The Data (Use and Access) Act 2025 introduced a new statutory complaint-handling duty on UK data controllers, and the operational reality is landing now. Section 164A of the Data Protection Act 2018 — inserted by the DUAA — requires controllers to facilitate complaints from data subjects, acknowledge them within 30 days, and respond without undue delay. The Information Commission's updated complaints guidance, finalised earlier this year, sets the expectation that controllers handle complaints first before the regulator steps in.
This is a structural shift. The Information Commission has been clear it wants to act as a regulator of last resort, not a first-line complaints desk. Controllers who treat complaint handling as an inbox-monitoring exercise are about to find themselves on the wrong side of enforcement priorities.
For most organisations, the gap between current practice and the new statutory expectation is wider than leadership realises. Our consultants have spent the last six months auditing complaint-handling workflows across financial services, healthcare, and SaaS clients. The pattern is consistent: a process exists on paper, but nobody owns it operationally. This post sets out what Section 164A requires, what the June 2026 ICO data protection complaint-handling reforms mean in practice, and the implementation steps that close the gap.
What Section 164A actually requires
Section 164A of the DPA 2018 creates three concrete obligations for UK data controllers. First, you must facilitate the making of complaints — including by providing a complaint form that can be submitted electronically. Second, you must acknowledge receipt within 30 days. Third, you must respond to the complaint without undue delay and provide the outcome to the data subject.
"Facilitate" is the operative word. The Information Commission's guidance is explicit: a buried email address in a privacy notice does not satisfy the duty. Controllers must make the complaint route obvious, accessible, and trackable. If a data subject struggles to find how to complain, you have already failed the test. The guidance recommends a dedicated complaint form accessible from your website's main navigation, privacy notice, and data subject rights portal.
The duty applies to every UK data controller processing personal data under UK GDPR — there is no SME carve-out, no sector exemption, no threshold based on processing volume. If you are a controller, this applies. Whether you process data for five customers or five million, the same Section 164A obligations bind you.
Why the reforms matter now
The Information Commission has restructured its own complaint-triage process to align with Section 164A. When a data subject complains to the regulator, the Information Commission will now ask whether the complainant has first raised the matter with the controller. If not, the regulator will direct them back. This pushes the operational burden — and the reputational exposure — squarely onto controllers.
The enforcement angle matters. The Information Commission's Regulatory Action Policy treats failure to handle complaints adequately as a separate breach, distinct from the underlying data protection issue the complaint concerns. You can comply perfectly with UK GDPR Articles 5 and 6 and still face enforcement for ignoring complaints. That is a new category of risk most controllers have not budgeted for, and it creates a direct financial consequence for poor complaint handling regardless of the substantive issue.
There is also a discovery effect. Complaints are an early-warning system. When complaint handling is broken, you lose visibility into the breaches, DSAR failures, and consent issues that would otherwise surface internally before becoming regulatory matters. Our consultants have found that organisations with structured complaint-handling processes detect systemic data protection issues 60-90 days earlier than those without, substantially reducing the scope of remediation required.
For firms that also handle EU data subjects, the EU GDPR's Article 77 complaint mechanism and the one-stop-shop system create a parallel obligation. The two complaint channels must be managed separately, as UK GDPR (as amended by DUAA) and EU GDPR diverge in their procedural requirements.
Practical implementation steps
Treat the UK GDPR complaint process requirement as a programme, not a policy update. Our consultants recommend the following sequence:
Build a dedicated complaint channel. A standalone web form, clearly linked from your privacy notice and footer, capturing the complaint, contact details, and any supporting information. Email-only is no longer defensible. The form should include mandatory fields for the data subject's identity, the processing activity being complained about, and the nature of the grievance — this structure prevents the 30-day clock from starting on an incomplete submission.
Set a 30-day acknowledgement SLA with automation. Acknowledgement should be automated on receipt — ideally within 24 hours, certainly within days. The 30-day statutory cap is a backstop, not a target. Automated acknowledgement reduces the risk of the clock expiring before human review begins.
Define a triage and ownership model. Every complaint needs a named owner, a category (DSAR-related, marketing consent, accuracy, retention, etc.), and a target resolution date. Your DPO should review the complaint queue at a regular cadence — weekly for financial services firms that handle large volumes of personal data, monthly for smaller controllers.
Document the outcome and reasoning. Section 164A requires you to inform the data subject of the outcome. The Information Commission will ask to see your reasoning if the complaint escalates. Free-text closure notes are insufficient — use a structured response template that captures the complaint, the investigation conducted, the findings, the outcome, and the data subject's right to escalate to the Information Commission.
Track metrics. Volume, time-to-acknowledge, time-to-resolve, outcome categories. Report these to your board quarterly. If you cannot answer "how many complaints did we receive last quarter, what were the most common categories, and what was our average resolution time?" you do not have a process that would survive regulatory scrutiny.
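The SLA, escalation and metrics steps above, as an added Python example that is not from the post or from Pyralink: it models a complaint queue using the post's thresholds (30-day statutory acknowledgement cap, 24-hour internal target, 48-hour unassigned escalation, 60-day resolution window), flags silent closures, and produces the quarterly figures a board would ask for. Field names, the `NOW` reference time and the sample records are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Thresholds from the post: 30-day statutory acknowledgement cap, 24h internal
# acknowledgement target, 48h unassigned escalation, 60-day resolution window.
ACK_STATUTORY, ACK_TARGET = timedelta(days=30), timedelta(hours=24)
ASSIGN_ESCALATION, RESOLVE_TARGET = timedelta(hours=48), timedelta(days=60)

@dataclass
class Complaint:                               # constructed record layout
    ref: str
    received: datetime
    category: str                              # e.g. "retention", "accuracy"
    owner: Optional[str] = None
    acknowledged: Optional[datetime] = None
    closed_internally: Optional[datetime] = None
    outcome_sent: Optional[datetime] = None    # when the data subject was told

def sla_flags(c: Complaint, now: datetime) -> list:
    """List the SLA problems with one complaint as of `now`."""
    flags, age = [], now - c.received
    if c.acknowledged is None:
        if age > ACK_STATUTORY:
            flags.append("ack_statutory_breach")
        elif age > ACK_TARGET:
            flags.append("ack_target_missed")
    if c.owner is None and age > ASSIGN_ESCALATION:
        flags.append("escalate_unassigned")
    if c.closed_internally is not None and c.outcome_sent is None:
        flags.append("silent_closure")         # fixed internally, loop never closed
    if c.outcome_sent is None and age > RESOLVE_TARGET:
        flags.append("resolution_overdue")
    return flags

def queue_metrics(queue: list) -> dict:
    """Board-level figures: volume, mean hours to acknowledge, mean days to resolve."""
    ack = [(c.acknowledged - c.received).total_seconds() / 3600 for c in queue if c.acknowledged]
    res = [(c.outcome_sent - c.received).days for c in queue if c.outcome_sent]
    return {"volume": len(queue),
            "mean_hours_to_ack": round(mean(ack), 1) if ack else None,
            "mean_days_to_resolve": round(mean(res), 1) if res else None,
            "by_category": dict(Counter(c.category for c in queue))}

NOW = datetime(2026, 7, 1)
SAMPLE_QUEUE = [  # constructed sample records, not real complaints
    Complaint("C-1", datetime(2026, 6, 29), "retention", owner="dpo", acknowledged=datetime(2026, 6, 29, 6)),
    Complaint("C-2", datetime(2026, 6, 26), "marketing_consent"),
    Complaint("C-3", datetime(2026, 4, 1), "accuracy", owner="privacy-ops",
              acknowledged=datetime(2026, 4, 2), closed_internally=datetime(2026, 4, 20)),
]
```

Running `sla_flags` over each record in `SAMPLE_QUEUE` at `NOW` surfaces the unowned complaint for escalation and the silently closed one as both unresolved and overdue.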
Common mistakes we see
The first mistake is conflating complaints with DSARs. They are distinct statutory regimes with different timelines and obligations. A DSAR is a request for information under Article 15; a complaint is a grievance about processing under Section 164A. Treating them in the same workflow creates compliance gaps in both directions. Our consultants recommend separate intake channels, separate ticketing, and separate SLA tracking.
The second is delegating to a generic customer service queue. Frontline staff routing a UK GDPR complaint into a billing ticketing system will miss the 30-day clock. Complaints must be flagged and routed to a privacy-trained owner on receipt, with automated escalation if unassigned within 48 hours.
The third is silent closure. Closing a complaint without communicating the outcome to the data subject is a direct breach of Section 164A. We see this constantly — controllers resolve the underlying issue internally and never close the loop with the complainant. The data subject is left unaware that the matter has been addressed, and the Information Commission will treat the complaint as unresolved.
The fourth is failing to escalate. If a complaint reveals a systemic issue — a misconfigured cookie banner, an unlawful processing basis, a retention failure — it must trigger a wider review, not just an individual response. Our consultants recommend a documented escalation threshold: any complaint that reveals an issue affecting more than one data subject or processing activity should automatically trigger a DPIA review.
Frequently asked questions about ICO complaint handling reforms
Does Section 164A apply to micro-enterprises and sole traders?
Yes. There is no SME carve-out or de minimis threshold. Every UK data controller is subject to Section 164A. However, the proportionality principle applies — the Information Commission will assess whether the complaint handling measures are appropriate to the size and nature of the processing. A sole trader may satisfy the duty with a simple web form and manual tracking; a financial services firm processing millions of records requires automated systems and dedicated resource.
What counts as "without undue delay" for responding?
The Information Commission has not set a specific timeframe beyond the 30-day acknowledgement requirement. "Without undue delay" is fact-dependent and considers the complexity of the complaint and the volume of processing involved. Our consultants recommend setting internal targets (typically 30-60 days for resolution) and documenting the rationale if resolution takes longer.
What happens if we fail to comply with Section 164A?
The Information Commission can take enforcement action for the complaint handling failure itself, separate from the underlying data protection issue. This creates dual enforcement risk: a single incident can generate two distinct regulatory actions. The Information Commission's regulatory action policy treats complaint handling failures as a priority area for 2026 enforcement.
How Pyralink helps
Pyralink Innovation Ltd is a UK cybersecurity and data protection firm led by Michael Adedeji (CISM, CISA, CC, MSc Data Science). Our team designs and implements compliant complaint-handling frameworks aligned to Section 164A DPA, integrates them with existing DSAR and incident workflows, and provides the board-level reporting that demonstrates statutory compliance.
Through our fractional vCISO service (from £497/month), we embed privacy operations directly into your organisation — covering complaint handling, UK GDPR governance, ISO 27001 alignment, and ongoing compliance programme management. We carry £5M professional indemnity insurance and work with controllers across financial services, healthcare, and technology.
Our CloudAuditX platform also identifies the technical configurations — consent capture, retention controls, access logging — that drive complaint volume. Fixing the source is cheaper than handling the symptoms.