From June 19, 2026, Section 103 of the Data (Use and Access) Act 2025 gives individuals a new statutory right to raise data protection complaints directly with the organisations that process their personal data. The right is introduced by inserting Section 164A into the Data Protection Act 2018. Previously, the established statutory complaints route was to the Information Commissioner's Office (ICO) under Article 77 of UK GDPR, and organisations had no statutory obligation to run a formal complaints procedure. The DUAA 2025 removes Article 77 as a direct individual right; individuals must now raise complaints with the organisation first. The ICO retains discretion to intervene directly in exceptional circumstances, but the previous guarantee of ICO consideration without first approaching the organisation no longer applies. Organisations without defined complaint handling procedures in place by June 19 will be in breach from the moment the first complaint arrives.
Individuals can submit a data protection complaint directly to any organisation acting as a data controller over their personal data. Organisations must provide at least one accessible means for individuals to do so, acknowledge receipt within 30 days, investigate without undue delay, keep the complainant informed of progress, and inform them of the outcome. If the organisation's response does not satisfy the individual, they can contact the UK ICO, which retains discretion to investigate. There is no statutory deadline for the individual to do so. The direct complaint right does not replace the UK ICO's supervisory role; it makes the organisation the required first stop.
An organisation that acknowledges a complaint and then goes silent has not met its obligation, even if it eventually resolves the issue.
Before June 19, 2026, individuals had the right to complain to the ICO under Article 77 of UK GDPR, but no statutory right to demand that organisations handle complaints directly. The DUAA 2025 removes Article 77 as a direct individual right and replaces it with the new s.164A framework. Many organisations dealt with data-related queries informally, with no legal obligation to acknowledge, investigate, or report back on the outcome. From June 19, that obligation is statutory and the organisation is the required first stop.
Complaint volumes handled internally are likely to rise. Individuals who previously filed with the ICO, or did not complain at all because the ICO route felt burdensome, now have a lower-friction path. The ICO will also expect to see evidence of the organisation's complaint handling when reviewing any escalation. An organisation that cannot show it received the complaint, investigated it, and communicated throughout will face a harder conversation with the regulator.
The law requires at least one accessible means for individuals to submit complaints. A dedicated email address or a form on the privacy notice page meets this standard; a generic contact link buried in footer text does not. The ICO's guidance also makes clear that complaints submitted via any channel, including informal contact or social media, must be accepted and handled, not only those arriving through the designated form. Before any complaint arrives, assign a named owner to that channel. Without one, complaints arriving by email, web form, or through a data subject rights inbox may not reach anyone with authority to investigate. For organisations with a DPO, the DPO is the natural owner. Smaller organisations need to identify who handles data protection queries and confirm that person has access to the systems needed to investigate.
Investigation cannot be ad hoc. Teams need to know which records to pull, who has authority to make decisions, and what the expected timeline is. For consent-related complaints, that means being able to retrieve the consent record for a specific user: what they were shown, when, what choice they made, and whether subsequent processing matched that choice. UniConsent users can retrieve this directly from the dashboard, filtered by date range or domain, with the banner version, the user's explicit choice, and the tag suppression result all tied to a timestamp. This turns what would otherwise be an open-ended investigation into a direct lookup. Acknowledgement must happen within 30 days of receipt; the investigation and substantive response must follow without undue delay. Setting internal targets that keep the full process within one month is consistent with ICO guidance on data subject rights timelines.
If an investigation takes time, the complainant needs a progress update before the final response. An acknowledgement at intake followed by silence does not meet the obligation, even if the issue is eventually resolved. A brief update at around two weeks prevents the complaint from going silent and reduces the risk of premature ICO escalation.
Document every step: the initial complaint, the acknowledgement, investigation actions, and the response. This record is the organisation's evidence if the ICO reviews the handling on escalation. Also update your privacy notice. Most notices describe only the ICO complaint route; from June 19, the notice must also explain how to submit a complaint to the organisation directly, the expected response timeline, and the right to escalate to the ICO if not satisfied.
Many data protection complaints concern consent: whether the organisation collected it properly, whether it honoured withdrawal, or whether it processed data in ways the individual did not expect. For these complaints, the investigation depends entirely on the quality of consent records held.
When a complaint arrives claiming that tracking continued after the individual declined cookies, the question is factual: does the consent log show a denial for that user, and does the tag suppression record confirm that tracking stopped? Without detailed records, the organisation cannot answer precisely, and a response built on assumption is unlikely to close the complaint at the organisation level.
The UniConsent CMP Consent Audit Trail lets you link consent logs with authenticated user IDs. It stores consent records at the individual session level, including the banner version displayed, the user's explicit choice, whether a Global Privacy Control signal was present and honoured, and the tag behaviour that followed. If a UK user submits a complaint claiming their data was processed without valid consent, the UniConsent dashboard provides the specific record needed to investigate that claim. For organisations that also process data under GDPR for EU users, the same records support complaint investigations under both frameworks.
UniConsent is a certified Google CMP Gold tier partner, certified IAB TCF CMP for EU and Canada, and certified Microsoft UET CMP. As part of Transfon's privacy-first User Experience Platform, UniConsent serves tens of millions of users per day, providing a seamless privacy experience for both users and publishers. Contact us to learn more: hello@uniconsent.com