All controllers caught by the Data (Use and Access) Act 2025 (DUA Act) need to have a data protection complaints process in place from June 19, 2026.
How to comply
On February 12, 2026, the Information Commissioner's Office (ICO) published updated guidance offering practical advice on how to comply with the requirements of s103 and Schedule 10 of the DUA Act to:
Give people a way of making data protection complaints
The ICO says this could be by providing appropriate contact details, having an online complaints portal or a live chat function—the means don't have to be data protection specific so a general complaints process will work; however, individuals are not required to use a particular option and may use any means to make complaints including by contacting employees or on social media.
You should take into account that you may receive complaints from children, in which case the response should be in plain, clear language they can understand. If you are subject to the ICO Children's Code, you must comply with standard 15 and should:
- provide mechanisms to help children exercise their rights or make complaints
- have mechanisms for children to indicate whether a complaint or request is urgent and why
- actively consider information about urgency and prioritize accordingly
- have procedures in place to allow for swift action where children indicate there is an ongoing safeguarding issue.
Inform people they have the right to complain
You must tell individuals that they have the right to complain both to you and to the ICO at the point at which their information is collected, and on response to a subject access request. The ICO suggests good practice might involve having a written complaints procedure and putting it on websites.
Acknowledge receipt within 30 days
This can be done in different ways, including automatic response, although the ICO suggests it is helpful to match the method of communication unless it's social media, in which case you should ask for an alternative contact method in order to keep the information secure. The 30-day period starts the day after receipt of the complaint, regardless of whether that is on a weekend or bank holiday. If the last date for acknowledgment is a weekend or public holiday, the acknowledgment can be given on the next working day. The ICO recommends making a record of acknowledgment to demonstrate you've met your obligations to respond within the required timeframe. If you can resolve the complaint within the 30-day period, you don't need to acknowledge receipt separately from the outcome of your investigation.
Take appropriate steps to respond including making appropriate enquiries, and keeping people informed, without undue delay
This obligation begins on receipt of the complaint and must be undertaken without an unjustifiable or excessive delay. This will depend on the circumstances, including the complexity and scale of the issue, and any harm the complainant is suffering as a result of the unresolved issue. You must make an appropriate level of enquiries and be able to justify the way you've handled a complaint. You must also keep the complainant updated on progress, giving timeframes and explaining any delays. You should keep records at all stages, but don't retain personal information longer than needed.
Inform people of the outcome of their complaints without undue delay
You can provide information by any means but you should clearly explain what you've done to resolve the complaint and any actions taken. A review process for any contested decisions may be helpful. The ICO also recommends reviewing processes in order to prevent future complaints.
What to do
If you don't already have complaints processes for data protection issues and more broadly, you will need to ensure you put everything in place to comply with the requirements taking effect from June 19 as soon as possible, particularly as the ICO recommends early compliance ahead of the official deadline.
The ICO recommends a number of actions including:
- Write a complaints procedure if you don't already have one. This could be published on your website or sent to people.
- A complaints procedure could include information about how to make complaints, and what to expect from the process. Information could cover the methods for making complaints, any supporting evidence or information you need to investigate the complaint, what proof of ID you accept, and what type of proof or authority you accept if people complain on behalf of others. Your complaints procedure should use plain language and explain any jargon or technical terms.
- If you have any doubts about a complainant's identity, you may need proof of ID before you respond. You should ask for this at the earliest opportunity but should not request more information than you need for this purpose.
- If someone makes a complaint on behalf of someone else (for example, on behalf of a child), you must check they are authorized to act on the other person's behalf.
- Consider whether there are any other applicable legal frameworks when handling complaints, such as equality and discrimination legislation.
- Check your record-keeping system is fit for purpose.
- Train your staff about data protection complaints.
- If you are a joint controller, work out the process with the other joint controller(s).
- If you are required to share personal data in order to investigate a complaint, make sure you take the Data sharing code of practice into account.
- Ensure you cover complaints handling in any data processor agreements. Processors should send any complaints they receive about personal data of which you are the controller to you, and should cooperate in helping you handle and respond to the complaint.
- Keep records of the date you received the complaint, your acknowledgment, relevant conversations or documents, the outcome of the complaint, and any actions you took as a result of your investigation.