New data protection complaints procedure requirements
09 April 2026
From 1 June 2026, under the UK’s Data (Use and Access) Act 2025 (DUAA), organisations will be legally required to have a publicly accessible process for handling data protection complaints made by data subjects.
The change gives individuals a straightforward way to raise concerns if they believe their personal data has been mishandled; for example, a suspected data breach, inappropriate use or retention of their data, or worries about automated decision‑making and AI.
Organisations should also have internal procedures for managing those complaints.
What the complaints process must include
Under the DUAA, your external process and internal procedure must:
give people a way of making data protection complaints to you – examples include an online form or complaints portal,
provide data subjects with information about how the complaint will be handled.
clearly explain what information an individual needs to provide, such as proof of identity;
acknowledge the complaint within 30 days;
provide a response or request further information without undue delay;
keep the individual regularly informed about the progress of the investigation; and
issue a final outcome promptly.
The law allows individuals to raise complaints in many different ways, including informal ones. They are not obliged to use any form or portal that you provide. This means organisations should be alert to comments, messages, or interactions that might represent a complaint – even if the individual doesn’t label it as such.
Why this matters: mandatory first step before ICO involvement
Importantly, your organisation’s complaints process becomes the first mandatory step before an individual can escalate a concern to the Information Commissioner’s Office (ICO) about potential breaches of the UK GDPR, the Data Protection Act 2018, or the Privacy and Electronic Communications Regulations 2003. This puts additional weight on organisations to ensure their processes are robust, transparent and capable of resolving issues early.
Once a complaint has been acknowledged (and clarified where needed), the organisation must investigate the matter without undue delay, maintain open communication with the individual, and provide a clear and timely outcome.
The outcome should outline:
how the investigation was carried out,
what information was considered,
the conclusion reached, and
the reasoning behind it.
If the individual is still unhappy and approaches the ICO, your handling of the matter – including the clarity and fairness of your investigation – may be scrutinised.
Who must comply?
The DUAA requirements apply to all UK data controllers and non‑UK organisations if they fall under the UK GDPR, such as those offering goods or services to, or monitoring the behaviour of, individuals in the UK.
What should organisations do now?
To prepare for these obligations coming into force, organisations should consider taking the following steps:
Create or update your data protection complaints process and internal procedures
Ensure they meet all legal requirements and public-facing information is easy for people to find and use. Consider placing it prominently on your website and linking it through your privacy notices.
Strengthen your investigation processes
Your approach must withstand scrutiny if an individual later asks the ICO to review your handling of the complaint.
Assign responsibility
Identify a person or team to oversee complaints handling and ensure the process is followed consistently.
Train your staff
Make sure personnel can recognise a data protection complaint and know what to do if they receive one. You should include information about complaint handling in any internal data protection training you give your staff.
Review and update contracts with third parties
Ensure that agreements with third-party controllers and processors provide you with appropriate protection in relation to notification and assisting in the handling of complaints.
Keep thorough records
Maintain a log of:
all complaints received
how each was handled
the outcome reached.
These records help ensure consistent decision‑making and may be requested by the ICO.
How we can help
Whether you are a UK or overseas organisation processing the personal data of UK citizens, our experts can assist with all of the above, including:
supporting you in complying with the new complaints process requirements.
advising you in relation to any complaints that you might receive from data subjects;
assisting you if you are investigated by the Information Commissioners Office;
helping you to develop, update or audit your existing privacy and data protection framework and support you in compliance with legislation;
draft or review contracts with third party processors or controllers.
Willans Data Protection Servicesprovides organisations operating on a multi-national basis with UK and Article 27 Representative solutions, Data Protection Officer services and GDPR training solutions.
Disclaimer: All legal information is correct at the time of publication but please be aware that laws may change over time. This article contains general legal information but should not be relied upon as legal advice. Please seek professional legal advice about your specific situation - contact us; we’d be delighted to help.
It is nearly seven years since the General Data Protection Regulation (GDPR) came into force. However, it is as important as ever that data protection compliance doesn’t fall off the…
On 24 May, the ICO published its updated guidance for businesses and employers on responding to data subject access requests (commonly referred to as ‘SARs’ or ‘DSARs’). Based on the…
Less paperwork for organisations, fewer data collection pop-ups for the wider public, and more than £4 billion saved over next 10 years – these are just a few outcomes that…
By clicking Accept you are agreeing to the use of all cookies which will allow us to provide you with the most relevant experience when visiting or re-visiting this website. This means that your personal preferences will be remembered when you use this website. You can change your consent or choose specific settings by clicking "Cookie Settings". By clicking "Reject All" we will not use any non-essential cookies. Essential cookies will still be used for the website to function properly. Please see our cookie policy and privacy notice for more information about how we process your personal data.
Our website uses cookies to improve your experience while you navigate through our website. Out of these cookies, the cookies that are categorised as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyse and understand how you use our website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies but it may affect your browsing experience on our website. You can find our cookie policy here.
Necessary cookies are absolutely essential for our website to function and enable core functionality such as security and accessibility. These cookies do not store any personal information. You can block these cookies by changing your browser settings, but this may affect how the website functions.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Cookie
Duration
Description
__cf_bm
30 minutes
This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
mgref
1 year
This cookie is set by Eventbrite to deliver content tailored to the end user's interests and improve content creation. It is also used for event-booking purposes.
yt-player-headers-readable
never
The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-installed
session
The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices
never
YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id
never
YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period
session
The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app
session
The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name
session
The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY
never
The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Cookie
Duration
Description
_ga
2 years
The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat
1 minute
This cookie is installed by Google Universal Analytics to restrain request rate and thus limit the collection of data on high traffic sites.
_gid
1 day
Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_s
1 year
This cookie is associated with Shopify's analytics suite.
G
1 year
Cookie used to facilitate the translation into the preferred language of the visitor.
vuid
2 years
Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Cookie
Duration
Description
VISITOR_INFO1_LIVE
6 months
YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA
6 months
YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC
session
Youtube sets this cookie to track the views of embedded videos on Youtube pages.
View profile
View profile
