In brief
- The Data (Use and Access) Act 2025 (DUAA) introduces a new statutory requirement for organisations to implement internal data protection complaints processes from 19 June 2026.
- Individuals will be expected to raise complaints directly with organisations first, before escalating issues to the ICO.
- Organisations must ensure complaints are handled through clear, accessible procedures, with timely acknowledgement, investigation and response.
Setting the background
A significant change to UK data protection law will come into force on 19 June 2026, introducing a new statutory complaints handling framework for organisations.
The changes are introduced by the DUAA, which amends the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). As part of these reforms, organisations will be required to establish and operate an internal complaints-handling process. Individuals must use this process before escalating concerns to the Information Commissioner's Office (ICO).
We previously discussed the wider implications of the DUAA and its key reforms to UK data protection law. If you would like to explore the other key changes that have been introduced, you can read our overview here.
What is changing?
The DUAA introduces a new section 164A into the DPA 2018, creating a statutory right for individuals to raise data protection complaints directly with organisations.
Previously, while individuals had the right under Article 77 UK GDPR to lodge complaints with the ICO, there was no express legal requirement for organisations to maintain a dedicated internal complaints process. The new section 164A regime formalises this obligation.
From 19 June 2026, organisations must ensure they have an appropriate complaints handling process in place. ICO guidance provides that organisations should:
- give individuals a clear and accessible means of submitting a data protection complaint;
- acknowledge complaints within 30 days of receipt;
- investigate and respond to complaints “without undue delay”, keeping complainants informed throughout the process; and
- notify complainants of the outcome without undue delay.
The reforms also change the complaints pathway for individuals. Rather than approaching the ICO in the first instance, individuals will be expected to raise their complaint with the relevant organisation before escalating the matter to the ICO. This reflects the ICO's broader aim of encouraging complaints to be addressed and resolved directly wherever possible.
What steps should organisations take?
With the commencement date approaching, organisations should review their existing data protection governance arrangements to ensure they can meet the new requirements.
In practice, this is likely to involve:
- updating privacy notices and template responses to inform individuals of their right to make a data protection complaint, including when personal data is collected and when responding to data subject rights requests;
- ensuring complaints are identified and acknowledged within the 30-day period, including where received electronically;
- reviewing internal policies, procedures and staff training to ensure complaints are recognised, investigated and handled consistently; and
- reviewing processor arrangements to ensure contracts require processors to notify and support controllers where complaints are received.
For many organisations, these changes may involve refining existing processes rather than creating entirely new ones. Nevertheless, early preparation will be important to ensure compliance and avoid operational challenges once the new requirements take effect.
How Mishcon de Reya can help
If you would like advice on updating privacy notice wording or implementing compliant complaints handling procedures, do not hesitate to get in touch with our Data experts.