The United Kingdom’s data protection landscape is undergoing its most significant transformation since the implementation of the Data Protection Act 2018. With the enactment of the Data (Use and Access) Act 2025 (DUAA), the government has introduced a series of reforms designed to streamline data usage while simultaneously formalizing the rights of individuals. Among the most operationally demanding changes for organizations is the introduction of a new statutory right for individuals to lodge complaints directly with data controllers. Effective from June 19, this mandate requires employers and other data-processing entities to establish rigorous, transparent, and auditable internal systems for handling grievances related to personal data.
This legislative shift moves the UK further toward a bespoke data regime that, while maintaining high standards of protection, seeks to reduce the administrative burden on the Information Commissioner’s Office (ICO). By requiring individuals to engage with the data controller in the first instance, the DUAA 2025 aims to resolve disputes at the source, effectively turning organizations into the primary arbiters of their own data compliance. For employers, this means that the informal handling of staff concerns regarding privacy is no longer sufficient; a failure to meet the new statutory requirements for complaint handling could lead to regulatory scrutiny and potential enforcement action.
Historical Context and the Road to the DUAA 2025
The Data (Use and Access) Act 2025 is the culmination of several years of legislative effort to reform the UK’s data protection framework following its departure from the European Union. Initially proposed in various forms—most notably as the Data Protection and Digital Information (DPDI) Bill—the reform process saw several iterations under different administrations. The primary objective has consistently been to create a "post-Brexit dividend" by reducing "red tape" for businesses while ensuring that the UK maintains its "adequacy" status with the EU, allowing for the continued free flow of data across borders.
The DUAA 2025 retains the core principles of the UK General Data Protection Regulation (UK GDPR) but introduces pragmatic adjustments. One of the central pillars of this new strategy is the "Accountability Framework," which shifts the focus from box-ticking exercises to demonstrable outcomes. The new complaints-handling right, enshrined in Section 164A of the Data Protection Act 2018 (as amended by the DUAA), is a critical component of this framework. It reflects a regulatory philosophy that encourages private resolution of disputes, mirroring processes found in the financial services and telecommunications sectors.
The New Statutory Right: Section 164A Explained
Under the previous regime, individuals could bypass the data controller and complain directly to the ICO if they believed their rights were being infringed. While this remains a legal possibility, the DUAA 2025 formalizes the internal complaint route to ensure it is the path of least resistance.
Section 164A grants individuals the right to complain to a controller if they believe the controller has infringed the UK GDPR in the processing of their personal data. This is not merely a suggestion of best practice; the Act imposes specific legal obligations on the controller. Organizations must now provide easily accessible channels for these complaints and are legally required to acknowledge receipt within 30 days. Furthermore, they must investigate the complaint and communicate the outcome—along with information about the individual’s right to escalate the matter to the ICO—without undue delay.
This formalization is intended to benefit both parties. For the individual, it provides a structured process with guaranteed timelines. For the employer, it offers a "second chance" to rectify errors, such as a mishandled Subject Access Request (SAR) or an accidental data leak, before the regulator intervenes. However, this also increases the "visibility" of an organization’s compliance efforts. If an organization fails to handle a complaint correctly under Section 164A, that failure itself becomes a secondary infringement that the ICO can investigate.
Broad Scope of Data Protection Complaints
A common misconception among employers is that "data protection complaints" only involve major security breaches or "hacking" incidents. However, the ICO’s updated guidance clarifies that the scope is far broader. A complaint under the new Act can arise from any alleged infringement of the UK GDPR. This includes, but is not limited to:
- Subject Access Request (SAR) Delays: Employees frequently complain when employers fail to provide copies of their personal data within the statutory one-month timeframe.
- Transparency and Privacy Notices: Concerns that an employer is not being clear about how employee data is used, especially regarding monitoring or AI-driven performance tracking.
- Retention Practices: Grievances regarding how long an organization keeps the data of former employees or unsuccessful job applicants.
- Direct Marketing: Issues involving the use of personal contact details for internal or external marketing without a valid lawful basis.
- Cookies and Tracking: Complaints regarding the use of tracking technologies in the workplace or on corporate websites.
- Security Incidents: Concerns about unauthorized access to payroll information, medical records, or home addresses.
By defining "complaint" so broadly, the Act ensures that almost any interaction where an individual feels their data has been mishandled falls under the new structured response requirements.
Supporting Data: The Regulatory Burden on the ICO
The drive toward internal complaint resolution is fueled by the sheer volume of cases handled by the Information Commissioner’s Office. According to recent ICO annual reports, the regulator receives tens of thousands of data protection complaints annually. A significant portion of these relates to matters that could—and should—have been resolved between the individual and the organization.
Data from the 2023-2024 period indicates that nearly 40% of complaints sent to the ICO are closed with "no further action" because the organization had already resolved the issue or the complaint was premature. By mandating a formal internal process, the DUAA 2025 seeks to filter out these cases, allowing the ICO to focus its resources on high-risk systemic failures and large-scale data breaches. For organizations, this means the ICO will likely become less tolerant of controllers who do not have a robust Section 164A process in place, as these controllers contribute directly to the regulator’s backlog.
Operational Impact and Implementation Timeline
The implementation of these changes requires a multi-departmental effort, involving Legal, HR, IT, and Customer Service teams. The "go-live" date of June 19 serves as a hard deadline for organizations to have their processes in order.
1. Privacy Notice and Documentation Updates
The most immediate task is the revision of privacy notices. Under Article 12(4) and Article 15 of the UK GDPR (as amended), organizations must now explicitly inform individuals of their right to complain to the controller under Section 164A. This information must be included in general privacy notices and specifically signposted when an organization refuses to take action on a rights request (such as a request for erasure or rectification).
2. Standardizing the Intake Process
Organizations must ensure that complaints can be recognized regardless of the channel through which they arrive. A complaint does not need to be labeled "Data Protection Complaint" to trigger the statutory obligations. An email to an HR manager stating, "I’m unhappy that my sick leave details were shared with the whole team," is legally a data protection complaint. Staff must be trained to recognize and route these communications to a central handling point.
3. Tracking and Auditing
The 30-day acknowledgment rule necessitates a robust tracking system. Organizations will need to log the date of receipt, the nature of the complaint, the steps taken during the investigation, and the final resolution. This log serves as vital evidence of "accountability" should the ICO ever request an audit of the firm’s data practices.
Reactions and Analysis of Implications
Legal experts and privacy advocates have expressed a range of reactions to the DUAA 2025. While business groups generally welcome the move toward internal resolution as a way to avoid the "stigma" of a formal ICO investigation, privacy advocates warn that it places a significant burden on individuals to "self-police" their data rights against potentially well-resourced corporations.
From an employment law perspective, the new right is expected to be used frequently in the context of workplace disputes. It is common for employees in the midst of a grievance or disciplinary process to submit a SAR or a data-related complaint as a tactical move. The DUAA 2025 formalizes this tactic, requiring employers to manage these complaints within a strict legal framework even if they believe the complaint is being used as a distraction from other performance issues.
Furthermore, the requirement to acknowledge complaints within 30 days is a relatively tight turnaround for smaller organizations without dedicated data protection officers (DPOs). This may lead to an increased reliance on outsourced privacy services or specialized software to manage the influx of queries.
Future Outlook: A New Standard of Accountability
The introduction of the right to complain to the controller is more than just a procedural change; it represents a new standard of organizational accountability in the UK. By June 19, the "wait and see" approach to data privacy will no longer be viable. Organizations that fail to implement these changes risk not only statutory penalties but also a breakdown in trust with their employees and customers.
As the UK continues to diverge from the EU GDPR in subtle but impactful ways, the DUAA 2025 sets a precedent for a more "regulated self-regulation" model. The success of this model will depend on whether organizations view these new requirements as a mere compliance hurdle or as an opportunity to improve their data governance and build a more transparent relationship with the individuals whose data they process.
Looking ahead, the ICO is expected to monitor the implementation of Section 164A closely. If the volume of "premature" complaints to the regulator does not decrease, further prescriptive guidance or stricter enforcement of internal handling failures is likely. For now, the priority for all UK-based controllers is clear: update notices, train staff, and prepare for a more vocal and empowered data subject.
