Complaints Handling Under the DUA Act: A Governance Test for Modern Organisations

• by Olivia Lawlor-Blackburn
• Advent IM Blog

The Data (Use and Access) Act does more than introduce new legal obligations — it quietly raises the bar on organisational accountability.

By making formal data protection complaints handling a regulatory requirement, the legislation shifts responsibility firmly back to organisations to resolve issues properly before they reach the regulator. This reflects a wider move in UK data governance: compliance is no longer just about policies existing, but about processes working in practice.

From June, the way complaints are acknowledged, investigated, recorded, and resolved will increasingly be viewed as a measure of an organisation’s overall data maturity.

The Information Commissioner’s Office has made clear through its guidance that complaints handling must be structured, accessible, and demonstrably effective — not informal or reactive.

For leadership teams, this creates a new operational risk area. Poor complaints handling can now trigger regulatory action in its own right, regardless of whether the original data issue was minor.

The organisations that will adapt most effectively are those that treat complaints not as interruptions, but as part of their governance framework — with defined ownership, trained staff, and clear workflows.

This is increasingly where training plays a strategic role. Programmes such as the DUA Act Training delivered by Advent IM focus on translating legal duties into processes teams can actually run day to day — bridging the gap between regulation and operations.

Practical Checklist: Is Your Complaints Handling Process DUA Act Ready?

Use this to review your current approach:

✅ Governance & Ownership

☐ Named owner for data protection complaints
☐ Clear escalation routes for complex cases
☐ Senior oversight or reporting mechanism

✅ Accessibility

☐ Complaints process easy to find on your website/intranet
☐ Multiple ways to submit complaints (email, form, post)
☐ Clear explanation of what happens next

✅ Response & Investigation

☐ Defined acknowledgement timeframe
☐ Standard investigation steps
☐ Guidance for staff handling complaints
☐ Consistent decision-making approach

✅ Documentation & Evidence

☐ Central record of complaints
☐ Outcomes documented clearly
☐ Lessons learned tracked and reviewed

✅ Training & Awareness

☐ Staff know when something is a complaint
☐ Teams understand legal obligations
☐ Refresher training in place

Final Thought

Organisations that embed strong complaints handling now will not only reduce regulatory risk but also gain clearer insight into where data practices need improvement.

Under the DUA Act, complaints are no longer a side process — they are a core part of compliance.

Discover more about our Data (Use and Access) Act Training here.