The DUAA Complaints Framework Is Now Enforceable: Every UK Data Controller Needs an Internal Front Door
Key Takeaways
- Every UK GDPR controller, with no size exemptions, must have a formal internal complaints process in place; individuals must use it before escalating to the ICO, with a typical 45-day response window.
- During a cyber incident, inbound contacts from affected individuals can constitute regulated complaints under the DUAA, so incident response runbooks now need an explicit complaints-handling branch.
- Privacy notices must be updated to reflect the new complaint right, and staff who handle inbound communications need training to distinguish regulated complaints from routine data queries.
Since 19 June 2026, all UK GDPR controllers must handle data complaints internally before individuals can escalate to the ICO. No exemptions, no size threshold.
A data subject fires off an email at 11 p.m. saying your company used their personal data without proper basis. Under the old regime, they could take that complaint straight to the Information Commissioner's Office the next morning. From 19 June 2026, they cannot. The Data (Use and Access) Act 2025 now requires individuals to bring the complaint to you first, and it requires you to have a formal, documented process ready to receive it.
What the Law Actually Changed
The DUAA received Royal Assent on 19 June 2025, according to Mayer Brown. It amends, but does not replace, the UK GDPR and the Data Protection Act 2018. Most of the Act's data protection provisions came into force on 5 February 2026 under the Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026, as noted by both Clifford Chance and DLA Piper's Privacy Matters blog. The complaints-handling obligation was held back for a separate commencement date: 19 June 2026, exactly one year after Royal Assent.

The core mechanism is a mandatory pre-complaint engagement requirement. According to Mintz, before an individual can lodge a complaint with the ICO, they must first raise the concern directly with the relevant data controller and allow a reasonable period for the controller to respond. The ICO has indicated that this period will typically be 45 days, though Mintz notes it may vary depending on the complexity of the matter.

The practical effect is a first-instance triage layer sitting between the individual and the regulator, designed, as Mintz explains, to encourage early resolution and allow the ICO to focus its resources on more serious matters.
Who Is Covered and What They Must Build
DLA Piper's Privacy Matters blog is precise on scope: the DUAA introduces a formal complaints process requirement for all controllers, with no exceptions. That phrase matters in practice. Small charities, solo-founder startups, mid-sized employers, and global platforms all sit in the same category under this obligation. Squire Patton Boggs, writing on Employment Law Worldview, frames it as a new statutory right for employees to complain to controllers about UK GDPR infringements, which means the employment relationship alone can generate in-scope complaints entirely independent of any customer-facing data processing.

Sidley's Data Matters blog offers a useful clarification on what actually triggers the process: not every communication from a data subject qualifies as a regulated complaint. Organisations need to distinguish routine queries and subject access requests from expressions of dissatisfaction about how personal data has been handled. Getting that distinction right keeps your process proportionate and avoids treating every inbound message as a formal compliance event. Sidley also notes that the DUAA requirement is supported by recent ICO guidance on how to prepare for and handle data protection complaints, which provides a practical reference point for building out internal procedures.

On the documentation side, Mayer Brown advises that organisations should review their data protection practices, update policies and procedures, and treat DUAA compliance as an ongoing priority throughout 2026. Privacy notices also need updating: Squire Patton Boggs confirms that organisations subject to the UK GDPR must reflect the new complaint-handling rights in their published notices from 19 June 2026.
Why This Hits Hardest During a Cyber Incident
The compliance layer described above operates in steady-state conditions. Now consider what happens when an organisation suffers a data breach. The ICO notification clock is already running. Affected individuals begin contacting the organisation. Some of those contacts will constitute formal complaints under the DUAA framework, not just worried enquiries. Without a documented internal complaints process in place, the organisation is simultaneously managing incident response, a regulatory notification, and an undefined volume of complaint obligations it has no procedure to handle.

Mayer Brown notes that the ICO has signalled a measured approach to enforcement during this transition period, particularly where guidance is not yet finalised. That is worth reading carefully: measured does not mean absent. The same briefing makes clear that compliance should be treated as an ongoing priority, not deferred until an enforcement notice arrives.

For security-adjacent teams, the practical implication is that incident response runbooks now need a complaints-handling branch: who receives formal data complaints during an incident, what the acknowledgement and response timeline is, and how those complaints interact with the ICO notification process running in parallel.
What Organisations Should Do Now
The obligation is already in force. The question is whether your internal process is documented, communicated, and tested. Based on the guidance surveyed across Mayer Brown, Mintz, Sidley, and Squire Patton Boggs, the practical checklist runs as follows.

- Establish a defined channel for receiving data protection complaints, separate from general customer service queues.
- Document a response procedure that acknowledges the 45-day indicative window the ICO has set out and identifies who within the organisation owns each stage.
- Update privacy notices to reflect the new complaint right.
- Train anyone who handles inbound communications to recognise when a message crosses from routine query into regulated complaint territory.

The ICO's published guidance on handling data protection complaints is the primary reference for calibrating that process. Organisations that already have mature subject access request workflows have a structural head start: the underlying data-mapping and response-ownership infrastructure is transferable. Those that do not should treat June 2026 not as a deadline already missed but as the point at which building the process became non-optional. The ICO's measured enforcement posture creates a short window of practical tolerance; it does not create permanent cover.