Tomorrow, June 19th: UK Makes Every Data Complaint Internal First – Jersey Officers, Don't Get Caught Out
18/06/2026
From 19 June 2026: All UK Data Protection Complaints Must Be Handled Internally First – Jersey Compliance Officers, Here's Exactly What You Need to Do Now
Speed Read Summary
- From tomorrow (19 June 2026), UK data protection complaints must be handled internally first before anyone can go to the ICO. This is a new legal requirement under the Data (Use and Access) Act 2025 (DUAA).
- The rule is deliberately broad. Any complaint about how personal data has been handled, whether it arrives via social media, live chat, email, phone, or even an informal comment to a member of staff, now triggers strict obligations.
- Organisations must acknowledge complaints within 30 days, investigate without delay, keep people informed, explain outcomes clearly, and maintain proper records. All relevant staff must be trained to spot and escalate these complaints.
- For Jersey firms, the DUAA does not directly change Jersey law.
- However, it still applies if your organisation processes personal data of individuals in the UK (for example, UK clients, customers, or website users).
- In these cases, you must follow the new internal complaints process for UK data subjects.
- Even if you only deal with Jersey data, the Jersey Office of the Information Commissioner (JOIC) strongly encourages organisations to resolve complaints internally first. Firms that handle complaints poorly are more likely to face formal investigations.
- Bottom line: UK organisations face a hard deadline tomorrow. Jersey compliance officers should review their complaints process now, especially if they have any UK data subjects, to reduce regulatory risk and meet rising expectations on both sides of the water.
LONGER READ
From tomorrow (19 June 2026), UK data protection complaints must be handled internally first before anyone can go to the ICO.
This is a new legal requirement under the Data (Use and Access) Act 2025 (DUAA).
Timeline
- Tomorrow is the day everything changes for data protection complaints in the UK.
- From 19 June 2026, UK organisations (and any business subject to UK GDPR) must have a formal internal process in place to handle data protection complaints before individuals can escalate them to the ICO.
- This is a legal requirement introduced by the Data (Use and Access) Act 2025 (DUAA), and it applies far more broadly than many realise.
What's Changing and Why It Matters
- The DUAA amends the Data Protection Act 2018 to insert a new section 164A.
- Individuals must now raise data protection complaints directly with the organisation first.
- There are no exemptions.
What is a complaint
- A "complaint" is defined very widely: any concern from an individual (or someone acting on their behalf) that their personal data has been handled in a way that breaches data protection law.
- This includes messages received via:
- Social media
- Live chat
- Customer support emails or calls
- Website forms
- Even informal comments made to any member of staff
- All of these now trigger the same legal obligations as a formal written complaint.
ICO
- The ICO published detailed guidance in February 2026 on how organisations should handle data protection complaints under the new DUAA requirements.
- The guidance covers processes, acknowledgement timelines, investigation steps, record-keeping, and staff awareness.
- The ICO has made clear that following the guidance now is considered good practice, even before the rules become mandatory on 19 June 2026.
Key mandatory requirements from 19 June 2026:
- Acknowledge every complaint within 30 days
- Investigate without undue delay
- Keep the complainant informed throughout
- Clearly explain the outcome
- Maintain detailed logs showing when complaints were received, investigated, and resolved
- Ensure staff across HR, customer service, compliance, marketing, and IT can recognise and escalate data protection complaints
Why Jersey Firms Still Need to Act
- Although the Data (Use and Access) Act 2025 (DUAA) is a UK law and does not directly apply to Jersey's Data Protection (Jersey) Law 2018, many Jersey organisations still have compliance obligations.
Here's why you need to pay attention:
- If your firm processes personal data of individuals in the UK (for example, you have UK customers, target UK clients, or monitor the behaviour of people in the UK), then UK GDPR applies to that processing.
UK data protection law has extra-territorial reach.
- This means it can apply to organisations based outside the UK, including in Jersey, even if you have no office or staff in the UK.
UK GDPR applies to your processing if you do either of the following:
- Offer goods or services to individuals in the UK (this includes free services), or
- Monitor the behaviour of individuals in the UK (for example, tracking website users, using cookies for profiling, or analysing behaviour for marketing purposes).
Common examples for Jersey firms include:
- Having UK-based clients or customers (especially in finance, legal, or professional services)
- Selling products online and shipping to the UK
- Running a website or app that targets UK users or accepts UK payments
- Using marketing or advertising aimed at people in the UK
- Tracking or analysing the online behaviour of UK visitors to your website
If any of the above applies to your organisation:
- UK GDPR governs how you handle the personal data of those UK individuals.
- As a result, the new DUAA complaints rules (internal handling before going to the ICO) also apply to any data protection complaints you receive from UK data subjects.
In simple terms: If you deal with UK people's data, you must follow the UK's new internal complaints process for those individuals, even if your business is based in Jersey.
- This means the new DUAA requirement to handle data protection complaints internally first also applies to complaints from UK data subjects.
- The Jersey Office of the Information Commissioner (JOIC) actively encourages individuals to try resolving complaints directly with the organisation before escalating to them.
- Organisations that handle complaints poorly or slowly are more likely to face formal JOIC investigations.
- Implementing a clear internal complaints process is now viewed as good practice and demonstrates strong accountability, something the JOIC looks at during regulatory action.
In short:
- Even if you're only subject to Jersey law, ignoring internal complaints handling increases your regulatory and reputational risk, especially if you have any UK data subjects.
What Jersey Compliance Officers Should Do
- If you process any UK personal data, you must implement a complaints process that meets the DUAA standards for those UK data subjects.
For all other processing, you should still take the following practical steps:
- Review and update your internal data protection complaints procedure so it is clear, documented, and easy to follow.
- Ensure complaints received through any channel (social media, email, chat, phone, etc.) are quickly identified and escalated to the compliance team.
- Train relevant staff across customer service, marketing, and operations to recognise and report data protection complaints.
- Keep proper records of complaints received, actions taken, and outcomes.
- Update your privacy notice to direct individuals to your internal complaints process while still informing them of their right to complain to the JOIC.
- If you handle UK data, make sure your process meets the specific DUAA requirements (30-day acknowledgement + investigation without undue delay).
Bottom Line
- For UK organisations, the deadline is tomorrow.
- For Jersey compliance officers, while the legal obligation is narrower, the smart move is to adopt strong internal complaints handling now, both to stay ahead of best practice and to protect your organisation if you deal with UK data subjects.
- Robust complaints processes are no longer optional in spirit. They are becoming a core part of demonstrating good data protection governance on both sides of the water.
Sources
- ICO official guidance on the new complaints process: https://ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints/
- ICO page on the Data (Use and Access) Act 2025: https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/
- Jersey Office of the Information Commissioner – How complaints are handled: https://jerseyoic.org/guidance/data-protection/investigating-complaints
- Preparing for the DUAA complaints procedure (Mayer Brown): https://www.mayerbrown.com/en/insights/publications/2026/02/preparing-for-the-data-use-and-access-act-2025-upcoming-complaints-procedure-requirement
- ICO guidance summary and key takeaways (Lewis Silkin): https://www.lewissilkin.com/en/insights/2026/02/19/handling-data-protection-complaints-under-the-duaa-key-takeaways-from-ico-guidan-102miuc
- Data (Use and Access) Act 2025 on legislation.gov.uk: https://www.legislation.gov.uk/ukpga/2025/18/contents
This article is for informational purposes and does not constitute legal advice. Organisations should seek specialist advice tailored to their specific circumstances.