# TheDutyDesk > The UK platform for handling personal-data obligations — complaints, subject-access requests, breach reporting and the audit trail every regulator now expects. A product of Paradex Computing Limited (UK company 03786457). ## What we cover - [What we cover](https://thedutydesk.co.uk/what-we-cover): Six obligations mapped to statute, with status labels (Live from 19 June 2026 | On the platform | Available | On the roadmap) ## For your role - [For founders and small teams](https://thedutydesk.co.uk/for-founders): The 30-day duty for sole traders, sub-50-staff businesses and owner-operators — no compliance department needed. Starter from £199, SME from £600, set up in 30 minutes. - [For DPOs and Heads of Compliance](https://thedutydesk.co.uk/for-dpos): Purpose-built for s.164A; UK-hosted, audit-grade, ICO-export-ready. For organisations with 250+ staff and dedicated compliance functions. - [For enterprise](https://thedutydesk.co.uk/for-enterprise): From £25,000/year. Dedicated residency. Bespoke integrations. SAML SSO. Security questionnaires answered. ## The duty - [DUAA pillar](https://thedutydesk.co.uk/duaa): The 30-day complaint duty under s.164A of the Data Protection Act 2018, inserted by the Data (Use and Access) Act 2025 - [Section 164A — full annotated text](https://thedutydesk.co.uk/duaa/section-164a-text): The complete text of section 164A of the Data Protection Act 2018 with plain-English reading of each sub-section, practical implications, and TechArticle + Legislation schema - [The 30-day rule](https://thedutydesk.co.uk/duaa/30-day-rule): The practical operation of the 30-day acknowledgement clock — what counts as day one, what an acknowledgement requires - [Who does it apply to](https://thedutydesk.co.uk/duaa/who-does-it-apply-to): Scope of the duty — every UK data controller, regardless of size or sector - [The ICO evidence pack](https://thedutydesk.co.uk/duaa/ico-evidence-pack): What an ICO evidence bundle contains and why a Zendesk CSV is not sufficient ## Pricing - [Pricing](https://thedutydesk.co.uk/pricing): Starter £199/yr (under 10 staff), SME £600/yr (10–250 staff), Business £5,000/yr (250–1,000 staff), Enterprise from £25,000/yr (1,000+ staff). 14-day free trial on every paid plan. ## Trust - [Data residency](https://thedutydesk.co.uk/trust/residency): All customer data hosted in the UK (AWS eu-west-2, London) - [Sub-processors](https://thedutydesk.co.uk/trust/sub-processors): Active sub-processor list — AWS, Resend - [Certifications](https://thedutydesk.co.uk/trust/certifications): ISO 27001 and SOC 2 status - [Sample evidence pack](https://thedutydesk.co.uk/trust/sample-evidence-pack): What an ICO-ready evidence bundle looks like ## Insights - [Insights index](https://thedutydesk.co.uk/insights): Plain-English articles on UK data protection news, the Data (Use and Access) Act 2025, and what it means for your organisation. - [Six months of the Data (Use and Access) Act: where things stand](https://thedutydesk.co.uk/insights/duaa-six-months-duty-briefing): DUAA timeline round-up — what has taken effect, what is still coming, and what to do before 19 June 2026. Last reviewed: 2026-06-07. - [The 30-day complaints duty: no exemptions, no exceptions](https://thedutydesk.co.uk/insights/complaints-duty-no-exemptions): Every UK organisation must acknowledge data-protection complaints within 30 days. No size threshold. What you need in place. Last reviewed: 2026-06-07. - [The right to complain: what schools and trusts must have ready](https://thedutydesk.co.uk/insights/schools-trusts-right-to-complain): The data-protection complaints duty applies to schools and trusts from 19 June 2026. What to put in place. Last reviewed: 2026-06-07. - [Goodbye ICO, hello Information Commission: what changes for you](https://thedutydesk.co.uk/insights/ico-becomes-information-commission): The ICO is becoming the Information Commission under DUAA governance changes. What stays the same, what changes. Last reviewed: 2026-06-07. - [Cookies just got easier: the consent exceptions explained](https://thedutydesk.co.uk/insights/new-cookie-exceptions): Some low-risk cookies no longer need a consent pop-up following ICO's April 2026 final guidance. Last reviewed: 2026-06-07. - [The Reddit fine: why children's data is everyone's problem now](https://thedutydesk.co.uk/insights/age-assurance-reddit-fine): ICO fined Reddit £14.47m over children's data and age-assurance failures. What it signals for any business that handles data from under-18s. Last reviewed: 2026-06-07. - [A simpler reason to use data: recognised legitimate interests](https://thedutydesk.co.uk/insights/recognised-legitimate-interests): New DUAA lawful basis that skips the balancing test for a short list of purposes. What it covers, where it applies. Last reviewed: 2026-06-07. - [Letting software decide: automated decisions under UK GDPR](https://thedutydesk.co.uk/insights/automated-decisions-article-22): The near-ban on fully automated decisions has been replaced by a system of safeguards. What changed, what to put in place. Last reviewed: 2026-06-07. - [Your cookie banner is now a board-level risk: fines up to £17.5m](https://thedutydesk.co.uk/insights/pecr-fines-17-5-million): PECR maximum fine raised from £500k to £17.5m under DUAA. What changed and the cheap fixes that remove most risk. Last reviewed: 2026-06-07. - [You no longer have to search everything for a data request](https://thedutydesk.co.uk/insights/reasonable-proportionate-dsar): DUAA introduces a 'reasonable and proportionate' search standard for DSARs. What it means day to day. Last reviewed: 2026-06-07. - [Subject access requests: you can now stop the clock](https://thedutydesk.co.uk/insights/dsar-stop-the-clock): New rules allow pausing the one-month DSAR clock for identity confirmation or clarification. How it works in practice. Last reviewed: 2026-06-07. - [Inside the regulator's new approach to fines](https://thedutydesk.co.uk/insights/ico-enforcement-settlement): The ICO's overhauled enforcement approach includes early settlement discounts. What it means and why cooperating quickly is now worth real money. Last reviewed: 2026-06-07. - [The Data (Use and Access) Act is live: seven changes every UK business should know](https://thedutydesk.co.uk/insights/duaa-part-5-live-seven-changes): Seven DUAA changes that took effect 5 February 2026, in plain language. Last reviewed: 2026-06-07. - [Sending data abroad: the 'data protection test' explained](https://thedutydesk.co.uk/insights/international-transfers-data-protection-test): ICO's January 2026 consolidated international transfers guidance introduces a clearer 'data protection test'. Last reviewed: 2026-06-07. - [EU data adequacy renewed to 2031 — what it means if you send data to Europe](https://thedutydesk.co.uk/insights/adequacy-renewed-to-2031): European Commission renewed UK adequacy on 19 December 2025. What the renewal covers, the small-print catch, and what it means for UK businesses. Last reviewed: 2026-06-07. ## Editorial - [About TheDutyDesk](https://thedutydesk.co.uk/about): TheDutyDesk is a product of Paradex Computing Limited (company 03786457), registered in England and Wales. Platform purpose, resources, and trust information. - [Editorial standards](https://thedutydesk.co.uk/about/editorial-standards): Every factual claim cites the source text or official ICO guidance. Byline: TheDutyDesk Editorial. ## Primary sources - [Sources index](https://thedutydesk.co.uk/sources): Every regulatory document cited on the site, with SHA-256 hashes (population in progress)