On 19 June 2026, one year after the Data (Use and Access) Act 2025 (“DUAA”) received Royal Assent, all data controllers subject to UK data protection law will be required by statute to have a formal process for handling data protection complaints. With the deadline now three months away, organisations should review their existing arrangements, update relevant policies and procedures, and ensure they are ready to comply with the new obligations.
To assist businesses with their compliance efforts, the UK’s data protection regulator, the Information Commissioner’s Office (“ICO”), published guidance entitled “How to deal with data protection complaints” on 12 February 2026. The guidance follows the ICO’s usual framework, distinguishing between what controllers must do to comply with the law, what they should do as good practice, and what they could do to adopt a more robust approach.
Key Takeaways
The key takeaways businesses need to be aware of include:
- No exemptions. All controllers must have a process for handling data protection complaints in place by 19 June 2026.
- 30-day acknowledgement. Complaints must be acknowledged within 30 days of receipt. Organisations must then investigate without undue delay, making appropriate enquiries and keeping complainants informed of progress. Once resolved, the outcome should be communicated clearly, with sufficient detail for the complainant to understand how the conclusion was reached.
- Flexibility in receiving complaints. Organisations have flexibility in how they receive complaints but must provide an accessible mechanism for individuals to complain directly to them. The ICO indicates that organisations should not unduly restrict the channels through which complaints can be made and should ensure that complaints received through other routes, including by staff outside designated channels, are properly recognised and handled.
- A robust complaints process. Having a clear, documented process may reduce the likelihood of individuals escalating complaints to the ICO, potentially lowering the risk of regulatory scrutiny or enforcement action. The ICO encourages maintaining an open dialogue with complainants to build trust.
- Staff training and record-keeping. Staff should be trained to recognise and escalate data protection complaints. Organisations should keep clear records of complaints and actions taken, including the date received, acknowledgement, outcome and any steps taken. These records will provide evidence of compliance and the ICO may request to see them. Tracking complaint volumes and themes can also help identify areas for improvement.
Background
The DUAA received Royal Assent on 19 June 2025, making targeted amendments to the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”), and the Privacy and Electronic Communications Regulations. Among its reforms, the DUAA revisits the rules on automated decision-making, introduces a framework of recognised legitimate interests, streamlines international data transfers and updates cookie consent requirements. The DUAA has been implemented in stages – some provisions took effect immediately upon Royal Assent, most of the remaining data protection provisions came into force on 5 February 2026, and the new complaints handling requirements follow on 19 June 2026.
The Complaints Procedure Requirement
What constitutes a complaint
Under section 164A of the DPA 2018, inserted by section 103 of the DUAA, individuals are granted a statutory right to complain directly to a data controller if they believe their personal data has been processed in breach of data protection law. Individuals will be required to first raise their complaint with the controller before escalating it to the ICO, creating an intermediate step between data subjects and regulatory intervention. In practice, a wide range of concerns may constitute a data protection complaint, including how a subject access request or other rights request has been handled, the security measures used to store personal data (including where someone has been affected by a data breach), and how personal data has been collected, used, stored, retained or kept accurate.
Receiving complaints
From 19 June 2026, all controllers must provide a means for individuals to make data protection complaints directly to them, though there is flexibility in how this is achieved. Options include complaint forms (online or paper), a dedicated email address, telephone complaints, an online portal, or in-person routes. Existing complaints tools can be adapted to include data protection complaints, even if they are not data protection specific. However, while organisations may invite individuals to use their set processes, individuals are under no obligation to do so, and organisations must accept complaints made through any channel, including to any member of staff. Complaints may also be received via social media where the organisation has an online presence, though responses should generally be moved to a more secure channel.
Complaints from children
Complaints from children should be handled with particular care. Children have the same data protection rights as adults, but organisations should respond in plain, clear language and assess the child’s competence to understand and exercise their rights. Organisations in scope of the Age Appropriate Design Code should ensure they are familiar with the requirements in standard 15 of that code.
Acknowledgement
Once a complaint is received, organisations must acknowledge it within 30 days. The 30-day period begins the day after receipt, regardless of whether that day falls on a weekend or bank holiday. Where the 30th day falls on a non-business day, organisations have until the next working day to issue their acknowledgement.
Investigation and outcomes
The DUAA also requires controllers to conduct appropriate enquiries into the subject matter of complaints and keep complainants informed of progress and outcomes. ICO guidance clarifies that controllers should provide meaningful updates, including expected timeframes for resolution and explanations for any delays, though detailed accounts of every investigative step are not required. While the DUAA does not fix a maximum statutory timeframe for outcomes, the ICO expects investigations to be completed “without undue delay,” meaning without unjustifiable or excessive delay, taking into account factors such as the complexity and scale of the issue and any harm the complainant is suffering. Decisions must be communicated in plain, accessible language, and individuals must be informed of their right to escalate to the ICO if dissatisfied.
Practical Steps for Organisations
Organisations should prioritise the following preparatory steps ahead of 19 June 2026:
- Adopt or adapt a written complaints handling policy setting out the organisation’s approach to receiving, handling and resolving data protection complaints, including responsibilities, escalation routes and timelines.
- Establish accessible complaints submission channels, including an electronic form, email, and postal options, clearly signposted in privacy notices and on your organisation’s website.
- Implement systems to acknowledge complaints within 30 days, logging and tracking complaints from the date of receipt.
- Prepare standard templates for acknowledgement letters, progress updates and outcome communications.
- Coordinate complaints handling with data subject access request processes to avoid duplication or conflicting timelines.
- Train staff likely to receive complaints (including customer-facing, HR, IT, and operations teams) to identify and escalate data protection complaints appropriately.
- Ensure complaints handling is integrated within your organisation’s existing data protection governance structure, including escalation routes to data protection officers or privacy teams, and provide regular reporting on complaints volumes and outcomes to senior management.
- Update contracts with joint controllers and processors, as necessary, to address complaint handling responsibilities.
Our data protection team is available to assist with any queries relating to the DUAA’s new complaints handling obligations or your organisation’s compliance readiness. Please get in touch if you would like to discuss this further.
*Lavinia Puder and Georgia Griesbaum, trainees in Katten's London office, contributed to this article.

