Published 24 June 2026
As of 19 June 2026, there is a new compliance job on every UK organisation's desk, and a lot of businesses have not noticed it yet. Under the Data (Use and Access) Act 2025, every organisation that processes personal data must now have a proper process for handling data-protection complaints: a clear way for people to raise one, an acknowledgement within 30 days, and a documented response. There is no exemption for small businesses, and "we'll deal with it if someone complains" is no longer good enough.
If that sounds like an administrative formality, it is worth being precise about what it actually requires, because the rule is less about having a policy and more about being able to prove you followed one. This is where it stops being a legal-team problem and becomes a documents-and-records problem.
The Data (Use and Access) Act 2025, or DUAA, received Royal Assent in June 2025 and its data-protection provisions have been commencing in stages through 2026. Rather than replacing UK data law, it refines it: tidying up areas such as recognised legitimate interests, adjusting the rules on automated decision-making, and, most relevant here, putting the handling of data-protection complaints onto a statutory footing.
The headline date is 19 June 2026, when the complaints-handling duty takes effect. From that point, the expectation is not just that you respond to complaints, but that you have a defined, documented and evidenced process for doing so.
In plain terms, the new duty breaks down into a handful of concrete requirements:
That last point is the one that catches organisations out. The rule is satisfied not by intention but by evidence, and a verbal "yes, we looked into it" is not evidence.
A defensible complaints record does not need to be complicated, but it does need to be consistent. At a minimum, each entry should capture:

| Field | Why it matters |
|---|---|
| Date received | Starts the 30-day acknowledgement clock and proves your timeline. |
| Complainant & nature of complaint | Shows what was raised and lets you spot recurring issues. |
| Date acknowledged | Evidences that you met the 30-day statutory deadline. |
| Investigation & actions taken | Demonstrates a genuine, proportionate review, not a rubber stamp. |
| Outcome & date closed | Closes the loop and shows the complaint was resolved. |
| Owner | Assigns clear responsibility, which the Act expects. |

The complaints duty does not sit on its own. A consistent theme runs through the DUAA: compliance now means documented, structured processes rather than informal ones. Organisations are expected to assess and record their reasoning where data use might not be obvious, to keep records that show how decisions were reached, and, where they use automated tools for profiling or decision-making, to be transparent, allow human review and let people challenge the outcome. In every case the common thread is the same. You need a trail.
Most businesses already intend to handle complaints properly. What trips them up is the machinery: spotting the complaint, routing it to the right person, hitting the 30-day deadline while people are on leave, and then being able to find the whole history months later when the ICO or an auditor asks. Do that in inboxes and spreadsheets and the gaps appear quickly. A complaint sits unread, an acknowledgement is late, the log is updated from memory, and the evidence you need simply is not there.
The organisations that will find 19 June 2026 a non-event are the ones that treat a complaint as a tracked record with a deadline and an owner, not an email someone hopefully picks up.
This is exactly the kind of structured, evidenced workflow DocFlow is built for. Because every document and request is captured and classified on the way in, a data-protection complaint can be handled as a first-class, auditable process:
It is the same approach that underpins broader compliance tracking in DocFlow, and it runs UK-hosted, on-premise or fully self-hosted, so even your most sensitive complaint records never leave your control. Our Trust Centre sets out how everything is protected.
The new complaints rule is not the hardest compliance task you will face this year, but it is one of the easiest to fail quietly, because the failure only shows up when someone asks for the evidence. Put a documented, automated process behind it now, and that question becomes a five-minute answer instead of a scramble.
The DUAA is the UK's new data law. It received Royal Assent in June 2025 and amends, rather than replaces, the UK GDPR, the Data Protection Act 2018 and PECR. Its data-protection provisions have been commencing in stages through 2026, refining areas such as legitimate interests, automated decision-making, and how organisations must handle data-protection complaints.
From 19 June 2026 every organisation that processes personal data must have a clear way for people to make a data-protection complaint, must acknowledge a complaint within 30 days, and must respond without undue delay. In practice that means a published complaints procedure, an easy route to complain (such as an online form), assigned responsibility, and a log that records each complaint and how it was handled.
Yes. The statutory complaints-handling requirement applies to all organisations that process personal data, with no exemption for small businesses or charities. The scale of your process can be proportionate to your size, but you still need a documented procedure and a record that you followed it.
You must acknowledge a data-protection complaint within 30 days of receiving it, and then investigate and respond without undue delay. Keeping a timestamped record of when each complaint was received, acknowledged, investigated and closed is the simplest way to evidence that you met the deadline.
A document and workflow platform can turn the rule into a repeatable process: capture each complaint, route it to the right person, enforce the 30-day acknowledgement, and keep an immutable, timestamped audit trail of every step. DocFlow does exactly this, so you can prove compliance rather than just assert it.