The Data (Use and Access) Act 2025: Preparing for the new complaints regime

The Data (Use and Access) Act 2025 (DUAA) introduces an important obligation for organisations handling personal data.

From 19 June 2026, all organisations acting as data controllers are required to have in place an effective process to enable individuals to raise complaints about how their personal data is handled.

What does this mean in practice?

Organisations will be required to ensure that individuals can easily raise concerns, and that those concerns are properly acknowledged and addressed within appropriate timeframes.

Organisations with existing complaints procedures should not assume these will be sufficient. A thorough review of any existing policies will be necessary to ensure current processes meet the standards set by the DUAA.

Where no suitable procedures currently exists, organisations will need to create and implement a compliant procedure well in advance of the June 2026 deadline.

Documentation and transparency

While the DUAA does not expressly mandate a standalone written complaints policy, in practice organisations will be expected to document their procedures. This reflects the broader accountability principle under UK data protection law and will be important in demonstrating compliance.

Organisations should also consider:

updating privacy notices to clearly inform individuals of their right to complain and how to do so;
ensuring internal policies accurately reflect the complaints handling process; and
maintaining appropriate records of complaints received and how they have been managed.
Contracts with third parties

Where processing activities are outsourced to third party service providers, contractual arrangements with these sub processors should be reviewed to ensure they adequately address complaints handling. In particular, agreements should:

require processors to promptly notify the controller of any data protection complaint they receive; and
oblige processors to provide reasonable assistance in investigating and resolving complaints.
This is essential to ensure controllers remain able to meet their legal obligations, even where processing is carried out on their behalf.

Staff training and awareness

The effectiveness of any complaints process will depend on staff understanding their responsibilities. It is therefore imperative that organisations:

clearly identify who is responsible for handling data protection complaints;
ensure all staff can recognise a data protection complaint, even where it is not expressly labelled as such; and
provide clear internal guidance on escalation procedures.
Training on complaints handling should form part of wider data protection training programmes and be reviewed regularly.

Get in touch

With the implementation date approaching, organisations should begin preparing now.

Taking proactive steps will help minimise compliance risk and ensure complaints are handled efficiently, consistently, and in line with the new legal framework.

If you would like to discuss how these changes may affect your organisation, or require support in developing a compliant complaints procedure, please contact our data protection team.