Quietly included in the Data (Use and Access) Act 2025 is a new complaints-handling duty for organisations, coming into force on 19th June 2026. This article explains the changes and how organisations can prepare.
Published: 23 April 2026
Authors: Kate Brimsted
Unassumingly tucked away amongst the many detailed provisions of the Data (Use and Access) Act 2025 (‘DUAA’) is the new complaints-handling duty for organisations, now inserted as section 164A of the Data Protection Act 2018 and coming into force on 19th June 2026. This article examines what is known about the new complaints regime, the difference it could make for individuals and organisations, and how organisations can prepare.
What’s changing & when?
The UK’s data protection regime already included a panoply of individual ‘data subject’ rights - from the right of access (the ‘DSAR’) to rectification to deletion - and, strictly speaking, the present change is not a new right for individuals. What is changing is the arrival of a new statutory duty on controllers to run a compliant internal complaints process along prescribed timelines.
As the Information Commissioner’s Office (‘ICO’) summarises it in its ‘how to deal with data protection complaints’ guidance dated 12th February 2026 (the ‘ICO Guidance’), data protection law now says that organisations must:
- give people a way of making data protection complaints to them
- acknowledge receipt of complaints within 30 days of receiving them
- without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep people informed
- without undue delay, tell people the outcome of their complaints
1. Making the complaint
From 19th June 2026, controllers have specific additional responsibilities in responding to general data protection complaints received from individuals. There is no prescribed language, nor legal terms which an individual needs to use to make a valid general complaint. An individual simply needs to ‘consider that, in connection with [their personal data] there is an infringement of the UK GDPR (or Part 3 of the UK DPA for law enforcement processing)’ by the controller. Although in practice complaints are often generated from (for example) overdue DSAR responses, a complaint doesn’t need to relate to an infringement of any data subject rights.
The complainant does not need to act reasonably, nor to be well-informed about what data protection law requires (why should they be?). They simply need to consider that the organisation, essentially, is breaching data protection law in a way that is connected with their personal data, and therefore with them (or someone they act on behalf of).
The infringement being complained of does not need to be causing a complainant any material or non-material damage (the trigger for a compensation right under Article 82 UK GDPR). A general data protection complaint could potentially be raised if a privacy policy is considered to lack the proper transparency, e.g. a complainant does not understand where their data are being sent or what they are being used for (a criticism that could fairly be levelled at a number of consumer-facing privacy policies). The potential for DUAA’s general data protection complaint duty to become a tactical instrument in the hands of the aggrieved customer or employee should not be underestimated.
2. Facilitation
Every organisation in scope of UK data protection law must facilitate the making of these general complaints ‘by taking steps such as providing a complaint form which can be completed electronically and by other means’ (emphasis added). That is not prescriptive language, and the ICO Guidance states that, whilst an organisation must give people a way to make general complaints directly, the specific method used is discretionary.
Examples could include:
- providing a complaint form that people can submit electronically or in writing by email or post
- providing an email address for people to send complaints to (this could be signposted by a simple update to the existing public-facing privacy policy)
- allowing people to make complaints over the phone or via an online complaints portal
- having a live chat function with the option to escalate to a human, if needed
So, there is no need to spin up a web form in order to comply; if existing complaints tools can be adapted, then so much the better. The ICO acknowledges that for organisations with an online presence, people may choose to complain via social media. The ICO Guidance notes that responding via social media is not a secure way of providing information, and recommends that organisations ask for an alternative contact method before providing any substantive response (which will include personal data to some degree). It is unclear whether it would be compliant for an organisation receiving a general data protection complaint via social media (or other channels), to direct the maker of the complaint to re-submit it via the organisation’s alternate designated complaints communication channel.
The ICO Guidance reflects some of the complexities well-established under the data subject rights regime:
- it may be appropriate to ask for proof of ID from the complainant before responding
- proof of authority to act must be obtained from a complainant expressly complaining on behalf of another, before investigating the complaint (let alone responding)
- transparent arrangements should be in place between joint controllers, concerning which is responsible for acknowledging, investigating and/or responding
- arrangements with processors (forwarding complaints to the controller, assisting with the investigation and/or response, etc) should accommodate any required assistance the organisation may need to process general data protection complaints
3. Acknowledgment in 30 days
If a controller receives a general data protection complaint, it must acknowledge receipt within 30 days beginning on the day the complaint is received. The ICO Guidance interprets this as meaning ‘30 days start the day after you receive the complaint’, and that allowance can be made if the last day to acknowledge falls on a weekend or public holiday. The ICO’s worked example is of a data protection complaint received on Thursday, 5th June [2025]. The 30 days do not start until the start of Friday, 6th June and this means 30 days end at the end of Saturday, 5th July. However, as this would fall on a weekend, the organisation would have until the end of Monday, 7th July to acknowledge the complaint.
4. Investigating & responding
An organisation must also without undue delay (1) take appropriate steps to respond to the complaint; and (2) inform the complainant of the outcome of the complaint. The DUAA provides guidance on what ‘taking appropriate steps to respond’ should look like. The controller clearly needs to take some action, including ‘making inquiries into the subject matter of the complaint, to the extent appropriate’ and ‘informing the complainant about progress on the complaint’. The ICO Guidance states that the obligation to investigate the complaint starts when the complaint is received; the 30 day acknowledgment window should not be treated as a pause.
According to the ICO Guidance, the investigation phase should comprise:
- gathering information needed to consider the complaint, including asking the person making the complaint for more information if it is not clear what the complaint is about. (This may play into the hands of the vexatious complainant - see below)
- making enquiries, including speaking to relevant staff members. Progressing the investigation and providing the outcome to the complainant should occur ‘without undue delay’ which the ICO interprets as meaning ‘without an unjustifiable or excessive delay’. Whether the time taken is justifiable in practice will depend upon factors like the complexity of the complaint, its scale (e.g. if longer term) and whether actual harm is being suffered by the complainant as a result of the unresolved issue.
It is, in principle, acceptable for organisations to adapt their existing processes to handle general data protection complaints. However, in practice, organisations may receive mixed complaints that are not confined to data protection issues. In such cases, aligning response times for data protection complaints with those set by other frameworks or sector-specific guidance (for example, in the financial services sector) will not automatically be appropriate. Where possible, organisations should complete their data protection complaint processes sooner, rather than delaying them to match non-data protection timelines.
The ICO recognises that organisations are not required to take steps that would be unreasonable or disproportionate in the circumstances. Accordingly, an organisation’s obligations to respond and to make inquiries are qualified by what is appropriate in each case. In some instances, complaints could be wholly misconceived or nonsensical, justifying a proportionately minimal response effort.
5. Keeping people informed
It is unclear how frequently complainants should be kept informed about the progress of the investigation or what the content of such updates should be. The ICO Guidance suggests this will be more about updates on timeframes and explaining any delays, rather than giving an account of the steps taken so far (which is some relief). This element of the duty on organisations only seems relevant where a complaint could take some time to resolve. It may be possible to close some complaints within the 30 day initial acknowledgment window; in such a case, the ICO Guidance states there is no requirement to provide an acknowledgement and outcome separately, and providing progress updates appears moot.
6. The response
The communication medium is up to the organisation, and it may be most convenient to resolve over the phone (while keeping appropriate records – see below). The response itself should, according to the ICO’s Guidance:
- ‘explain what you’ve done to resolve their data protection complaint and, where appropriate, any actions you’ve taken as a result’
- ‘if you think that you’ve complied with data protection law, explain this in detail to the complainant and provide enough information to help the complainant understand how you’ve reached your conclusion’.
The reality may be that an organisation is unable to resolve the complaint to the individual’s satisfaction (particularly if the complainant is acting disingenuously). In this situation, the ICO makes a couple of potentially onerous suggestions: (1) provide more detail to the complainant to clarify the decision; or (2) consider a review process for unresolved complaints. Finally, the response could be a good point at which to remind the complainant that they have the right to complain to the ICO, and to provide the ICO’s contact details.
7. Recordkeeping
Based on the ICO Guidance, it is recommended that controllers keep a record of the following:
- the date the data protection complaint was received
- the acknowledgement (including date sent)
- any relevant conversations and documents
- the outcome of the complaint
- any actions taken as a result of the investigation
- the number of data protection complaints received, as well as recurring themes and trends.
The ICO can request a copy of such records, which it may decide to do if after 19th June 2026 it is receiving a significant number of complaints from individuals that an organisation has been ignoring or mishandling general complaints made to it, or failing to acknowledge them in time. The DUAA introduced a placeholder for further regulations to be made requiring a controller to (proactively) notify the Commissioner of the number of complaints made to it over specified periods. Currently there is no indication of when such regulations are expected; however, organisations would be prudent to maintain a register of their general complaints.
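The acknowledgement-deadline rule described in section 3 (the 30 days start the day after receipt, and a deadline landing on a weekend or public holiday rolls forward) and the register recommended in section 7 are straightforward to automate. The following is an added example, not code from the article or from the ICO; the complaint references, themes, dates and the small public-holiday set are all constructed for illustration, and a real register would load the official bank-holiday list rather than hard-coding it.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed holiday set for the example (assumption): a real deployment
# would load the official England & Wales bank-holiday list.
PUBLIC_HOLIDAYS = frozenset({
    date(2025, 8, 25),   # summer bank holiday
    date(2025, 12, 25),
    date(2025, 12, 26),
})


def acknowledgement_deadline(received: date, public_holidays=PUBLIC_HOLIDAYS) -> date:
    """Last day on which an acknowledgement is in time, on the ICO reading:
    day 1 is the day after receipt, so day 30 is received + 30 days; if that
    falls on a Saturday, Sunday or public holiday, roll forward to the next
    working day."""
    deadline = received + timedelta(days=30)
    while deadline.weekday() >= 5 or deadline in public_holidays:
        deadline += timedelta(days=1)
    return deadline


@dataclass
class Complaint:
    """One row of the general data protection complaints register,
    following the record-keeping items the article lists."""
    ref: str
    received: date
    theme: str
    acknowledged: Optional[date] = None
    outcome_sent: Optional[date] = None
    actions: tuple = ()


def overdue_acknowledgements(register, today: date):
    """References of complaints not yet acknowledged whose deadline has passed."""
    return [c.ref for c in register
            if c.acknowledged is None and today > acknowledgement_deadline(c.received)]


def late_acknowledgements(register):
    """References of complaints that were acknowledged, but after the deadline."""
    return [c.ref for c in register
            if c.acknowledged is not None
            and c.acknowledged > acknowledgement_deadline(c.received)]


def theme_summary(register):
    """Counts per recurring theme, for the trend reporting the ICO suggests."""
    return dict(Counter(c.theme for c in register))


# Constructed sample register (all values invented for the example).
SAMPLE_REGISTER = [
    Complaint("C-001", date(2025, 6, 5), "transparency", acknowledged=date(2025, 7, 7)),
    Complaint("C-002", date(2025, 6, 5), "transparency", acknowledged=date(2025, 7, 8)),
    Complaint("C-003", date(2025, 6, 20), "dsar-delay"),
    Complaint("C-004", date(2025, 7, 25), "dsar-delay"),
]

if __name__ == "__main__":
    for c in SAMPLE_REGISTER:
        print(c.ref, "acknowledge by", acknowledgement_deadline(c.received))
    print("overdue as of 2025-08-01:", overdue_acknowledgements(SAMPLE_REGISTER, date(2025, 8, 1)))
    print("acknowledged late:", late_acknowledgements(SAMPLE_REGISTER))
    print("themes:", theme_summary(SAMPLE_REGISTER))
```

Running this reproduces the ICO worked example (received Thursday 5 June 2025, deadline Monday 7 July 2025) and shows the holiday roll-forward for a deadline that would otherwise land on the August bank holiday. The overdue and late lists are the two checks a privacy team would want on a dashboard, and the theme counts feed the trend reporting the ICO may one day require to be notified proactively.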
Which kinds of organisations can expect the most heat and why?
Organisations that are likely to require the greatest investment in effort and preparation are high-volume, consumer-facing or public-facing entities, such as retail banks, utilities, telecommunications providers, large online platforms, public sector service providers, and those that already handle significant volumes of data subject access requests (‘DSARs’).
Other organisations that may face similar challenges include large employers and complex corporate groups, particularly in sectors where restructurings, disputes, or collective issues are common. In these contexts, employees and their representatives may frame workplace grievances as general data protection complaints, or combine both into ‘mixed’ complaints.
Finally, organisations operating within complex regulatory environments in addition to data protection, such as financial services firms (subject to the Financial Conduct Authority or the Financial Ombudsman Service (‘FOS’)), local authorities (subject to Ombudsmen), and the health and education sectors (with their own regulators), may encounter particular difficulties when handling mixed complaints. These challenges can include questions of forum selection, conflicting timelines, and the need to ensure consistent messaging across regulatory regimes.
Pain points
Even though the legal changes introduced by DUAA are fairly modest, in practice, pain points for organisations will arise from how the new duty plays out in terms of volume, human behaviour and existing pressures. The table summarises some areas for consideration (it is by no means exhaustive).
- Spikes in complaints after security incidents (especially where data subjects were informed), system outages or contentious product changes (e.g. data starting to be used for AI model training on an opt-out basis).
- Keeping acknowledgements and progress update communications on track alongside DSARs, ombudsman cases and ordinary service complaints queues.

Mixed complaints and forum juggling
- Single complaints that combine a general data protection complaint, a DSAR, a product or service complaint, and for FS, an explicit FOS threat - each with different timelines, disclosure expectations and outcome routes.
- Risk of fragmented handling across privacy, customer relations, legal and HR leading to inconsistent narratives presented to the ICO, FOS and potentially the courts/employment tribunal.

Resource, skills and first line recognition
- Privacy and complaints teams already managing heavy DSAR and breach response workloads may now be expected to absorb a new statutory complaints duty, possibly with limited incremental budget change.
- Branch staff, contact centre agents and relationship managers may struggle to spot when a ‘service gripe’ crosses the line into a general data protection complaint that must go into the DUAA-defined process.
- Under pressure, teams may revert to personal trackers, consumer cloud storage or consumer-grade AI tools to get the job done, creating shadow IT and shadow compliance that sits outside the organisation’s controls and records.

Aggregated regulatory and litigation exposure
- After a security breach, exposure will now include: ICO engagement, general data protection complaints about both substance and process, and (potentially) parallel damages claims driven by claims-management companies.
- Poor handling of the general data protection complaint elements could become part of a narrative about systemic accountability failings.
Could this be the next DSAR wave?
As some readers will remember, DSARs were used extensively during the PPI mis-selling challenges and in litigation contexts, placing intense strain on banks’ processes (Lloyds Bank reported receiving 600,000 to 800,000 weekly PPI queries in the run up to one particular deadline in 2019). General data protection complaints, especially if leveraged by claims management firms or campaign groups, could play a similar role: a relatively low cost low effort way to apply pressure, obtain information and generate regulatory ‘noise’ around institutions or organisations likely to receive high volumes of complaints from the public, or employees (see above).
Perhaps the most significant risk comes from being caught unprepared. This could lead to missed acknowledgements, inconsistent responses, commercial pressure to ‘pay off’ persistent complainants, tactical use of complaints in parallel forums, and even the growth of shadow IT, as staff try to cope using unapproved tools (OpenClaw, anyone?).
There is likely to be no substitute for investing in proportionate processes, updating privacy notices and adopting internal procedures with clear triage steps, maintaining sensible logs and considering some carefully governed automation. Organisations that take this approach can avoid tripping themselves up and could even find that general data protection complaints become a useful early warning system, rather than the next data protection compliance crisis.
This article first appeared in Volume 26, Issue 5 - April / May 2026 of the Journal of Data Protection