ICO & Data Protection9 June 2026·8 min read

New Data Protection Complaints Law: What UK Regulated Businesses Must Do Before 19 June 2026

Professional reviewing compliance documentation

The Data (Use and Access) Act 2025 introduces a new statutory requirement for UK data controllers to maintain an accessible, documented complaints procedure. The deadline is 19 June 2026 — ten days away. The ICO issued an explicit "act now" warning in May 2026. There are no exemptions based on organisation size, sector, or number of data subjects. Here is exactly what your business needs to have in place before the deadline.

Deadline

19 June 2026

Complaints procedure requirements under the Data (Use and Access) Act 2025 are fully operative. No grace period beyond this date.

What the Data (Use and Access) Act 2025 Requires

The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025. Amongst its wide-ranging reforms to the UK data protection framework, the Act strengthens the rights of data subjects to raise concerns about how their personal data is handled — and places explicit obligations on data controllers to facilitate those complaints.

Under the new regime, any organisation that processes personal data — which means virtually every business operating in the UK — must have a complaints procedure that is:

  • Documented — the procedure must exist in writing, not simply as informal practice
  • Accessible — data subjects must be able to find and use it without unreasonable difficulty
  • Signposted in your Privacy Notice — your Privacy Policy must reference how to submit a complaint and must link to, or describe, the procedure
  • Time-bound — the procedure must specify response timelines (ICO guidance indicates acknowledgement within 5 working days and a full response within 30 days as best practice)
  • ICO escalation pathway included — data subjects must be informed of their right to escalate to the ICO at any stage, including before your internal procedure is exhausted

The ICO's updated guidance, published in May 2026, explicitly states that a complaints procedure that exists only in an internal staff handbook — and is not visible to data subjects — does not satisfy the requirement. It must be publicly accessible.

Who This Affects

The requirement applies to all data controllers. There is no exemption for small businesses, sole traders, or organisations that process only limited volumes of personal data. If you collect, store, or process personal data about any individual — a customer, a patient, a service user, an employee — you are a data controller and you must comply.

This covers all ten regulated sectors that ProPolicyForge serves:

Healthcare & Clinical
Care Homes & Social Care
Dental Practices
Construction & Trades
Education & Childcare
Hospitality & Food
Office & Corporate
Retail & Logistics
Software & Health Tech
Allied Health Professions

Notably, healthcare, social care, dental, and education providers face a heightened exposure. These sectors process special category data — health records, safeguarding information, educational records — which carries higher ICO enforcement priority when complaints are mishandled.

What a Compliant Complaints Procedure Looks Like

The ICO has been clear that a compliant procedure does not need to be lengthy or complex. What matters is that it exists, it is accessible, and it actually works. A compliant procedure covers four stages:

Stage 1 — Submission channel

Data subjects must have a clear way to submit a complaint. This should be a dedicated email address (separate from your general enquiries inbox), a web form, or a named postal address. A generic "contact us" page does not meet the standard unless it explicitly accepts data protection complaints and routes them appropriately.

Stage 2 — Acknowledgement

The organisation must acknowledge receipt of the complaint, confirm a reference number or tracking mechanism, and set out the timeline for a response. ICO guidance indicates acknowledgement within 5 working days as the expected standard.

Stage 3 — Investigation and response

The organisation must investigate the complaint and provide a full written response. The standard response window under the DUAA complaints regime is 30 calendar days from receipt. If a complaint is complex and requires more time, the organisation must notify the data subject before the 30-day window expires and provide a revised timescale.

Stage 4 — ICO escalation notice

Every complaints procedure must include a clear statement that the data subject has the right to escalate to the ICO at any time — they do not need to wait for the organisation's internal process to conclude. The ICO's contact details must be provided: ico.org.uk, 0303 123 1113, or ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

Where the Procedure Must Be Published

This is the area where many businesses are currently non-compliant, even where a complaints procedure exists in some form. The ICO's May 2026 guidance specifies three publication requirements:

  • A standalone complaints page on your website — the procedure must be reachable within one or two clicks from your homepage, not buried in a legal documents section
  • Your Privacy Notice — Section 9 (or equivalent rights section) must reference the complaints procedure and provide a direct link or contact detail
  • Any response to a data subject rights request — if a data subject exercises their right of access, erasure, or rectification, your response must remind them of the complaints procedure if they are dissatisfied with your handling of the request

ICO warning (May 2026): The ICO has stated it will treat the absence of an accessible complaints procedure as prima facie evidence of non-compliance with data subject rights obligations. Where a complaint about data handling is subsequently made to the ICO and the organisation had no accessible complaints procedure in place, the ICO will treat this as an aggravating factor in any enforcement decision.

The Practical Risk of Non-Compliance

The consequences of failing to have a compliant complaints procedure are not theoretical. The ICO's enforcement approach under the DUAA 2025 regime is explicitly complaints-led — meaning that the most common trigger for an ICO investigation is a data subject lodging a complaint directly with the ICO because they could not find or use a complaints procedure with the organisation itself.

Under UK GDPR (retained and amended by the DUAA 2025), the ICO has the power to issue fines of up to £17.5 million or 4% of global annual turnover for serious infringements, and up to £8.7 million or 2% of annual turnover for other failures. While these maximum figures are reserved for the most serious cases, the ICO has demonstrated a willingness to issue meaningful fines to small and medium-sized businesses — including a care home operator, a dental practice chain, and a construction company — in the past two years.

For regulated businesses, the reputational risk runs alongside the financial one. A finding of non-compliance by the ICO will typically be published on the ICO's enforcement register. For healthcare providers, dental practices, and educational settings, a published ICO finding can affect CQC, GDC, or Ofsted inspection outcomes.

Your Pre-19 June Compliance Checklist

Dedicated complaints channel

Create a dedicated email address (e.g. complaints@yourdomain.com) or web form specifically for data protection complaints — separate from your general contact inbox.

Standalone complaints page

Publish a page at /complaints (or equivalent) on your website setting out all four stages of your procedure, timelines, and ICO escalation details.

Update your Privacy Notice

Add a reference to your complaints procedure in your Privacy Notice — specifically in the section covering data subject rights. Link directly to the complaints page.

Acknowledgement process

Ensure any complaint received via your form or email generates an acknowledgement (automated or manual) within 5 working days, including a reference number.

30-day response window

Document internally how complaints will be investigated and who is responsible for providing the written response within 30 days.

ICO details included

Confirm your complaints page includes the ICO's contact details and an explicit statement that data subjects can escalate to the ICO at any time.

Complaints log

Maintain a basic complaints register — date received, reference number, nature of complaint, outcome, and date resolved. This is an audit trail the ICO may request.

What About Existing Complaints Mentions in a Privacy Policy?

Many businesses have a line in their Privacy Policy stating something like "if you have a complaint, contact us at support@yourdomain.com." This does not satisfy the DUAA 2025 requirement for two reasons.

First, it does not describe a procedure — it provides a contact point but gives the data subject no information about what will happen next, what timelines apply, or what their escalation rights are. Second, the requirement is for a procedure that is accessible independently of the Privacy Policy, not embedded within it. A single line in a long legal document does not constitute an accessible complaints procedure.

Businesses in this position need to create a standalone procedure and update their Privacy Policy to reference it — not simply add more text to the Privacy Policy itself.

ProPolicyForge Users — What You Need to Know

ProPolicyForge has already updated its own complaints procedure ahead of the 19 June deadline. The dedicated complaints page is live at propolicyforge.com/complaints, the Privacy Policy has been updated with the correct references, and a dedicated complaints email address is in place.

For ProPolicyForge subscribers, your Compliance Obligations Register will include the 19 June complaints procedure obligation if you are in a sector where the ICO has issued sector-specific guidance. If you generate or update a Data Protection & UK GDPR Policy through ProPolicyForge after today, the generated document will reflect the DUAA 2025 complaints procedure requirement.

If you need a Data Protection Complaints Procedure document for your organisation, ProPolicyForge can generate one in minutes — specific to your sector, organisation size, and the channels you have in place.

Act Before 19 June

Generate a compliant Data Protection Complaints Procedure in minutes

ProPolicyForge generates UK GDPR and data protection policies aligned to the Data (Use and Access) Act 2025 — specific to your organisation, your sector, and your complaints channels.

Generate Your First Document Free

Disclaimer: This article provides general guidance only and does not constitute legal advice. Businesses should refer directly to ICO guidance at ico.org.uk and seek specialist legal advice for their specific circumstances. The deadline and requirements described reflect the ICO's published guidance as of June 2026.