For a lot of UK organisations, 19 June 2026 might change into an important date in DUAA’s implementation timeline. From that date, companies and different organisations processing private knowledge can be legally required to function a proper inside knowledge safety complaints process. People who imagine their knowledge rights have been infringed should be capable of complain on to the organisation earlier than escalating issues to the ICO
The brand new regime represents a significant shift within the UK’s method to knowledge safety enforcement. Reasonably than relying totally on regulator-led intervention, DUAA locations larger duty on organisations themselves to analyze, handle and resolve complaints shortly and transparently.
In apply, companies might want to acknowledge complaints inside 30 days, examine points with out undue delay, maintain complainants knowledgeable and clearly talk outcomes. The ICO has already signalled that the standard of an organisation’s complaints dealing with course of might affect its wider regulatory method.
For companies, that is a part of a broader shift towards operational accountability beneath DUAA, which is already reshaping areas similar to AI governance, automated decision-making, worldwide transfers and lawful processing.
With main reforms already in drive and the June 2026 complaints deadline approaching shortly, organisations will wish to evaluate their governance frameworks, inside procedures and employees readiness.
How is DUAA being rolled out?
DUAA turned legislation on 19 June 2025, however the reforms are being launched progressively in a phased course of.
Some technical adjustments began instantly, together with clarification round SAR searches. Additional reforms adopted all through late 2025, however essentially the most important implementation part arrived on 5 February 2026, when the vast majority of the brand new knowledge safety provisions got here into drive.
From that time on, organisations started working beneath up to date guidelines masking recognised authentic pursuits, automated decision-making, worldwide transfers, cookies and expanded ICO enforcement powers.
The following main milestone is now approaching on 19 June, when the necessary complaints dealing with necessities come into impact.
Additional reforms, together with governance adjustments remodeling the ICO into the brand new “Info Fee” construction, are anticipated later within the yr.
Why the complaints process requirement issues
The upcoming complaints regime might change into one of the operationally important points of DUAA. Below the brand new guidelines, individuals want to lift complaints instantly with organisations earlier than escalating issues to the ICO.
This implies companies will more and more change into the primary line of investigation, response and backbone for knowledge safety issues. The ICO has indicated that the standard of an organisation’s complaints dealing with course of will affect its regulatory method indicating that complaints dealing with is turning into a governance concern in addition to a customer support concern.
What’s going to depend as a knowledge safety grievance?
Not each sad electronic mail from a buyer or worker will fall inside that scope. However organisations might want to change into considerably higher at figuring out complaints that will set off the brand new DUAA obligations.
These embrace complaints about how SARs have been dealt with, issues round knowledge retention or accuracy, objections to monitoring or surveillance practices, dissatisfaction with safety measures, or challenges regarding AI-driven decision-making and knowledge sharing practices.
Points like customary customer support complaints or employment grievances might fall exterior scope until they particularly concern knowledge safety rights.
If there may be uncertainty, the ICO recommends clarifying instantly with the particular person whether or not they intend to lift a proper grievance.
The brand new necessary complaints course of
From 19 June, companies might want to present individuals with accessible and efficient methods to submit complaints on to them. Many companies already function buyer complaints processes however DUAA elevates sure knowledge safety complaints right into a extra formal regulatory framework with outlined procedural obligations.
Organisations can’t insist people use just one designated route. Complaints might arrive by means of atypical customer support emails, HR channels, reside chat capabilities, on-line varieties, social media interactions and even casual correspondence. This might create a sensible problem for companies as a result of complaints will must be recognised persistently throughout a number of groups and operational capabilities.
As soon as a grievance is obtained, the clock begins operating instantly. Organisations should acknowledge receipt inside 30 days, with the ICO clarifying that the timeframe begins the day after the grievance is obtained, together with weekends and public holidays. In apply, nevertheless, companies mustn’t view this as a snug response window. The duty to analyze begins instantly upon receipt of the grievance, no matter whether or not a proper acknowledgement has been despatched.
The requirement to behave “with out undue delay” introduces a level of flexibility, but additionally uncertainty. The ICO has indicated that expectations will rely upon the complexity of the grievance, the sensitivity of the information concerned, the size of the difficulty and the extent of potential hurt to the person. A comparatively simple grievance relating to knowledge retention practices might require solely restricted enquiries, whereas complaints involving AI techniques, monitoring applied sciences or large-scale disclosures might demand in depth inside investigations.
All through the method, organisations are anticipated to take care of transparency with complainants. This doesn’t essentially imply offering fixed updates or disclosing each inside investigative step. Nevertheless, people ought to be knowledgeable about anticipated timelines, delays and progress the place applicable.
The ultimate response should clearly clarify the organisation’s findings, any remedial motion taken and the complainant’s proper to escalate issues to the ICO if they continue to be dissatisfied.
Maybe most significantly, DUAA successfully turns complaints dealing with right into a documented accountability train. Organisations might want to preserve detailed data of complaints obtained, investigations performed, correspondence exchanged, choices reached and corrective actions taken. The ICO has made clear that these data might change into related throughout regulatory enquiries.
For a lot of companies, it will require a major operational shift. Complaints dealing with can now not sit solely inside customer support or authorized groups. As a substitute, organisations will want coordinated processes involving compliance, HR, IT, safety, operational management and senior governance capabilities.
What ought to companies be doing now?
Companies ought to deal with these weeks main as much as June 2026 as a preparation interval. One of many greatest challenges can be making certain complaints might be recognised and escalated persistently throughout the organisation. As famous, complaints might arrive by means of buyer assist groups, HR capabilities, compliance channels, electronic mail correspondence or atypical operational interactions. Organisations will due to this fact want clearer inside processes and higher coordination between departments.
Present privateness notices, grievance procedures and topic entry request response templates also needs to be reviewed and up to date. DUAA expects organisations to elucidate clearly how people can complain on to the organisation and the way issues can be dealt with.
Coaching can be equally vital. Employees throughout authorized, HR, IT, buyer assist and operational capabilities ought to perceive how you can determine complaints, escalate points and adjust to response timelines.
On the similar time, companies utilizing AI techniques and automatic decision-making instruments ought to evaluate governance preparations extra broadly. Whereas DUAA introduces larger flexibility in some areas, regulators proceed to count on organisations to reveal equity, transparency and significant oversight.
The ICO has indicated it intends to take a measured method through the transition interval, notably whereas steering continues to be growing. Nonetheless, expectations round accountability are clearly rising, and companies that start getting ready now can be considerably higher positioned as soon as the complaints regime formally takes impact.
A giant shift
With DUAA, the UK has tried to place itself as providing a considerably extra commercially versatile framework than the EU GDPR in areas similar to AI governance, automated decision-making, authentic pursuits and worldwide transfers.
Nevertheless, the reforms concurrently enhance expectations round operational governance and accountability. This complaints regime illustrates this.
DUAA shouldn’t be merely one other legislative replace. It represents a broader shift in how knowledge governance, accountability and regulatory engagement will function within the years forward.
