Thu 24 Jul 2025

Changes Coming: New Data Complaints Processes and Enhanced Scrutiny under the Data (Use and Access) Act 2025

New rules under the Data (Use and Access) Act 2025 will require stronger internal complaint-handling processes and introduce tougher ICO investigatory powers.


One of the most significant changes for organisations under the Data (Use and Access) Act 2025 ("DUAA") relates to the complaints handling obligations which will be placed on data controllers and expanded investigatory powers given to the Information Commissioner's Office ("ICO"). Here, we summarise the key changes which organisations should be aware of. 

We await the definitive date on which these provisions will become enforceable law; however, the ICO's guidance suggests that the DUAA will come into force over the next 12 months.

1. Mandatory Data Complaint-Handling Processes

Under the DUAA, organisations which are handling personal data as data controllers will need to implement effective internal data complaint mechanisms. This includes simplifying the process of making complaints, such as providing simple, electronic forms and alternative channels for submitting complaints. 

There will also be an obligation for businesses to acknowledge complaints within 30 days of receipt and to resolve them "without undue delay". Appropriate steps must be taken in responding to the complaint (including making appropriate enquiries and providing updates on progress) and the complainant must be informed of the outcome.

These processes must be followed before complaints are made to the ICO, which means that there will likely now be greater scrutiny of organisations who do not have adequate data governance processes in place in the event of any complaint to the ICO. Complaints to the ICO will also continue to be easy and free-of-charge, increasing the likely burden on data controllers to ensure that they are managing complaints in a fair and transparent manner.

2. Expanded Investigatory Powers of the Regulator

Data controllers could also be required to notify the ICO of the number of complaints received. It is therefore more important than ever that data controllers proactively review and strengthen their data governance frameworks to help minimise the number of complaints they receive. High numbers of complaints could encourage the Regulator to investigate an organisation's practices further.
 
Under the DUAA, the ICO will have increased powers and will be able to issue:

  • Information notices requiring documents from data controllers.
  • Assessment notices compelling data controllers to commission and pay for forensic reports.
  • Interview notices requiring named individuals to attend; non-compliance can increase penalties or lead to prosecution.

The ICO's penalty timelines have also been tightened: a final penalty notice must be issued within six months of the notice of intent, or as soon as reasonably practicable afterwards. The ICO must also notify the organisation if it decides not to impose a penalty.

3. New Transparency and Oversight Obligations

The ICO will be significantly restructured, and the regulator will become the Information Commission rather than the ICO. Data controllers will therefore need to ensure that all documentation reflects this change.

On 30 June 2025, the ICO announced Paul Arnold will be the first CEO of the future Information Commission. 

Other changes to the Information Commission should be fairly invisible to businesses, but there will be additional obligations on the ICO to publish:

  • Annual reports including KPIs, the nature of complaints/investigations, case durations, and powers used; and
  • Details of enforcement actions taken.

Next steps 

To help navigate these upcoming changes, organisations should take proactive steps to ensure they are fully prepared. These include:

  • Reviewing and updating existing complaints processes, privacy notices, policies and templates to reflect the changes.
  • Implementing a new complaints protocol to align with the new regime.
  • Updating training modules and providing up-to-date training to staff on the changes, particularly in terms of how to recognise and escalate complaints.
  • Preparing for potentially deeper ICO investigations, including auditing processes and procedures, designating technical leads and considering whether budget needs to be set aside for any commissioned reports the ICO may require.
  • Reviewing and auditing current data governance practices, and remediating any gaps in compliance. 

Please do not hesitate to get in touch with our Data Protection team if you would like more information on how we can help in these areas. 


Morton Fraser MacRoberts LLP will use the information you provide to contact you about your inquiry. The information is confidential. For more information on our privacy practices please see our Privacy Notice