A important change to UK knowledge safety legislation is now simply weeks away. From 19 June 2026, each organisation that processes private knowledge shall be legally required to have a proper course of for dealing with knowledge safety complaints underneath the Knowledge (Use and Entry) Act 2025 (DUAA).
Whereas a lot of the dialogue round DUAA has centered on wider reforms to UK knowledge safety legislation, this new complaints-handling requirement is without doubt one of the most quick and operationally important obligations going through organisations.
For the primary time, people may have a statutory proper to boost knowledge safety complaints straight with organisations, and companies shall be legally required to research, handle and reply to these complaints by a documented inner course of earlier than issues are escalated to the Data Commissioner’s Workplace (ICO).
The countdown is now on.
A basic shift
Traditionally, individuals dissatisfied with how an organisation dealt with their private knowledge may complain on to the ICO. Whereas many organisations already had inner processes for coping with privateness issues, there was no express authorized requirement to keep up a devoted knowledge safety complaints framework.
That adjustments quickly.
DUAA creates a proper proper for individuals to complain on to organisations about alleged infringements of UK GDPR. Beneath the brand new regime, organisations should present a transparent and accessible route for individuals to submit complaints, acknowledge complaints inside 30 days, examine issues with out undue delay, hold complainants knowledgeable all through the method and talk outcomes promptly.
Importantly, the ICO expects individuals to boost issues with organisations first earlier than escalating issues to the regulator. This implies organisations will more and more grow to be the first line of decision for privateness disputes.
Why companies ought to care
For a lot of companies, the brand new legislation represents greater than a easy administrative change.
Knowledge safety complaints can come up from nearly any facet of non-public knowledge processing, together with knowledge breaches, topic entry requests, advertising and marketing practices, retention intervals, and profiling actions.
The ICO has made it clear that organisations can not depend on casual approaches. Complaints dealing with should grow to be a structured and clear course of able to withstanding regulatory scrutiny.
Many companies have already got customer support grievance procedures, however these will not be ample to fulfill the brand new authorized normal. Workers should be capable of distinguish between a basic buyer grievance and a knowledge safety grievance,particularly as individuals are not required to make use of particular wording or submit complaints by designated channels.
A grievance could arrive by customer support, HR, social media, e mail, and even face-to-face interactions. If workers fail to recognise and escalate a grievance appropriately, the organisation may miss statutory deadlines.
The adjustments additionally place an emphasis on organisational accountability. Companies might want to reveal not solely that complaints had been resolved, but additionally that they had been acknowledged, investigated and communicated correctly all through the method.
Why legislation corporations must be paying explicit consideration
The brand new necessities create each compliance challenges and business alternatives for legislation corporations. As a result of they course of massive volumes of delicate consumer, worker and third-party info, legislation corporations should guarantee they comply with the brand new obligations. Complaints referring to consumer confidentiality, topic entry requests, retention intervals, or cyber incidents may all fall inside scope.
Many corporations already function complaints procedures for skilled conduct and consumer service points. However these processes could not adequately tackle the precise necessities of DUAA. Corporations ought to overview whether or not knowledge safety complaints are clearly identifiable inside current frameworks and whether or not statutory timelines could be met persistently.
There may be additionally a rising advisory alternative. Companies throughout all sectors would require help in understanding and implementing these adjustments. Legislation corporations advising on knowledge safety, employment, regulatory compliance, governance and business contracts could possibly be partaking with purchasers now.
Specifically, purchasers might have help reviewing privateness notices, updating grievance procedures, revising knowledge processing agreements, coaching workers and establishing governance frameworks able to assembly the brand new authorized normal.
What companies ought to do now
With the implementation date approaching, organisations must be conducting quick readiness assessments.
The primary precedence is making certain there’s a clear and accessible mechanism for individuals to submit knowledge safety complaints. Whether or not by on-line kinds, devoted e mail addresses, phone channels or current grievance programs, the method have to be seen and straightforward to make use of.
Companies ought to then overview inner governance preparations and decide who’s answerable for receiving, investigating and escalating complaints. Accountability must be clearly assigned, and escalation routes must be documented.
Coaching is vital. Staff want to know what constitutes a knowledge safety grievance and the way it differs from different customer support points or knowledge topic rights requests.
Privateness notices, topic entry request templates and different knowledge safety communications also needs to be up to date to tell people of their proper to complain on to the organisation.
Organisations ought to overview record-keeping preparations to make sure complaints could be tracked, monitored and evidenced. The ICO expects organisations to keep up information exhibiting when complaints had been acquired, how they had been investigated, what selections had been made and what actions had been taken.
Companies that depend on third-party processors also needs to overview contractual preparations to make sure suppliers perceive their position in supporting grievance investigations and notifying controllers when complaints are acquired.
What legislation corporations ought to do now
Legislation corporations ought to start by reviewing their very own compliance place. Present complaints procedures must be assessed towards the brand new statutory necessities to establish any gaps.
Corporations ought to think about whether or not knowledge safety complaints could be recognised and routed successfully throughout all follow areas and enterprise features, together with HR, advertising and marketing, IT and consumer companies groups.
Coaching programmes must be up to date to make sure legal professionals and help workers perceive the brand new obligations and know how one can reply when complaints come up.
Consumer-facing documentation, privateness notices and topic entry request response templates also needs to be reviewed and up to date the place mandatory.
Past inner compliance, corporations must be partaking with purchasers now. Many organisations stay unaware that these necessities grow to be obligatory in June 2026. Offering sensible steering and implementation help is a chance to strengthen consumer relationships whereas serving to organisations keep away from compliance failures.
A brief window
From 19 June 2026, organisations shall be judged not solely on whether or not they adjust to knowledge safety necessities, but additionally on how successfully they reply when people consider these necessities have been breached.
For companies, this implies transferring from casual grievance administration to documented, legally compliant processes. For legislation corporations, it means making certain their very own compliance whereas serving to purchasers put together for a regulatory change that may rapidly grow to be a visual take a look at of organisational accountability.
With simply weeks remaining earlier than the brand new necessities take impact, organisations that haven’t but reviewed their preparations ought to deal with preparation as a right away precedence.
![From T+1 to T+0: What Occurs When Submit-Commerce Goes On-Chain [Stable Summit New York Fireside Recap]](https://coininsight.co.uk/wp-content/uploads/2026/06/Gemini_Generated_Image_lhquhblhquhblhqu-120x86.png)
