The United Kingdom’s data protection landscape is undergoing its most significant transformation since the implementation of the Data Protection Act 2018, following the formal enactment of the Data (Use and Access) Act 2025 (DUAA). Among the most operationally demanding changes for employers and data controllers is the introduction of a new statutory right for individuals to lodge complaints directly with controllers regarding alleged infringements of the UK General Data Protection Regulation (UK GDPR). This shift, which becomes legally enforceable on June 19, 2026, marks a departure from the previous informal handling of internal grievances, mandating a structured, auditable, and transparent framework for dispute resolution.
Under the new regime, organizations operating within the UK must overhaul their privacy governance to accommodate the requirements of the new Section 164A of the Data Protection Act 2018. The reforms are designed to redistribute the regulatory burden currently carried by the Information Commissioner’s Office (ICO). By requiring individuals to raise concerns with the data controller in the first instance, the government aims to facilitate faster resolutions at the organizational level while allowing the ICO to focus its resources on high-risk systemic breaches and significant public interest cases.
The Evolution of the UK Data Framework: A Chronology
The Data (Use and Access) Act 2025 is the culmination of a multi-year legislative effort to modernize the UK’s post-Brexit data regime. The journey began shortly after the UK’s withdrawal from the European Union, as the government sought to create a "business-friendly" alternative to the EU GDPR while maintaining the high standards necessary for data adequacy.
In 2022 and 2023, the government introduced iterations of the Data Protection and Digital Information (DPDI) Bill. While these earlier versions faced delays due to political shifts and the 2024 General Election, the core principles were refined and integrated into what has now become the DUAA 2025. This Act represents a strategic pivot toward "demonstrable accountability," where the burden of proof for compliance rests heavily on the controller’s ability to show documented processes and responsive communication.
The timeline for implementation is critical. While the Act has received Royal Assent, the specific provisions regarding the new right to complain and the associated handling requirements are slated for commencement on June 19, 2026. This window provides organizations with a necessary period to audit their existing systems, train personnel, and update public-facing documentation.
Core Requirements of the New Complaints-Handling Framework
The DUAA 2025 introduces several prescriptive obligations that move beyond the general accountability principles found in the original UK GDPR. Organizations must now act as the primary adjudicators of their own data processing activities. The following legal requirements are now central to compliance:
- Facilitating Accessibility: Controllers are required to provide clear, accessible channels through which individuals can submit complaints. This means organizations cannot hide behind complex bureaucratic layers; the mechanism for complaining must be as easy to use as the methods used to collect the data.
- Mandatory Acknowledgment: Once a complaint is received, the controller must acknowledge its receipt within a strict 30-day window. This acknowledgment is not merely a courtesy but a statutory requirement that triggers the formal investigation process.
- Investigation and Outcome Communication: Controllers must take "appropriate steps" to investigate the concerns raised. Following the investigation, the outcome must be communicated to the individual without "undue delay."
- Signposting Rights: If a controller chooses not to take action on a request (such as a request for data erasure or rectification), it must inform the individual of their right to complain to the controller under Section 164A, as well as their secondary right to escalate the matter to the ICO under Section 165.
Supporting Data: The Impetus for Regulatory Reform
The decision to formalize internal complaints handling is backed by data suggesting a growing bottleneck at the regulatory level. According to recent ICO annual reports, the regulator receives tens of thousands of data protection complaints annually, a significant portion of which relate to Data Subject Access Requests (DSARs) and transparency issues. Historically, many of these complaints were submitted to the ICO before the individual had even attempted to resolve the issue with the organization in question.
By mandating a "controller-first" approach, the UK government anticipates a reduction in the ICO’s caseload by an estimated 20% to 30% over the first three years of the Act’s operation. For businesses, this means that while the administrative burden of handling complaints increases, the risk of immediate regulatory intervention decreases, provided the internal process is robust. However, the stakes remain high; a failure to manage the internal complaints process correctly can itself become a ground for ICO enforcement action.
Operational Impact on Employers and HR Departments
For employers, the DUAA 2025 creates a new dimension of risk in the employment relationship. Employees are among the most frequent "data subjects" to exercise their rights, often using data protection complaints as a tactical element in broader workplace disputes or litigation.
The ICO has clarified that the definition of a "data protection complaint" is exceptionally broad. It encompasses any expression of dissatisfaction regarding how personal data is handled. This includes concerns over:
- The accuracy of performance reviews stored in HR systems.
- The use of monitoring software for remote workers.
- The retention of recruitment records for unsuccessful candidates.
- The handling of sensitive health data during sickness absence.
Crucially, the ICO emphasizes that an individual does not need to use the phrase "data protection complaint" for the statutory obligations to apply. If an employee sends an email to their manager stating, "I don’t think you should have shared my medical note with the whole team," this must be recognized and routed into the formal Section 164A complaints-handling process.
Strategic Implementation: Steps for Compliance
To meet the June 2026 deadline, organizations must move away from fragmented or informal grievance procedures. A strategic response involves five key pillars:
1. Privacy Notice Revision
Organizations must audit their external and internal privacy notices. These documents must now explicitly detail the right to complain to the controller, provide clear contact information for doing so, and outline the expected timeframes for a response.
2. Standardizing the Intake Process
Whether a complaint arrives via a dedicated "privacy@" email address, a social media message, or a verbal comment to a supervisor, there must be a unified system for logging the entry. This ensures the 30-day acknowledgment clock is accurately tracked.
3. Integration with Data Subject Access Requests (DSARs)
The DUAA 2025 specifically amends Article 12 and Article 15 of the UK GDPR. Response templates for DSARs must be updated to include mandatory signposting. If an organization denies a request for data or provides a redacted set of documents, it must inform the requester of their right to challenge that decision via the internal complaints process before going to the ICO.
4. Staff Training and Culture
Because complaints can be made to any member of staff, frontline employees—particularly in HR and customer service—must be trained to identify a data protection concern. Training should focus on the "no wrong door" policy, where a complaint made to a junior staff member is correctly escalated to the Data Protection Officer (DPO) or the compliance team.
5. Audit Trails and Accountability
Under the principle of accountability, it is not enough to resolve a complaint; an organization must be able to prove it followed the correct procedure. Detailed records must be maintained, documenting the nature of the complaint, the steps taken during the investigation, the evidence reviewed, and the final rationale for the decision.
Official Responses and Expert Analysis
Legal experts have noted that while the DUAA 2025 is marketed as a "deregulatory" measure, it actually increases the procedural complexity for organizations. David Whincup, a prominent employment law specialist, suggests that while employers might welcome the chance to resolve issues before the ICO gets involved, the "formality and structure" now required will make complaints-handling a much more "visible and auditable aspect of organizational accountability."
The ICO has signaled its support for the reforms, viewing them as a way to empower individuals. In its recently published guidance, the regulator stated that treating complaints-handling as a core part of accountability helps build trust between data subjects and controllers. However, the regulator also warned that it will maintain a "watchful eye" on organizations that use these processes to obstruct or delay the exercise of individual rights.
Broader Impact and Global Implications
The introduction of Section 164A is a clear signal of the UK’s intent to forge a distinct path in data regulation. By emphasizing internal resolution, the UK is moving closer to models seen in other professional services sectors, such as financial services, where internal dispute resolution (IDR) is a mandatory precursor to ombudsman involvement.
For international organizations, this creates a dual-track compliance requirement. A multinational company operating in both London and Paris will now need a specific UK-compliant complaints procedure that differs from the more generalized requirements of the EU GDPR. This divergence highlights the need for global privacy frameworks that are flexible enough to accommodate local statutory nuances.
Furthermore, the success of this framework will likely influence the UK’s standing in future data adequacy reviews with the European Commission. If the internal complaints system is seen as an effective safeguard for data subjects, it will bolster the UK’s argument that its "reformed" regime provides essentially equivalent protection to the EU’s framework.
Looking Ahead to June 2026
As the commencement date approaches, the priority for UK controllers is readiness. The Data (Use and Access) Act 2025 does not just change the rules; it changes the relationship between the organization, the individual, and the regulator. By shifting the first line of defense to the controller, the UK government is betting on the idea that transparency and direct communication can resolve data disputes more efficiently than centralized regulation.
Organizations that fail to adapt risk more than just a backlog of grievances. They face the prospect of statutory breaches, increased ICO scrutiny, and a loss of trust from their most valuable stakeholders: their employees and customers. In the new era of UK data protection, the ability to handle a complaint effectively is now just as important as the ability to protect the data itself.
