Search

How can we help?

Icon

The Data Use and Access Act 2025 – how to handle data protection complaints

The Data (Use and Access) Act 2025 (DUA Act) implements statutory obligations on data controllers. This article will focus on, in particular, the requirement for data controllers to ensure that, by June 2026, appropriate complaint procedures are put in place (s 103).

The Information Commissioner’s Office (ICO) has published draft guidance on complaint procedures to allow organisations time to prepare for and comply with the DUA Act. Such guidance was open to consultation but had closed on 19 October 2025.

When do data protection complaints arise?

Data protection complaints can arise from many situations and ultimately, come from individuals who are unhappy as to how their data was handled. Such situations may arise from those who:

  • are not satisfied with how their data subject access request (DSAR) was dealt with or the organisation’s response;
  • have been subject to a data breach or compromise; or
  • are generally dissatisfied as to how their data has been used, stored or kept etc.

What does the DUA Act say?

The DUA Act now states that data controllers must ‘facilitate the making of complaints… by taking steps such as providing a complaint form which can be completed electronically or by other means’ (s 103). Before the introduction of the DUA Act, the ICO reiterated the importance of internal discussion between the data subject and the organisation to solve complaints before such issues were escalated. However, the introduction of this statutory obligation reinforces the concept that complaints must be dealt with internally first.

This therefore means that organisations will need a robust complaints procedure in place to deal with complaints directly. The procedure should be simple, accessible and easy to find.  The ICO guidance includes examples of what organisations could do. This includes:

  • allowing complaints to be made on a form but submitted through various methods including, electronically, by email or by post;
  • allowing complaints to be made via live chat functions online;
  • utilising other online systems like a portal;
  • allowing complaints to be made by telephone; and
  • allowing complaints to be made to an individual.

Not only will the above help to ensure an effective complaints procedure is in place, but it can also help to invoke a sense of trust and understanding between the organisation and the individual making the complaint.

The introduction of this statutory obligation reinforces the concept that complaints must be dealt with internally first.

What else does the DUA Act say?

The DUA Act states that complaints must be acknowledged within 30 days of their receipt. Organisations must also deal with complaints ‘without undue delay’ and must ensure that:

  • appropriate steps are taken to deal with the complaint;
  • appropriate steps are taken to enquire into the complaint; and
  • individuals are kept informed about the progress and outcome of the complaint.

It is clear then, that even after complaints are made, organisations will need to continue to follow an internal process to ensure they comply with statutory obligations. Policies should therefore be put in place which set out a clear framework of the complaints process. Organisations will need to collectively decide who will be responsible for the handling of complaints but all appropriate staff members will need to be trained to know how to identify and escalate any such complaint made.

Record-keeping will also play a pivotal role throughout. Logs should be kept to ensure compliance with the above-mentioned statutory obligations which in turn, can also reassure data subjects with the knowledge that their complaint is being dealt with swiftly and appropriately. ‘Test runs’ of a complaint system could also prove advantageous to pinpoint any areas for improvement and to ensure that both policy and process are effective and fully functional.

Our team can assist you with all aspects of this change, from drafting a complaints form and updating policies  to providing training and advice on implementation, record keeping and dealing with complaints.

For further information on the ICO guidance, see here: Complaints guidance for organisations | ICO and feel free to contact a member of our data protection team with any queries you may have.

If you require further assistance on this topic, please do not hesitate to contact a member of our data protection team. 

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Author profile
Madeleine Harding

Trainee Solicitor

View profile

+44 118 960 4693

About this article

  • Subject
    The Data Use and Access Act 2025 – how to handle data protection complaints
  • Author
    Madeleine Harding
  • Expertise
    Employment
  • Published
    26 November 2025
employmentboddy logo
clipboard logo HR Resources

Data Controllers and Data Processors factsheet

This factsheet is a guide for Data Controllers and Data Processors.

FIND OUT MORE

Read, listen and watch our latest insights

art
  • 16 December 2025
  • Employment

Christmas Parties – Festive Fun or a New Year Hangover?

It’s Christmas party season! The office party is often a mixed blessing – an opportunity to boost morale and perhaps celebrate a successful year yet also a melting pot of workers letting their hair down, with potential for accidents, injuries, threats and claims.
art
  • 10 December 2025
  • Privacy and Data Protection

The 12 Data Protection Mistakes of Christmas

As the festive season approaches, it is not just last-minute shopping and office parties that can catch organisations off guard; data protection slip-ups are just as common.
Pub
  • 04 December 2025
  • Immigration

UK Immigration: What to expect in 2026 for employers

Join our UK immigration specialists, Ruth Karimatsenga and Monica Mastropasqua, as they explore the key updates and how they affect your business in 2026.
Pub
  • 04 December 2025
  • Corporate and M&A

Autumn Budget 2025 Breakdown: Key takeaways for business buyers and sellers

Join Stuart Mullins and Nicky Goringe Larkin as they delve into the key updates from the Chancellor’s announcement, with a focus on what matters most for businesses looking to buy and sell.
art
  • 03 December 2025
  • Corporate and M&A

Why is carrying out a legal Due Diligence investigation necessary during an proposed acquisition?

Merging with or acquiring another company is a high-stakes endeavour. The purpose, process and common areas of investigation during a M&A transaction.

art
  • 02 December 2025
  • Employment

All I Want for Christmas… Is No Tribunal Claims!

Before the festivities begin, it is worth unwrapping the key risks and understanding how employers can protect their staff, their reputation and their sanity, while still delivering a thoroughly enjoyable evening.
See More