Organisations across the UK are being reminded that a significant new data protection requirement came into force on 19 June 2026. As a result of the Data (Use and Access) Act 2025 (DUAA), organisations acting as data controllers must have a clear and effective process in place for handling data protection complaints.
The requirement applies broadly, with no general exemptions based on organisation size or sector. As a result, even smaller organisations that process personal data should ensure they have an appropriate process in place.
Howes Percival provided a summary of some of the changes introduced by the DUAA, back in June 2025 which can be viewed here. We wanted to remind you that the new data protection complaints-handling obligations came into effect on 19 June 2026. The new law means organisations must:
1. Give people a clear way to raise a data protection complaint
- By way of examples, this can be through complaint form, email address, telephone number, portal or live chat.
- However you receive a complaint, you must accept it.
- If you have a social media account, people can make a complaint through there.
2. Acknowledge it within 30 days of receipt;
- Depending on how you received the complaint, you can acknowledge the complaint in different ways (i.e. if you received the complaint by post, you could send an acknowledgment letter whereas if you received it verbally, you could acknowledge this verbally).
- Keep a record of your acknowledgement to show you’ve met your obligations within the 30-day timeframe.
- The 30 days start the next business day after you receive the complaint.
3. Without undue delay, take appropriate steps to investigate and keep people informed; and
- Gather as much information as you need.
- Consider all circumstances of the complaint, for example by considering the complexity and scale of the issue, and any harm the complainant has suffered.
- In practice, it’s likely that you’ll keep the complainant up to date with timeframes and will explain any anticipated delays in your initial acknowledgment. However, you are obliged to keep them updated.
4. Tell the complainant of the outcome.
- Explain what you’ve done to resolve their complaint, and where appropriate, any actions you’ve taken as a result.
- Explain that they have a right to complain to the ICO and provide their contact details as good practice.
Charmaine Adebare comments:
The Data (Use and Access) Act 2025 means employees (and other individuals) can now raise data protection complaints directly with their employer. Therefore, employers must have effective systems in place for receiving, investigating and resolving these complaints.
With the compliance date having now passed, businesses, charities, public bodies and other organisations should review their existing data complaints arrangements now (if any) to ensure they meet the new legal standards and if a process is not currently in place should ensure this is implemented as soon as possible.
For any advice or guidance on ensuring compliance with the new legislation, please contact our Commercial, Technology and IP team. If you need help with drafting or updating any other policies and procedures, please contact a member of the Employment team.
The information on this site about legal matters is provided as a general guide only. Although we try to ensure that all of the information on this site is accurate and up to date, this cannot be guaranteed. The information on this site should not be relied upon or construed as constituting legal advice and Howes Percival LLP disclaims liability in relation to its use. You should seek appropriate legal advice before taking or refraining from taking any action.
