Search

How can we help?

Icon

The Data Use and Access Act 2025 – how to handle data protection complaints

The Data (Use and Access) Act 2025 (DUA Act) implements statutory obligations on data controllers. This article will focus on, in particular, the requirement for data controllers to ensure that, by June 2026, appropriate complaint procedures are put in place (s 103).

The Information Commissioner’s Office (ICO) has published draft guidance on complaint procedures to allow organisations time to prepare for and comply with the DUA Act. Such guidance was open to consultation but had closed on 19 October 2025.

When do data protection complaints arise?

Data protection complaints can arise from many situations and ultimately, come from individuals who are unhappy as to how their data was handled. Such situations may arise from those who:

  • are not satisfied with how their data subject access request (DSAR) was dealt with or the organisation’s response;
  • have been subject to a data breach or compromise; or
  • are generally dissatisfied as to how their data has been used, stored or kept etc.

What does the DUA Act say?

The DUA Act now states that data controllers must ‘facilitate the making of complaints… by taking steps such as providing a complaint form which can be completed electronically or by other means’ (s 103). Before the introduction of the DUA Act, the ICO reiterated the importance of internal discussion between the data subject and the organisation to solve complaints before such issues were escalated. However, the introduction of this statutory obligation reinforces the concept that complaints must be dealt with internally first.

This therefore means that organisations will need a robust complaints procedure in place to deal with complaints directly. The procedure should be simple, accessible and easy to find.  The ICO guidance includes examples of what organisations could do. This includes:

  • allowing complaints to be made on a form but submitted through various methods including, electronically, by email or by post;
  • allowing complaints to be made via live chat functions online;
  • utilising other online systems like a portal;
  • allowing complaints to be made by telephone; and
  • allowing complaints to be made to an individual.

Not only will the above help to ensure an effective complaints procedure is in place, but it can also help to invoke a sense of trust and understanding between the organisation and the individual making the complaint.

The introduction of this statutory obligation reinforces the concept that complaints must be dealt with internally first.

What else does the DUA Act say?

The DUA Act states that complaints must be acknowledged within 30 days of their receipt. Organisations must also deal with complaints ‘without undue delay’ and must ensure that:

  • appropriate steps are taken to deal with the complaint;
  • appropriate steps are taken to enquire into the complaint; and
  • individuals are kept informed about the progress and outcome of the complaint.

It is clear then, that even after complaints are made, organisations will need to continue to follow an internal process to ensure they comply with statutory obligations. Policies should therefore be put in place which set out a clear framework of the complaints process. Organisations will need to collectively decide who will be responsible for the handling of complaints but all appropriate staff members will need to be trained to know how to identify and escalate any such complaint made.

Record-keeping will also play a pivotal role throughout. Logs should be kept to ensure compliance with the above-mentioned statutory obligations which in turn, can also reassure data subjects with the knowledge that their complaint is being dealt with swiftly and appropriately. ‘Test runs’ of a complaint system could also prove advantageous to pinpoint any areas for improvement and to ensure that both policy and process are effective and fully functional.

Our team can assist you with all aspects of this change, from drafting a complaints form and updating policies  to providing training and advice on implementation, record keeping and dealing with complaints.

For further information on the ICO guidance, see here: Complaints guidance for organisations | ICO and feel free to contact a member of our data protection team with any queries you may have.

If you require further assistance on this topic, please do not hesitate to contact a member of our data protection team. 

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Author profile
Madeleine Harding

Trainee Solicitor

View profile

+44 118 960 4693

About this article

  • Subject
    The Data Use and Access Act 2025 – how to handle data protection complaints
  • Author
    Madeleine Harding
  • Expertise
    Employment
  • Published
    26 November 2025
employmentboddy logo
clipboard logo HR Resources

Data Controllers and Data Processors factsheet

This factsheet is a guide for Data Controllers and Data Processors.

FIND OUT MORE

Read, listen and watch our latest insights

art
  • 20 November 2025
  • Immigration

The Innovator Founder Visa: What It Is & How Recent Home Office Changes Empower Student Entrepreneurs

The UK’s Innovator Founder visa is designed to attract ambitious entrepreneurs who can build innovative, viable, and scalable businesses in the UK.

art
  • 18 November 2025
  • Employment

Employment Rights Bill – Enhanced protections for pregnant women and new mothers

The Employment Rights Bill will make it unlawful to dismiss pregnant women, mothers on maternity leave and mothers who return to work for at least six months after they return to work, expect for specific circumstances.
art
  • 12 November 2025
  • Employment

GDPR: Who are data controllers and processors?

Controllers and processors have a different set of responsibilities, and have various responsibilities when dealing with data breaches.
Pub
  • 11 November 2025
  • Corporate and M&A

The Autumn Budget 2025: Key considerations for business buyers and sellers

Join Stuart Mullins and Nicky Goringe Larkin as they discuss some of the likely implications of the Autumn Budget 2025 for those looking to buy and sell businesses.
art
  • 11 November 2025
  • Corporate and M&A

Directors Duties: Honesty and Goodfaith 

In June the Court of Appeal found that a director had failed to comply with their statutory duty.
art
  • 11 November 2025
  • Litigation and dispute resolution

Renters’ Rights Act

We have been closely monitoring the progress of the Renter’s Rights Bill whilst it has been going through Parliament given the major reforms it proposed to the residential rental market in England.
See More