UK Data Protection Reform: New Complaints-Handling Duties Take Effect
As of June 19, 2026, the Data (Use and Access) Act 2025 (DUAA) has brought into force new complaints-handling requirements for controllers under the UK data protection regime. (See our previous post on the DUAA here.) While many businesses already operate customer complaint or data subject rights processes, the DUAA now places specific statutory obligations on controllers to receive, acknowledge, investigate and respond to data protection complaints received on or after June 19, 2026.
What Has Changed?
The DUAA inserts a new section into the Data Protection Act 2018, giving data subjects a statutory route to complain directly to a controller if they consider that there has been an infringement of relevant UK data protection legislation in connection with their personal data.
Controllers must now proactively facilitate the making of such complaints, e.g., by providing an electronic complaint form or a dedicated email address, or by adapting an existing complaints portal to accept data protection complaints. However, even where complaints are received outside of formal channels, such as via social media, the same statutory duties apply, and there is no requirement for data protection complaints to use legal wording or quote legislative provisions in order to be valid.
Once a complaint is received, the controller must acknowledge receipt within 30 days. While automated responses can be helpful to satisfy this requirement, prompt human review should be initiated and appropriate steps to respond to the complaint should be taken, including making appropriate inquiries into the subject matter of the complaint and keeping the complainant informed about progress.
The legislation does not impose a fixed deadline for issuing a final response. Instead, the applicable standard is “without undue delay”—i.e., without an unjustifiable or excessive delay. This will depend on a range of factors, including the complexity and scale of the matter complained about.
How Should Businesses Prepare?
Controllers should review whether they have a clearly documented process for recognizing and managing data protection complaints, including complaints that may not be clearly labelled or easily identifiable as such.
This new duty is particularly relevant in light of the growing use of AI-generated complaints, which may increase complaint volumes and make it more difficult for businesses to identify the underlying factual basis of a complaint. However, a complaint should not be disregarded merely because it appears formulaic, generic or AI-generated. Where it raises an identifiable data protection concern, businesses will still be expected to acknowledge receipt, make the relevant inquiries, and avoid unjustifiable or excessive delays in handling the complaint.
To ensure compliance with the new complaints-handling framework, businesses should consider:
- creating or adapting formal channels to receive data protection complaints;
- adopting or updating a data protection complaints-handling policy;
- establishing procedures for staff across business functions to identify and escalate data protection complaints received through any channel;
- creating template acknowledgements and outcome letters;
- centrally recording receipt dates, acknowledgements, investigation steps, progress updates, outcomes and remedial actions; and
- updating privacy notices and other external-facing materials (including template responses to data subject requests) to accurately explain how and where individuals can submit complaints and what to expect.
Staff training will be particularly important. Even where formal channels exist, data protection complaints may still arise through any mode of communication with employees in any business function and at any level of seniority. The statutory clock will not wait for a complaint to reach the legal or privacy team.
Key Takeaways
The new DUAA complaints regime gives individuals a clearer route to effectively challenge perceived data protection infringements directly with controllers and gives the ICO a stronger basis to expect businesses to resolve complaints before escalation.
For controllers, the compliance burden should be manageable if complaints-handling is embedded into governance, training, and recordkeeping processes. Businesses that have not yet reviewed their data protection complaints procedures should do so.

