DUAA Week One closes on Friday and the Cyber Security and Resilience Bill is in the Lords between its 17 June first reading and a second reading still to be scheduled. The DSIT Cyber Security Breaches Survey 2025/2026 puts the share of UK businesses that suffered a breach last year at 43 per cent and charities at 28 per cent, with 91 per cent of universities, 85 per cent of FE colleges and 60 per cent of secondary schools reporting the same. Here is the thirty-day plan for UK schools, charities and SMBs.
Key takeaways
- The DUAA Section 164A data protection complaints duty has been in force since Friday 19 June 2026, with no exemptions for size or sector. By the end of DUAA Week One on Friday 26 June, the public-facing complaints page needs to be live and findable from the homepage, the acknowledgement timer needs to fire automatically, and every receipt needs to be in a running log that goes into the next board pack.
- The Cyber Security and Resilience (Network and Information Systems) Bill cleared its Commons third reading on 10 June and was introduced to the House of Lords at first reading on 17 June 2026. Second reading is not yet scheduled. Bills introduced in this part of the parliamentary year typically receive a Lords second reading in the autumn session, with the practical pressure on UK schools, charities and SMBs landing first as sharper procurement questionnaires from regulated buyers in autumn 2026.
- The DSIT Cyber Security Breaches Survey 2025/2026, published on 30 April 2026, is the freshest official picture of the audience. 43 per cent of UK businesses and 28 per cent of UK charities reported a breach in the last twelve months. 91 per cent of universities, 85 per cent of FE colleges and 60 per cent of secondary schools said the same. Phishing remains the most common attack type at 38 per cent of businesses and 25 per cent of charities.
- Three jobs for the next thirty days. Understand exposure with a one-page A4 map covering edge devices, identity and the DUAA complaints route, owned by a named board member. Build defences on proven fundamentals - MFA on every administrative and remote-access account, phishing-resistant authentication on the complaints inbox, no management interface on the open internet. Recover quickly - rehearse restore times, verify backups are unaltered, keep the supplier contact list at the top of the runbook.
- By Sunday 19 July 2026 every controller will have one calendar month of running Section 164A numbers - complaints received, acknowledgement-clock compliance, complaints upheld, complaints rejected, complaints escalated to the ICO. That number is the next board pack's headline line and the first conversation with trustees, governors or directors about whether the complaints process is calibrated. A running zero after thirty days is a calibration problem, not an absence of complaints.
It is Wednesday 24 June 2026. The new data protection complaints duty under Section 164A of the Data Protection Act 2018 — inserted by Section 103 of the Data (Use and Access) Act 2025, the DUAA — has been in force for three working days, and Week One closes on Friday. One block south in Westminster, the Cyber Security and Resilience (Network and Information Systems) Bill is sitting between its first reading on 17 June and a second reading still to be scheduled in the Lords. And five working days ago, the FortiBleed playbook landed on every UK organisation running a Fortinet firewall.
Three live regulatory and operational anchors, all converging on the same June fortnight, and all pointing at the same audience: UK schools, charities and small and mid-sized businesses sitting at the foot of the supply-chain pyramid. This post is a scorecard reading at the close of DUAA Week One, a status update on the Bill in the Lords, and a thirty-day plan that uses the DSIT Cyber Security Breaches Survey 2025/2026 numbers as the diagnostic baseline.
DUAA Week One: what the duty actually requires, three working days in
The Section 164A duty does not depend on a fresh ICO statement to be enforceable. From Friday 19 June it sits on every controller in the UK, with no exemptions for size or sector. Schools, multi-academy trusts, parish councils, registered charities, sole-trader accountants and high-street retailers are all in scope on identical terms.
The duty has four operative parts. First, the controller must provide an accessible channel for a data subject to raise a complaint about an infringement of UK GDPR or Part 3 of the DPA 2018, including an electronic route. Second, receipt has to be acknowledged within 30 days. Third, the matter has to be investigated without undue delay. Fourth, the complainant has to be told the outcome in a meaningful written response. The ICO's February 2026 guidance, lightly updated on 8 May, is the operating manual; post #21 walks through exactly what the public-facing complaints page has to contain.
Three working days in, the audit question is small and answerable: is the complaints route live, findable from the homepage, capturing every receipt with a timestamp, and firing an acknowledgement automatically? If the answer to any of those four is no on Wednesday afternoon, it needs to be yes by Friday lunchtime, before Week One closes. The first month of running numbers is the next board pack; the first acknowledgement that misses its 30-day clock is the first complaint to the ICO under the new regime.
The ICO has publicly signalled a measured approach during the initial transition period. That language is genuine but bounded. Measured does not mean indefinite, and the transition signal applies to areas where guidance is still settling, not to organisations that simply have not built a complaints route. Five working days into the duty, the ICO has not committed to a fixed grace period and the audience should not behave as though one exists.
The Cyber Security and Resilience Bill, now in the Lords
The Bill cleared its Commons third reading on Wednesday 10 June and was introduced to the House of Lords at first reading on Wednesday 17 June 2026 — one week ago tomorrow. Second reading is not yet scheduled. Bills introduced to the Lords in the third week of June typically receive a Lords second reading in the autumn session after the summer recess, with committee stage in the autumn and report stage and third reading in the early new year. Royal Assent later in 2026, with most operative provisions phased in across 2027 and 2028, is the working timetable.
That timetable matters for the audience for one practical reason. The Bill expands the scope of the existing Network and Information Systems Regulations, brings more digital service providers in scope, tightens the incident reporting clock, and codifies the supply-chain assurance question that post #20 walked through alongside GCHQ's Annual Lecture. Schools, charities and SMBs do not become regulated entities under the Bill by default; what they become is a supplier that is asked questions more often, sitting downstream of regulated buyers who now have a statutory reason to ask sharper procurement questions. The first wave of those sharper questions will land in autumn 2026 procurement cycles, not 2028 implementation deadlines.
The breaches numbers UK schools, charities and SMBs are actually sitting on
The DSIT Cyber Security Breaches Survey 2025/2026, published on 30 April 2026, is now the freshest official statistical picture of the audience. The headline numbers do most of the work.
Forty-three per cent of UK businesses and 28 per cent of UK charities reported a breach or attack in the previous twelve months. The split by size matters more than the average: 65 per cent of medium businesses and 69 per cent of large businesses identified an incident, against 42 per cent of micro businesses and 46 per cent of small businesses. Phishing is by some distance the most common attack type, hitting 38 per cent of businesses and 25 per cent of charities. The Education annex reads more sharply still: 91 per cent of universities, 85 per cent of further education colleges and 60 per cent of secondary schools faced a breach or attack in the same window.
One number in the charity sample sits oddly against the others. The proportion of charities treating cyber security as a high priority dropped from 68 per cent in 2024/2025 to 60 per cent in 2025/2026, with low-income charities driving the decline (64 per cent down to 53 per cent for charities under £100,000 income). Boards reading their own scorecard against the survey will want to be sure that they are not part of the drop. The headline economy-wide costs are not abstract either: high-profile UK retail incidents around Easter 2026 were estimated at around £440 million in lost sales across M&S, Co-op and Harrods.
For a school, a trust, a charity or a small business reading these numbers in the third week of June, the diagnostic question is straightforward. If 60 per cent of secondary schools and 28 per cent of charities were caught last year, what is the running probability that a Section 164A complaint about a current incident lands in the inbox this quarter? The honest answer for most boards is: high enough to staff the page, the acknowledgement timer, the running log and the board-pack report line this week, not next quarter.
The three jobs for the next thirty days
The picture above lines up cleanly with the three-capability frame NCSC CEO Richard Horne set out at the RUSI Annual Security Lecture on 17 June: understand your exposure, build defences on proven fundamentals, and recover quickly. Three jobs for the next thirty days, in that order.
Job one is to understand exposure. That means a one-page exposure map. The map has three rows: edge devices and remote-access services (firewalls, SSL VPN, remote desktop, management interfaces — all of which the FortiBleed playbook just exercised in real conditions); identity (every administrative and remote-access account, with MFA status against each one); and the data protection complaints route (the live page, the acknowledgement timer, the running log). On a single A4 sheet, with a named owner per row, refreshed monthly. This sheet is the home of Action 1 of the Cyber Resilience Pledge — board-level cyber ownership.
Job two is to build defences on proven fundamentals. By the end of next week, every administrative and remote-access account should be on multi-factor authentication. The Section 164A inbox itself should be on a phishing-resistant authentication route: a passkey on the inbox account, following the NCSC's April 2026 guidance, removes the most common path by which a complaints inbox becomes a second incident. Any internet-facing management interface stays restricted to a small allow-list or is taken off the open internet entirely, with the SSL VPN-to-ZTNA migration treated as a 90-day project rather than a January 2027 deferral.
Job three is to recover quickly. By the end of the thirty days, the audience should be able to answer three small questions on demand: how long would it take us to restore the school management system, the donor CRM or the finance ledger from backup; can we verify that backups are unaltered; and do we have the supplier contact list at the top of the runbook, not buried inside an email thread. The same three questions sit in the worked operational example of the three June education incidents, where the institutions that recovered fastest were the ones that already had the answer.
The next ninety days: what the Bill, the survey and FortiBleed all ask the audience to do
Three working items earn the ninety-day slot. The first is the supply-chain shadow. Regulated buyers — councils, NHS trusts, multi-academy trusts, mid-tier banks, utilities — will refresh their procurement questionnaires through the summer in anticipation of the Bill's autumn Lords stages. The audience should be ready to answer questions about edge-device defaults, MFA enforcement, supplier breach notification timelines and incident reporting timing without scrambling. The top ten suppliers each organisation depends on get the same questionnaire returned in the same window.
The second is the FortiBleed clean-up. The four-day plan in the FortiBleed post — rotate credentials, enforce MFA, take the management interface off the open internet, review the logs for unfamiliar admin logins, new accounts, configuration drift, impossible-travel sessions and cleared log gaps — closes after a week. The ninety-day work is the structural one: move the SSL VPN to a Zero Trust Network Access route, retire any legacy local accounts that do not have a clear remote-access reason to exist, and rebuild the firewall rule base from a known-good template rather than from the production drift of the past two years.
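The log review in the FortiBleed plan can be expressed as four checks over the firewall's admin event log. The example below is added here and is not from the FortiBleed post or any vendor; the log format, the allow-list of admin source addresses and the thresholds are all constructed assumptions. Configuration drift is left out because it needs a known-good baseline to compare against.

```python
from datetime import datetime, timedelta

# Constructed sample log in a made-up "timestamp user action source country" format.
# These lines are not real Fortinet output; they exist only to exercise the checks below.
SAMPLE_LOG = """\
2026-06-19T08:02:11 admin login 203.0.113.10 GB
2026-06-19T08:15:40 admin config_change 203.0.113.10 GB
2026-06-19T08:40:03 admin login 198.51.100.77 BR
2026-06-19T08:41:12 admin admin_add 198.51.100.77 BR
2026-06-20T09:00:00 admin login 203.0.113.10 GB
"""

KNOWN_ADMIN_SOURCES = {"203.0.113.10"}  # assumed allow-list of admin source IPs
GAP_THRESHOLD = timedelta(hours=12)     # a silent firewall for this long needs explaining
TRAVEL_WINDOW = timedelta(hours=1)      # two countries inside this window is impossible travel

def parse(log_text):
    """Turn the constructed log into sorted (timestamp, user, action, src, country) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, action, src, country = line.split()
        events.append((datetime.fromisoformat(ts), user, action, src, country))
    return sorted(events)

def review(log_text):
    """Return (finding, timestamp, user, detail) tuples for the post-FortiBleed review."""
    events = parse(log_text)
    findings = []
    last_login = {}  # user -> (timestamp, country) of that user's previous login
    for i, (ts, user, action, src, country) in enumerate(events):
        if action == "login" and src not in KNOWN_ADMIN_SOURCES:
            findings.append(("unfamiliar_admin_login", ts, user, src))
        if action == "login":
            prev = last_login.get(user)
            if prev and prev[1] != country and ts - prev[0] <= TRAVEL_WINDOW:
                findings.append(("impossible_travel", ts, user, f"{prev[1]}->{country}"))
            last_login[user] = (ts, country)
        if action == "admin_add":
            findings.append(("new_admin_account", ts, user, src))
        # A long silence between consecutive entries is how a cleared log shows up.
        if i > 0 and ts - events[i - 1][0] > GAP_THRESHOLD:
            findings.append(("log_gap", ts, user, str(ts - events[i - 1][0])))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```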
The third is the DUAA Day-30 retrospective. By Sunday 19 July 2026, every controller will have one calendar month of running Section 164A numbers: complaints received, acknowledgement-clock compliance, complaints upheld, complaints rejected, and complaints escalated to the ICO. That number is the next board pack's headline line. It is also the first conversation the audience will have with their trustees, governors or directors about whether the complaints process is calibrated. If the running number is zero after thirty days, the explanation is either that the page is invisible or that the inbox is filtering acknowledgements into spam — not that the audience is uniquely complaint-free.
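The Day-30 numbers come straight out of the running log if each receipt carries its received date, acknowledgement date and outcome. The register below and the helper that turns it into board-pack lines are an added example, not the ICO's format or any product's; the 30-day acknowledgement clock is the one the duty states, the field names and sample entries are constructed, and a complaint whose acknowledgement is not yet sent is reported as "awaiting" until its clock has actually expired.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ACK_CLOCK = timedelta(days=30)  # acknowledgement deadline under the Section 164A duty

@dataclass
class Complaint:
    ref: str
    received: date
    acknowledged: Optional[date]  # None until the acknowledgement is actually sent
    outcome: str                  # "upheld", "rejected", "escalated_to_ico" or "open"

# Constructed register entries; sample values only, not real complaints.
REGISTER = [
    Complaint("C-001", date(2026, 6, 19), date(2026, 6, 19), "upheld"),
    Complaint("C-002", date(2026, 6, 22), date(2026, 6, 30), "rejected"),
    Complaint("C-003", date(2026, 7, 10), None, "open"),             # clock still running
    Complaint("C-004", date(2026, 6, 19), None, "escalated_to_ico"),  # never acknowledged
]

def ack_status(c, as_of):
    """Classify one complaint's acknowledgement against the 30-day clock, as seen on as_of."""
    deadline = c.received + ACK_CLOCK
    if c.acknowledged is not None and c.acknowledged <= as_of:
        return "on_time" if c.acknowledged <= deadline else "late"
    return "overdue" if as_of > deadline else "awaiting"

def board_pack(register, as_of):
    """Running Section 164A numbers for every complaint received up to as_of."""
    received = [c for c in register if c.received <= as_of]
    ack = Counter(ack_status(c, as_of) for c in received)
    outcomes = Counter(c.outcome for c in received)
    return {
        "received": len(received),
        "acknowledged_on_time": ack["on_time"],
        "acknowledged_late": ack["late"],
        "awaiting_ack": ack["awaiting"],
        "overdue_ack": ack["overdue"],
        "upheld": outcomes["upheld"],
        "rejected": outcomes["rejected"],
        "escalated_to_ico": outcomes["escalated_to_ico"],
        "open": outcomes["open"],
    }

if __name__ == "__main__":
    for line, value in board_pack(REGISTER, date(2026, 7, 19)).items():
        print(f"{line}: {value}")
```

Run again on 20 July and C-004 moves from "awaiting" to "overdue", which is the line that needs explaining to the board.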
A note on what is not in this post
This is not a DUAA detail walkthrough — that work is in post #21. It is not a FortiBleed walkthrough — that work is in post #24. It is not a re-summary of Horne's RUSI lecture — that work is in post #23. It is a Week-One scorecard reading, written on the Wednesday afternoon of DUAA Week One: where the audience actually stands, what the survey numbers say about the running risk, and what the next thirty days look like before the Bill enters its Lords stages and the autumn procurement cycle starts in earnest.
The honest version of the next thirty days is short. Confirm the complaints page is live and findable, by Friday. Run the FortiBleed checklist on every edge device, by Friday. Get MFA on every administrative and remote-access account, by next Wednesday. Build the one-page exposure map, by next Friday. Refresh the supplier questionnaire and send it to the top ten, by mid-July. And bring the running Section 164A numbers to the next board meeting, by 19 July at the latest.
If that picture matches what you are reading on your own monitors this Wednesday afternoon, the next call is procedural, not strategic. If it does not, that is the call to make this week. Our cyber resilience service is shaped around exactly this thirty-day picture, and a discovery conversation takes thirty minutes.
— Boris Didov