The Data (Use and Access) Act 2025: preparing for the new data protection complaints regime

The Data (Use and Access) Act 2025 (DUAA) introduces a number of reforms to the UK’s data protection framework.

While many changes are already in effect, one important requirement takes effect from 19 June 2026. From this date, organisations must have a formal process in place for handling data protection complaints.

Businesses that don’t already have a clear and operational complaints process for data protection matters should start preparing now.

What is changing?

The DUAA introduces a new statutory right for individuals to complain directly to organisations about how their personal data has been handled. Before escalating a complaint to the Information Commissioner’s Office (ICO), individuals must first be given the opportunity to raise the issue with the organisation itself.

The aim is to encourage early resolution of data protection concerns and improve transparency and accountability around data handling.

What is a data protection complaint?

A data protection complaint is defined broadly. It includes any expression of dissatisfaction about how an organisation has collected, used, stored or shared personal data.

This may include complaints relating to:

• The handling of a subject access request or other data subject rights request
• Concerns arising from a personal data breach
• The lawful basis on which personal data is processed.

Importantly, individuals don’t need to use legal terminology or refer to data protection legislation for an issue to qualify as a complaint. Organisations are expected to identify and treat complaints appropriately, regardless of the channel or format used.

Key requirements from 19 June 2026

Organisations must be able to demonstrate that they:

• Provide an accessible way for individuals to submit data protection complaints, such as a complaints form, email address or telephone number
• Acknowledge complaints within 30 days of receipt
• Take appropriate steps to investigate and respond without undue delay, keeping complainants informed of progress
• Clearly communicate the outcome of the complaint, including information about escalation to the ICO where relevant.

What should businesses be doing now?

Although the new regime doesn’t take effect until 19 June 2026, the ICO expects organisations to prepare in advance. Key steps include:

• Reviewing privacy information: ensure privacy notices clearly explain the right to make a data protection complaint and how to raise one
• Reviewing complaints processes: ensure procedures allow complaints through multiple channels, are easy to find and use and apply to all individuals
• Internal procedures and training: ensure staff can recognise data protection complaints and understand escalation procedures
• Record keeping: maintain records of complaints received, how they were handled and outcomes, to demonstrate compliance.

To prepare for the new complaints‑handling requirements, organisations should review privacy notices, complaints procedures and internal processes to ensure they are fit for purpose ahead of June 2026.