For many UK organisations, 19 June 2026 may become the most important date in DUAA’s implementation timeline. From that date, businesses and other organisations processing personal data will be legally required to operate a formal internal data protection complaints procedure. Individuals who believe their data rights have been infringed must be able to complain directly to the organisation before escalating concerns to the ICO.
The new regime represents a major shift in the UK’s approach to data protection enforcement. Rather than relying primarily on regulator-led intervention, DUAA places greater responsibility on organisations themselves to investigate, manage and resolve complaints quickly and transparently.
In practice, businesses will need to acknowledge complaints within 30 days, investigate issues without undue delay, keep complainants informed and clearly communicate outcomes. The ICO has already signalled that the quality of an organisation’s complaints handling process may influence its wider regulatory approach.
For businesses, this is part of a broader shift toward operational accountability under DUAA, which is already reshaping areas such as AI governance, automated decision-making, international transfers and lawful processing.
With major reforms already in force and the June 2026 complaints deadline approaching quickly, organisations will want to review their governance frameworks, internal procedures and staff readiness.
How is DUAA being rolled out?
DUAA became law on 19 June 2025, but the reforms are being introduced gradually in a phased process.
Some technical changes started immediately, including clarification around SAR searches. Further reforms followed throughout late 2025, but the most significant implementation phase arrived on 5 February 2026, when the majority of the new data protection provisions came into force.
From that point on, organisations began operating under updated rules covering recognised legitimate interests, automated decision-making, international transfers, cookies and expanded ICO enforcement powers.
The next major milestone is now approaching on 19 June, when the mandatory complaints handling requirements come into effect.
Further reforms, including governance changes transforming the ICO into the new “Information Commission” structure, are expected later in the year.
Why the complaints procedure requirement matters
The upcoming complaints regime may become one of the most operationally significant aspects of DUAA. Under the new rules, people need to raise complaints directly with organisations before escalating matters to the ICO.
This means businesses will increasingly become the first line of investigation, response and resolution for data protection concerns. The ICO has indicated that the quality of an organisation’s complaints handling process will influence its regulatory approach, which suggests that complaints handling is becoming a governance issue as well as a customer service issue.
What will count as a data protection complaint?
Not every unhappy email from a customer or employee will fall within that scope. But organisations will need to become significantly better at identifying complaints that may trigger the new DUAA obligations.
These include complaints about how SARs have been handled, concerns around data retention or accuracy, objections to monitoring or surveillance practices, dissatisfaction with security measures, or challenges relating to AI-driven decision-making and data sharing practices.
Issues like standard customer service complaints or employment grievances may fall outside scope unless they specifically concern data protection rights.
If there is uncertainty, the ICO recommends clarifying directly with the person whether they intend to raise a formal complaint.
The new mandatory complaints process
From 19 June, businesses will need to provide people with accessible and effective ways to submit complaints directly to them. Many businesses already operate customer complaints processes, but DUAA elevates certain data protection complaints into a more formal regulatory framework with defined procedural obligations.
Organisations cannot insist individuals use only one designated route. Complaints may arrive through ordinary customer service emails, HR channels, live chat functions, online forms, social media interactions or even informal correspondence. This could create a practical challenge for businesses because complaints will need to be recognised consistently across multiple teams and operational functions.
Once a complaint is received, the clock begins running immediately. Organisations must acknowledge receipt within 30 days, with the ICO clarifying that the timeframe begins the day after the complaint is received, including weekends and public holidays. In practice, however, businesses should not view this as a comfortable response window. The obligation to investigate begins immediately upon receipt of the complaint, regardless of whether a formal acknowledgement has been sent.
The requirement to act “without undue delay” introduces a degree of flexibility, but also uncertainty. The ICO has indicated that expectations will depend on the complexity of the complaint, the sensitivity of the data involved, the scale of the issue and the level of potential harm to the individual. A relatively straightforward complaint regarding data retention practices may require only limited enquiries, while complaints involving AI systems, monitoring technologies or large-scale disclosures could demand extensive internal investigations.
Throughout the process, organisations are expected to maintain transparency with complainants. This does not necessarily mean providing constant updates or disclosing every internal investigative step. However, individuals should be informed about expected timelines, delays and progress where appropriate.
The final response must clearly explain the organisation’s findings, any remedial action taken and the complainant’s right to escalate concerns to the ICO if they remain dissatisfied.
Perhaps most importantly, DUAA effectively turns complaints handling into a documented accountability exercise. Organisations will need to maintain detailed records of complaints received, investigations conducted, correspondence exchanged, decisions reached and corrective actions taken. The ICO has made clear that these records may become relevant during regulatory enquiries.
For many businesses, this will require a significant operational shift. Complaints handling can no longer sit solely within customer service or legal teams. Instead, organisations will need coordinated processes involving compliance, HR, IT, security, operational leadership and senior governance functions.
What should businesses be doing now?
Businesses should treat these weeks leading up to June 2026 as a preparation period. One of the biggest challenges will be ensuring complaints can be recognised and escalated consistently across the organisation. As noted, complaints may arrive through customer support teams, HR functions, compliance channels, email correspondence or ordinary operational interactions. Organisations will therefore need clearer internal processes and better coordination between departments.
Existing privacy notices, complaint procedures and subject access request response templates should also be reviewed and updated. DUAA expects organisations to explain clearly how individuals can complain directly to the organisation and how concerns will be handled.
Training will be equally important. Staff across legal, HR, IT, customer support and operational functions should understand how to identify complaints, escalate issues and comply with response timelines.
At the same time, businesses using AI systems and automated decision-making tools should review governance arrangements more broadly. While DUAA introduces greater flexibility in some areas, regulators continue to expect organisations to demonstrate fairness, transparency and meaningful oversight.
The ICO has indicated it intends to take a measured approach during the transition period, particularly while guidance is still developing. Nevertheless, expectations around accountability are clearly increasing, and businesses that begin preparing now will be significantly better positioned once the complaints regime formally takes effect.
A big shift
With DUAA, the UK has attempted to position itself as offering a somewhat more commercially flexible framework than the EU GDPR in areas such as AI governance, automated decision-making, legitimate interests and international transfers.
However, the reforms simultaneously increase expectations around operational governance and accountability. The complaints regime illustrates this.
DUAA is not simply another legislative update. It represents a broader shift in how data governance, accountability and regulatory engagement will operate in the years ahead.