Introduction
Individuals already have the ability to submit complaints when they believe an organisation has breached its obligations under data protection law or has otherwise not handled personal data correctly. However, the introduction of the Data (Use and Access) Act 2025 (DUAA) is changing the way organisations are required to handle and respond to data-related complaints in the UK, creating a divergence from the approach in Europe. The Information Commissioner's Office (ICO) has published draft guidance on what these new requirements mean for organisations and how they can begin to prepare for the change.
Who can submit complaints?
Complaints can be made by people who:
- Are unhappy with the response to their subject access request or another information request
- Have been impacted by a personal data breach
- Are not happy with the way their personal information has been used
How to receive complaints
Organisations will be required to provide people with a way to make data protection complaints directly to them.
There are a number of ways complaints can be received depending on the resources available to organisations. In the draft guidance, the ICO provides some examples: electronic form, email, post, over the phone, or through an online portal or live chat function.
The draft guidance also notes that children have the same rights to complain as adults. If a child wishes to complain, organisations must assess the child’s capacity to understand their rights. Organisations should ensure they have mechanisms in place to allow children to make complaints, ways to let children indicate whether their complaint is urgent, and procedures to take swift action if advised of an ongoing safeguarding concern.
Creating a complaints procedure
To increase transparency, the ICO advises organisations to create a written complaints procedure that is published on their websites. These procedures should use clear language explaining how people can make complaints, the timeframe in which they can expect a response, and an overview of the process.
Further considerations should include whether there are additional legal frameworks to comply with, whether there are effective record-keeping systems in place, and any additional training staff may require.
Receiving a complaint
The ICO’s guidance also highlights the steps that should be taken once a complaint is received. First, organisations must acknowledge the complaint within 30 days of receipt. This response can be tailored depending on how the complaint was submitted. For example, if a complaint is received through an online portal, acknowledgement could be sent automatically.
Regardless of how a complaint is submitted, it is beneficial for organisations to record when complaints are received and to update that record as the investigation progresses, so that timelines are adhered to.
Investigating a complaint
Upon receipt of a complaint, organisations must investigate without undue delay. The ICO clarifies in the draft guidance that this means as soon as possible. Organisations must also be able to show that they made the appropriate level of inquiries when handling the complaint. This can include:
- Investigating the relevant facts
- Speaking with relevant members of staff
- Comparing the information on file with the complaint
- Referring to the organisation’s terms, policies and standards
If more information is required, this should be requested from the complainant without delay. It may also be helpful to ask for a preferred outcome to help reduce the scope of the investigation. The data subject must be kept informed as the investigation progresses, and when a decision is reached, they must be told the outcome as soon as possible. It is important that this is relayed in clear language. If a complainant is unhappy with the outcome, they should be made aware that they can complain directly to the ICO.
Summary
Organisations should begin preparing for the changes to complaints requirements by:
- Considering how complaints will be accepted and received from individuals
- Preparing written data complaints processes that comply with the requirements of the DUAA and its timescales
- Carrying out staff training and implementing internal processes
Taking these steps now will help ensure organisations are ready to meet the new legal requirements efficiently and effectively.
This article was co-authored by Eve Gunson, Trainee Solicitor in MFMac's Commercial team.