UK Data Use and Access Act: New Complaints Process Effective June 19, 2026

By Cynthia J. Larose, Christopher J. Buontempo

The UK Data Use and Access Act (“DUAA”) introduces significant reforms to the UK’s data protection landscape, including a restructured complaints process for individuals seeking to raise data protection concerns with the Information Commissioner’s Office (“ICO”). If you don’t already have a process in place to receive – and act on – data privacy complaints and you are subject to the UK GDPR, you’ll need to heed the upcoming June 19, 2026 deadline.

Implications for Organizations

Mandatory Controller Engagement Requirement

One of the most significant changes under the DUAA is the introduction of a mandatory pre-complaint engagement requirement. Before lodging a complaint with the ICO, individuals must first raise their concerns directly with the relevant data controller and allow a reasonable period for the controller to respond. The ICO has indicated that this period will typically be 45 days, although this may vary depending on the complexity of the matter.

This requirement is designed to encourage early resolution of disputes between individuals and organizations without regulatory intervention, and to allow the ICO to focus its resources on more serious matters.

The new complaints framework has several practical implications for organizations that process personal data:

Robust Internal Complaints Handling
Organizations should review and strengthen their internal processes for handling data protection complaints. Having a clear, accessible, and efficient complaints procedure will be critical, as complainants must engage with controllers before approaching the ICO.

Timely Responses
Controllers should ensure they can respond to complaints within the expected 45-day window. Failure to respond promptly may result in escalation to the ICO and potential reputational damage.

Documentation
Maintaining thorough records of complaints received, responses provided, and resolutions achieved will be important for demonstrating compliance if a matter is subsequently referred to the ICO.

Privacy Notice Updates
Organizations should consider updating their privacy notices to include information about their complaints handling process and the new requirements for individuals to engage with the controller before contacting the ICO.

Training
Staff who handle data protection inquiries and complaints should be trained on the new framework and the organization’s updated procedures.

Key Changes to the Complaints Process

ICO Discretion to Decline Complaints

The DUAA grants the ICO expanded discretion to refuse to investigate complaints in certain circumstances. The ICO may decline to take further action where:

The complainant has not first engaged with the controller as required;

The complaint is vexatious, frivolous, or an abuse of the complaints process;

The complaint has been or could be more appropriately dealt with by another body;

The matter is the subject of ongoing or concluded legal proceedings; or

Investigating the complaint would not be a proportionate use of the ICO’s resources.

Acknowledgement and Response Timeframes

The DUAA imposes new obligations on the ICO regarding the handling of complaints. The ICO must acknowledge receipt of a valid complaint within a specified timeframe and must provide the complainant with an outcome or progress update within a reasonable period. The ICO is expected to publish guidance on the specific timeframes that will apply.

Appeals and Escalation

Individuals who are dissatisfied with the ICO’s handling of their complaint may seek judicial review of the ICO’s decision. The DUAA does not introduce a formal internal appeals mechanism within the ICO, but complainants may request a review of the ICO’s decision before pursuing court action.

Next Steps

The ICO has published detailed guidance on the operation of the new complaints process, including the specific timeframes and procedures that will apply.  You should also contact your UK/EU Representative to determine what new services will apply and how your website users should contact them.

Contact

For more information about the UK Data Use and Access Act and its implications for your organization, please contact your Mintz relationship attorney or a member of our Privacy & Cybersecurity Practice.

Subscribe To Viewpoints

Published

    • Viewpoint Topics

  • Privacy & Cybersecurity

    • Professionals

  • Cynthia J. Larose
  • Christopher J. Buontempo

    • Related Practices

  • Privacy & Cybersecurity

    • Authors

    Cynthia J. Larose

    Cynthia J. Larose

    Member / Co-Chair, Privacy & Cybersecurity Practice

    Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.
    Christopher J. Buontempo

    Christopher J. Buontempo

    Member

    Christopher J. Buontempo is a Mintz corporate attorney and a Certified Information Privacy Professional (CIPP). He has significant experience handling issues relating to technology, data privacy and security, brand protection, contract negotiation, licensing, and product development.