A New Statutory “Right to Complain” Under Data Protection Law

This article from author Emma Tuck (Mills & Reeve) discusses the UK’s new Data (Use and Access) Act 2025 (DUAA), which received royal assent on 19 June 2025. While some provisions simply codify existing principles from ICO guidance and case law interpreting the UK GDPR and Data Protection Act 2018 (DPA), the Act introduces notable changes that will affect almost all organisations processing personal data. One of the most significant is a new statutory right for individuals to formally complain if they believe their data protection rights have been infringed.

Under the DUAA’s new section 164A of the DPA 2018, individuals will first need to lodge their complaint directly with the data controller before escalating it to the ICO—soon to be renamed the “Information Commission.” This marks a shift from the current approach, where concerns can be taken straight to the regulator. The new process is expected to come into force between two and twelve months after Royal Assent, with many complaints anticipated to arise from disputes over data subject access requests.

For organisations, the change means implementing or adapting internal complaints procedures to meet the DUAA’s requirements. Controllers will need to acknowledge complaints within 30 days, investigate without undue delay, keep complainants updated, and communicate outcomes clearly. They must also make it easy to file complaints, for example by providing accessible online and offline forms. While public authorities familiar with FOIA or EIR review processes may adapt easily, private sector organisations may need to invest in new training, resources, and governance structures to meet these obligations…

CONTINUE READING…