The DUAA Deadline That Catches Builders Off Guard: It Is Not About Your Data Practice, It Is About Your Process
Key Takeaways
- By 19 June 2026, every UK data controller must have a documented complaints process under section 164A of the DPA 2018, with no exemptions for size or sector.
- The enforcement risk is procedural: missing the complaints mechanism, not an underlying data breach, is the direct violation the ICO can act on.
- The ICO's free compliance guidance, published February 2026 and updated May 2026, sets out exactly what controllers must, should, and could do to satisfy the requirement.
Section 164A of the Data Protection Act 2018 creates a hard procedural obligation by 19 June 2026, and missing it turns a routine complaint into a direct enforcement trigger.
Most organisations handling UK user data have spent 2025 and early 2026 worrying about the right things: lawful bases, data minimisation, transfer mechanisms. What several of them have not clocked is that the Data (Use and Access) Act 2025 inserted a separate, procedural obligation into UK law, one that has nothing to do with whether your underlying data practices are clean. The requirement is simple to state and surprisingly easy to miss: by 19 June 2026, every data controller subject to UK data protection law must have a documented, operational process for receiving and handling complaints from individuals about how their personal data is used. No exemptions. No grace period for small organisations. No carve-out for platforms that have never received a formal complaint.
What the Law Actually Requires
Section 103 of the Data (Use and Access) Act 2025 inserts new section 164A into the Data Protection Act 2018, according to Hunton Andrews Kurth. That provision requires each controller to implement a mechanism or procedure whereby data subjects can make complaints relating to their personal data. The DUAA itself received Royal Assent on 19 June 2025, making the complaints obligation enforceable exactly one year later, as confirmed by Katten Muchin Rosenman on JDSupra.

The ICO published detailed operational guidance on 12 February 2026, following a public consultation that received more than 85 responses, according to the ICO's own news release. That guidance distinguishes between what controllers must do (the statutory floor), should do (good practice), and could do (a more robust approach). The must tier is where your legal exposure sits. The ICO's guidance specifies the core operational steps: give individuals a clear way to submit a complaint, acknowledge receipt within 30 days, take appropriate steps to respond without undue delay, keep the complainant informed throughout, and communicate the outcome, according to ZwillGen's analysis of the ICO guidance. Those steps have to be documented and demonstrable.

The ICO has signalled a measured approach to enforcement during the transition period, particularly where its own guidance is not yet finalised, according to Mayer Brown. But measured is not the same as absent, and the guidance on complaints handling has been available since February 2026.
Why the Process Gap Is the Real Risk
Here is the counterintuitive part. An organisation can have a genuinely defensible data practice (lawful basis documented, retention schedule in place, subject access requests handled promptly) and still face direct enforcement exposure on 19 June 2026 if it has no formal complaints procedure. The procedural requirement is standalone.

A data subject who believes their data has been mishandled, whether or not they are right, now has a statutory right to lodge that complaint with the controller first, before escalating to the ICO. The intent, as described by Hunton, is to ensure complaints are considered by the controller before reaching the regulator. If there is no procedure in place to receive that complaint, the organisation has failed a discrete legal obligation regardless of what the underlying data practice looks like.

ZwillGen frames this precisely: the change does not require a brand new privacy programme, but it does require organisations to ensure complaints are recognised, routed, acknowledged, investigated, and resolved in a way that can be shown to the ICO if needed. That last clause carries real weight. The ICO can ask to see your process. If you cannot produce one, that absence is itself the violation.

For education platforms and edtech builders specifically, you are almost certainly processing personal data of students, parents, and staff under UK GDPR, which makes you a controller. The no-exemptions language in the ICO guidance, confirmed by both Bratby Law and DLA Piper's Privacy Matters, means platform size, sector, or prior compliance history does not create a safe harbour.
What Builders and Compliance Teams Should Do Now
The practical build here is not complicated, though it requires deliberate effort rather than a checkbox. According to Mayer Brown, organisations still have a window to review data protection practices, update policies and procedures, and prepare for the complaints-handling obligations. Concretely, that means: designating who receives complaints (a named inbox, a form, or a documented channel), setting an internal acknowledgement workflow that meets the 30-day window, documenting the investigation steps, and creating a template for communicating outcomes to complainants. The ICO's guidance, published in February and updated in May 2026, walks through each stage and is publicly available at no cost.

For regulated organisations, Bratby Law flags an additional layer worth auditing: if you are subject to Ofcom or FCA complaints rules, the DUAA obligation overlaps with those existing frameworks, creating a compliance interaction that needs mapping. That is a narrower population, but edtech companies with embedded financial products or regulated communications services should not assume their sector regulator's complaints process automatically satisfies section 164A.

The ICO's Deputy Commissioner for Regulatory Policy noted in May 2026 that smaller organisations are less likely to have existing complaints-handling procedures in place, and specifically urged them to read the guidance and take the straightforward steps needed to comply. That is not a threat; it is a reading list. The guidance exists, the deadline is fixed, and the requirement has no exemptions. For anyone building products that touch UK user data, the question is no longer whether this applies. It is whether your process can survive a regulator asking to see it.
