Pillar guide · Last updated June 2026
DUAA data protection complaints procedure
From 19 June 2026, every UK data controller must operate a formal process for individuals to raise data protection complaints directly — before escalating to the ICO. This guide explains what the law requires and how to implement it.
What changed under the DUAA?
Section 103 of the Data (Use and Access) Act 2025 inserts section 164A into the Data Protection Act 2018. For the first time, controllers have a statutory duty to facilitate complaints about infringements of UK GDPR or Part 3 of the DPA 2018.
Previously, individuals could complain directly to the ICO. The DUAA creates a controller-first route: organisations get the opportunity to resolve issues before regulatory escalation.
The four core requirements
- Accessible channel — Provide at least one way to submit complaints electronically (e.g. web form or email). Accept complaints through whichever channel staff receive them.
- 30-day acknowledgement — Acknowledge receipt within 30 calendar days. The period starts the day after receipt (including weekends and bank holidays).
- Investigate without undue delay — Begin enquiries immediately, not after the acknowledgement window. Keep the complainant informed of progress.
- Communicate the outcome — Tell the complainant the outcome without undue delay, including their right to complain to the ICO if dissatisfied.
30-day acknowledgement: how the clock works
The ICO provides a worked example: if you receive a complaint on Thursday 5 June, the 30 days begin on Friday 6 June. If the final day falls on a weekend or bank holiday, you have until the end of the next working day.
Investigation should start as soon as the complaint is received — the ICO expects enquiries to begin immediately, not after acknowledgement is sent.
Records you should keep
- Date the complaint was received
- Acknowledgement and when it was sent
- Correspondence with the complainant
- Investigation steps taken
- Final outcome and any remedial actions
The ICO may request these records if a complaint is escalated or during regulatory review.
Privacy notices and signposting
You must tell people they can complain to you (as well as to the ICO) in your privacy notice and when responding to subject access requests. Use clear, plain language.
How ComplaintsDesk maps to each requirement
- Intake — Branded public form + manual case creation for other channels
- Acknowledgement — Auto emails + 30-day countdown with alerts
- Investigation — Status workflow, notes, attachments, assignee
- Outcome — Editable outcome letter templates with send log
- Records — Immutable audit trail + ICO export (PDF/CSV)
- Privacy notice — Snippet generator for your existing policy
DUAA complaints FAQ
When did the DUAA complaints obligation take effect?
The data protection complaints handling requirements under the Data (Use and Access) Act 2025 took effect on 19 June 2026.
Do small businesses need a complaints procedure?
Yes. Every UK data controller must have a process for handling data protection complaints. There is no exemption based on size or sector.
What counts as acknowledgement?
You must confirm you received the complaint and that you will look into it. An auto-confirmation email sent promptly can count if it meets that requirement.
Can complaints arrive by phone or social media?
Yes. Individuals can complain through any channel. You must accept the complaint and log it in your process, even if they do not use your web form.
How does ComplaintsDesk help?
ComplaintsDesk provides intake forms, 30-day acknowledgement tracking, investigation workflows, letter templates, and ICO-ready audit exports mapped to DUAA requirements.