The Data (Use and Access) Act 2025 (DUA Act) implements statutory obligations on data controllers. This article will focus on, in particular, the requirement for data controllers to ensure that, by June 2026, appropriate complaint procedures are put in place (s 103).
The Information Commissioner’s Office (ICO) has published draft guidance on complaint procedures to allow organisations time to prepare for and comply with the DUA Act. Such guidance was open to consultation but had closed on 19 October 2025.
When do data protection complaints arise?
Data protection complaints can arise from many situations and ultimately, come from individuals who are unhappy as to how their data was handled. Such situations may arise from those who:
- are not satisfied with how their data subject access request (DSAR) was dealt with or the organisation’s response;
- have been subject to a data breach or compromise; or
- are generally dissatisfied as to how their data has been used, stored or kept etc.
What does the DUA Act say?
The DUA Act now states that data controllers must ‘facilitate the making of complaints… by taking steps such as providing a complaint form which can be completed electronically or by other means’ (s 103). Before the introduction of the DUA Act, the ICO reiterated the importance of internal discussion between the data subject and the organisation to solve complaints before such issues were escalated. However, the introduction of this statutory obligation reinforces the concept that complaints must be dealt with internally first.
This therefore means that organisations will need a robust complaints procedure in place to deal with complaints directly. The procedure should be simple, accessible and easy to find. The ICO guidance includes examples of what organisations could do. This includes:
- allowing complaints to be made on a form but submitted through various methods including, electronically, by email or by post;
- allowing complaints to be made via live chat functions online;
- utilising other online systems like a portal;
- allowing complaints to be made by telephone; and
- allowing complaints to be made to an individual.
Not only will the above help to ensure an effective complaints procedure is in place, but it can also help to invoke a sense of trust and understanding between the organisation and the individual making the complaint.
What else does the DUA Act say?
The DUA Act states that complaints must be acknowledged within 30 days of their receipt. Organisations must also deal with complaints ‘without undue delay’ and must ensure that:
- appropriate steps are taken to deal with the complaint;
- appropriate steps are taken to enquire into the complaint; and
- individuals are kept informed about the progress and outcome of the complaint.
It is clear then, that even after complaints are made, organisations will need to continue to follow an internal process to ensure they comply with statutory obligations. Policies should therefore be put in place which set out a clear framework of the complaints process. Organisations will need to collectively decide who will be responsible for the handling of complaints but all appropriate staff members will need to be trained to know how to identify and escalate any such complaint made.
Record-keeping will also play a pivotal role throughout. Logs should be kept to ensure compliance with the above-mentioned statutory obligations which in turn, can also reassure data subjects with the knowledge that their complaint is being dealt with swiftly and appropriately. ‘Test runs’ of a complaint system could also prove advantageous to pinpoint any areas for improvement and to ensure that both policy and process are effective and fully functional.
Our team can assist you with all aspects of this change, from drafting a complaints form and updating policies to providing training and advice on implementation, record keeping and dealing with complaints.
For further information on the ICO guidance, see here: Complaints guidance for organisations | ICO and feel free to contact a member of our data protection team with any queries you may have.
If you require further assistance on this topic, please do not hesitate to contact a member of our data protection team.
