Esther Gunaratnam
- Partner
- IP & Commercial
Background
Section 103 of the UK Data (Use and Access) Act 2025 (the “DUAA”) requires an organisation to put in place a procedure for dealing with individuals’ complaints about the handling of their personal data. While it is not a legal requirement for an individual to first complain to the organisation, the Information Commissioner’s Office (ICO) has for a long time encouraged individuals to first contact the organisation before contacting the ICO.
Section 103 DUAA comes into force on 19 June 2026 and introduces new sections 164A and 164B into the Data Protection Act 2018 (the “DPA”). The new duties in section 164A(3) and (4) of the DPA 2018 apply only in relation to a complaint that is received by the controller on or after 19 June 2026.
Anyone who considers that an organisation has mishandled their personal data and infringed data protection legislation can file a complaint. The complaint does not need to use legal language or refer to the UK GDPR, the DPA or DUAA, but a complaint is not the same as exercising the individual’s right.
An organisation must:
1. Have a data protection complaint-handling process.
- The legislation focuses on having and running a process, not on producing a particular complaints policy. The organisation must be able to explain and evidence how complaints are received, handled, escalated and resolved.
- The organisation should review its existing privacy notices (both external and internal) and data protection policy to ensure they clearly explain:
  - that individuals have a right to complain about the handling of their personal data;
  - how they can do so; and
  - what they can expect once a complaint is submitted.
- Alternatively, it could adopt a standalone Data Protection Complaints policy. This isn’t legally required but would provide a single, clear reference point.
2. Facilitate the means for individuals to make complaints either electronically (such as a complaints form) or by other means (s 164A(2)).
- The organisation should review any data subject request procedures it has in place and assess if they can be updated to cover data protection complaints.
- Section 164A doesn’t specify how individuals need to be provided with the means to make complaints, only that electronic means must be an option.
- Electronic submissions could be accepted via email and/or through a complaints form on the firm’s website. The organisation could create a specific complaints email address and mailbox and create automated responses to acknowledge receipt.
3. Acknowledge receipt of the complaint within 30 days of receiving it (s 164A(3)).
- The organisation must acknowledge receipt of a data protection complaint within 30 days of receiving it, regardless of the channel through which it was submitted.
- The acknowledgement should confirm that the complaint has been received and explain, at a high level, what will happen next. The ICO guidance confirms that automated acknowledgements are permissible, provided they are reliable and monitored.
4. Without undue delay: (i) take appropriate steps to respond to the complaint; and (ii) inform the complainant about the outcome (s 164A(4)).
- Appropriate steps will depend on the nature of the complaint but may include making internal enquiries, reviewing relevant records and liaising with relevant teams.
- The organisation is also expected to keep the complainant updated on progress (s 164A(5)). There is no fixed statutory deadline for issuing a substantive response, but delays must be justified and proportionate to the complexity of the issue.
5. Demonstrate compliance with the accountability requirements under Article 5(2) of the UK GDPR.
- In practice, this means maintaining an audit trail, including:
  - records of complaints received;
  - how and when they were acknowledged;
  - steps taken to investigate and respond; and
  - the outcome communicated to the complainant.
- The organisation should review its data protection breaches and complaints register(s) and log to ensure this information is captured.
6. Staff training
- An organisation must ensure that relevant staff are able to recognise, handle and appropriately escalate data protection complaints as part of their day-to-day operations.
- Training should be proportionate to the role. For example:
  - HR, IT and client-facing staff should be trained to spot and route complaints; and
  - those responsible for actually responding to complaints should understand the statutory timeframes and investigation requirements.
Action Points
- Draw up a Data Protection Complaints process – although there is no legal requirement for a specific policy document, this is recommended for operational clarity. Organisations may also wish to have consistency with their general complaints process/policy (if any).
- Create a Data Protection Complaints register – enabling the logging of details such as dates of receipt of complaints, acknowledgement date, response dates and other relevant comments.
- Communicate the new Data Protection Complaints process internally.
- Provide training to staff so that they can recognise a DP Complaint and know to invoke the Data Protection Complaints process.
How can Wedlake Bell help?
The Wedlake Bell Team will be pleased to support clients’ compliance with the Data Protection Complaints requirements, such as:
- Gap analysis and readiness reviews against the new legal requirements.
- Drafting or updating Data Protection Complaints procedures, including integration with existing complaints or data protection policies or HR processes.
- Complaints handling toolkits, including providing template acknowledgement letters, holding responses, outcome templates and complaints registers.
- Website and privacy notice reviews to ensure complaint rights are clearly signposted.
- Staff training and guidance, focused on recognising and handling data protection complaints.
- Bespoke advice on complex or high‑risk complaints, including those involving data breaches, DSAR disputes or regulatory escalation.
- Ongoing support and retainer arrangements, including dealing with complaints on clients’ behalf.
This article is for general information purposes only and does not constitute legal advice or a comprehensive statement of the law. Specific legal advice should always be sought in relation to individual circumstances.