DUAA June 2026: Every UK Business Now Needs a Formal Data Complaints Procedure

ComplianceAlert Editorial · UK Regulatory Specialists
9 April 2026 · 9 min read

From 19 June 2026, every UK business that collects or processes personal data must have a formal, documented data complaints procedure in place — or risk ICO fines now aligned with GDPR-level penalties of up to £17.5 million or 4% of global turnover.

That's 71 days away. Most UK small businesses don't know it's coming.

The Data Use and Access Act (DUAA) received Royal Assent in 2025 and comes into full operational effect this June. Unlike GDPR, which was imported from the EU and widely reported, DUAA is domestic legislation with a quieter media profile — which means most SMB owners are walking into a compliance gap they haven't spotted yet.

This guide explains exactly what the DUAA requires, who it affects, what you need to do, and when.

What Is the Data Use and Access Act?

The Data Use and Access Act (DUAA) is the UK's replacement framework for parts of the retained GDPR and the Data Protection Act 2018. It doesn't rip up the existing data protection framework — most of the GDPR principles remain. What it does do is sharpen the enforcement teeth, clarify individual rights, and introduce new procedural obligations for businesses that handle personal data.

The headline change that most UK businesses are missing: from 19 June 2026, organisations must have a formal, documented complaints procedure specifically for data subjects — people whose data you hold. This isn't just a good-practice recommendation. It is a legal requirement. The ICO will be looking for evidence of it during audits and investigations.

Who Does the DUAA Apply To?

If your business:

  • Has a website that collects any personal data (including email addresses or cookies)
  • Holds a customer, supplier, or employee database
  • Sends marketing emails
  • Uses a CRM or booking system
  • Processes any payment data linked to an identifiable person

...then the DUAA applies to you. That covers the overwhelming majority of UK businesses, including sole traders, partnerships, and limited companies operating across every sector.

There is no employee-count threshold. A two-person bakery with an email list is as subject to this obligation as a 500-person professional services firm.

What Is a "Formal Data Complaints Procedure"?

Under DUAA, a formal data complaints procedure must include:

  1. A named point of contact for data complaints — not just a generic info@ address
  2. A documented process for receiving, logging, and responding to complaints
  3. A defined response timeline — in practice, 30 days aligns with existing data subject access request (DSAR) timelines
  4. Escalation routes — including how complainants can refer unresolved complaints to the ICO
  5. Written records of all complaints received and actions taken

The procedure must be accessible. The ICO has indicated that simply having a procedure buried in your privacy policy is insufficient — it should be findable independently, either as a standalone document or a clearly signposted section of your website.

[Image: Business owner reviewing data protection documents at a desk]

What Are the Penalties for Non-Compliance?

This is where the DUAA raises the stakes significantly. Under the DUAA, ICO fines are now structured at two tiers:

  • Standard tier: Up to £10 million or 2% of global annual turnover (whichever is higher)
  • Upper tier: Up to £17.5 million or 4% of global annual turnover (whichever is higher)

For a small business with £1 million turnover, a standard-tier fine could be £20,000 — life-altering. For a business with £5 million turnover, a 2% fine is £100,000.

The ICO has signalled it intends to use the new framework proactively, not just reactively. That means you don't need to have caused a breach to be investigated — a formal complaint from a customer about how you handled their data request can trigger a full ICO inquiry.

💡 Not sure if your data practices are DUAA-ready? Take our free 3-minute Compliance Score quiz at compliancealert.co.uk/compliance-score — instant results, no sign-up needed.

Sector-by-Sector: What DUAA Means for Your Business

Hospitality and Retail

Customer booking systems, loyalty programmes, email marketing lists — all involve personal data. If a customer emails asking what data you hold about them, you now need a documented process for handling that request and a route for them to complain if you don't respond appropriately.

Healthcare and Professional Services

You already operate under GDPR and sector-specific data obligations (CQC, FCA, SRA). DUAA adds a procedural layer — you need the complaints procedure as a standalone, accessible document, not just embedded in your Data Protection Policy.

Construction and Manufacturing

Subcontractor data, employee records, CCTV footage — all personal data. The DUAA applies to employment data as well as customer data. If a worker or former employee asks for their data or complains about how you handled it, you need the procedure in place.

Accountants and Financial Services

You hold some of the most sensitive personal and financial data of any SMB sector. Your clients will increasingly expect to see your data complaints procedure as part of engagement letter due diligence. Having it documented is becoming a commercial expectation as well as a legal one.

The Five Steps You Need to Take Before 19 June

Step 1: Appoint a Named Data Contact

You don't need a Data Protection Officer (DPO) unless you meet the higher-risk thresholds. But you do need a named person — the business owner, an office manager, or a designated employee — whose name and contact details are associated with data queries. Document this formally.

Step 2: Write Your Data Complaints Procedure

Draft a standalone document (500–1,000 words is sufficient) that covers: how to submit a complaint, who receives it, the expected response timeframe, how the complaint is investigated, and how the outcome is communicated. Include the ICO's contact details as the escalation route. Keep it in plain English.

Step 3: Make It Accessible

Add a link to the procedure in your website footer alongside your Privacy Policy. If you don't have a website, the procedure should be available on request and referenced in your contract terms and email footer.

Step 4: Create a Complaint Log

Set up a simple spreadsheet or document to record: date of complaint, name of complainant, nature of the complaint, action taken, date of response, and outcome. You need to be able to demonstrate a record of complaints handled — even if that record is "zero complaints received".

Step 5: Review Your Privacy Notice

Your privacy notice (privacy policy) must now reference the existence of the complaints procedure and how to access it. If your privacy notice was last updated before 2025, it almost certainly needs updating to reflect DUAA compliance.

Frequently Asked Questions

Is the DUAA the same as GDPR?

No. GDPR principles are largely preserved, but the DUAA is UK domestic legislation that modifies and extends the framework. Key differences include the formal complaints procedure obligation, updated fine thresholds, and changes to legitimate interests assessments. Compliance with GDPR does not automatically mean compliance with DUAA.

Does the DUAA apply to sole traders?

Yes. Any business that processes personal data — regardless of size or legal structure — is subject to DUAA obligations, including the complaints procedure requirement.

What if a customer complains to the ICO directly?

The ICO can investigate a complaint even if the complainant has not first gone through your internal complaints procedure. However, demonstrating that you had a documented, accessible procedure in place is a significant mitigating factor in any ICO investigation — it shows good faith and operational competence.

When does the DUAA come into force?

The formal data complaints procedure obligation under DUAA comes into effect on 19 June 2026. That is 71 days from now. Businesses should aim to have procedures in place by 1 June to allow time for testing and communication.

Do I need a solicitor to write the complaints procedure?

No. The procedure needs to be clear and accessible, not legally complex. Most SMBs can draft an adequate procedure themselves, or use a compliance template. ComplianceAlert provides compliance document templates for Starter plan subscribers — see compliancealert.co.uk/documents.

What Happens If You Don't Act?

The ICO has stated publicly that DUAA enforcement will be proactive, not just complaint-triggered. In practical terms, this means:

  • If a data subject complains about you to the ICO, the first thing the ICO will check is whether you have a documented complaints procedure
  • Absence of a procedure is itself a compliance failure — separate from whatever triggered the original complaint
  • The ICO can issue a fine for procedural non-compliance even if no data breach occurred

The practical risk for most SMBs isn't a £17.5m fine — it's a corrective action notice, a formal warning on the ICO register, and the reputational cost of appearing in ICO enforcement news. For professional services firms and businesses that work with public sector clients, an ICO action is a significant commercial risk.

How ComplianceAlert Helps

ComplianceAlert monitors DUAA and ICO guidance in real time and sends you plain-English alerts when new requirements or enforcement updates apply to your sector. When the ICO publishes updated guidance on DUAA implementation — which it will do between now and June — you'll get a notification before your competitors do.

We also include compliance document templates (including a data complaints procedure template) with our Starter plan at £19/month.

The 7-day free trial includes full access to all monitoring and document templates — no credit card required.

Key Takeaways

  • The DUAA makes a formal, documented data complaints procedure legally mandatory from 19 June 2026
  • This applies to virtually every UK business that holds any personal data
  • ICO fines under DUAA reach up to £17.5m or 4% of global turnover
  • You need: a named contact, a written procedure, a complaint log, and public accessibility
  • 71 days to get this in place — the 1 June target gives you buffer

Start with Step 1 today: name the person who handles data complaints in your business and write it down. The rest follows naturally from that decision.

Try ComplianceAlert free for 7 days — monitor DUAA, ICO updates, and every other UK regulation that affects your business, automatically. No credit card required. compliancealert.co.uk
