DUA Act amendment on data protection complaints takes effect
Published: 23/06/2026 | ICO
New legal requirements concerning how UK organisations handle data protection complaints came into force on 19 June 2026. Introduced under Section 103 of the Data (Use and Access) Act 2025 (DUA Act), the provision amends Section 164A of the Data Protection Act 2018, requiring controllers to implement a mechanism or procedure through which data subjects can complain to the controller about any concerns they have over the processing of their personal data.
Organisations are subsequently required to acknowledge any complaint received within 30 days, conduct an appropriate investigation, and communicate the outcome.
The 19 June date also marks the 12-month anniversary of the DUA Act passing into law. With the new complaints procedure in effect, all outstanding provisions are now in force.
In a related post, Emily Keaney, Deputy Commissioner for Regulatory Policy at the ICO, provided an update on the anniversary of the DUA Act, outlining the areas of support the regulator has focused on and its new powers. Over the past year, the ICO produced guidance in 13 high-priority areas and conducted 11 consultations that received over 300 responses.
The DUA Act also grants the ICO significant new powers. These include the power to compel witnesses to attend interviews and to request reports from approved persons. In addition, the maximum fines under the Privacy and Electronic Communications Regulations (PEC Regulations) have risen to £17.5 million or 4% of global turnover, aligning them with the penalties under the UK General Data Protection Regulation (GDPR).
Looking ahead, Keaney explains that the ICO will continue to publish updated guidance throughout the summer and is also commencing work on a new statutory code of practice specifically addressing artificial intelligence (AI) and automated decision-making (ADM).