What to Do If You Missed the DUAA Complaints Deadline
The data protection complaints duty under section 103 of the Data (Use and Access) Act 2025 came into force on 19 June 2026. If you do not yet have a process in place, you are not alone, and you can still put this right quickly.
The duty does not go away because the date has passed. The sensible response is to get a compliant process live now and to handle any complaints that arrive in the meantime properly.
Get the Basics Live First
You do not need a perfect system on day one. You need the core duty working: a way for people to complain, an acknowledgement within 30 days, and a record of what you did.
Stand up a complaint form and an alternative route, name an owner, and start a log today. Our complaints procedure checklist walks through the minimum steps.
Handle Any Live Complaints Properly
If a complaint has already come in, deal with it now. Acknowledge it, investigate to the extent appropriate, and tell the person the outcome.
A complaint handled well after a late start looks very different to a regulator than a complaint ignored. The duty is ongoing, so good handling from this point forward matters.
What the Risk Actually Is
The complaint-handling duties are enforceable by the ICO. The realistic trigger for scrutiny is a complaint you mishandle or ignore, rather than the date itself.
Serious infringements of UK data protection law can attract fines of up to 17.5 million pounds or 4 percent of global annual turnover, whichever is higher. For most organisations the immediate concern is showing the ICO you have acted promptly to comply.
A Fast Recovery Plan
| Priority | Action |
|---|---|
| Today | Name an owner, set up a complaints log, publish a complaint route |
| This week | Add an electronic complaint form and an acknowledgement template |
| Now and ongoing | Acknowledge any live complaints within 30 days and respond without undue delay |
| This month | Update your privacy notice to point to the new complaints route |
How Policy Pros Can Help
We can get a compliant data protection complaints procedure in place fast, with the complaint form wording, acknowledgement template and log you need to meet the section 103 duties.
Our GDPR consultancy and privacy policy writing services then bring the rest of your documentation up to date. Start with the complaints procedure guide for the full picture of what the duty requires.
Frequently Asked Questions
We missed the 19 June 2026 DUAA deadline. What should we do first?
Get the core duty working now: name an owner, publish a route to complain including an electronic complaint form, start a log, and prepare an acknowledgement template. Then handle any complaints already received by acknowledging within 30 days and responding without undue delay.
Will we be fined for missing the deadline?
The complaint-handling duties are enforceable by the ICO, and serious infringements can attract fines of up to 17.5 million pounds or 4 percent of global annual turnover. In practice the realistic trigger for action is mishandling or ignoring a complaint, so acting promptly to comply now reduces your risk.
Is it too late to comply with the DUAA complaints duty?
No. The duty is ongoing, so it is never too late to put a compliant process in place. Standing one up now and handling complaints properly from this point forward is the right response.
