to do some thinking, because the definition is broader than many expect, and the line between a data protection complaint and a general complaint isn't always obvious.

According to the ICO's guidance, a data protection complaint arises when someone believes you've infringed data protection legislation through the way you've handled their personal information. They don't need to use legal language or cite specific legislation to make a valid complaint. Common examples include:

  • How you responded to a subject access request or other rights request
  • The security measures you used to store their information (including if they've been affected by a data breach)
  • How you collected or used their personal information — where you stored it, how long you kept it, or whether it was accurate

But here's the important distinction: a general complaint or service issue that happens to include a data rights request does not automatically become a data protection complaint.

For example:

  • An employee raising a grievance who also requests copies of their personal information — the grievance is not a data protection complaint, but if you handle the SAR poorly — missing the deadline, providing incomplete information, or refusing without valid grounds — that handling could itself become one
  • A customer complaining about service quality who also asks you to delete their data — the service complaint is separate from the deletion request

If you're not sure whether something qualifies as a data protection complaint, the ICO's guidance is clear: ask the person to clarify. The important thing is that your staff know to ask the question, not to assume one way or the other.

Complaints can arrive through any channel: email, contact form, phone, social media, in person, or through any member of your team. Regardless of how a complaint reaches you, you must respond to it — even if, after investigation, you conclude the complaint is unfounded. If you have a social media presence, it's worth noting that complaints can and do arrive that way. And while you should ask for an alternative secure contact method to respond, you can't decline to deal with it simply because it came in via Twitter or LinkedIn.



What does the law actually require?

Section 164A requires organisations to have an appropriate complaints handling process in place. The ICO's guidance sets out four things organisations must do. These are legal requirements, not recommendations, and there are no exemptions:

  • Give individuals a clear and accessible means of submitting a data protection complaint
  • Acknowledge complaints within 30 days of receipt
  • Investigate and respond without undue delay, keeping the complainant informed throughout
  • Notify the complainant of the outcome without undue delay

These aren't aspirational targets or best-practice guidelines: the ICO classifies all four as legal requirements with no exemptions. If you can't demonstrate you're meeting them, you're exposed.

One thing worth flagging on the 30-day acknowledgement window: the clock starts the day after you receive the complaint — and that day counts regardless of whether it falls on a weekend or bank holiday. If the last day to acknowledge falls on a weekend or bank holiday, you have until the next working day to send your acknowledgement. But 30 days is a ceiling, not a target. A complainant who waits the full 30 days to hear anything is unlikely to feel the process is working.


What does a compliant complaints process look like?

The mechanics aren't overly complex, but they do need to be consistent. A compliant process typically covers four stages:

1. A clear way to submit a complaint

Individuals need to know they can raise a data protection complaint directly with you, and they need to know how. This could be a dedicated email address, a complaints form, an online portal, or a phone line. You're not required to set up a new standalone tool. If you have an existing complaints process, you can adapt it to cover data protection complaints. What it can't be is buried in your terms or impossible to find. If you have a social media presence, factor that in too: complaints arriving via those channels must be accepted, then redirected to a secure method for your response.

2. A reliable acknowledgement mechanism

Complaints must be acknowledged within 30 days of receipt. That means someone needs to own the inbox, recognise what a data protection complaint looks like when it arrives, and send a meaningful acknowledgement, not just a generic auto-reply. It's also worth noting that your obligation to investigate begins when you receive the complaint, not after the 30-day acknowledgement period expires. Waiting to start your investigation until after you've acknowledged is not compliant. Both things need to happen in parallel.

3. An investigation and response workflow

Once received, the complaint needs to be investigated properly and without undue delay. That means gathering relevant facts, speaking to relevant staff, comparing the complaint against your own policies and records, and understanding what outcome the complainant is looking for. The ICO notes that complexity, scale, and the harm the complainant is experiencing should all inform how quickly you move. There's no single fixed timeframe for resolution beyond the acknowledgement window, but "without undue delay" means exactly that.

4. Documentation and record-keeping

Under the UK GDPR accountability principle, you need to be able to demonstrate compliance. The ICO is explicit that you should keep records of: the date you received the complaint, your acknowledgement, relevant conversations and documents, the outcome, and any actions you took as a result. The ICO — or industry bodies — may ask to see this if a complaint is made about you in future. If you're also tracking themes and trends across complaints, that's good practice and will help you identify systemic issues before they become bigger problems.



What do you need to update before 19 June?

The process itself is only part of the picture. Several other things need to change too, some of which your team may not have flagged yet.

Privacy notices

Individuals need to know this right exists. From 19 June, your privacy notices must inform people that they have the right to raise a data protection complaint directly with you — including when you first collect their personal data, and when you respond to data subject access requests and other rights requests. If your current notices don't mention this, they need updating before the deadline.

Internal policies and procedures

Your internal documentation needs to reflect the new requirement. That means defining what counts as a data protection complaint (see above — it's not always obvious), who is responsible for handling them, what the timelines are, and what the escalation path looks like. Complaints can arrive via any channel, so your procedures need to cover all of them, including social media.

Staff training

A documented process is only useful if the right people know about it. The ICO's guidance is clear that all staff should be able to recognise a data protection complaint and know what to do if they receive one, including where to direct it within the organisation. That's not limited to your legal or compliance team. It applies to ops, support, customer success, and anyone else handling incoming correspondence. Include data protection complaints in any internal data protection training you run.

Processor contracts

If you work with third-party processors, check your contracts. They should require processors to send complaints to you, help you investigate, and allow you to obtain the necessary information to handle a complaint. The obligation to handle complaints remains with you as the controller — but without the right contractual provisions, your processors may not be set up to support you when it matters. If you're unsure how your contracts stack up, the vendor risk issues scale-ups most commonly overlook are a good place to start.


Do you need to build something from scratch?

For most organisations, no. If you already handle customer complaints, respond to data subject requests, or have any kind of documented privacy governance in place, the foundations are likely there. The ICO is explicit that there's no requirement to set up a standalone data protection complaints process. You can integrate these obligations into your existing complaints framework, as long as you can still meet the legal requirements.

That said, "we handle things as they come up" is not a compliant process. If your current approach relies on informal judgement calls, undocumented workflows, or the knowledge of one person who might leave the business, now is the time to address it.

The gap between a defensible process and a non-existent one is usually smaller than people expect, but it still needs to be closed before the deadline.

For broader context on where data protection gaps tend to appear in scaling businesses, see Trust Keith's guide to privacy risks scaling businesses need to get ahead of in 2026.



What happens if you're not ready?

The new section 164A regime changes the complaints pathway for individuals — which means the ICO is likely to ask, when it receives an escalated complaint, whether the individual raised it with you first and what happened when they did.

If you can't demonstrate that you had an appropriate process in place, or that complaints were acknowledged and investigated on time, you've handed the ICO a compliance issue to examine on top of whatever the underlying complaint was about.

For organisations that regularly handle personal data at scale, a steady flow of data protection complaints is a realistic operating condition, not a rare edge case. Having a process that holds up isn't just a regulatory box to tick; it's risk management.

You can also find Trust Keith's overview of recent ICO fines and the cost of non-compliance useful as context for how regulators are approaching enforcement more broadly.



The bottom line

19 June 2026 is closer than it might feel. The requirement isn't technically complex, but it does touch multiple parts of your organisation — your privacy notices, your internal policies, your staff training, and your supplier contracts. If any of those pieces are missing, the 30-day clock on complaint acknowledgement won't mean much in practice.

If you're not sure whether your current setup meets the new requirement, or you want to make sure you're covered across all the changes the DUAA introduces, Trust Keith can help. Our privacy experts work as an extension of your team — reviewing what's in place, identifying gaps, and making sure you're compliant before the deadline lands.

You can also find wider context on building a privacy programme that doesn't slow your business down — which is exactly the kind of framework that makes handling new obligations like this one a lot more straightforward.
