
ICO issues final guidance on data protection complaints ahead of DUAA deadline

On 12 February 2026, the ICO published its final guidance on handling data protection complaints under the Data (Use and Access) Act 2025 (DUAA).

Much of DUAA is already in force. However, one of its key operational reforms, a new statutory obligation on organisations to implement and maintain a data protection complaints process, takes effect through a new provision inserted into the Data Protection Act 2018. That obligation will apply to complaints received on or after 19 June 2026.

At first glance, the requirements look simple. In practice, they represent an important shift in how organisations will be assessed by the regulator and how quickly issues may escalate.

This is less about creating a new inbox and more about embedding a defensible, documented governance process before complaint data starts shaping your regulatory profile.

What has actually changed?

DUAA introduces a new right for individuals to complain directly to controllers if they believe their personal data has been handled in breach of data protection law.

In response, controllers must:

  • provide a way for individuals to submit data protection complaints
  • acknowledge receipt within 30 days
  • investigate and respond without undue delay
  • keep complainants informed during the process
  • communicate the outcome without undue delay

Unlike subject access requests, there is no fixed deadline for the substantive response. “Without undue delay” means without unjustifiable or excessive delay, and the ICO expects organisations to assess this case by case. These are procedural obligations, but they still require operational design.

A broad scope

A data protection complaint is not limited to formal legal language or structured submissions. If someone considers that you have infringed data protection law in the way you handled their personal information, it qualifies.

That may include complaints about:

  • how a DSAR was handled
  • security measures or a data breach (even if not reportable)
  • retention periods
  • accuracy of records
  • marketing practices
  • employee monitoring
  • use of automated decision-making or AI systems

This breadth means complaint handling cannot sit solely within legal or compliance. HR, IT security, marketing and customer service functions will all need to recognise and escalate issues appropriately.

Is a new platform required?

One of the more pragmatic aspects of the ICO’s guidance is flexibility. Organisations are not required to build a standalone complaints system. Existing complaint tools can be adapted, whether that is a general complaints email address, an online form, a telephone route or an internal case management system.

However, there is an important operational nuance: individuals are not required to use your chosen channel. A complaint made via social media, to a frontline employee, or through live chat still counts.

This shifts the risk away from system design and towards staff awareness. Recognition becomes critical. If complaints are not correctly identified at intake, your carefully drafted procedure becomes irrelevant.

For many businesses, the real work between now and June 2026 will be in training and internal escalation pathways rather than technology.

The 30-day acknowledgment

The requirement to acknowledge complaints within 30 days is relatively straightforward. The ICO has confirmed that automated email acknowledgements are sufficient for electronically submitted complaints, and verbal acknowledgement is acceptable for verbal complaints.

That is helpful. But it assumes your systems are configured correctly and that complaints are being captured in the first place. A failure to acknowledge is not merely a procedural misstep. Once the provision takes effect, it is a statutory breach.

Investigation and record-keeping

The more significant compliance exposure lies in how complaints are investigated and documented. The ICO expects organisations to make appropriate enquiries without undue delay. That means gathering relevant information, reviewing internal policies, speaking to staff involved, and assessing whether data protection obligations were met.

Under the accountability principle, you must be able to evidence what you did and how you reached your conclusion. The ICO has indicated it may ask to see complaint investigation records.

This has two implications for businesses.

First, complaint handling needs to be structured and consistent. Informal or undocumented internal discussions will not suffice.

Second, organisations must think carefully about legal privilege. Investigation documentation, internal communications and evidence collection practices may need refinement to ensure privilege is preserved where appropriate.

Complaint handling is therefore as much a governance exercise as an operational one.

A strategic signal

Alongside its guidance, the ICO has published a framework explaining how it will assess complaints it receives. The regulator cannot investigate every complaint. Instead, it applies threshold criteria, considering factors such as harm, impact, strategic priorities and whether the organisation is already investigating the issue.

Importantly, the ICO will record complaint volumes about organisations. If complaints about an organisation exceed certain thresholds within a specified period (the thresholds are yet to be finalised), it may analyse the available information to determine whether intervention is necessary.

Reaching a threshold does not automatically trigger enforcement. But complaint data will help the ICO identify patterns and emerging compliance weaknesses.

For businesses, this means complaint handling is no longer just about resolving individual disputes. It may influence regulatory scrutiny more broadly. Poorly managed complaints can accumulate into a signal of systemic non-compliance.

Conversely, a well-documented, proactive investigation process may significantly reduce enforcement risk.

Why this matters

From a litigation perspective, data protection complaints are frequently used as leverage. A disgruntled employee or customer who can demonstrate that an organisation failed to implement a compliant complaints process will hold a stronger negotiating position once the new provisions are live.

Equally, organisations that can demonstrate prompt acknowledgement, documented investigation and reasoned outcomes are more likely to be viewed favourably by the regulator.

There is also reputational exposure. Complaint trends can indicate cultural or operational weaknesses, particularly in high-risk sectors or where sensitive personal data is involved.

What should businesses be doing now?

With the 19 June 2026 deadline approaching, organisations should be reviewing their readiness. Key actions include:

  • Reviewing privacy notices and DSAR response templates to ensure individuals are informed of their right to complain.
  • Mapping all potential intake channels, including social media and frontline staff routes.
  • Updating existing complaints or DSAR procedures to incorporate data protection complaints.
  • Implementing reliable acknowledgment mechanisms for electronic submissions.
  • Establishing structured record-keeping and investigation documentation processes.
  • Training staff to recognise and escalate complaints appropriately.
  • Reviewing processor and joint controller contracts to ensure complaint escalation and cooperation obligations are covered.

These steps require coordination across legal, compliance, HR, IT and customer operations.

DUAA is often characterised as business-friendly. In many respects, that is accurate. But the complaints-handling requirement is one of the few new operational obligations introduced by the reform.

Handled reactively, it becomes another regulatory burden. Approached strategically, it can reduce escalation to the ICO, surface systemic risks early and strengthen organisational accountability. In short, the legal requirements are simple but the governance implications are not.

DUAA is here, and compliance can’t wait. To help you prepare, we’ve created a free, practical compliance checklist you can download and tailor to your organisation. Get it here.