On June 19, 2026, the new statutory right to complain introduced into UK data protection law by the Data (Use and Access) Act 2025 (DUAA) will take effect. As introduced by section 103 of the DUAA, section 164A of the Data Protection Act 2018 now requires each controller to implement a mechanism or procedure whereby data subjects can make complaints to the controller relating to their personal data. A key purpose behind this new right is to ensure complaints are lodged with and considered by the controller before they are escalated to the UK Information Commissioner’s Office (ICO). The ICO has published detailed guidance on complying with this new obligation and handling complaints. Below is a summary of the main requirements and practical tips for compliance.
What is a complaint?
In this context, a complaint is a complaint by a data subject who believes there has been a breach of UK data protection law relating to their personal data. A data subject may submit a complaint, for example, if they do not believe their data subject rights request has been properly handled, or if they believe their data has been accessed without authorization due to insufficient security measures.
What must the controller do to comply with the new obligation?
Facilitating the making of a complaint
The new provisions require the controller to “facilitate the making of complaints” by data subjects. The law does not define how a controller must do this; it is for the controller to determine the most suitable method for their business. Possible methods include providing a complaint form, directing complaints to a specific email address, or maintaining a complaints portal. If a controller already has a method for receiving complaints, it can leverage the existing method subject to ensuring it complies with the new requirements. The method for making the complaint must be communicated to data subjects at the time of data collection (most likely via the privacy policy) and when responding to a data subject access request. The ICO requires “clear and plain language” be used to do so.
Importantly, while a controller may make a method available in compliance with its obligations under the law, this does not mean a data subject has to use the method; a data subject may make a complaint via a different method, and the controller is still required to accept and handle the complaint in accordance with the new provision.
Acknowledge the complaint
The new provisions require the controller to acknowledge receipt within 30 days of receiving the complaint. As with the method for receiving complaints, how a controller acknowledges receipt is for it to decide. This could be done, for example, by an automated email response if the method for receiving complaints is a dedicated mailbox.
Investigating the complaint
The new provision requires the controller to “take appropriate steps to respond” to the complaint “without undue delay,” meaning it must investigate the complaint, making the appropriate enquiries, without undue delay. The time it takes to conduct an investigation will depend on the complexity and nature of the complaint. While the law does not set a defined time period, best practice would be for a controller to set a target time period that it aims to meet for each complaint, in order to demonstrate it is operating without undue delay. The law also requires that a complainant be kept informed of the progress of the complaint. This obligation will be particularly relevant if the investigation is taking a long time.
Responding to the complaint
The new provisions require a controller to respond to the complainant with the outcome of the investigation “without undue delay.” This response should set out what has been done to resolve the complaint and, where relevant, any actions taken as a result. Alternatively, if the investigation shows that there has been no breach of the law, the response should explain this.
Practical tips for compliance
To comply with the new requirements, controllers should consider taking the following steps:
- Choose the preferred method for submitting complaints and implement it accordingly.
- Update all privacy notices to explain how a data subject can make a complaint using the complaint method. As a reminder, this right to complain applies to all data subjects, including employees.
- Prepare a complaints handling procedure for personnel, setting out the steps required by law (as explained above) and other key considerations such as recognizing a complaint, confirming the identity of the complainant, and escalating a complaint. A controller may also wish to prepare a complaint handling procedure to be accessible by data subjects explaining how a complaint can be made and what to expect.
- Provide training to personnel who are more likely to receive and/or handle complaints.
- Maintain a record or log of all complaints received, including the relevant dates for a complaint and details of the outcome of the investigation.
At Hunton, we assist clients in complying with these new requirements in a variety of ways, including updating privacy notice language and preparing complaints handling procedures. If you would like to discuss these requirements, please reach out to a member of our team.