New UK GDPR Complaints Process: What You Need to Know

by Chief Editor

The Data (Use and Access) Act (DUAA) has introduced a new, comprehensive complaint-handling regime for UK data protection, effective as of 19 June. According to Kathryn Wynn and Malcolm Dowden of Pinsent Masons, this framework mandates that businesses manage all forms of UK GDPR infringement—not just data breaches—through integrated, auditable processes, or risk significant regulatory scrutiny from the Information Commissioner’s Office (ICO).

Why the new DUAA complaint regime changes business operations

The DUAA updates move beyond simple internal policy; they create a legal imperative for how firms interact with individuals. According to Malcolm Dowden, the regime requires organizations to accept complaints through any channel an individual chooses, including social media, chatbots, or phone calls. This shift means a “dedicated form” on a company website is no longer sufficient for compliance. Firms that fail to capture and resolve these complaints risk being flagged by the ICO for procedural failures, which the regulator has increasingly targeted in recent enforcement actions.

Pro Tip: Audit your omnichannel presence. If a customer complains via a Facebook comment or a customer service chatbot, your system must be able to log, track, and process that as a formal data protection complaint.

How to avoid the “silo trap” in complaints management

Handling data protection complaints in isolation is a significant operational risk. Kathryn Wynn and Malcolm Dowden warn that data protection duties often overlap with other mandatory frameworks, such as the Financial Conduct Authority’s (FCA) Consumer Duty or the DISP framework for financial services. By keeping data protection teams separate from general customer service governance, firms risk missing deadlines or failing to provide consistent information to regulators. A “joined-up” approach is essential to ensure that a complaint about automated decision-making is handled with the same rigor as a standard service grievance.


What happens when Data Subject Access Requests (DSARs) trigger complaints?

Data Subject Access Requests (DSARs) are a primary flashpoint for the new regime. Kathryn Wynn notes that procedural errors during high-volume or complex DSARs frequently lead to complaints. To mitigate this, organizations should review their contractual terms with third-party suppliers. Ensuring that service providers are contractually obligated to assist during the complaint process can prevent the bottlenecking of information when a formal inquiry is launched.


Frequently Asked Questions

  • Does this affect all data protection complaints? Yes. The regime applies to any form of infringement under the UK GDPR, extending well beyond personal data breaches.
  • Can the ICO penalize me for having a bad process? Yes. According to Malcolm Dowden, the ICO views procedural deficiencies in training and record-keeping as compliance failures, regardless of whether a major data breach occurred.
  • What if we use a third-party vendor? Your organization remains responsible. Experts suggest updating contracts to ensure vendors provide the necessary documentation and support when a complaint arises.

Did you know? Regulatory scrutiny is increasingly coordinated. Firms that fail the ICO’s standards may also face secondary investigations from other bodies, such as the FCA, if their complaints pathways are found to be inadequate.
