    Essential Steps to Prepare for the UK’s New Data Protection Complaints Regime by June 2026

    The Data (Use and Access) Act 2025: A Transformative Shift in the UK’s Data Protection Landscape

    The Data (Use and Access) Act 2025 (DUAA) represents a significant overhaul of the UK’s data protection framework. While many provisions are already in effect, a crucial update will take place on 19 June 2026. This date marks a turning point for organizations across the UK as they must align their complaints procedures with the new DUAA requirements.

    Understanding the New Complaints Framework

    The DUAA introduces a structured mechanism for data subjects—individuals whose personal data is processed—to voice their grievances directly to data controllers. This shift places a spotlight on how organizations manage complaints, using a controller-led approach that necessitates treating all expressions of dissatisfaction as regulated complaints.

    Defining a "Complaint"

    Under the DUAA, not every communication from a data subject qualifies as a complaint needing adherence to the new procedures. Communications that do qualify may concern, for example:

    • Responses to data subject rights requests.
    • Security measures for safeguarding personal data.
    • Methods of processing personal data, such as retention practices or inaccuracies.

    Conversely, issues like employee grievances or specific deletion requests related to customer service are typically outside this framework. When in doubt, organizations are encouraged to clarify whether the individual intends to file a formal complaint.

    Key Requirements for Organizations

    Organizations must meet specific obligations when a complaint is lodged:

    1. Data subjects must be enabled to submit complaints directly to a controller regarding perceived breaches of UK data protection laws.
    2. Controllers are required to acknowledge receipt of complaints within 30 days.
    3. Upon receiving a complaint, controllers must act promptly by:
      • Investigating the complaint and keeping the complainant informed.
      • Communicating the outcome of the investigation.

    Practical Steps for Compliance

    Many organizations may already have data protection complaint policies in place, which could simplify the transition to the new requirements. However, here are crucial steps that organizations should take to ensure compliance:

    Designing the Complaints Mechanism

    Organizations have the flexibility to select how they receive complaints, whether through a designated complaint form, dedicated email address, phone line, online portal, or even live chat functions. The key points include:

    • Existing tools may be adapted to fit the new framework; there’s no need for brand-new resources.
    • Complaints must be acknowledged irrespective of the method used for submission, similar to data subject rights requests.

    Informing Stakeholders

    It’s essential for organizations to inform individuals about their right to complain, both in their privacy notices and responses to subject rights requests. Current privacy language might need review and enhancement to ensure clarity.

    Documenting Procedures

    While not mandatory, having a written complaints procedure can demonstrate compliance. Publicly sharing this procedure may ease operational burdens by guiding individuals through the necessary channels, thereby setting clear expectations.

    Updating Internal Processes

    Organizations should refine processes for handling complaints, including:

    • Establishing timelines for responses that meet the “without undue delay” requirement.
    • Confirming the identity of complainants, especially if complaints are submitted on behalf of others.
    • Keeping comprehensive records throughout the complaint process.
    • Training staff to recognize and escalate complaints appropriately.
    • Reviewing existing agreements to ensure proactive collaboration on complaints.

    Guidance from the ICO

    The Information Commissioner’s Office (ICO) has offered valuable insights into implementing the DUAA’s requirements. Here are some highlights:

    1. Acknowledgment: Complaints must be acknowledged within 30 days, extending to the next working day if the deadline lands on a weekend or public holiday.

    2. Timely Investigation: Organizations should start investigating complaints immediately upon receipt. Factors like complexity and potential harm will inform what constitutes undue delay.

    3. Update Complainants: Keeping individuals updated on timelines and potential delays enhances transparency without overwhelming them with details of every investigative step.

    4. Maintain Records: Comprehensive records of complaints—including dates, correspondence, outcomes, and any remedial actions—support compliance monitoring and might be requested by the ICO.

    5. Conclude and Communicate: Providing the outcome without unjustifiable delay is critical. Organizations should clearly explain findings and any actions taken. If a complainant remains dissatisfied, they should be reminded of their right to escalate to the ICO.

    Direct Complaints to the ICO

    If individuals choose to approach the ICO first, organizations typically are not obligated to take further action unless contacted. However, the ICO generally advocates for complainants to first engage with the organization, mirroring a broader regulatory shift favoring “controller-first” resolution approaches.

    Preparing for the Deadline

    With the looming June 2026 deadline, organizations must reassess their complaint-handling frameworks against the DUAA’s specifications and ICO guidelines. The focus should be on clearly identifying complaints across all communication channels, ensuring prompt investigations, and meticulously tracking compliance efforts.

    Timely preparation will be crucial in mitigating regulatory scrutiny and avoiding operational hiccups when the new regime comes into effect.
