ICO Guidance on the DUA
Written by Mark Farrell
ICO Guidance on the Data (Use and Access) Act (DUA): What You Need to Know
The Information Commissioner’s Office (ICO) has released guidance on handling data protection complaints in line with the requirements from the Data (Use and Access) Act (DUAA) which are set to come into force on 19 June 2026.
Whilst most of the reforms brought about by Part 5 of the DUAA took effect on February 5, organisations have longer to prepare for the complaint requirements and the ICO’s guidance supports organisations on achieving best practice ahead of time.
What does the DUAA change regarding data protection complaints?
Whilst the ICO has previously expected organisations to address data protection complaints received from individuals, this has not been backed up by any legal obligation.
Following the changes under the DUAA, individuals now have the legal right to submit a complaint to an organisation about the handling of their personal data and organisations must implement processes and procedures to facilitate this.
What are the key requirements for handling data protection complaints in line with the DUAA and ICO guidance?
The ICO’s latest guidance outlines the following key steps organisations must take to meet the complaint requirements under the DUAA:
- Provide individuals with a way of making data protection complaints;
- Acknowledge data protection complaints within 30 days of receipt;
- Take appropriate steps to respond to complaints without undue delay, including making appropriate enquiries and keeping complainants informed; and
- Provide people with complaint outcomes without undue delay.
For organisations with existing complaints procedures, only minor changes are likely needed to reflect the DUAA requirements, but organisations lacking an established complaints process will now be expected to implement a substantive procedure.
This article highlights the key areas of focus for organisations in preparation for the DUAA complaints provisions coming into force and summarises recommendations for best practice based on the ICO’s guidance.
What constitutes a data protection complaint?
Not every complaint that is linked to data protection matters constitutes a data protection complaint. Where an individual complains about an organisation’s services or other matters whilst also exercising data protection rights, this does not count; for example, an employee raises a grievance and at the same time makes a subject access request.
The ICO’s guidance clarifies that data protection complaints arise where an individual complains specifically about an organisation’s handling of their personal data, whether this be about the handling of a subject access request (SAR) or quality of data security.
As with other personal data rights requests, individuals do not have to use legal terms or quote the legislation to make a data protection complaint. Where unsure whether an individual is making a data protection complaint, organisations should seek clarification.
What must we do to prepare for handling data protection complaints?
Give people a way to make complaints
The starting point is to ensure that your organisation gives people a way to raise a data protection complaint. The ICO’s guidance allows organisations flexibility to choose which channels are most appropriate, whether through a complaint form, email address, telephone number, online portal, live chat facility or in person (if operating offline).
There is no requirement to set up a separate tool for receiving data protection complaints and organisations can rely on existing complaints channels and adapt these to include data protection complaints. As per the ICO’s SAR guidance, individuals are not obliged to follow the set process and can complain using any method of their choice. Nonetheless having a set complaints process is important for accountability.
Organisations with online presence should also consider how to handle complaints received through social media and bear in mind that liaising with complainants through social media is not secure and an alternative contact method should be sought.
Those within the scope of the ICO’s Age Appropriate Design Code should satisfy the requirements for handling complaints from children outlined at standard 15 of the Code, ensuring children can easily make and escalate complaints.
Inform people of their right to complain
Organisations are already required to inform individuals of their right to submit a complaint to the Information Commissioner at the point of collection of their personal data through a privacy notice and also when responding to SARs.
Following the DUAA, organisations must now also inform individuals of their right to make a data protection complaint to the organisation itself. Organisations should update privacy notices accordingly to inform data subjects of their right to complain and the organisation’s complaints process including a contact point.
Those processing personal data for law enforcement purposes must also inform individuals of their right to complain at other junctures, including when refusing other rights requests.
Implement a complaints procedure
The ICO’s guidance makes clear that for best practice, organisations should implement a complaints procedure if they do not already have one. It should use plain language (avoid legal jargon), be published online and be made available to individuals at the earliest opportunity to ensure they are aware of how to raise complaints.
It is recommended that a written process includes the set method for receiving complaints; the supporting evidence needed to investigate; the proof of ID and third-party authority accepted as well as information on communicating timescales (acknowledgement within 30 days), updates and outcomes.
Whilst it is acceptable to integrate data protection complaints into overarching complaints procedures and a standalone process is not required, organisations must ensure outcomes are issued on data protection complaints without undue delay. So, when responding as part of a wider complaint connected to other issues, if able to provide an outcome on the data protection aspect sooner, you must do so.
Review record keeping and training
Guidance on record keeping reiterates not only the importance of having up to date, clearly organised and labelled systems so information can be found quickly and effectively, but also to provide evidence of the following:
- Date complaints were received
- Acknowledgements sent
- Relevant conversations and documents
- Complaint outcomes
- Actions taken as a result
Not only does strong record keeping support compliance with the Art. 5(2) UK GDPR accountability principle by demonstrating compliance should the ICO or other industry bodies investigate, it is also beneficial for identifying recurring trends and underlying compliance issues.
In terms of training, all staff should as part of their overall data protection training be brought up to speed on recognising data protection complaints and knowing where to direct complaints internally when received.
Review Joint Controller and Processor arrangements
For Joint Controllers, emphasis is on having transparent arrangements in place given the timescale starts as soon as the complaint is received by a Controller so all parties must be clear on what to do, including in terms of:
- whether to have a central point of contact for complaints,
- how to inform people of where to complain and
- responsibilities for investigating complaints and liaising with complainants.
Controller-Processor data processing agreements should cover arrangements for handling data protection complaints. The typical role of Processors remains to provide assistance, including on complaint investigations and by supplying relevant information, with Controllers retaining the obligation for complaint handling.
How do we ensure best practice in the end-to-end process?
Acknowledging the complaint
You must acknowledge receipt of a data protection complaint within 30 days and the ICO’s guidance clarifies that an auto-acknowledgement will suffice.
This timeframe begins the day after the complaint is received, even if this falls on a weekend or public holiday. However, if the last day to acknowledge falls on a weekend or public holiday, you have until the next working day.
A practical approach is emphasised. For instance, there is no need to provide an acknowledgement and outcome separately if you are able to provide a complaint outcome within 30 days, and if you contact the complainant to ask for proof of ID, an additional acknowledgement is not needed.
The same complainant ID and third-party authority verification protocols apply as for other personal data rights requests, meaning you should:
- seek proof of ID at the earliest opportunity if in doubt
- not request further evidence if already in possession of sufficient information
- verify third party authority by requesting power of attorney or a signed letter of authority from the complainant they are acting on behalf of; and
- abstain from investigating the complaint until valid authority is received.
Conducting the investigation
Organisations must make enquiries into data protection complaints without undue delay, starting from when the complaint is received and not after the 30 day acknowledgement period ends.
This process generally involves fact finding, speaking to relevant staff, comparing the complaint information with that held and checking if organisational standards were upheld, and the ICO’s guidance recommends asking the complainant for more information if necessary as well as managing their expectations.
The ICO’s guidance recognises that complaints will vary in complexity, scale and harm, meaning a blanket timeframe for resolving complaints is not expected. Instead, focus should be on the specific circumstances of the complaint (and your organisation) and making reasonable and proportionate enquiries based on this.
Providing updates and outcomes
Giving timely progress updates to complainants is emphasised in the ICO’s guidance, with the priority on explaining timeframes for resolution and any expected delays.
As with investigating complaints, outcomes must also be issued without undue delay, which according to the guidance means ‘without an unjustifiable or excessive delay.’ Outcomes should include explanation of steps taken to resolve the complaint and actions taken as a result, and where you think you have complied with data protection law this should be explained in detail.
An internal review process for complainants unhappy with the outcome is recommended. It is also best practice to inform individuals of their right to complain to the ICO, which they may do at any point notwithstanding any internal review process.
Conclusion
The complaints requirements introduced by the DUAA can be viewed as formalising what the ICO has long expected from organisations in terms of addressing data protection complaints. The standards emphasised in the ICO’s latest guidance on complaints largely mirror those expected when handling other personal data rights requests.
Indeed, the ICO will be aiming for a reduction in the number of complaints brought to it following the DUAA changes. The regulator has an established policy of diverting complaints to organisations in the first instance where the issue has not previously been raised with the organisation directly, and it now has a legal basis for doing so.
This latest guidance also coincides with the ICO’s publication of its complaint handling framework which is centred on prioritising high-value cases where the ICO can have the most significant impact, an objective more realisable if less time can be spent on lower impact matters and those where internal complaints procedures have not been utilised.
Moving forward, organisations can expect to be held to a higher standard in terms of complaint handling. Not having formal procedures in place will amount to a breach of the DPA, may trigger complaints from data subjects and will be looked on with greater scrutiny by the ICO.
Implementing a formalised end-to-end data protection complaints procedure ensures best practice and will be looked on far more favourably by the ICO should any concerns be raised or investigations initiated. Data Protection People has already supported many organisations in this regard. If your organisation requires assistance in this area, please reach out to us.