Preparing for the UK DUA Act’s new complaints handling regime: ICO guidance and practical steps for organisations (UK)

The UK Data (Use and Access) Act 2025 (DUA Act) introduces a statutory requirement for controllers to maintain and operate a formal data protection complaints process, with compliance expected by June 2026. Under the new regime, a complaint is expected to be raised with the organisation first, before it is escalated to the Information Commissioner’s Office (ICO). In parallel, the ICO has launched a consultation on draft guidance, open from 21 August to 19 October 2025, which explains what organisations must, should, and could do to comply.

This article examines (1) the statutory and regulatory framework arising from both the DUA Act and the ICO’s guidance, and (2) practical steps organisations must take to implement their internal complaint-handling processes accordingly.

The new complaints handling framework

The regime imposes two core duties: (a) creating and publicising a complaints process, and (b) operating that process effectively in practice.

(a) Establishing a complaints process

The legal duty derives from Section 103 of the DUA Act, which inserts a new Section 164A into the Data Protection Act 2018. This provision requires all controllers to ‘maintain and operate a complaints process’ that individuals can use to raise data protection concerns directly with the organisation. The process must be transparent, accessible, and publicised in a way that data subjects are reasonably able to find and use.

The ICO’s draft guidance expands on these requirements and stresses that organisations must:

  • Make the complaints process easy to locate (e.g. linked prominently from privacy notices and websites);
  • Explain clearly how complaints will be handled, including timeframes;
  • Ensure the process is available to all individuals, not only customers or employees; and
  • Facilitate the making of complaints, including by providing an electronic complaint form and alternative routes (e.g. email and post).

The ICO also states organisations should provide multiple channels (such as online forms, email, or postal options) and could offer dedicated contact points or FAQs to guide complainants. The emphasis is on accessibility and clarity, avoiding unnecessary procedural hurdles.

(b) Operating the complaints process in practice

Once established, the process must be actively managed. The DUA Act requires controllers to acknowledge complaints within 30 days, to take appropriate steps without undue delay (including making enquiries and keeping the complainant informed), and to communicate the outcome without undue delay. While the Act itself does not fix a maximum statutory timeframe, the ICO’s draft guidance proposes that organisations must provide outcomes within three months, unless exceptional circumstances apply.

The ICO guidance further requires organisations to:

  • Record and track complaints, including outcomes and remedial actions;
  • Communicate decisions in plain, accessible language; and
  • Inform individuals of their right to escalate to the ICO if dissatisfied.

The ICO also sets out ‘should’ and ‘could’ expectations: organisations should embed complaints oversight within existing governance structures (e.g. DPO reporting lines), and they could publish anonymised complaint statistics to demonstrate transparency and accountability.

The DUA Act also allows the ICO to decline to act on a complaint where the individual has not first used the organisation’s internal process, unless the ICO considers there are exceptional grounds to intervene directly. This represents a shift in enforcement culture: organisations become the first line of resolution, with regulatory escalation reserved for complaints that the organisation has not resolved.

Practical steps to implement complaint-handling processes

To meet the DUA Act’s new requirements, organisations must not only create a functioning complaints process but also (a) support it with a documented policy and process and (b) embed the policy and process in the organisation’s corporate governance.

(a) Establishing or updating the complaints policy and processes

Organisations must:

  • Adopt a written complaints-handling policy that forms the organisation’s statutory compliance framework. The policy should:
    - Set out the organisation’s approach to receiving, handling and resolving data protection complaints;
    - Define responsibilities, escalation routes and timelines consistent with ICO expectations;
    - Provide an internal governance framework so staff follow consistent procedures and accountability is clear; and
    - Deliver external transparency and accessibility by informing individuals, customers, suppliers and other third parties how to raise a complaint, using plain language and multiple submission routes (e.g. email, web form, postal). This must be reflected in privacy notices, websites, and, where relevant, in contractual terms.
  • Ensure integration with data subject rights handling: The complaints process must dovetail with DSARs and other rights requests to avoid duplication or conflicting timelines.
  • Prepare templates and records: Standard acknowledgement, holding, and outcome letters should be in place, alongside a central log to track complaints, actions taken, and outcomes.
  • Implement the operational processes required by the policy: Once the policy is adopted, organisations must ensure it functions in practice. Processes include complaint submission methods, acknowledgement within 30 days, keeping the complainant informed and providing the outcome without undue delay, internal escalation, and complaint logging.
    - If no policy or process exists: both must be built from scratch, with the policy setting the framework and the processes operationalised accordingly.
    - If a policy or process already exists (for instance a general customer complaints policy): conduct a gap analysis against the DUA Act and the ICO guidance, then decide how the data protection complaints process should be integrated into, or adapted from, the organisation’s existing customer complaints procedures.
  • Mapping and integrating with existing complaints processes: Most consumer-facing businesses already operate complaints-handling frameworks for customer service or sectoral regulation. These should be reviewed and mapped against the DUA Act requirements to determine whether to adapt the existing structure or create a parallel channel dedicated to data protection issues. Integration will usually be preferable, provided that data protection complaints are clearly signposted and routed to the appropriate function. Privacy notices, DSAR policies and complaints documentation should be aligned to avoid inconsistent messaging. This approach minimises duplication while ensuring that data protection complaints receive appropriate legal attention.

(b) Embedding governance, training and oversight

Organisations should:

  • Assign responsibility: Designate the DPO, privacy lead or compliance team as owner of the process, with authority to escalate systemic risks.
  • Deliver staff training: Train staff likely to receive complaints (customer-facing, HR, IT, operations) to identify and escalate them.
  • Maintain record-keeping and monitoring: Keep auditable logs, track compliance with statutory and guidance timelines (acknowledgement within 30 days; outcome provided without undue delay), and review the log periodically for systemic issues.
  • Enhance governance and reporting: Provide regular reports on complaints volumes and outcomes to senior management or audit committees.
  • Test and validate: Run simulations or ‘mystery complaints’ before June 2026 to verify that the process and policy function effectively in practice.

The duty to operate a data protection complaints process is now enacted in the DUA Act, with commencement expected in late 2025 and compliance required by June 2026. The ICO’s draft guidance gives a clear steer, but notable gaps remain: in particular, it says little about how processors should handle complaints that are misdirected to them rather than to the controller. Organisations should use the lead-in period to update policies, align existing frameworks, and prepare governance so they are ready once the regime comes fully into force.