
Data Protection Complaints Handling: The New Legal Duty Is Now Live

In line with our promise to keep our network abreast of the UK Data (Use and Access) Act as it comes into full force, we're providing an overview of the most recent changes and how they could affect you and your UK public sector organisation.

What's Changed

The Data (Use and Access) Act 2025 (DUAA) has been commencing in stages since Royal Assent, and 19 June 2026 marked the 12-month commencement milestone that brought the outstanding provisions into force. Among them is a formal legal duty on complaints handling that applies to every organisation that processes personal data.

The new requirements are straightforward, but non-negotiable:

  • Provide a clear, accessible route for individuals to raise a data protection complaint
  • Acknowledge the complaint within 30 days of receiving it
  • Investigate it appropriately and without undue delay
  • Communicate the outcome to the complainant

This isn't guidance or best practice. It's law. And the ICO has made plain it will use its new enforcement powers where necessary for serious cases.

Importantly, this applies to public sector organisations just as much as private ones. Any body that processes personal data — NHS trusts, local authorities, central government departments, regulators — is in scope. Public bodies often have sector-specific complaints frameworks already, but these don't substitute for the data protection complaints duty. Both must be satisfied.

The Awareness Gap Is Striking

Here's the number that should concern every DPO and compliance lead: ICO research published alongside the announcement found that more than two in three businesses aware of the DUAA either don't know or incorrectly believe the complaints provisions don't apply to them.

That's a significant exposure. Especially given that the ICO's new powers under the DUAA include the ability to compel witnesses to attend interviews, to require reports from approved persons, and, for PECR breaches, to levy fines at the UK GDPR level of up to £17.5 million or 4% of global annual turnover, whichever is higher. For public authorities, which have no turnover, the effective ceiling is £17.5 million. In practice the ICO has tended to issue reprimands to public bodies before fining them, but that is a policy choice rather than a statutory exemption, and enforcement activity is increasing.

The regulator's tone is supportive for now: "Our role is to support you; provide clarity and help you build complaints handling into your day-to-day operations," said Emily Keaney, Deputy Commissioner for Regulatory Policy. But that support exists alongside a clear signal that the ICO can, and will, act on serious cases.

What Good Practice Looks Like

The ICO has published practical guidance covering the complaint scenarios organisations most commonly encounter: subject access requests (SARs), inaccuracies in personal data, and marketing preferences. It's worth a thorough read, not just a skim.

In operational terms, most organisations will need to audit three things:

1. Discoverability. Can an individual actually find out how to complain? Is it buried in a privacy notice, or is it genuinely accessible?

2. Triage and acknowledgement. Is there a process that reliably captures complaints, whichever channel they arrive through, and triggers an acknowledgement within 30 days of receipt? Manual inboxes monitored intermittently won't cut it, and a complaint that arrives via a sector-specific complaints route still needs to be recognised as a data protection complaint and logged as such.

3. Escalation and outcome communication. Do complaints get investigated with appropriate rigour — and does the complainant receive a meaningful response, not just a holding reply?

The ICO's view is that organisations handling complaints promptly and fairly are less likely to see issues escalate to the regulator. That's not just a compliance argument — it's a practical one.

The Bigger Picture

The complaints duty is one piece of a broader DUAA implementation that has been rolling out over the past year. The ICO has completed 13 high-priority guidance areas following 11 consultations generating over 300 responses. More guidance is coming through the summer, including a new statutory code of practice on AI and automated decision-making.

For data professionals, the immediate priority is clear: check your complaints process against the new requirements, plug any gaps, and document that you've done so. The ICO's guidance is detailed and practically grounded — use it.

The regulatory environment is maturing quickly. Organisations that treat complaints handling as a compliance checkbox will find themselves at greater risk than those that build it into the fabric of how they manage personal data.