A significant change to UK data protection law is now just weeks away. From 19 June 2026, every organisation that processes personal data will be legally required to have a formal process for handling data protection complaints under the Data (Use and Access) Act 2025 (DUAA).
While much of the discussion around DUAA has focused on wider reforms to UK data protection law, this new complaints-handling requirement is one of the most immediate and operationally significant obligations facing organisations.
For the first time, individuals will have a statutory right to raise data protection complaints directly with organisations, and businesses will be legally required to investigate, manage and respond to those complaints through a documented internal process before matters are escalated to the Information Commissioner’s Office (ICO).
The countdown is now on.
A fundamental shift
Historically, people dissatisfied with how an organisation handled their personal data could complain directly to the ICO. While many organisations already had internal processes for dealing with privacy concerns, there was no explicit legal requirement to maintain a dedicated data protection complaints framework.
That changes soon.
DUAA creates a formal right for people to complain directly to organisations about alleged infringements of UK GDPR. Under the new regime, organisations must provide a clear and accessible route for people to submit complaints, acknowledge complaints within 30 days, investigate concerns without undue delay, keep complainants informed throughout the process and communicate outcomes promptly.
Importantly, the ICO expects people to raise concerns with organisations first before escalating matters to the regulator. This means organisations will increasingly become the first line of resolution for privacy disputes.
Why businesses should care
For many businesses, the new law represents more than a simple administrative change.
Data protection complaints can arise from almost any aspect of personal data processing, including data breaches, subject access requests, marketing practices, retention periods, and profiling activities.
The ICO has made it clear that organisations cannot rely on informal approaches. Complaints handling must become a structured and transparent process capable of withstanding regulatory scrutiny.
Many businesses already have customer service complaint procedures, but these may not be sufficient to meet the new legal standard. Staff must be able to distinguish between a general customer complaint and a data protection complaint, especially as people are not required to use specific wording or submit complaints through designated channels.
A complaint may arrive through customer service, HR, social media, email, or even face-to-face interactions. If employees fail to recognise and escalate a complaint appropriately, the organisation could miss statutory deadlines.
The changes also place an emphasis on organisational accountability. Businesses will need to demonstrate not only that complaints were resolved, but also that they were acknowledged, investigated and communicated properly throughout the process.
Why law firms should be paying particular attention
The new requirements create both compliance challenges and commercial opportunities for law firms. Because they process large volumes of sensitive client, employee and third-party information, law firms must ensure they comply with the new obligations. Complaints relating to client confidentiality, subject access requests, retention periods, or cyber incidents could all fall within scope.
Many firms already operate complaints procedures for professional conduct and client service issues. But these processes may not adequately address the specific requirements of DUAA. Firms should review whether data protection complaints are clearly identifiable within existing frameworks and whether statutory timelines can be met consistently.
There is also a growing advisory opportunity. Businesses across all sectors will require support in understanding and implementing these changes. Law firms advising on data protection, employment, regulatory compliance, governance and commercial contracts could be engaging with clients now.
In particular, clients may need assistance reviewing privacy notices, updating complaint procedures, revising data processing agreements, training staff and establishing governance frameworks capable of meeting the new legal standard.
What businesses should do now
With the implementation date approaching, organisations should be conducting immediate readiness assessments.
The first priority is ensuring there is a clear and accessible mechanism for people to submit data protection complaints. Whether through online forms, dedicated email addresses, telephone channels or existing complaint systems, the process must be visible and easy to use.
Businesses should then review internal governance arrangements and determine who is responsible for receiving, investigating and escalating complaints. Accountability should be clearly assigned, and escalation routes should be documented.
Training is key. Employees need to understand what constitutes a data protection complaint and how it differs from other customer service issues or data subject rights requests.
Privacy notices, subject access request templates and other data protection communications should also be updated to inform individuals of their right to complain directly to the organisation.
Organisations should review record-keeping arrangements to ensure complaints can be tracked, monitored and evidenced. The ICO expects organisations to maintain records showing when complaints were received, how they were investigated, what decisions were made and what actions were taken.
Businesses that rely on third-party processors should also review contractual arrangements to ensure suppliers understand their role in supporting complaint investigations and notifying controllers when complaints are received.
What law firms should do now
Law firms should begin by reviewing their own compliance position. Existing complaints procedures should be assessed against the new statutory requirements to identify any gaps.
Firms should consider whether data protection complaints can be recognised and routed effectively across all practice areas and business functions, including HR, marketing, IT and client services teams.
Training programmes should be updated to ensure lawyers and support staff understand the new obligations and know how to respond when complaints arise.
Client-facing documentation, privacy notices and subject access request response templates should also be reviewed and updated where necessary.
Beyond internal compliance, firms should be engaging with clients now. Many organisations remain unaware that these requirements become mandatory in June 2026. Providing practical guidance and implementation support is an opportunity to strengthen client relationships while helping organisations avoid compliance failures.
A short window
From 19 June 2026, organisations will be judged not only on whether they comply with data protection requirements, but also on how effectively they respond when individuals believe those requirements have been breached.
For businesses, this means moving from informal complaint management to documented, legally compliant processes. For law firms, it means ensuring their own compliance while helping clients prepare for a regulatory change that will quickly become a visible test of organisational accountability.
With just weeks remaining before the new requirements take effect, organisations that have not yet reviewed their arrangements should treat preparation as an immediate priority.
Our UK GDPR and DUAA courses automatically align with the UK’s evolving data protection regulations