
The Data Protection Complaints Regime Switches On 19 June 2026. Here's What UK Schools, Charities and SMBs Should Have In Place By Friday Week.

6 June 2026Boris Didov

From 19 June 2026 a new statutory duty under the Data (Use and Access) Act 2025 switches on. Every UK controller - every school, charity and SMB - must have a working data protection complaints process, an electronic form and at least one alternative route, a 30-day acknowledgement clock, and a record the ICO can ask to see. There are no carve-outs for size. Here is the minimum viable position for Friday week and the 30/60/90-day plan to make it boring.

Key takeaways

  • From Friday 19 June 2026 every UK controller - every school, charity and SMB, no exemptions - must have a working data protection complaints process under new Section 164A of the Data Protection Act 2018, inserted by the Data (Use and Access) Act 2025.
  • The minimum viable position is a public-facing complaints page (electronic form plus an email address), a named owner, an acknowledgement template, a simple log, and a brief for everyone who answers the phone, the email and the social-media accounts.
  • Treat any complaint about data - by any route, in any wording - as a Section 164A complaint until you have decided otherwise. The 30-day acknowledgement clock starts the day after the complaint arrives, including weekends and public holidays.
  • Run the complaints process out of the same owner, the same log and the same supplier contacts you already use for subject access requests. Most complaints that arrive at small organisations are really about something a supplier did, so review the top five supplier contracts now.
  • Put a standing quarterly number on the board pack - received, average days to acknowledge, escalated to the ICO, themes - so the trustees, governors or directors (the controller) can see it. Harden the inbox with passkeys: it is now a high-value target.

On Friday 19 June 2026, a new statutory duty under the Data (Use and Access) Act 2025 switches on. From that morning, every UK organisation that holds personal data — every school, multi-academy trust, charity, club, partnership and small business — must have a working complaints-handling process for data protection complaints. Not a policy on a shelf. A process people can actually use, with a clock running from the moment a complaint lands.

The new duty sits in a new Section 164A of the Data Protection Act 2018, inserted by the Data (Use and Access) Act when it received Royal Assent on 19 June 2025. The substantive requirement was held back by twelve months so organisations had time to prepare. That window closes in under two weeks. The Information Commissioner's Office published its final guidance, "How to deal with data protection complaints", on 12 February 2026, and has spent the months since signalling that it expects controllers to be ready on the day.

There are no carve-outs for size, sector or volume. A 12-pupil tutoring company that holds a parent's email is a controller. A 9-staff charity that processes donor records is a controller. A 4-person plumbing business that keeps customer details on a phone is a controller. All of them are inside Section 164A. The complaints duty is the single most universal data-protection obligation introduced in the UK since UK GDPR took its final form in 2021.

What the law actually requires from 19 June

Section 164A applies to controllers — the organisation that decides why and how personal data is processed. In schools, that is the governing body or trust. In charities, it is the trustees. In SMBs, it is the company. Processors (your IT provider, your cloud back-up, your payroll bureau) are not directly in scope, but their contracts will need to support your obligations.

A "data protection complaint" is any complaint from an individual that alleges your organisation has not complied with UK GDPR or with Part 3 of the Data Protection Act 2018. It does not have to be labelled as such. A parent asking the school office why her child's photograph appeared in a newsletter is one. A donor messaging a charity to ask why fundraising calls continue after they unsubscribed is one. A customer phoning a tradesperson to ask what was done with their address is one. You do not get to wait for the word "GDPR" to appear.

The duty has five operative parts. First, you must facilitate complaints — that means providing an electronic form on your website, plus at least one alternative route (email or post is the usual pair). Second, you must accept complaints however they arrive — phone, social media, in person, a note pushed under the office door — and channel them into your process. Third, you must acknowledge a complaint within 30 days of receipt. The statutory clock starts the day after the complaint arrives, including weekends and public holidays. Fourth, you must investigate without undue delay and keep the complainant informed of progress. Fifth, you must give a clear outcome and tell the complainant about their right to escalate to the ICO if they are not satisfied. Throughout, you must keep records of what arrived, when, what you did, and what you decided. The ICO may ask to see those records.

There is no statutory requirement to publish a full complaints policy as a separate document, but the process must be easy to find. In practice, that means a clearly named page (most organisations are using "How to make a data protection complaint" or similar), linked prominently from the privacy notice and the website footer, with the electronic form and the alternative route on it.

The next 13 days: what to put in place before Friday week

The minimum viable position by 19 June is a public-facing complaints page, a defined inbox, a named owner, an acknowledgement template and a simple log.

Build the page first. It needs a one-line description of what counts as a data protection complaint, the electronic form (a contact form works), an email address as the alternative route (often privacy@ or dpa-complaints@), and a short note that you will acknowledge within 30 days and tell the complainant about their right to go to the ICO if they are unhappy with the outcome. Link it from the privacy notice, the website footer, and any parent portal, donor area or customer login.

Pick the inbox and the owner. A shared mailbox monitored by at least two people beats a personal address that goes unmonitored on annual leave. The owner runs the investigation; in small organisations this is usually the same person who already runs subject access requests. Make sure incoming mail is not silently filtered to spam: send a test complaint through the web form and a second one from an external, non-organisation email address, and confirm both land in the shared mailbox and reach the people who monitor it.

Write the acknowledgement template. Three short paragraphs: confirm receipt, name the owner, give an indicative timescale.

Set up the log. A single spreadsheet with seven columns — date received, route, complainant, summary, date acknowledged, actions taken, outcome — is sufficient and matches what the ICO would ask to see. Six years' retention from the date of the complaint is the working assumption.

Brief the people who answer the phone, the email and the social-media accounts. They do not need to know the law — they need to know that anything that smells like a data protection complaint goes straight to the named inbox and is not handled informally.

That is the floor. Most organisations of the size ReadyToday works with can stand it up in an afternoon if the website is editable in-house, or in three or four working days if the page change goes through an agency.

The next 60 days: tighten the process and connect it to what you already do

By the end of July the process needs to be running as if it has always existed. Three things in particular tend to fall over in the first month.

The first is the 30-day acknowledgement clock. It does not pause for the summer holidays, half-term, the end of the financial year, or the founder being on leave. Name a delegate with access to the inbox and the log so the mailbox is monitored every working day, including when the owner is away.

The second is the supplier question. Most data protection complaints that arrive at small organisations are really about something a supplier did — the marketing platform that sent the wrong email, the booking system that exposed a name, the homework app that retained a photograph. You are still the controller. Review your top five supplier contracts for a named data protection contact, an incident-response timescale, and a commitment to support complaint investigations. This is the same supplier-due-diligence muscle that the Cyber Resilience Pledge asks for and that last month's <a href="/resources/blog/canvas-lms-breach-2026-what-uk-schools-universities-smbs-should-do">Canvas LMS breach</a> made obvious.

The third is the link to subject access requests. Many DUAA complaints will arrive bundled with — or shortly after — a subject access request. The same owner should run both. The log can be the same spreadsheet with an extra column. The same supplier contacts will be involved. Do not build a parallel universe.

Two adjacent jobs save real time later. Refresh the privacy notice so it points at the new complaints page and uses plain language about the right to complain to your organisation first, then to the ICO. And refresh your <a href="/resources/blog/cyber-resilience-pledge-2026-what-uk-smbs-charities-schools-should-do">Cyber Resilience Pledge</a> alignment so that board-level cyber ownership (Action 1) explicitly includes oversight of data protection complaints. The trustees and governors are the controller; this belongs on their dashboard.

The next 90 days: prove the process works, then make it boring

By the end of August the goal is a process that the person who built it could hand to a successor in 20 minutes.

Run a tabletop. Three plausible complaints — one from a parent or service user, one from a former employee or volunteer, one from an unhappy ex-supplier — talked through end to end. Time the acknowledgement, walk the investigation, write the outcome letter. Note where the process bent. Fix it. The exercise is the same shape as the <a href="/resources/blog/one-year-on-from-ms-supplier-risk-what-uk-smbs-charities-schools-should-do">supplier-incident tabletop</a> recommended after the M&S, Co-op and Harrods stories: a low-cost rehearsal that finds the gaps before a real incident does.

Connect the complaints log to the board pack. A single row each quarter — number received, average days to acknowledge, number escalated to ICO, themes — is enough to keep the trustees and the senior leadership team awake to the standing exposure.
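A worked version of the log and the board-pack row, as an added example that is not code from the post or from ReadyToday. It models the seven-column spreadsheet recommended above (date received, route, complainant, summary, date acknowledged, actions taken, outcome) with two extra columns the quarterly row needs (theme and escalated to the ICO), computes the 30-day acknowledgement deadline on the post's reading of the clock (calendar days, day 1 being the day after receipt), lists entries that are overdue or due within a week, and produces the four figures for the board pack. The field names, the reporting date and the sample rows are assumptions, and the rows are constructed, not real complaints.

```python
"""Minimal Section 164A complaints log: deadline check plus quarterly board-pack row.

Added example, not the post's or ReadyToday's own code. Field names, the
reporting date and the sample rows are assumed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from statistics import mean
from typing import List, Optional

ACK_WINDOW_DAYS = 30  # acknowledge within 30 calendar days of receipt


@dataclass
class Complaint:
    received: date
    route: str                 # web form, email, phone, social media, post, in person
    complainant: str           # reference only; keep names out of the board pack
    summary: str
    theme: str                 # extra column so themes can be counted each quarter
    acknowledged: Optional[date] = None
    actions: List[str] = field(default_factory=list)
    outcome: Optional[str] = None
    escalated_to_ico: bool = False


def ack_deadline(received: date) -> date:
    """Last day on which an acknowledgement is in time.

    Day 1 is the day after receipt and day 30 is the deadline, so the
    deadline is receipt + 30 calendar days. Weekends and public holidays
    count. This follows the post's description of the clock; confirm it
    against the ICO guidance for your own case.
    """
    return received + timedelta(days=ACK_WINDOW_DAYS)


def overdue(log: List[Complaint], today: date) -> List[str]:
    """References of entries with no acknowledgement recorded after the deadline."""
    return [c.complainant for c in log
            if c.acknowledged is None and today > ack_deadline(c.received)]


def due_soon(log: List[Complaint], today: date, warn_days: int = 7) -> List[str]:
    """References of unacknowledged entries whose deadline falls within warn_days."""
    horizon = today + timedelta(days=warn_days)
    return [c.complainant for c in log
            if c.acknowledged is None and today <= ack_deadline(c.received) <= horizon]


def board_pack(log: List[Complaint], start: date, end: date) -> dict:
    """One row for the quarterly board pack: received, days to acknowledge, escalations, themes."""
    quarter = [c for c in log if start <= c.received <= end]
    ack_days = [(c.acknowledged - c.received).days for c in quarter if c.acknowledged]
    return {
        "received": len(quarter),
        "avg_days_to_acknowledge": round(mean(ack_days), 1) if ack_days else None,
        "unacknowledged": len(quarter) - len(ack_days),
        "escalated_to_ico": sum(c.escalated_to_ico for c in quarter),
        "themes": dict(Counter(c.theme for c in quarter).most_common()),
    }


# Constructed sample rows (assumed; not real complaints).
SAMPLE_LOG = [
    Complaint(date(2026, 6, 22), "web form", "C-0001", "Child's photo in newsletter",
              "consent/photos", acknowledged=date(2026, 6, 24),
              actions=["photo removed from newsletter archive"], outcome="upheld"),
    Complaint(date(2026, 7, 3), "phone", "C-0002", "Fundraising calls after unsubscribe",
              "marketing/supplier", acknowledged=date(2026, 7, 20),
              actions=["raised with telephony supplier"], outcome="upheld",
              escalated_to_ico=True),
    Complaint(date(2026, 7, 28), "email", "C-0003", "What was done with my address",
              "transparency"),                      # not yet acknowledged: overdue
    Complaint(date(2026, 8, 20), "social media", "C-0004", "Homework app kept a photo",
              "supplier/retention"),                # not yet acknowledged: due soon
]

# Assumed reporting date and first-quarter bounds for the worked run.
REPORT_DATE = date(2026, 9, 15)
Q_START, Q_END = date(2026, 6, 19), date(2026, 9, 18)

if __name__ == "__main__":
    print("overdue:", overdue(SAMPLE_LOG, REPORT_DATE))
    print("due within 7 days:", due_soon(SAMPLE_LOG, REPORT_DATE))
    print("board pack:", board_pack(SAMPLE_LOG, Q_START, Q_END))
```

Run it as-is and it flags C-0003 as overdue (received 28 July, deadline 27 August) and C-0004 as due within the week (deadline 19 September), and gives the quarter's row as four received, 9.5 average days to acknowledge, two still unacknowledged and one escalated. The "unacknowledged" figure is not in the post's list of four numbers but is the one a board will ask about first, so it is worth carrying.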

Add the complaints process to the joiner pack and the contract terms with new suppliers. The cheapest time to lock in good behaviour is at the front door.

And finally, harden the authentication on the inbox and the log. The single mailbox that receives every data protection complaint your organisation gets is, by definition, a high-value target. Passkeys on the owner accounts are the right answer here, in line with the <a href="/resources/blog/ncsc-passkeys-april-2026-what-uk-schools-charities-smbs-should-do">NCSC's standing recommendation</a>. While you are in the mailbox settings, check for auto-forwarding rules and delegated access you did not set up: a forwarding rule quietly added to a shared inbox is a classic sign that an account has been compromised. Privileged accounts that can read the log should be a small, named set.

Where this sits in the wider regulatory weather

It would be easy to read the DUAA complaints duty as an isolated administrative ask. It is not. It is the data protection regulator's contribution to the same conversation that <a href="/resources/blog/gchq-moment-of-consequence-2026-what-uk-schools-charities-smbs-should-do">GCHQ's Annual Lecture</a> set out in May and the Cyber Security and Resilience Bill puts onto the statute book later this year — that cyber and data protection duties are moving from "the big players' problem" to "everyone's problem". The Bill's supplier-cascade obligations will reach the ReadyToday audience indirectly, through procurement. The ICO's complaints duty reaches them directly, by statute, on Friday 19 June.

Five practical takeaways:

  • Stand up a public-facing data protection complaints page by Friday 19 June, with an electronic form, an email address, a named owner and a one-line note about the 30-day acknowledgement and the right to escalate to the ICO.
  • Treat any complaint about data — by any route, in any wording — as a Section 164A complaint until you have decided otherwise. The clock starts the day after it arrives.
  • Run the complaints process out of the same owner, the same log and the same supplier contacts you already use for subject access requests. Do not build a parallel universe.
  • Put the standing number on the board pack quarterly — received, acknowledged, escalated, themes — so the controller (trustees, governors, directors) can see it.
  • Harden the inbox: monitored by at least two named people, passkeys on the owner accounts, log access kept to a small named set. This is now a high-value target.

If you want a second pair of eyes on the page, the inbox, the log and the supplier contracts before Friday week, that is exactly the kind of short, time-bounded job our <a href="/services/cybersecurity-resilience">cybersecurity and resilience</a> work is built for. A <a href="/contact/discovery">30-minute discovery call</a> will get you a one-page plan to close the gap by 19 June.

Written by Boris Didov