
Data Protection Complaints Procedure Under the DUAA
From 19 June 2026, every organisation that controls personal data must have a formal process for handling data protection complaints from individuals. This is a new legal duty, not a recommendation.
It comes from section 103 of the Data (Use and Access) Act 2025, which inserts new duties into the Data Protection Act 2018. There is no exemption for small businesses, so the requirement applies to a sole trader and a large employer alike.
This guide explains what the new duty requires, the timeframes you must meet, and what a compliant complaints procedure needs to contain.
What Is Changing on 19 June 2026
Section 103 of the DUAA inserts two new sections into the Data Protection Act 2018: section 164A and section 164B. It also changes the route individuals take when they want to complain about how their data is handled.
Until now, a person could complain straight to the Information Commissioner's Office. From 19 June 2026 they are expected to raise the matter with the organisation first, and the ICO can decline to act on a complaint that has not been put to the controller.
The practical effect is that organisations become the first point of contact for data protection complaints. You need a process ready to receive, acknowledge and respond to them.
The New Duties on Controllers
Section 164A places three core obligations on every controller.
Facilitate complaints
You must make it easy for someone to complain about how you handle their personal data. The Act specifically refers to providing a complaint form that can be completed electronically and by other means.
In practice this means a clear, accessible route to raise a concern, not a buried email address.
Acknowledge within 30 days
You must acknowledge receipt of a complaint within 30 days of receiving it. This is a hard statutory deadline, so your process needs to log when a complaint arrives and track the acknowledgement.
Respond without undue delay
You must take appropriate steps to respond to the complaint without undue delay, and tell the complainant the outcome. Appropriate steps include making inquiries into the complaint to the extent appropriate and keeping the complainant informed of progress.
The Duties at a Glance
| Requirement | What it means | Timeframe |
|---|---|---|
| Facilitate complaints | Provide a complaint form completable electronically and by other means | In place by 19 June 2026 |
| Acknowledge receipt | Confirm to the complainant that you have received the complaint | Within 30 days |
| Respond | Take appropriate steps, make inquiries, inform the complainant of the outcome | Without undue delay |
| Keep records | Log complaints received, actions taken and outcomes | Ongoing |

Notifying the ICO
Section 164B gives the Secretary of State the power to require controllers to notify the ICO of the number of complaints they receive over a set period. This is a reserve power that may be brought in through later regulations rather than an immediate reporting duty.
Even so, the direction of travel is clear. Keeping a clean record of the complaints you receive and how you resolved them will matter, both for any future reporting and as evidence of compliance.
What Your Complaints Procedure Should Contain
- A clear way for individuals to complain, including an electronic complaint form and an alternative route.
- A named owner responsible for handling data protection complaints.
- A log that records the date each complaint is received, so the 30-day acknowledgement can be tracked.
- A standard acknowledgement that goes out within 30 days.
- Steps for investigating the complaint and keeping the complainant updated on progress.
- A way to record the outcome and communicate it to the complainant.
- A reference to the individual's right to escalate to the ICO if they remain dissatisfied.

What Happens If You Do Not Comply
The complaint-handling duties are enforceable by the ICO. Failing to put a process in place, or ignoring complaints, exposes you to regulatory action.
Serious infringements of UK data protection law can attract fines of up to 17.5 million pounds or 4 percent of global annual turnover, whichever is higher. For most organisations the more realistic risk is reputational damage and ICO scrutiny triggered by a complaint you handled badly.
How Policy Pros Can Help
We write data protection complaints procedures that meet the section 103 duties without drowning a small team in process. The procedure sets out the complaint form, the 30-day acknowledgement, the investigation steps and the records you need to keep.
Our GDPR consultancy and data protection and confidentiality policy services make sure your wider data protection documentation reflects the DUAA changes, not just the old UK GDPR baseline.
If you are short on time before the deadline, our small business complaints checklist gives you a fast route to a compliant process, and our DUAA 2025 employer guide covers the wider changes the Act brings in.
Frequently Asked Questions
When does the DUAA complaints duty come into force?
The data protection complaints duties in section 103 of the Data (Use and Access) Act 2025 come into force on 19 June 2026, around twelve months after the Act received Royal Assent. From that date every UK controller must have a process to receive, acknowledge and respond to data protection complaints.
Does the complaints duty apply to small businesses?
Yes. There is no exemption for small businesses or sole traders. Any organisation that acts as a controller of personal data must have a compliant complaints process in place by 19 June 2026.
How quickly must we acknowledge a data protection complaint?
You must acknowledge receipt of a complaint within 30 days of receiving it. You must then take appropriate steps to respond without undue delay and inform the complainant of the outcome.
Do we have to provide a complaint form?
The Act requires you to facilitate complaints, including by providing a complaint form that can be completed electronically and by other means. A clear, accessible route to complain is part of the duty, not an optional extra.
Do we have to report complaints to the ICO?
Section 164B gives the Secretary of State the power to require controllers to notify the ICO of the number of complaints received over a period. This is a reserve power that may be activated by later regulations, so there is no automatic reporting duty yet, but keeping a clear complaints record is sensible.