
DUA: data protection complaints process explained & how to prepare

Authors: Eleanore Beard, Paddy Fearnon


With the final phase of the Data (Use and Access) Act 2025 (DUA) coming into force on 19 June 2026, organisations should now focus on one of its most immediate and operationally significant changes — the introduction of a formal data protection complaints process.

While this is a compliance requirement, its impact is broader. A well-designed complaints framework can help organisations to identify issues early, reduce regulatory risk and strengthen trust with customers and stakeholders. Conversely, poor complaint handling may increase the likelihood of escalation to the Information Commissioner’s Office (ICO) and expose organisations to scrutiny.

Here, Eleanore Beard and Paddy Fearnon from our data protection team delve into the key changes and explain how businesses should prepare.

 

Key changes under the DUA complaints process

The DUA introduces a statutory right for individuals to raise data protection complaints directly with organisations before approaching the ICO.

This reflects a deliberate shift towards a more controller-led complaints model, with the aim of resolving issues at source and reducing the burden on the regulator. 

 

What is a data protection complaint under the DUA?

A data protection complaint arises where an individual believes that an organisation has infringed data protection law in the way it handles personal data.

Typical examples include concerns relating to:

  • responses to data subject access requests (DSARs)
  • the security of personal data or suspected breaches
  • how personal data is used, retained or shared.  

Importantly, complaints don’t need to be labelled as such. Organisations will need to ensure that staff can recognise complaints in practice, regardless of how they’re communicated.

 

Core compliance requirements

From 19 June 2026, all organisations acting as data controllers must:

  • provide a clear and accessible mechanism for submitting complaints
  • acknowledge receipt within 30 days
  • take appropriate steps to investigate and respond promptly
  • keep individuals informed of progress
  • communicate the outcome without delay.  

There are no exemptions. These requirements apply across all sectors. 

 

How to comply with the DUA

Although many businesses already operate complaints processes, the DUA requires a more structured, transparent and data‑specific approach.

Key actions to take include:

  • Reviewing and updating privacy notices to inform individuals of their right to complain.
  • Ensuring that complaints processes are easy to find and navigate (e.g., via websites or portals).
  • Training staff to identify and escalate data protection complaints.
  • Implementing robust record-keeping, including tracking complaints, responses and outcomes. 

In many cases, existing frameworks can be adapted but organisations should ensure that they fully align with the new statutory requirements.

 

What a compliant process looks like

In practice, a compliant complaints framework may include:

  • Dedicated complaints email address or online form, clearly signposted in privacy materials.
  • Internal workflow that assigns responsibility to a named team or data protection lead.
  • Triage system to distinguish complaints from general queries or service issues.
  • Documented process for investigation, escalation and outcome communication.

This type of structured approach not only supports compliance but also helps ensure consistency and auditability, both of which are likely to be scrutinised if complaints escalate.

 

Enforcement risk & regulatory scrutiny

The new process is expected to become the primary route for resolving complaints, with individuals generally required to engage with organisations before approaching the ICO. 

As a result, organisations’ handling of complaints will be more visible and may directly influence:

  • whether a matter is escalated to the ICO
  • the ICO’s assessment of an organisation’s compliance
  • potential enforcement outcomes.

Poor processes or any failure to engage effectively with complainants may increase regulatory risk, particularly where issues appear systemic or poorly managed.

 

Why early preparation matters

The DUA complaints regime represents more than a procedural update. It reflects a broader shift towards accountability, transparency and early resolution of data protection concerns.

Organisations that take a proactive approach now by reviewing, testing and embedding their complaints processes will be better placed to manage risk, maintain trust and demonstrate compliance.

 

How we can support

With the June deadline fast approaching, many organisations are reviewing their existing arrangements and identifying gaps.

We’re supporting clients with:

  • Reviewing and updating data protection complaints policies and procedures.
  • Aligning complaint-handling with existing DSAR and data governance frameworks.
  • Providing targeted, practical support, including rapid reviews and sense-checks. 

We offer bespoke data protection management and data protection compliance training to help guide your journey to compliance.

Our team includes Data Protection Practitioners and senior commercial solicitors who understand your operating environment and regulatory drivers.

Talk to us by giving us a call on 0333 004 4488, sending us an email at hello@brabners.com or completing our contact form.

Paddy Fearnon

Paddy is a Trainee Solicitor in our commercial and intellectual property team.


Eleanore Beard

Eleanore is a Legal Director and Data Protection Practitioner in our commercial team.
