At a Glance
- The UK Government recently passed secondary legislation to bring almost all the remaining provisions of the Data (Use and Access) Act 2025 (DUAA) into force.
- The UK’s Information Commissioner's Office (ICO) has also published guidance on the new right for data subjects to complain to data controllers about infringements of the GDPR or DPA.
- As set out in our previous alert, the DUAA amends the UK General Data Protection Regulation (UK GDPR) and aims to ease the compliance burden for UK businesses and encourage scientific research and innovation. While the UK cannot depart significantly from the GDPR without losing its adequacy status for international data transfers, the DUAA’s changes introduce some welcome flexibility but also additional complications for businesses wishing to standardise their approach across all of their European operations.
Measures Newly in Force
From 5 February, the following provisions of the DUAA are in force:
- The definition of “scientific research” in the UK GDPR is broadened to include certain commercial activities, alongside changes to rules around consent and purpose limitation to ease the administrative burden for organisations undertaking scientific research in the UK.
- Relaxed rules for automated decision-making (ADM) involving non-sensitive data.
- Increased fines for breaches of the electronic marketing rules under the UK Privacy and Electronic Communications Regulations (PECR) (maximum £17.5 million or 4% of global annual turnover, whichever is higher), with additional enforcement powers for the ICO in relation to PECR.
- Relaxed rules for cookie consent, which is no longer required for cookies (or similar technologies) considered to be of low privacy risk.
- A new list of “recognised legitimate interests”, each of which provides a lawful basis for processing personal data under the UK GDPR without the need for a full legitimate interests assessment.
- The international transfers regime under the UK GDPR now requires controllers and the UK government to undertake a new “data protection test”, under which the standard of data protection in the destination must not be “materially lower” than that available in the UK (rather than the “essentially equivalent” standard previously set for transfer impact assessments).
- Further clarifications are provided relating to data subject access requests.
Right to Complain
The new “right to complain” to data controllers will come into force on 19 June 2026.
The right to complain requires that controllers:
- Facilitate complaints (e.g., provide a dedicated portal or email address, and a complaints form).
- Acknowledge complaints within 30 days.
- Respond to complaints in full “without undue delay”.
- Keep complainants informed of progress and outcomes regarding their complaints.
Data subjects can complain about how data controllers have handled their personal information (or the personal information of someone on whose behalf they are acting). This could include complaints relating to the handling of requests for information, the security measures used for data implicated in a data breach, or more broadly how an organisation has collected or used their personal information.
ICO Guidance
The ICO recently published guidance on what data controllers can do to ensure compliance, and it sets out the measures that businesses should consider implementing, including:
- Setting up or adapting a formal complaints process for submitting data protection complaints (e.g., a specific complaint form, online complaints portal, or chat function). This includes consideration of how to accept complaints through alternative means such as social media, how to verify the identity of complainants, and how to handle specific categories of complainants, such as children. There is an active requirement for controllers to provide a specific means for submitting complaints, so it will not be sufficient to merely passively accept complaints however they are made.
- Drafting standalone policies (or updating existing policies) to cover the new complaints process and informing data subjects about this right (e.g., how complaints are submitted, timelines, steps for investigation, and communication of outcomes).
- Conducting a gap analysis of existing complaints and Data Subject Access Request (DSAR) policies and integrating complaints handling processes to avoid duplication and mitigate risks of prejudice in respect of responses to either data protection complaints or DSARs.
- Training staff on the new requirements and policies, and allocating responsibility for management and oversight.
- Reviewing records management practices to meet the required standard of response to a complaint while continuing to meet general records management requirements under the GDPR. This includes recording, analysing, and responding to the outcomes of complaints investigations to show that lessons are learned and procedures are updated to the extent required.
- Reviewing contractual arrangements with joint controllers and/or processors to ensure requirements (including timelines) can be met.
Practical Impact
This new right gives more power to data subjects and may lead to higher overall volumes of complaints and scrutiny of practices, and ultimately increased litigation. There is a particular risk in the employment context that this may be used as a delaying or information-gathering tactic, as has frequently been the case with the use of DSARs as a pre-litigation tool.
There is some uncertainty about the standard of disclosure and where the bar will be set in practice. Given the broader range of issues to which a complaint may relate, this is likely to require significantly greater volumes of disclosure than is currently the case.
There will also likely be greater disruption in the event of a data breach. Controllers will be required to manage both regulatory notifications and submissions, and simultaneously engage directly with individual data subjects who have made complaints.
Next Steps
Now that the bulk of the DUAA’s changes are in place, businesses should, to the extent they have not already done so:
- Review and update internal policies and published privacy notices.
- Refresh the approach to international data transfers, including making use of the ICO’s new guidance on conducting Data Protection Tests (formerly known as transfer risk assessments) when considering the standards of data protection in destination jurisdictions.
- Review marketing strategies to account for changes to PECR.
- Consider whether there are opportunities to change how personal data are processed by the organisation due to changes in the rules around ADM and recognised legitimate interests, including use in AI systems.
- Review supplier contracts to ensure that provisions such as the requirement to provide “meaningful information” to data subjects about the operation of ADM systems in use can be complied with.
- Start preparing the groundwork ahead of the new right to complain coming into force on 19 June.