Search

How can we help?

Icon

The Data Use and Access Act 2025 – how to handle data protection complaints

The Data (Use and Access) Act 2025 (DUA Act) implements statutory obligations on data controllers. This article will focus on, in particular, the requirement for data controllers to ensure that, by June 2026, appropriate complaint procedures are put in place (s 103).

The Information Commissioner’s Office (ICO) has published draft guidance on complaint procedures to allow organisations time to prepare for and comply with the DUA Act. Such guidance was open to consultation but had closed on 19 October 2025.

When do data protection complaints arise?

Data protection complaints can arise from many situations and ultimately, come from individuals who are unhappy as to how their data was handled. Such situations may arise from those who:

  • are not satisfied with how their data subject access request (DSAR) was dealt with or the organisation’s response;
  • have been subject to a data breach or compromise; or
  • are generally dissatisfied as to how their data has been used, stored or kept etc.

What does the DUA Act say?

The DUA Act now states that data controllers must ‘facilitate the making of complaints… by taking steps such as providing a complaint form which can be completed electronically or by other means’ (s 103). Before the introduction of the DUA Act, the ICO reiterated the importance of internal discussion between the data subject and the organisation to solve complaints before such issues were escalated. However, the introduction of this statutory obligation reinforces the concept that complaints must be dealt with internally first.

This therefore means that organisations will need a robust complaints procedure in place to deal with complaints directly. The procedure should be simple, accessible and easy to find.  The ICO guidance includes examples of what organisations could do. This includes:

  • allowing complaints to be made on a form but submitted through various methods including, electronically, by email or by post;
  • allowing complaints to be made via live chat functions online;
  • utilising other online systems like a portal;
  • allowing complaints to be made by telephone; and
  • allowing complaints to be made to an individual.

Not only will the above help to ensure an effective complaints procedure is in place, but it can also help to invoke a sense of trust and understanding between the organisation and the individual making the complaint.

The introduction of this statutory obligation reinforces the concept that complaints must be dealt with internally first.

What else does the DUA Act say?

The DUA Act states that complaints must be acknowledged within 30 days of their receipt. Organisations must also deal with complaints ‘without undue delay’ and must ensure that:

  • appropriate steps are taken to deal with the complaint;
  • appropriate steps are taken to enquire into the complaint; and
  • individuals are kept informed about the progress and outcome of the complaint.

It is clear then, that even after complaints are made, organisations will need to continue to follow an internal process to ensure they comply with statutory obligations. Policies should therefore be put in place which set out a clear framework of the complaints process. Organisations will need to collectively decide who will be responsible for the handling of complaints but all appropriate staff members will need to be trained to know how to identify and escalate any such complaint made.

Record-keeping will also play a pivotal role throughout. Logs should be kept to ensure compliance with the above-mentioned statutory obligations which in turn, can also reassure data subjects with the knowledge that their complaint is being dealt with swiftly and appropriately. ‘Test runs’ of a complaint system could also prove advantageous to pinpoint any areas for improvement and to ensure that both policy and process are effective and fully functional.

Our team can assist you with all aspects of this change, from drafting a complaints form and updating policies  to providing training and advice on implementation, record keeping and dealing with complaints.

For further information on the ICO guidance, see here: Complaints guidance for organisations | ICO and feel free to contact a member of our data protection team with any queries you may have.

If you require further assistance on this topic, please do not hesitate to contact a member of our data protection team. 

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Author profile
Madeleine Harding

Trainee Solicitor

View profile

+44 118 960 4693

About this article

  • Subject
    The Data Use and Access Act 2025 – how to handle data protection complaints
  • Author
    Madeleine Harding
  • Expertise
    Employment
  • Published
    26 November 2025
employmentboddy logo
clipboard logo HR Resources

Data Controllers and Data Processors factsheet

This factsheet is a guide for Data Controllers and Data Processors.

FIND OUT MORE

Read, listen and watch our latest insights

art
  • 05 January 2026
  • Immigration

UK Immigration changes in 2025: What to expect in 2026

This wrap-up brings together the key developments from across the year, highlighting what has changed, what is still evolving, and what organisations should be planning for as we move into 2026.
art
  • 22 December 2025
  • Corporate and M&A

Corporate law in 2025 and looking forward to 2026

2025 has been a transformative year, with a massive paradigm shift from ‘deregulation’ to ‘transparency and accountability’ at Companies House.
Pub
  • 22 December 2025
  • Privacy and Data Protection

GDPR Packages

Our comprehensive GDPR Packages are designed to help organisations navigate the complexities of data protection and ensure compliance with regulatory requirements.
art
  • 18 December 2025
  • Employment

Employment Law: Looking back at 2025 and what to expect in 2026

2025 has certainly been an interesting year for employment law. While the Employment Rights Bill has pulled much of the focus since it was introduced in October 2024, there have been other important updates this year as well.
art
  • 18 December 2025
  • Corporate and M&A

Deal Announcement: Clarkslegal’s corporate lawyers advise on the sale of Chatterbox Labs Limited to subsidiary of American tech giant

Clarkslegal’s corporate team, led by Senior Consultant Jon Chapman and supported by Senior Solicitor Emma Docking, advised the founders of Chatterbox Labs Limited on the sale of the AI security specialist to Red Hat, Inc., a wholly owned subsidiary of IBM.
art
  • 16 December 2025
  • Employment

Christmas Parties – Festive Fun or a New Year Hangover?

It’s Christmas party season! The office party is often a mixed blessing – an opportunity to boost morale and perhaps celebrate a successful year yet also a melting pot of workers letting their hair down, with potential for accidents, injuries, threats and claims.
See More