In brief
Setting the background
A significant change to UK data protection law came into force on 19 June 2026, introducing a new statutory complaints handling framework for organisations.
The changes are introduced by the DUAA, which amends the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). As part of these reforms, organisations will be required to establish and operate an internal complaints-handling process. Individuals must use this process before escalating concerns to the Information Commissioner's Office (ICO).
We previously discussed the wider implications of the DUAA and its key reforms to UK data protection law. If you would like to explore the other key changes that have been introduced, you can read our overview here.
What is changing?
The DUAA introduces a new section 164A into the DPA 2018, creating a statutory right for individuals to raise data protection complaints directly with organisations.
Previously, while individuals had the right under Article 77 UK GDPR to lodge complaints with the ICO, there was no express legal requirement for organisations to maintain a dedicated internal complaints process. The new section 164A regime formalises this obligation.
From 19 June 2026, organisations must ensure they have an appropriate complaints handling process in place. ICO guidance provides that organisations should:
The reforms also change the complaints pathway for individuals. Rather than approaching the ICO in the first instance, individuals will be expected to raise their complaint with the relevant organisation before escalating the matter to the ICO. This reflects the ICO's broader aim of encouraging complaints to be addressed and resolved directly wherever possible.
What steps should organisations take?
Organisations should review their existing data protection governance arrangements to ensure they can meet the new requirements.
In practice, this is likely to involve:
For many organisations, these changes may involve refining existing processes rather than creating entirely new ones.
How Mishcon de Reya can help
If you would like advice on updating privacy notice wording or implementing compliant complaints handling procedures, do not hesitate to get in touch with our Data experts.
Author:
Ana-Maria Curavale, Associate, Mishcon de Reya LLP