19 February 2026

Preparing for the Data (Use and Access) Act 2025: Upcoming Complaints Procedure Requirement

The Data (Use and Access) Act 2025 (“DUAA”) represents a significant reform to the UK’s data protection framework. Most of the remaining data protection provisions came into force on 5 February 2026, bringing major changes to how organisations handle personal data.

With the main provisions now in force and the requirement for organisations to implement a formal procedure for handling and addressing complaints about the use of personal data approaching on 19 June 2026, businesses have a window of opportunity to review their data protection practices, update policies and procedures, and prepare for the new complaints-handling obligations.

The Information Commissioner’s Office (“ICO”) has signalled a measured approach to enforcement during this transition period, particularly for areas where guidance is not yet finalised. However, compliance with the DUAA changes should be treated as an ongoing priority throughout 2026.

What is the DUAA?

The DUAA became law on 19 June 2025, introducing comprehensive reforms to the UK’s data protection landscape. The Act amends, but does not replace, the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”), and the Privacy and Electronic Communications Regulations (“PECR”).

The legislation is designed to promote innovation and economic growth while maintaining robust protections for individuals and their data rights. Key reform areas include new approaches to automated decision-making, recognised legitimate interests, international data transfers, and cookie rules, alongside increased enforcement powers for the ICO.

Our prior Legal Update, The Data (Use and Access) Act, provides further information on the changes introduced by DUAA.

Key Dates and Commencement Timeline

The DUAA is being implemented in stages through a series of commencement regulations. The following table summarises the key milestones:

| Date | Provisions Coming into Force |
| --- | --- |
| 19 June 2025 | DUAA receives Royal Assent. Initial technical provisions, including clarification that controllers need only conduct a “reasonable and proportionate search” for subject access requests, come into force. |
| 20 August 2025 | Commencement No. 1 Regulations bring into force Part 1 (Smart Data), new ICO statutory objectives, and amendments to personal data breach notification under PECR to align with UK GDPR timelines (72 hours). |
| 5 September 2025 | Commencement No. 3 Regulations bring into force section 79 (legal professional privilege exemption for subject access requests) and section 88 (national security exemption). |
| 30 September 2025 | Commencement No. 2 Regulations bring into force section 124 (retention of information by internet service providers in connection with a child’s death). |
| 17 November 2025 | Sections 89 and 90 (joint processing by intelligence services and competent authorities) come into force. |
| 1 December 2025 | Commencement No. 4 Regulations bring into force most of Part 2 (Digital Verification Services). |
| 5 February 2026 | Commencement No. 6 Regulations bring into force the majority of Part 5 data protection reforms, including: new “recognised legitimate interests” lawful basis, new framework for automated decision-making, updated international transfer rules, cookie rule amendments, and expanded ICO enforcement powers (including fines of up to £17.5 million or 4% of global turnover under PECR). |
| 19 June 2026 | The mandatory complaints procedure requirement (Section 103) comes into force; organisations must have a compliant data protection complaints process in place by this date. |
| Later in 2026 | ICO governance reforms and transition to the new “Information Commission” structure. |

The Upcoming Complaints Procedure Requirement: What You Need to Know

One of the most significant new obligations under the DUAA is the requirement for all organisations to establish a formal data protection complaints procedure by 19 June 2026. This provision is introduced by Section 103 of the DUAA, which inserts a new Section 164A into the DPA 2018.

Under this new regime, data subjects must first raise their complaint with the data controller before escalating it to the ICO. This represents a fundamental change to the UK’s complaint-handling landscape, creating an intermediate step between individuals experiencing concerns about their data and regulatory intervention.

Organisations are now legally required to implement a formal complaints process that includes the following elements:

  • Organisations must provide accessible means for individuals to submit complaints, including an electronic complaint form and alternative routes such as email and post. The process must be available to all individuals, not only customers or employees.
  • Complaints must be acknowledged within 30 days of receipt.
  • Organisations must take appropriate steps without undue delay, including making reasonable enquiries into the complaint and keeping the complainant informed of progress. While the DUAA does not fix a maximum statutory timeframe for outcomes, ICO draft guidance proposes that organisations should provide outcomes within three months, unless exceptional circumstances apply.
  • Decisions must be communicated in plain, accessible language, and individuals must be informed of their right to escalate to the ICO if dissatisfied.
  • The complaints process must be easy to locate, prominently linked from privacy notices and websites, with clear explanations of how complaints will be handled and expected timeframes.

Practical Guidance for Compliance

With the majority of DUAA provisions now in force and the complaints procedure deadline approaching on 19 June 2026, organisations should take the following steps to ensure compliance and readiness:

  • Adopt or Adapt a Written Complaints-Handling Policy: Develop a policy that sets out the organisation’s approach to receiving, handling, and resolving data protection complaints. The policy should define responsibilities, escalation routes, and timelines consistent with ICO expectations, and provide an internal governance framework so staff follow consistent procedures.
  • Establish Accessible Submission Channels: Implement multiple complaint submission methods, including an electronic form, email, and postal options. Ensure these are clearly signposted in privacy notices, on websites, and where relevant, in contractual terms.
  • Prepare Templates and Records: Develop standard acknowledgement, progress update, and outcome letters. Establish a central log to track complaints, actions taken, and outcomes.
  • Coordinate with DSAR Handling: Ensure the complaints process dovetails with data subject access requests and other rights requests to avoid duplication or conflicting timelines.
  • Deliver Staff Training: Train staff likely to receive complaints (including customer-facing, HR, IT, and operations teams) to identify and escalate data protection complaints appropriately.
  • Establish Governance and Reporting: Provide regular reports on complaints volumes and outcomes to senior management or audit committees.
  • Track ICO Guidance: The ICO is continuing to produce new and updated guidance to give organisations certainty. Final complaints guidance for organisations is expected in Winter 2025/2026.

Should you have any questions about the DUAA, its implications for your organisation, or require assistance preparing for compliance, please do not hesitate to contact us.
