The United Kingdom is entering a new era of data governance following the formal enactment of the Data (Use and Access) Act 2025 (DUAA). This landmark piece of legislation represents the most significant overhaul of the nation’s data protection regime since the implementation of the Data Protection Act 2018 and the retained EU General Data Protection Regulation (UK GDPR). Among the various reforms introduced by the Act, one of the most operationally demanding for employers and data controllers is the introduction of a new statutory right for individuals to lodge complaints directly with controllers. Effective from June 19, 2026, this mandate shifts the primary responsibility for initial dispute resolution from the Information Commissioner’s Office (ICO) to the organizations themselves, requiring a fundamental restructuring of how businesses, particularly HR departments, manage data-related grievances.
The Shift Toward Controller-Led Dispute Resolution
The core of this legislative change lies in the new Section 164A of the Data Protection Act 2018. Previously, while individuals were encouraged to resolve issues with organizations before escalating them, there was no rigid statutory framework dictating how a controller must handle a complaint. The DUAA 2025 changes this by codifying the process. Under the new rules, data subjects—including current, former, and prospective employees—have a formal right to complain to a controller if they believe their personal data has been processed in a way that infringes upon the UK GDPR.
This reform is strategically designed to alleviate the regulatory burden on the ICO. By mandating that organizations provide accessible complaint channels and follow strict procedural timelines, the government aims to ensure that the majority of data protection concerns are resolved at the source. For employers, this means that the informal "open-door" policies or ad-hoc responses to privacy concerns will no longer suffice. Instead, they must implement "accessible" channels for complaints, acknowledge receipt within 30 days, investigate the matter thoroughly, and communicate the outcome without "undue delay."
Chronology of the Data (Use and Access) Act 2025
The path to the DUAA 2025 has been a multi-year journey characterized by the UK’s post-Brexit desire to create a "pro-growth, pro-innovation" data regime while maintaining the "adequacy" status required for seamless data flows with the European Union.
- May 2018: The Data Protection Act 2018 and the EU GDPR come into force, setting the baseline for modern UK data law.
- January 2021: Following the end of the Brexit transition period, the "UK GDPR" is established as a retained version of the EU regulation.
- 2022–2023: The government introduces the Data Protection and Digital Information (DPDI) Bill. This bill undergoes several iterations and rounds of consultation but eventually stalls due to the timing of the 2024 General Election.
- Late 2024: The new administration introduces the Data (Use and Access) Act 2025, which carries forward many of the administrative reforms of its predecessor while sharpening the focus on digital identity and smart data.
- Early 2025: The Act receives Royal Assent, officially becoming law.
- June 19, 2026: The specific provisions regarding the statutory right to complain and the mandatory handling processes for controllers come into full legal effect.
Quantifying the Regulatory Challenge: Data and Trends
The introduction of Section 164A is a direct response to the sheer volume of complaints handled by the ICO. According to the ICO’s 2023-2024 Annual Report, the regulator received nearly 40,000 data protection complaints from the public. A significant portion of these complaints related to Subject Access Requests (SARs) and the right of access, often in the context of employment disputes.
Analysis of ICO enforcement data suggests that a large percentage of these cases could have been resolved if the controller had a more robust internal grievance procedure. By formalizing this process, the government expects to reduce the ICO’s caseload by an estimated 20% to 30% over the first three years of implementation. However, this "efficiency" for the regulator translates into a heightened compliance cost for businesses. Economic impact assessments suggest that medium-to-large enterprises may need to increase their data protection compliance budgets by 10% to 15% to account for the specialized training and administrative overhead required to meet the June 2026 deadline.
Defining a Data Protection Complaint
One of the complexities of the new regime is the broad definition of what constitutes a "complaint." The ICO has clarified that a complaint does not need to be labeled as such to trigger the statutory obligations. If an individual expresses dissatisfaction regarding the handling of their personal data, the organization must treat it under the Section 164A framework. This includes concerns regarding:
- Subject Access Requests (SARs): Delays in responding or providing incomplete data.
- Transparency: Inadequate or confusing privacy notices.
- Data Accuracy: Failure to rectify incorrect personal records.
- Retention: Keeping employee data longer than is legally justifiable.
- Security: Minor breaches or perceived vulnerabilities in how data is stored.
- Marketing and Tracking: Issues related to the use of cookies or internal monitoring software.
Because these complaints can be submitted via any channel—including social media, verbal statements to HR, or formal emails—organizations must train frontline staff to recognize and escalate these interactions immediately to ensure the 30-day acknowledgment window is not missed.
Operational Imperatives for Employers
With the 2026 deadline approaching, legal experts and the ICO recommend a five-pillar approach to readiness.
1. Revision of Transparency Documents
Privacy notices are the first point of contact between a controller and a data subject. Under the updated Article 12(4) of the UK GDPR, controllers who decline to act on a data subject’s request (such as a request for erasure) must now inform the individual of their right to complain to the controller under Section 164A, in addition to their existing right to complain to the ICO. This requires a comprehensive audit of all privacy policies, employee handbooks, and automated response templates.
2. Formalization of Internal Procedures
Organizations must move away from fragmented complaint handling. A centralized "Data Complaint Log" is now an essential component of the accountability principle. This log must track the date of receipt, the nature of the complaint, the steps taken during the investigation, and the final resolution communicated to the individual.
3. Training and Cultural Shift
The most significant risk to compliance is a lack of awareness among non-specialist staff. HR teams and line managers are often the first to hear a data-related grievance. If a manager dismisses an employee’s verbal complaint about a "privacy intrusion" without routing it through the formal process, the company could be in breach of its statutory duty to acknowledge the complaint within 30 days.
4. Integration with Third-Party Processors
Many employers outsource their payroll, benefits administration, and IT services to third-party processors. If a complaint arises from an activity handled by a processor, the controller remains legally responsible for the outcome. Contracts must be reviewed to ensure that processors are contractually obligated to assist the controller in investigating and resolving complaints within the statutory timeframes.
5. Auditability and the ICO
The ICO has signaled that while it wants controllers to handle complaints first, it will become more aggressive in auditing how those complaints are handled. Organizations must be able to demonstrate not just that they resolved a complaint, but that their process was transparent and consistent. Failure to maintain an auditable complaints process could lead to regulatory action, even if the underlying data processing was lawful.
Broader Impact and Implications for the UK Data Landscape
The DUAA 2025 represents a delicate balancing act for the UK government. On one hand, it seeks to reduce "red tape" by allowing for more flexible record-keeping and moving away from the strict "Data Protection Officer" (DPO) requirement in some contexts (replacing it with a "Senior Responsible Individual"). On the other hand, the new complaints-handling regime adds a layer of prescriptive procedural law that did not exist before.
For international organizations, the DUAA 2025 introduces a potential point of divergence from the EU GDPR. While the EU GDPR grants individuals the right to lodge a complaint with a supervisory authority, it does not mandate a specific statutory process for complaining to the controller in the same way Section 164A does. Multinationals operating in both the UK and the EU will need to decide whether to adopt the UK’s more structured approach globally or maintain a UK-specific workflow.
Furthermore, the legal community is closely watching how the "undue delay" standard will be interpreted by the courts. While the 30-day acknowledgment is a hard deadline, the timeline for "resolution" remains subjective. In complex cases involving workplace surveillance or cross-border data transfers, investigations can take months. Employers will need to document their progress meticulously to prove that any delays were justified and not a result of administrative negligence.
Conclusion
The Data (Use and Access) Act 2025 marks a pivot toward a more self-regulatory but highly accountable data protection environment. By empowering individuals with a statutory right to complain directly to controllers, the Act forces organizations to take a more proactive and professional approach to data ethics. For employers, the period between now and June 19, 2026, is a critical window for infrastructure building. Those who successfully integrate these new requirements into their existing HR and compliance frameworks will likely see a reduction in costly ICO interventions and an improvement in employee trust. Conversely, those who treat these reforms as a mere "tick-box" exercise may find themselves facing both regulatory sanctions and a surge in litigation from a more informed and empowered workforce.
