Right to Complain
From 19 June 2026, individuals in the UK have a new right to complain about how their personal data is processed. For UK tech startups, this is a timely reminder that privacy compliance is not just about having a privacy notice on your website. You also need practical processes behind it.
What is changing?
The Data (Use and Access) Act 2025 (known as the DUAA) is aimed at making the UK data protection framework more practical, support innovation and reduce unnecessary compliance friction. As part of this reform, it introduced key changes relating to data subject rights, the use of cookies, and legal basis available for using personal data. Many of these changes have already come into effect already. You can learn more about the DUAA on the ICO's website.
The most recent change coming into effect on 19 June 2026 is the right for individuals to complain directly to organisations if they think their personal data has not been handled properly.
This could include complaints about:
- how personal data is collected or used;
- a response to a subject access request;
- deletion or objection requests;
- use of personal data in AI tools;
- marketing emails or tracking;
- security concerns after a data breach;
- children’s data;
- inaccurate or unfair use of personal data.
In other words, privacy complaints are becoming more formal.
The new right to complain
From 19 June 2026, organisations must be able to:
- give individuals a clear way to raise a data protection complaint;
- acknowledge complaints within 30 days;
- take appropriate steps to investigate without undue delay;
- keep individuals informed where needed; and
- tell the individual the outcome of their complaint.
This does not mean every startup needs a complex complaints portal or a dedicated privacy team. But it does mean you need a simple, reliable process.
What this means for UK tech startups
For many startups, privacy compliance starts with a privacy notice. While this is still important, the new right to complain shows why the notice needs to connect to real operational processes.
Your privacy notice should explain how individuals can raise privacy concerns with you. That could be through a privacy email address, support form, help centre, live chat or another clear route. You should also make sure your team knows how to recognise a privacy complaint.
A complaint may not use legal wording. It may look like:
- “Why are you using my data?”
- “Delete my account and everything you hold about me.”
- “Your AI tool produced something wrong about me.”
- “I never agreed to these emails.”
- “What data did you collect from my child?”
- “You ignored my access request.”
These messages could arrive through support, sales, social media, live chat or a founder’s inbox. If no one spots them, the business may miss the deadline or fail to investigate properly.
Practical steps to take now
Startups should keep this simple and consider:
- updating privacy notices to explain the right to complain;
- provide a clear contact route for privacy complaints;
- create a basic internal complaints workflow/guidance;
- train support and customer-facing teams to spot privacy issues;
- prepare acknowledgement and outcome templates;
- keep a record of complaints, deadlines, investigations and responses;
- check whether special handling is needed for AI, children’s data, regulated data or security incidents.
This is particularly important for startups building products involving AI, user-generated content, children, health, finance, legal services, employment data or other higher-risk use cases. A privacy complaint does not mean the company has done something wrong. But a poor or delayed response can quickly turn a manageable issue into a regulatory or reputational problem.
Why this matters
The new right to complain reflects a broader shift in UK data protection compliance. Regulators and users increasingly expect companies to explain what they do with personal data, respond properly when challenged and shows that privacy is embedded into the way the product operates.
For startups, this should not be treated as a box-ticking exercise. A good privacy complaints process can help identify unclear product flows, weak privacy notices, poor consent journeys, risky AI features or gaps in customer support.
It is also becoming part of commercial trust. Customers, investors and enterprise buyers increasingly expect startups to have basic privacy governance in place.
How Flow Legal can help
Flow Legal helps startups create tailored legal documents and compliance workflows in a quick, simple and cost-effective way. This includes a tailored privacy notice generated that is based on your product, customers, data use, suppliers and risk profile.
As your company and the law changes, Flow Legal ensures your documents and processes are compliant and up to date.