On 19 June 2026, new statutory requirements under the Data (Use and Access) Act 2025 (DUAA) come into force, requiring all UK data controllers to establish formal procedures for handling data protection complaints. The obligation is introduced by Section 103 of the DUAA, which inserts a new Section 164A into the Data Protection Act 2018 - creating, for the first time, a statutory duty to operate a complaints process and a corresponding right for individuals to complain directly to controllers.

The requirements are specific. Controllers must acknowledge complaints within 30 days of receipt, take appropriate steps to investigate and respond without undue delay, and keep data subjects informed of the progress and outcome of their complaint. Complaints must be accepted regardless of how they are submitted - including via social media, email, letter, or in person. Controllers must also ensure that individuals are informed of their right to complain in privacy notices and when responding to requests to exercise data protection rights.

The most structurally significant change is the introduction of a mandatory pre-escalation step. Under the new regime, data subjects must first raise their complaint with the controller before escalating it to the Information Commissioner's Office (ICO). This represents a shift from the current position, where individuals can complain to the ICO directly without first approaching the organisation concerned. The ICO published guidance on 12 February 2026 - entitled "How to deal with data protection complaints" - setting out its expectations for how controllers should implement the new requirements.

For organisations operating in the UK, the deadline is not optional and the obligations are not discretionary. Failure to maintain a compliant complaints procedure could itself constitute a breach of UK data protection law, independent of any underlying data protection failure that prompted the complaint.

Acompli perspective: The 19 June deadline is days away. Organisations that have not yet implemented a formal complaints process need to act immediately. The requirements are procedural but substantive - and they will shape how the ICO assesses controller accountability going forward. The immediate priorities are ensuring that your records of processing reflect the complaints procedure, that your privacy notices reference the right to complain, and that your risk management framework includes a complaints-handling workflow.