UK businesses to face new data complaints rules from June

UK businesses have less than a month to prepare for a major new compliance obligation under the Data (Use and Access) Act 2025 (DUAA). From 19 June 2026, organisations that process personal data will be legally required to implement procedures for handling data protection complaints directly from individuals.

The new rules are designed to encourage complaints to be resolved internally before escalating to the ICO. They form part of the wider DUAA reforms that have already reshaped areas such as data subject access requests (DSARs), automated decision-making, PECR enforcement, and lawful bases for processing.

As we previously highlighted in our analysis of the DUAA rollout, businesses that assume the reforms represent a softening of UK GDPR obligations risk being caught out by stronger enforcement powers and increased regulatory scrutiny. The incoming complaints-handling requirements are an indication of that.

A new operational burden for businesses?

Under the new framework, organisations must provide individuals with a clear and accessible way to complain about how their personal data has been handled. Complaints could relate to DSAR responses, cybersecurity failures, employee monitoring or concerns about AI-driven decision-making.

The ICO guidance makes clear that organisations cannot rely solely on formal complaint channels. A complaint submitted through social media, customer support, live chat, or directly to an employee may still trigger legal obligations under DUAA.

For many businesses, especially smaller ones, this represents a significant shift. Informal or fragmented approaches to complaints handling are no longer enough. Companies will need clear internal processes to ensure complaints are recognised, escalated, investigated, and documented properly.

Strict timelines and record-keeping expectations

Once a complaint is received, organisations must acknowledge it within 30 days and investigate the matter right away. Businesses are also expected to keep complainants informed throughout the process and explain the outcome clearly, including any corrective action taken.

The ICO has placed specific emphasis on record keeping. Organisations should maintain detailed logs showing when complaints were received, how they were investigated, and what decisions were reached. Those records could be requested during regulatory investigations.

This means businesses will need formal internal procedures, complaint tracking systems, and staff training across departments including HR, customer service, compliance, marketing, and IT.

Complaints could become an enforcement trigger

The changes are especially important given the ICO’s expanded enforcement powers under DUAA. As we previously noted, the regulator can now compel interviews, require technical reports, and demand access to specific documents during investigations.

Poor complaints handling could become evidence of broader governance failures. Organisations that repeatedly miss deadlines, fail to investigate concerns properly, or cannot demonstrate accountability may face more regulatory scrutiny.

This is especially relevant for businesses using AI systems, automated decision-making tools, extensive employee monitoring, or large-scale marketing and tracking technologies.

Getting ready

With the deadline fast approaching, organisations should be reviewing their privacy notices, updating complaints procedures, and training staff on how to recognise and escalate data protection concerns.

For UK businesses, privacy compliance is now a core governance issue that cuts across all departments. Organisations that prepare early will be better positioned to manage complaints effectively and reduce escalation risks.
