The United Kingdom’s data protection landscape is undergoing a significant transformation with the full implementation of the Data (Use and Access) Act 2025 (DUAA), a legislative milestone that fundamentally alters how organizations must interact with individuals regarding their personal data. Central to this evolution is the introduction of a new statutory right for individuals, including employees, to lodge formal complaints directly with data controllers concerning alleged infringements of the UK General Data Protection Regulation (UK GDPR). Effective from June 19, this shift moves beyond previous informal expectations, establishing a rigid, auditable framework that mandates how organizations must acknowledge, investigate, and resolve data-related grievances.
For employers across the UK, the DUAA represents more than a minor administrative adjustment; it is a formalization of regulatory expectations that places the burden of first-instance resolution squarely on the shoulders of the data controller. While individuals retain the right to escalate matters to the Information Commissioner’s Office (ICO), the new regime is designed to divert the initial flow of complaints away from the regulator and toward the source of the data processing. This change necessitates an immediate overhaul of internal privacy governance, ranging from the revision of privacy notices to the implementation of sophisticated tracking systems and staff training programs.
The Legislative Foundation: Section 164A and the DPA 2018
The primary mechanism for this change is the insertion of Section 164A into the Data Protection Act 2018. This amendment, introduced via the DUAA, creates a structured legal pathway for individuals to challenge how their data is handled. Under the new provisions, a "data protection complaint" is defined broadly, encompassing any concern that a controller has failed to comply with the UK GDPR.
Historically, while many organizations maintained informal channels for addressing privacy concerns, there was no uniform statutory requirement governing the process of those internal complaints. The DUAA changes this by requiring controllers to provide accessible complaint channels, acknowledge receipt of a complaint within a strict 30-day window, and take "appropriate steps" to investigate the matter. Furthermore, controllers must communicate the outcome of the investigation to the complainant without undue delay. This formalization is intended to ensure that data protection becomes a visible and auditable aspect of organizational accountability, rather than a secondary consideration handled sporadically by legal or HR departments.
Chronology of the UK Data Reform Movement
The implementation of the DUAA is the culmination of a multi-year effort by the UK government to refine its post-Brexit data protection strategy. Following the UK’s departure from the European Union, the government sought to create a "pro-growth, pro-innovation" data regime that maintained high standards of protection while reducing the administrative burden on both the regulator and businesses.
- 2018: The Data Protection Act 2018 is enacted, alongside the direct application of the EU GDPR in the UK.
- 2021-2022: The UK government launches the "Data: A New Direction" consultation, seeking views on how to diverge from certain aspects of the EU GDPR to benefit the UK economy.
- 2023: The Data Protection and Digital Information (DPDI) Bill is introduced to Parliament, proposing significant changes to the role of the ICO and the rights of data subjects.
- 2024: Following legislative refinements and a focus on "Use and Access," the framework evolves into the Data (Use and Access) Bill.
- 2025: The Data (Use and Access) Act 2025 is officially enacted, setting the stage for the June 19 enforcement of the new complaint-handling provisions.
- June 19, 2026: The statutory requirements for complaint handling and updated transparency obligations become legally binding for all UK controllers.
Statistical Context: The Regulatory Burden on the ICO
The drive toward internalizing complaint resolution is largely informed by the sheer volume of data protection disputes currently reaching the ICO. According to recent regulatory reports, the ICO receives tens of thousands of complaints annually. In the 2023-2024 fiscal year alone, the regulator handled over 35,000 data protection cases. A significant majority of these complaints—often exceeding 40%—relate to Subject Access Requests (DSARs), where individuals feel that organizations have either failed to provide information or have provided incomplete data.
By mandating a formal internal complaint process, the government aims to reduce the ICO’s caseload by ensuring that "low-level" or "procedural" disputes are resolved at the organizational level. Data suggests that a substantial portion of complaints escalated to the ICO are resolved with a finding that the organization should have simply communicated more clearly with the individual. The DUAA codifies this communication, forcing organizations to address grievances before they become regulatory investigations.
Key Changes to Individual Rights and Transparency
The DUAA introduces specific amendments to the UK GDPR that directly affect how organizations communicate with data subjects. Specifically, Article 12(4) of the UK GDPR has been amended. Previously, if a controller decided not to take action on a request (such as a request for data erasure or rectification), they were required to inform the individual of their right to complain to the ICO. Under the new law, the controller must now also inform the individual of their right to lodge a complaint with the controller itself under Section 164A.
Similarly, Articles 15(1)(ea) and (f) have been updated regarding Subject Access Requests. When an organization responds to a DSAR, it must now explicitly signpost both the right to complain to the ICO and the right to complain to the organization. This dual-notification requirement ensures that the internal complaint mechanism is highly visible to the data subject at the very moment they may feel their rights have been overlooked.
Defining the Scope of a Data Protection Complaint
The ICO has clarified that the definition of a "complaint" under the DUAA is intentionally broad. Organizations cannot avoid their obligations by claiming a grievance was not "labeled correctly." A complaint may be triggered by any expression of dissatisfaction regarding:
- Subject Access Requests: Delays in response or perceived incompleteness of the data provided.
- Direct Marketing: Unsolicited communications or failure to honor "opt-out" requests.
- Retention Practices: Concerns that data is being kept longer than necessary or for unauthorized purposes.
- Transparency Obligations: Vague or misleading information in privacy notices.
- Security Incidents: Allegations of data breaches or insufficient technical safeguards.
- Lawful Basis: Challenges to the organization’s legal grounds for processing specific categories of data.
The ICO’s guidance emphasizes that complaints can be made through any channel, including social media, verbal conversations with HR, or formal written letters. This requires staff across all departments—not just the Data Protection Officer (DPO)—to be trained in identifying and routing these grievances appropriately.
Operational Impact and Industry Reactions
Legal analysts and HR professionals have noted that while the "notionally greater chance" of resolving complaints internally is a positive development, the administrative cost of compliance will be non-trivial. David Whincup, a prominent employment law expert, observes that the change introduces a degree of formality and structure that was previously missing in the law. Employers may find that the new requirements lead to a more "litigious" internal environment, where every minor data dispute is treated with the gravity of a formal grievance.
Business advocacy groups have expressed cautious support for the reforms, noting that a streamlined ICO might be able to focus more effectively on serious, large-scale data breaches. However, small and medium-sized enterprises (SMEs) have voiced concerns regarding the 30-day acknowledgment rule and the need for documented audit trails, which may strain limited administrative resources.
A Compliance Roadmap for Organizations
To meet the June 19 deadline, organizations are advised to follow a structured readiness plan:
1. Privacy Notice Revision
Organizations must audit all external and internal privacy notices. These documents must now clearly explain how an individual can make a complaint to the controller, what information should be included in the complaint, and what the expected timelines for resolution are.
2. Template Updates
Response templates for DSARs, rectification requests, and erasure requests must be updated to include the mandatory signposting to the Section 164A complaint right. Failure to include this information could be considered a procedural breach of the UK GDPR.
3. Implementation of Tracking Systems
The statutory requirement to acknowledge complaints within 30 days necessitates a robust logging system. Organizations should implement a centralized dashboard to track the date of receipt, the nature of the complaint, the steps taken during the investigation, and the final outcome communicated to the individual.
4. Cross-Departmental Training
Because a data protection complaint can be raised with anyone from a receptionist to a senior manager, comprehensive training is essential. HR and customer service teams, in particular, must be equipped to recognize the "substance" of a data complaint even when the specific terminology is not used.
5. Vendor and Processor Alignment
Controllers should review their Data Processing Agreements (DPAs) with third-party vendors. If a complaint relates to data handled by an outsourced processor (such as a payroll provider or a cloud storage firm), the controller will need the processor’s full cooperation to investigate and resolve the matter within the statutory timeframes.
Broader Implications and Global Context
The DUAA marks a distinct point of divergence between the UK and the EU. While the EU GDPR encourages internal resolution, it does not mandate a statutory framework as prescriptive as the UK’s Section 164A. International organizations operating in both jurisdictions will now face a bifurcated compliance environment, where UK-based employees have a more structured internal complaint right than their colleagues in the EU.
Ultimately, the Data (Use and Access) Act 2025 seeks to foster a culture of "demonstrable accountability." By forcing organizations to deal with the consequences of their data processing decisions directly, the UK government hopes to improve transparency and trust in the digital economy. For employers, the message is clear: data protection is no longer a silent compliance task, but a public-facing commitment to responsiveness and rigorous internal oversight. Organizations that fail to adapt their processes before the June 19 commencement risk not only regulatory scrutiny from the ICO but also a breakdown in trust with their most valuable asset: their workforce.
