UK Data Protection Complaints: A Small Process Change With Big Operational Consequences

Published: Jun. 12, 2026

Updated: Jun. 11, 2026

From 19 June 2026, organizations, including U.S. companies, will need to comply with the new formal process for handling data protection complaints where they act as controllers under UK data protection law.

This is one of the more practical changes introduced by the UK Data (Use and Access) Act 2025 (“DUAA”), and it is easy to underestimate. It does not require a brand new privacy program. But it does require organizations to make sure complaints are recognized, routed, acknowledged, investigated, and resolved in a way that can be shown to the Information Commissioner’s Office (“ICO”) if needed.

The UK government describes the change simply: the DUAA requires organizations to handle complaints from individuals concerned that the way their information is used breaches data protection law, including by providing a way to complain and informing the individual of the outcome. The ICO’s guidance adds the operational detail: organizations must give people a way to make data protection complaints, acknowledge receipt within 30 days, take appropriate steps to respond without undue delay, keep people informed, and tell them the outcome without undue delay.

What Counts as a Data Protection Complaint?

A data protection complaint does not need to sound like one. The complainant does not need to cite the UK GDPR, identify a statutory provision, or use legal language. If someone says, in substance, that the organization mishandled their personal information, that may be enough.

That means complaints may show up as concerns about:

  • a Data Subject Access Request or other rights request;
  • a data breach or security issue;
  • collection, use, retention, accuracy, or storage of personal information; or
  • broader concerns about compliance with data protection law.

The tricky part is that data protection complaints often travel in disguise. A customer service complaint, HR grievance, account dispute, or deletion request may include a data protection complaint buried inside it. The ICO says that if an organization is unsure whether someone is making a data protection complaint, it should ask for clarification.

The Process Cannot Live Only in the Privacy Inbox

Organizations can invite people (for example, in the “Contact Us” section of a Privacy Policy) to use a preferred complaints route, such as a form, portal, email address, phone line, or other designated channel. But they cannot require individuals to use that route. The ICO is clear that people may complain “in any way they choose,” including by contacting employees or other parts of the organization, and the organization must accept the complaint however it is received.

That single point has most of the operational bite of the new requirements, as it requires teams beyond Legal or Privacy – such as customer support, HR, trust and safety, sales, community, social media, and other front-line teams – to have a complaints workflow and accompanying training. These teams must know when to escalate something that looks like a data protection complaint.

Social media deserves special attention. The ICO says organizations should consider how they will handle complaints received through social channels, while recognizing that social media is generally not a secure way to exchange personal information.

The 30-Day Clock Is Only the Beginning

Organizations must acknowledge receipt of a complaint within 30 days. The clock starts on the day after the complaint is received, including where that day falls on a weekend or public holiday. If the final day falls on a weekend or public holiday, the organization has until the next working day to acknowledge.

But this is not a 30-day waiting period. The ICO says the obligation to investigate begins when the complaint is received, not after the acknowledgement is sent. Organizations must investigate the complaint without undue delay, taking into account the complexity, scale, and impact of the complaint.

In practice, the acknowledgement should not become the main event. The process should move quickly to triage, ownership, investigation, updates, and outcome.

Privacy Notices Need an Update

Organizations must tell people they can complain directly to the organization, as well as to the ICO. The ICO says this should be done when personal information is collected, such as in a privacy notice, and when responding to a subject access request.

That likely means updating:

  • external privacy notices;
  • employee and applicant privacy notices;
  • data subject rights response templates; and
  • help center or support language, where relevant.

The notices should state that individuals may raise data protection complaints with the organization, explain how to do so, and describe what to expect from the process. They should also specifically refer to the right of individuals whose personal data is handled under UK data protection law to complain to the ICO (instead of a generic description of the right to complain to a supervisory authority).

Standalone Policy? Not Necessarily.

The ICO does not require a separate, standalone data protection complaints process. Organizations may adapt existing complaints processes, privacy rights procedures, or governance frameworks, as long as the data protection requirements are met.

That is good news for organizations with mature DSAR or privacy operations workflows. But simply re-labelling a DSAR process will not be enough if the process does not cover the complaints-specific requirements of the DUAA from first receipt to final outcome: intake through any channel, 30-day acknowledgement, investigation without undue delay, progress updates, outcome letters, escalation paths, and records of each complaint.

Processors and Joint Controllers Should Not Ignore This

The new statutory complaint-handling obligations apply directly only to controllers, but the new requirements affect processors as well. The ICO says controllers should have an agreement in place with their processors covering how complaints will be handled. Processors should be contractually obligated to pass complaints to the controller, help the controller investigate, and provide, on the controller's request, the information needed to handle the complaint.

This is especially important for SaaS, cloud, HR tech, adtech, analytics, and other service-provider models where a complaint may land with the processor even though the customer is the controller. Contracts and playbooks should account for that handoff.

Processor and joint-controller arrangements may need to be reviewed to ensure they support complaint escalation and collaborative investigation.

Records, Records, Records

The ICO expects organizations to keep records of when complaints are received, acknowledgements sent, relevant conversations and documents, outcomes, and actions taken as a result of the investigation. There is no prescribed retention period, so organizations should define one in their internal retention schedule, bearing in mind that these records are likely to be requested if the ICO later investigates a complaint. Complaint logs can also help identify recurring issues, broken workflows, problematic disclosures, product friction, or training gaps, and so should be reviewed regularly even absent a regulatory investigation.

Bottom Line and Practical Steps

The DUAA complaints change is the kind of operational requirement that can create friction quickly if organizations wait until the first complaint arrives.

Organizations should consider:

  • updating privacy notices and rights response templates to explain how individuals can complain;
  • mapping all likely intake channels, not just privacy inboxes;
  • training front-line teams to recognize and escalate data protection complaints;
  • building a 30-day acknowledgement control;
  • documenting investigation steps, updates, outcomes, and remediation;
  • checking whether existing DSAR or complaints workflows can be adapted;
  • reviewing processor, customer, and joint-controller arrangements; and
  • preparing short acknowledgement and outcome templates.

These measures, taken together, will help organizations to spot a complaint, route it to the right team, respond on time, investigate proportionately, explain the outcome, and prove what happened.