The Data Use and Access Act 2025: A new 'right to complain'
23 February 2026 | Applicable law: England and Wales
UK data protection law is set to introduce a new statutory right for individuals to complain directly to organisations about how their personal data is handled. This change, introduced under the Data Use and Access Act 2025, will apply to all organisations acting as data controllers under the UK GDPR, with no exemptions.
For organisations, this is more than a procedural adjustment. It represents a shift in how data protection concerns are expected to be raised, handled and resolved, and is likely to result in a significant increase in the volume of complaints received directly by organisations.
While the changes will take effect from 19 June 2026, the Information Commissioner’s Office ('ICO') has already published new guidance 'How to deal with data protection complaints' (on 12 February 2026) and confirmed that 'even before these requirements are in force, we think that what’s set out in this guidance represents good practice'.
Understanding what this new right involves, and preparing for it now, will be key to managing risk, maintaining trust and avoiding regulatory escalation and possible reputational damage.
Who does this apply to?
The new right applies to all organisations acting as data controllers under the UK GDPR. There are no carve outs or exemptions; all data controllers will be required to have a process in place for dealing with data protection complaints.
What is the new right?
Individuals will have a statutory right to complain directly to an organisation about alleged infringements of data protection law relating to their personal data. This could include, for example, the handling of subject access requests and data breaches. Importantly, individuals will generally be expected to raise their complaint with the organisation first before escalating the issue to the ICO.
In practice, this likely means that complaints will be raised earlier and more frequently, and that a broader range of communications will be framed as data protection complaints, even when they are not labelled as such. It will also place greater scrutiny on how organisations identify, investigate and respond to complaints internally.
What will organisations need to do?
Organisations will be under a positive obligation to facilitate and manage data protection complaints. Specifically, they must:
- Give individuals a way of making data protection complaints to the organisation;
- Acknowledge complaints within 30 days of receipt;
- Take appropriate steps to respond without undue delay (which means without an unjustifiable or excessive delay) including making enquiries and keeping the complainant informed; and
- Inform the complainant of the outcome without undue delay.
Why this matters for employers and organisations
In practice, many data protection issues arise in everyday interactions, such as HR queries, grievance processes, subject access requests, or informal correspondence from employees or customers. Under the new regime, organisations will need to be alert to whether a particular communication amounts to a data protection complaint, a data subject access request (DSAR), or potentially both.
Clear internal ownership will be essential. Staff members will need to know who is responsible for investigating complaints, who manages communications with the complainant, and how statutory timeframes are monitored and met. Failure to identify and handle complaints correctly could increase the risk of escalation to the ICO, regulatory scrutiny, and reputational damage.
What should organisations be doing now?
Now is a good time for organisations to review and refresh their privacy notices, terms and conditions, data protection policies and 'your rights' sections to ensure that they reflect the new right to complain. Subject access request response templates should also be updated to make clear that individuals have the right to complain directly to the organisation as controller, as well as the right to escalate concerns to the ICO.
Training will be essential as complaints can be made to anyone at the organisation or via social media. Staff should be supported to recognise what a data protection complaint might look like in practice – particularly when it is not labelled as such – and to understand how and when issues should be escalated internally. Organisations will also need to think carefully about internal ownership. Clear responsibility should be assigned for investigating complaints, managing communications with complainants and ensuring statutory timeframes are met.
Practical processes should be put in place to support this, including preparing template responses for acknowledgements, interim updates and outcome letters, and maintaining a central log of complaints. Where organisations work with data processors, those arrangements should also be reviewed to ensure processors understand how complaints should be handled and reported, and that lines of responsibility are clear.
Taking these steps now will help organisations respond consistently and confidently when the new right comes into force. It could also avoid complaints to the ICO, which can be time-consuming and carry reputational risk.
How we can help
We regularly support employers and organisations with data protection compliance and dispute management. We can assist with:
- reviewing and revising your policies, privacy notices, complaints procedures and terms and conditions, including gap analysis against the new obligations;
- drafting data protection complaints procedures and template documentation to help streamline the process;
- training staff to identify and escalate complaints, and supporting HR and legal teams with investigations and responses; and
- reviewing processor/joint controller arrangements to ensure responsibilities and reporting lines are clear and compliant.