Businesses selling goods or services to customers located within the UK should be aware of a new compliance requirement that may apply to them, irrespective of whether they are established in the UK or elsewhere in the world.
The Data (Use and Access) Act 2025 (DUAA) makes several amendments to the UK’s data protection regime, including inserting a new section 164A into the Data Protection Act 2018, which gives individuals a statutory right to raise data protection complaints directly with a business before escalating them to the Information Commissioner’s Office (ICO).
Previously, businesses were not expressly required to have an internal complaints process. Under the new provision, all businesses must implement an appropriate complaints-handling procedure by 19 June 2026.
Although businesses may have previously handled data protection complaints on an informal basis, from 19 June 2026 they will be required to do the following:
Businesses must clearly inform individuals that they have the right to make a complaint and explain, in simple and easy-to-understand terms, how the complaint process works. This information should also be included in the businesses’ privacy notice.
The way in which businesses implement this is up to them, but they can take one of the following actions:
Within 30 days of receiving a complaint, businesses must confirm receipt of the complaint. This 30-day period begins on the day after receipt and, if the final day falls on a weekend or public holiday, runs until the next working day.
Under the new provision, data controllers are required to "take appropriate steps to respond" to the complaint "without undue delay". This means conducting a reasonable investigation to assess the issues raised. The law does not set a defined time period; the time needed to resolve the complaint will vary depending on its complexity and circumstances.
In addition, complainants must be kept informed about the progress of their complaint throughout the process, particularly where the investigation is likely to take an extended period.
Once a complaint has been examined, businesses must let the complainant know the result as soon as possible, meaning there should be no unjustified or "excessive delay". If the complaint can be reviewed and settled within 30 days, it is acceptable to send a single communication that both acknowledges receipt and communicates the outcome. The explanation of the outcome should set out clearly, and in a structured manner, how the data protection issue has been resolved, including any measures that have been taken.
If the complainant remains dissatisfied with the outcome, you may want to give them more detailed information and further explain how you reached your decision. You should also inform the complainant of their right to escalate to the ICO and provide the ICO’s contact details.
It is important to note that, although the ICO will ask individuals to raise their complaint with the business first, individuals can complain to the ICO at any point before, during or after making a data protection complaint.
We help businesses navigate the complex and rapidly changing world of data protection and AI regulation, building trust and supporting growth. With sanctions and regulatory frameworks continually evolving, we keep a close watch on new rules so our clients do not have to. Where necessary, we also work alongside businesses’ in-house legal teams to highlight the legal changes that matter, adapt internal policies and processes, and ensure ongoing compliance for operations in both the UK and Europe.