Controllers should gear up for a material shift in how they engage with data subjects and the Information Commissioner’s Office (ICO). By June 2026 they must implement and publish a complaints-handling process to manage concerns raised by individuals that the controller has infringed UK GDPR obligations with respect to their personal data. This new obligation was introduced by the Data (Use and Access) Act 2025 (DUA) and is set out in section 164A of the Data Protection Act 2018 (as amended). The ICO has published draft guidance,(1) setting out its expectations for how controllers should promote, manage, and respond to complaints.