
A compliant complaints mechanism reduces regulatory risk and protects brand reputation, while ensuring individuals can exercise their data rights before escalation to the ICO.
The Data (Use and Access) Act 2025 reshapes the UK data‑protection landscape by layering new obligations onto the UK GDPR, DPA 2018 and PECR. Its design balances innovation with stronger individual rights, introducing recognised legitimate interests, tighter automated‑decision‑making safeguards and higher ICO fines. While most reforms took effect on 5 February 2026, the legislation’s full impact will unfold as organisations adapt to the expanded enforcement toolkit and the upcoming compliance milestones.
Section 103 creates a statutory complaints‑procedure requirement that must be operational by 19 June 2026. The process must be universally accessible, acknowledge complaints within 30 days and aim to resolve them within three months, providing clear updates and a plain‑language decision. Practical steps include drafting a written policy, establishing multiple submission channels, preparing template communications, and aligning the complaints workflow with existing DSAR handling to avoid duplicated effort. Staff training and a central log are essential for consistent execution and senior‑level reporting.
Strategically, the mandatory complaints framework signals a shift toward proactive regulator‑consumer interaction. Early compliance not only mitigates the risk of ICO penalties—potentially up to £17.5 million or 4 % of global turnover—but also reinforces trust in data‑driven services. As the ICO finalises its guidance in winter 2025/26, organisations should monitor updates closely and embed flexibility into their processes. Embedding a robust complaints mechanism now positions firms to navigate future data‑governance reforms and maintain competitive advantage in a privacy‑focused market.