New obligations for organisations: Introducing a complaints process under the DUAA

Under the current UK data protection framework, individuals who believe their personal data has been mishandled have typically had one route for redress: submitting a complaint directly to the Information Commissioner’s Office (ICO).

However, the Data (Use and Access) Act 2025 (DUA Act) introduces a significant change. Section 103 of the DUA Act amends the Data Protection Act 2018 to insert a new requirement: data subjects must now first raise their complaint with the data controller (i.e. the organisation handling their personal data) before escalating it to the ICO.

What does this mean for organisations?

Organisations are now legally required to implement a formal complaints process for handling data protection concerns. This includes:

  • providing accessible means for individuals to submit complaints (e.g. an electronic form);
  • acknowledging receipt of complaints within 30 days;
  • taking appropriate steps to investigate and respond to complaints without ‘undue delay’;
  • keeping complainants informed of progress and outcomes.

In addition, the Secretary of State may introduce regulations requiring organisations to report the number of complaints received to the ICO. 

Why does this matter?

This change aligns with broader principles of transparency in data protection legislation. It encourages organisations to resolve issues proactively and directly, enhancing accountability and improving trust and engagement with data subjects. It may also have the corollary benefit of reducing the number of direct complaints received by the ICO.

While the DUA Act received Royal Assent on 19 June 2025, the commencement date for Section 103 is yet to be confirmed. Organisations should begin preparing for compliance, but should also monitor updates from the ICO and DSIT for formal implementation timelines and any accompanying guidance.

Next steps for organisations

  • Review and update internal policies to include a clear data protection complaints procedure.
  • Train staff on how to handle complaints in line with the new requirements.
  • Ensure systems are in place to track, respond to, and report on complaints.

Whilst some may see this as a pragmatic step to reduce the pressure on the ICO from data subjects’ complaints, arguably this is a proactive step towards a more responsive and responsible data protection culture. It enables organisations to demonstrate good practice in line with the data protection principles and to improve any areas through local feedback and accountability.
