
The Data (Use and Access) Act 2025: Preparing for the new Data Protection Complaints Handling Rules (Part 3)


Following on from our earlier briefings on the Data (Use and Access) Act 2025 (“DUAA”) (see here and here), this article forms Part 3 of an ongoing series from Burges Salmon’s Commercial & Technology team as the DUAA’s phased provisions come into force. See Part 1 for the key implications of DUAA on international transfers and Part 2 for the new rules around automated decision making.

This article outlines the new requirements for handling data subject complaints under DUAA and sets out the practical steps organisations should be taking now to prepare for these upcoming obligations. 

New data protection complaints handling rules

The DUAA introduces a new statutory right for data subjects to complain directly to controllers. This will require organisations to implement a formal data protection complaints procedure by 19 June 2026 (when the new rules take effect via secondary legislation). The key requirements include:

  • providing accessible means for individuals to submit complaints;
  • acknowledging complaints within 30 days of receipt;
  • taking appropriate steps to investigate and respond to complaints ‘without undue delay’;
  • keeping data subjects informed of the progress and outcome of their complaint.

The ICO published guidance last month on how organisations should handle data protection complaints in accordance with the new rules, which we have summarised below. The guidance takes the approach of distinguishing between mandatory legal requirements ('must'), recommended good practice ('should'), and optional steps ('could') to help organisations understand what compliance looks like in practice. 

What is a ‘data protection complaint’?

A data protection complaint is broad and includes any expression of dissatisfaction from an individual about how their personal data has been collected, used, stored, shared, or otherwise processed. 

The expression does not have to use legal terms or quote sections of legislation to count as a data protection complaint. The ICO guidance gives examples, including:

  • the way you have responded to someone’s subject access request (SAR), or other rights request;
  • the security measures you have used to store someone’s information (e.g. someone who has been impacted by a data breach, regardless of whether it is reportable to the ICO); or
  • how you have collected or used someone’s personal information (e.g. where you have stored it, how long you have kept it for, or its accuracy).

What is not a “data protection complaint”?

It will not be a data protection complaint for these purposes if someone is complaining about the services an organisation is offering or another matter while exercising their data protection rights. 

The ICO gives examples of where this might arise. For example:

  • a person may acknowledge you responded to their subject access request on time, but express dissatisfaction that you did not expedite it;
  • an employee may raise a grievance issue, and also request copies of their personal information; or
  • a person may complain about a customer service issue, and also request that you delete their information.

How should organisations prepare for receiving complaints?

Organisations must inform individuals of their right to complain directly to the organisation, as well as to the ICO, when their personal data is collected.  The usual place to highlight this is within the privacy notice provided when an individual’s personal data is first collected, and in any subject access request response letters. The ICO guidance also recommends having a written complaints procedure in place and making this available to individuals (i.e. on a website), but this is not a mandatory requirement. 

Organisations must give people a way to make a complaint directly to the organisation, and it is for the organisation to determine the method(s) for receiving complaints. The ICO suggests various methods of achieving this such as a complaint form, a designated email address or live chat function. Individuals may make a complaint through social media where you have an online presence. It is therefore important to consider how these complaints will be identified and managed. The ICO’s guidance is clear that you should ask for an alternative contact method since social media is not a secure way of providing information.

In practice, many organisations will have pre-existing complaints processes in place already and the data subject complaints process can be integrated into existing frameworks rather than managed through a standalone process. 

It is also important to recognise that individuals may complain through any channel, whether or not it forms part of your preferred or published procedure. All staff who may receive complaints should therefore be trained to recognise them and know where to escalate internally. Internal policies and training materials should be updated to reflect the new complaints rules and the mandatory response timeframes outlined above.

What do organisations need to do when they receive a complaint?

Organisations must acknowledge complaints within 30 days of receipt. The clock starts the day after the complaint is received regardless of what day of the week this is. 

When it comes to the deadline for the response, the ICO clarifies that if the deadline to respond falls on a weekend or public holiday, then you have until the next working day to provide the acknowledgement.

Organisations must then investigate and respond to the complaint “without undue delay”. This will broadly involve:

  • gathering the information needed to investigate the complaint;
  • making enquiries into the complaint;
  • keeping the individual informed of the progress being made; and
  • keeping a record of the complaint, the acknowledgement, the investigation, the outcome and any actions taken because of the investigation.

When communicating the outcome, the ICO guidance provides that organisations should:

  • clearly explain what steps have been taken to resolve the complaint and any actions taken;
  • explain why the organisation considers it has complied with applicable data protection laws; and
  • inform the individual of their right to complain to the ICO and provide the ICO’s contact details.

What practical steps should organisations be taking now?

With the new requirements taking effect on 19 June 2026, organisations should consider the following steps to ensure compliance with the new requirements:

  • updating privacy notices and subject access request template responses to make clear that individuals have a right to complain directly to the organisation;
  • implementing a formal complaints handling process for complaints to be received (or integrating this into any existing complaints handling process) to ensure that complaints can be handled in line with the new requirements and statutory timeframes;
  • updating internal policies and training staff so they can recognise a data protection complaint, know where to escalate it internally, and understand the statutory timeframes that apply;
  • developing a system for requesting further information, making clear when supporting documentation (such as reference numbers or ID evidence) may be required;
  • maintaining clear records of all complaints received, the steps taken during the investigation, and the final outcome, to demonstrate compliance;
  • reviewing contractual arrangements with processors to ensure they include appropriate provisions requiring timely notification of complaints and the co-operation needed to enable the organisation to investigate and respond to complaints.

For queries or advice on the content of this article, please contact Hamish Corner, Lucy Pegler, Amanda Leiu or a member of Burges Salmon's Commercial & Technology team.

This article was written by Jess Mant and Amanda Leiu. 
