UK businesses have less than a month to prepare for a significant new compliance obligation under the Data (Use and Access) Act 2025 (DUAA). From 19 June 2026, organisations that process personal data will be legally required to implement procedures for handling data protection complaints directly from individuals.
The new rules are designed to encourage complaints to be resolved internally before escalating to the ICO. They form part of the broader DUAA reforms that have already reshaped areas such as data subject access requests (DSARs), automated decision-making, PECR enforcement, and lawful bases for processing.
As we previously highlighted in our analysis of the DUAA rollout, businesses that assume the reforms represent a softening of UK GDPR obligations risk being caught out by stronger enforcement powers and increased regulatory scrutiny. The incoming complaints-handling requirements are a sign of that.
A new operational burden for businesses?
Under the new framework, organisations must provide individuals with a clear and accessible way to complain about how their personal data has been handled. Complaints may relate to DSAR responses, cybersecurity failures, employee monitoring or concerns about AI-driven decision-making.
The ICO guidance makes clear that organisations cannot rely solely on formal complaint channels. A complaint submitted through social media, customer support, live chat, or directly to an employee must trigger legal obligations under DUAA.
For many businesses, especially smaller ones, this represents a major shift. Informal or fragmented approaches to complaints handling are no longer enough. Companies will need clear internal processes to ensure complaints are recognised, escalated, investigated, and documented properly.
Strict timelines and record-keeping expectations
Once a complaint is received, organisations must acknowledge it within 30 days and investigate the matter immediately. Businesses are also expected to keep complainants informed throughout the process and explain the outcome clearly, including any corrective action taken.
The ICO has placed particular emphasis on record keeping. Organisations should maintain detailed logs showing when complaints were received, how they were investigated, and what decisions were reached. These records could be requested during regulatory investigations.
This means businesses will need formal internal procedures, complaint tracking systems, and staff training across departments including HR, customer service, compliance, marketing, and IT.
Complaints could become an enforcement trigger
The changes are especially important given the ICO’s expanded enforcement powers under DUAA. As we previously noted, the regulator can now compel interviews, require technical reports, and demand access to specific documents during investigations.
Poor complaints handling could become evidence of broader governance failures. Organisations that repeatedly miss deadlines, fail to investigate concerns properly, or cannot demonstrate accountability may face more regulatory scrutiny.
This is especially relevant for businesses using AI systems, automated decision-making tools, extensive employee monitoring, or large-scale marketing and tracking technologies.
Preparing
With the deadline fast approaching, organisations should be reviewing their privacy notices, updating complaints procedures, and training staff on how to recognise and escalate data protection concerns.
For UK businesses, privacy compliance is now a core governance issue that cuts across all departments. Organisations that prepare early will be better placed to manage complaints effectively and reduce escalation risks.



















