UK DUAA Complaints Requirements Are Now in Force

The U.K.’s Data (Use and Access) Act has officially moved another privacy compliance obligation from best practice to legal requirement.

Organizations subject to U.K. data protection law must now give individuals a clear way to raise data protection complaints, acknowledge those complaints within 30 days, investigate appropriately, keep people informed, and communicate the outcome.

That may sound procedural. It is not.

This is one of those privacy changes that looks small on paper but matters a lot in practice. A weak complaints process is often where privacy problems get worse. A person asks why their data was used. Nobody answers. A customer asks why they are still receiving marketing. The inbox is not monitored. A former employee complains about inaccurate records. The request sits with customer support. A patient asks why a portal disclosed information to a third party. Nobody knows who owns the issue internally.

That is how small privacy issues become regulator complaints, legal claims, lost customers, and reputational damage.

The New DUAA Complaints Duty

The U.K. Information Commissioner’s Office says all organizations must now provide a clear way for people to raise a data protection complaint. They must acknowledge receipt within 30 days, investigate appropriately, and tell the complainant the outcome.

Emily Keaney, Deputy Commissioner for Regulatory Policy at the ICO, explained the purpose clearly:

“This is about good data protection becoming business as usual. A clear and fair complaints process helps people get their issues resolved and helps organisations identify and fix problems early.”

She added:

“We recognise that some businesses, especially smaller ones, may still be adjusting. Our role is to support you; provide clarity and help you build complaints handling into your day-to-day operations.”

And the line every business should pay attention to:

“Getting this right isn’t just about compliance – it’s about trust, transparency and good customer relationships.”

That is the correct framing. This is not just a technical U.K. data law update. It is a customer trust issue.

Privacy Complaints Are Different From Ordinary Customer Complaints

A data protection complaint is not the same thing as a general customer service complaint.

If someone complains that an order was late, that is usually customer service. If someone complains that the company used their personal information incorrectly, failed to respond to a subject access request, sent them unwanted marketing, retained their information too long, disclosed their data to the wrong recipient, failed to delete their data, or handled a breach poorly, that is a data protection complaint.

The ICO’s guidance makes clear that individuals do not need to use legal language. They do not need to cite the U.K. GDPR, the Data Protection Act, or the Data (Use and Access) Act. They may simply say something like:

Why do you still have my information?

Why am I receiving these emails?

Why did you share my data?

Why did you deny my access request?

Why is my account information inaccurate?

Why did your website collect this information?

Why was my data exposed in a breach?

If the concern is about how personal information was collected, used, stored, disclosed, secured, retained, deleted, corrected, or handled, organizations need to treat it as a potential data protection complaint.

The 30-Day Acknowledgement Requirement Matters

The most concrete requirement is the 30-day acknowledgement deadline.

Organizations must acknowledge receipt of a data protection complaint within 30 days. That does not necessarily mean the full investigation must be completed within 30 days. But the organization must confirm that the complaint has been received and will be looked into.

This is where many businesses will get caught.

Privacy complaints can arrive through different channels. They may come through a privacy inbox, customer support email, web form, chatbot, call center, social media account, sales representative, account manager, HR department, or local office. The person receiving the complaint may not recognize it as a privacy issue.

That is the operational challenge.

A company can have a perfect privacy policy and still fail if frontline employees do not know what to do when someone complains about their data.

The new requirement means organizations need routing. They need training. They need a monitored intake channel. They need a complaint log. They need ownership. They need a way to prove when the complaint was received, when it was acknowledged, what steps were taken, and what outcome was communicated.

Without that, the 30-day requirement becomes easy to miss.

This Is a Workflow Problem, Not Just a Policy Problem

Many organizations will respond to the DUAA complaints duty by adding a sentence to their privacy policy.

That is not enough.

Yes, the privacy notice should explain how people can raise a data protection complaint. It should give clear contact details and tell people what to expect. But the real compliance work happens behind the scenes.

Someone has to monitor the inbox.

Someone has to classify the complaint.

Someone has to verify identity where needed.

Someone has to gather facts.

Someone has to coordinate with vendors, processors, joint controllers, support teams, security, marketing, HR, legal, and IT.

Someone has to keep the complainant updated.

Someone has to decide the outcome.

Someone has to document the result.

This is why privacy compliance increasingly looks like operations. Regulators are not only asking whether a company has a policy. They are asking whether the company can execute the policy.

What Organizations Need to Do Now

Organizations subject to U.K. data protection law should treat the DUAA complaints requirement as an immediate process review.

The first step is to create a clear intake path. This can be a dedicated privacy email address, web form, portal, complaint form, or an existing complaints system adapted to include data protection complaints. The exact tool matters less than whether people can actually use it and whether the organization can manage the complaint once it arrives.

The second step is to update the privacy notice. Individuals should be told that they can complain directly to the organization about data protection issues. The notice should explain how to complain, what information to provide, and how the organization will handle the complaint.

The third step is to train staff. Customer support, sales, HR, account management, marketing, and anyone who receives external communications should know how to recognize a data protection complaint. They do not need to become privacy lawyers. They do need to know when to escalate.

The fourth step is to build a complaint register. The organization should track the date received, channel, complainant, subject matter, acknowledgement date, assigned owner, investigation steps, status, outcome, and any remedial action taken.

The fifth step is to create response templates. Acknowledgement templates, identity verification templates, update templates, outcome templates, and escalation templates can make the process faster and more consistent.

The sixth step is to connect the complaints process to DSAR and privacy rights workflows. Many data protection complaints will relate to subject access requests, deletion requests, correction requests, objection requests, marketing opt-outs, or other privacy rights. If those workflows are disconnected, complaints will fall through the cracks.

The seventh step is to involve vendors and processors. If a complaint relates to a processor, platform, marketing vendor, HR system, analytics tool, cloud provider, or outsourced support provider, the controller still needs a way to get information quickly. Vendor contracts and DPAs should support complaint handling.

Why This Matters for U.S. Companies Too

This is a U.K. law update, but U.S. companies should not ignore it.

Many U.S. businesses sell to U.K. customers, monitor U.K. users, run websites accessible to U.K. residents, process data for U.K. clients, or maintain subsidiaries, employees, users, or prospects in the U.K.

If a company is subject to U.K. data protection law, it needs to understand these complaint requirements. That is especially true for SaaS companies, ecommerce brands, healthcare technology vendors, fintech platforms, adtech companies, HR platforms, education technology companies, and businesses with U.K. users or customers.

The practical issue is that many U.S. companies already have DSAR processes for GDPR, U.K. GDPR, CCPA, and state privacy laws. But a complaint is not always the same as a rights request.

A DSAR asks the company to do something specific with data: provide access, delete, correct, opt out, restrict, or explain processing. A complaint may challenge how the company handled data in the first place. It may involve dissatisfaction with a prior response. It may raise concerns about consent, cookies, marketing, automated decision-making, profiling, data sharing, retention, security, or transparency.

That means companies should not assume their DSAR portal alone satisfies the complaint obligation. They need a complaint intake and investigation path as well.

Privacy Complaints Are Early Warning Signals

The best way to view this requirement is not as a burden. It is an early warning system.

When people complain about data protection, they are often identifying a real weakness inside the organization. Maybe the privacy notice is confusing. Maybe marketing opt-outs are not working. Maybe a vendor is sending emails after consent was withdrawn. Maybe the DSAR process is too slow. Maybe records are inaccurate. Maybe a website tracker is collecting more information than expected. Maybe a support team is asking for too much identification. Maybe a deletion request was never completed in a downstream system.

A company that handles these complaints well can fix issues before they turn into regulator referrals, litigation, public criticism, or customer churn.

A company that ignores them loses that chance.

This is why the ICO’s trust message matters. Complaints are not just a compliance obligation. They are direct feedback about whether the organization’s privacy program works in real life.

The Complaint Process Should Feed Back Into Governance

A mature privacy program does not treat complaints as isolated tickets. It uses them to improve the program.

If multiple people complain about marketing emails, the company should review consent records, suppression lists, CRM workflows, and third-party marketing vendors.

If multiple people complain about data access requests, the company should review DSAR intake, identity verification, deadlines, search processes, exemptions, and response quality.

If people complain about inaccurate data, the company should review data sources, synchronization rules, profile merging, account updates, and retention.

If people complain about tracking, cookies, pixels, or targeted advertising, the company should review consent banners, tag management, cookie disclosures, vendor lists, and whether non-essential trackers fire before consent.

If employees complain about HR data, the company should review employee privacy notices, HRIS access, retention, monitoring tools, and internal access controls.

The process should not end with “case closed.” It should produce operational improvements.

What a Strong DUAA Complaint Process Looks Like

A strong process should be simple for individuals and structured for the company.

Externally, people should be able to understand where to complain, what information to include, how the organization will acknowledge the complaint, how updates will be handled, and when they can escalate to the ICO if they remain dissatisfied.

Internally, the company should have clear ownership, escalation rules, deadlines, templates, recordkeeping, identity verification procedures, vendor coordination steps, and quality control.

The process should also account for complaints from children, complaints made through social media, complaints made on behalf of someone else, complaints mixed with customer service issues, complaints involving sensitive data, and complaints involving urgent harm.

That last point matters. Not every complaint carries the same risk. A complaint about an outdated mailing address may be simple. A complaint involving a data breach, children’s data, health information, employment decisions, financial data, stalking risk, domestic abuse risk, or automated decision-making may need urgent escalation.

Common Mistakes Companies Should Avoid

The first mistake is assuming that complaints only count if they go to the privacy inbox. The ICO guidance makes clear that people may complain through different channels. If the company receives it, the company needs to deal with it.

The second mistake is treating the 30-day acknowledgement period as a waiting period. The obligation to investigate does not begin after 30 days. The organization should begin making appropriate enquiries without undue delay.

The third mistake is failing to keep records. If the ICO later asks what happened, the organization needs evidence. A complaint log, acknowledgement copy, investigation notes, internal communications, vendor responses, and final outcome letter may all matter.

The fourth mistake is over-collecting ID. Organizations can verify identity where needed, but they should not demand excessive personal information when they already have enough information to identify the person.

The fifth mistake is failing to separate the data protection issue from a broader complaint. A customer may complain about service and data protection in the same message. The company still needs to handle the data protection component properly and without undue delay.

The sixth mistake is forgetting processors and joint controllers. If another party helps process the data, the company needs a way to coordinate quickly. The complaint clock should not stop because a vendor is slow.

This Is Another Push Toward Operational Privacy

The DUAA complaints requirement fits a broader trend in privacy regulation.

Privacy compliance is moving away from static documents and toward operational accountability. Regulators want companies to show that privacy rights are usable, complaints are handled, consents are honored, data maps are accurate, vendors are controlled, and policies match actual practices.

That is why the complaint process matters. It is a test of whether a company’s privacy program works when a real person challenges it.

A privacy policy can say the right things. A consent banner can look polished. A DSAR form can be live on the website. But when someone complains, the company has to prove it can respond.

That is where privacy programs succeed or fail.

Where Captain Compliance Fits In

Captain Compliance helps organizations turn privacy obligations into working processes.

That includes privacy notices, DSAR workflows, consent management, cookie disclosures, vendor disclosures, data governance support, and ongoing monitoring for privacy risk across websites and digital systems.

The DUAA complaints requirement is a reminder that privacy compliance is not only about what a company publishes. It is about what the company can actually do when a person exercises rights, raises concerns, or challenges how their personal information was handled.

For U.K.-facing businesses, the next step is straightforward: review your privacy notice, complaint intake, internal workflow, DSAR process, vendor contracts, and recordkeeping. Make sure people can complain. Make sure the complaint is acknowledged within 30 days. Make sure someone investigates. Make sure the outcome is documented and communicated.

Getting this right reduces escalation risk. More importantly, it shows customers, users, employees, and regulators that the company takes privacy seriously.
