From 19 June 2026, all organisations acting as data controllers are required to have in place an effective process to enable individuals to raise complaints about how their personal data is handled. Ashleigh Dibb looks at what this will mean in practice.
The Data (Use and Access) Act 2025 (DUAA) introduces an important obligation for organisations handling personal data. Organisations will be required to ensure that individuals can easily raise concerns, and that those concerns are properly acknowledged and addressed within appropriate timeframes.
Organisations with existing complaints procedures should not assume these will be sufficient. A thorough review of any existing policies will be necessary to ensure current processes meet the standards set by the DUAA.
Where no suitable procedures currently exists, organisations will need to create and implement a compliant procedure well in advance of the June 2026 deadline.
Documentation and transparency
While the DUAA does not expressly mandate a standalone written complaints policy, in practice organisations will be expected to document their procedures. This reflects the broader accountability principle under UK data protection law and will be important in demonstrating compliance.
Organisations should also consider:
- updating privacy notices to clearly inform individuals of their right to complain and how to do so;
- ensuring internal policies accurately reflect the complaints handling process; and
- maintaining appropriate records of complaints received and how they have been managed.
Contracts with third parties
Where processing activities are outsourced to third party service providers, contractual arrangements with these sub processors should be reviewed to ensure they adequately address complaints handling. In particular, agreements should:
- require processors to promptly notify the controller of any data protection complaint they receive; and
- oblige processors to provide reasonable assistance in investigating and resolving complaints.
This is essential to ensure controllers remain able to meet their legal obligations, even where processing is carried out on their behalf.
Staff training and awareness
The effectiveness of any complaints process will depend on staff understanding their responsibilities. It is therefore imperative that organisations:
- clearly identify who is responsible for handling data protection complaints;
- ensure all staff can recognise a data protection complaint, even where it is not expressly labelled as such; and
- provide clear internal guidance on escalation procedures.
Training on complaints handling should form part of wider data protection training programmes and be reviewed regularly.
Ashleigh Dibb is a solicitor in the Commercial team at Forbes Solicitors
