The final significant data protection changes under the Data (Use and Access) Act 2025 (DUAA) are now upon us. If you run a business that handles personal data, and almost every business does, there is one provision in particular that you need to have in place:
Do you have a formal complaints handling procedure for data subjects?
This is not a technicality. It is a new statutory obligation, and it completes the DUAA’s phased roll-out of reforms to UK data protection law.
What Is the DUAA and Why Does It Matter?
On 19 June 2025, the UK Parliament enacted the DUAA, marking the most significant UK data protection reform since the UK GDPR. Rather than overhauling the current regime, the DUAA introduces targeted amendments to the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
The DUAA does not replace those laws, but it makes changes to them to make the rules simpler for organisations, encourage innovation, help law enforcement agencies to tackle crime, and allow responsible data-sharing while maintaining high data protection standards.
For an overview of all the changes, please read: An Overview of the Data (Use and Access) Act 2025
Mandatory Complaints Procedures
Section 103 introduces a new statutory complaints handling duty, and the ICO has stated that organisations must have a compliant complaints process in place by June 2026.
In practical terms, what does this require? The Act has created a statutory right for individuals to raise data privacy-related complaints directly with organisations. Organisations will be required to facilitate the creation of a formal complaints mechanism, such as an online form, acknowledge receipt of complaints within thirty days, and take appropriate steps to investigate each complaint without undue delay.
This is in addition to a data subject’s existing right to complain to the Information Commission, the new name for the data protection regulator which replaces the UK Information Commissioner’s Office under the Act.
Before this change, an individual whose data was mishandled could go straight to the regulator. Now, they must be able to complain to your organisation first, through a defined process that your organisation is legally required to have in place.
“The new statutory right to complain shifts greater responsibility onto organisations to resolve data protection concerns before they reach the regulator. Businesses should view this not simply as a compliance exercise, but as an opportunity to strengthen customer confidence by demonstrating that privacy concerns are taken seriously, investigated properly and resolved transparently.”
Richard Hull, Data Protection Solicitor, JPP Law
What Should Your Business Do Now?
If your business does not yet have a formal complaints procedure in place, or you are unsure whether your existing process meets the new standard, make this a priority.
At a minimum, your complaints process should include an accessible route for individuals to submit a complaint, written acknowledgement within thirty days, and a clear procedure for investigating and resolving complaints without undue delay. The process should be documented, communicated clearly to data subjects, and reviewed regularly.
This is also a good moment to consider your broader data protection compliance position. JPP Law’s Data Protection Solicitors offer a Data Protection Audit service, through which we review your existing policies, procedures and practices against current legal requirements and identify any gaps. If you would like to understand where your business stands ahead of the June deadline, that is a practical place to start.
Speak to a Data Protection Solicitor
Businesses that have not yet put a compliant process in place need to act without delay.
If you would like advice on what the data protection changes mean for your business specifically, or if you need a data protection solicitor to review your data protection compliance position, we are here to help. Book an introductory call to speak with a member of our team.





