DUAA 19 June 2026 Deadline: Timeline & SME Action Plan
The transition period granted for the **Data (Use and Access) Act 2025 (DUAA)** ends on **19 June 2026**. Starting on this date, all UK organisations acting as data controllers must have active, publicly accessible channels for data protection complaints.
Why the 19 June 2026 Deadline is Critical
Under Section 103 of the DUAA (which inserts Section 164A into the Data Protection Act 2018), data complaints-handling is a statutory obligation. Organisations processing personal data must establish, publish, and maintain a documented complaints procedure.
Failing to have a complaints process may increase regulatory risk, ICO scrutiny, and the likelihood of escalation. Put a documented complaints process in place before customers or staff need to use it.
Checklist Requirements Prior to the Deadline
Before the deadline, data controllers must:
- Publish procedure text: Make the policy text publicly accessible on a dedicated page or privacy portal.
- Assign a complaints lead: Appoint a contact person or complaints lead responsible for logging and researching inquiries.
- Prepare internal logs: Set up a central complaints register (CSV/spreadsheet) to track dates and outcome details.
Bypass Solicitor Costs
Bespoke legal drafting can be expensive. This pack gives small organisations a practical starting point for £20. The deliverables include a customised PDF policy, website notices, acknowledgement and outcome email templates, and a pre-formatted register log spreadsheet.
Frequently Asked Questions
When does the DUAA complaints requirement start?
The duties come into force on **19 June 2026**.
Do sole traders or charities have a grace period?
No, the transition period ends for all controllers on 19 June 2026. Put your processes in place before this date.