DUAA Compliance

Data Use and Access Act complaints process

The practical small-business question is simple: can someone complain about how you handle their personal data, and can you show how you acknowledge, investigate, and respond?

What does the DUAA complaints process mean?

The Data Use and Access Act (DUAA) updates UK data protection law. For small businesses, one immediate practical point is the requirement to have a process for handling data protection complaints.

What should a small business have in place?

  • A clear public route for data protection complaints.
  • Website or privacy policy wording that explains the route.
  • An internal procedure for reviewing and responding.
  • A way to acknowledge complaints within 30 days.
  • A simple log of complaints, updates, outcomes, and closure dates.

Does this replace GDPR or ICO fee registration?

No. This is a focused complaints-process workflow. It does not replace wider UK GDPR obligations or ICO fee registration where those apply.

Do you need to publish an ICO number?

No. The DUAA complaints-process requirement is about giving people a clear route to complain, acknowledging and responding to complaints, and keeping evidence of the process. ICO fee references and private ICO correspondence should be kept in internal admin records.