Data (Use and Access) Act 2025: new statutory rules on handling data protection complaints from 19th June 2026
Background and scope
The Data (Use and Access) Act 2025 ("DUAA") received Royal Assent on 19th June 2025 and its requirements are now being phased in.
New rules relating to the handling of data protection complaints are due to come into force on 19th June 2026. The new rules will apply to controllers only, and cover complaints by individuals relating to alleged failures to comply with the UK GDPR or with Part 3 of the Data Protection Act 2018.
The Information Commissioner’s Office (“ICO”) has set out guidance on the new requirements.
Some of the key rules are summarised below.
Processes
Controllers must have clear and effective processes in place for handling data protection complaints from individuals, including a means for people to complain directly to the controller. Complaints must be accepted regardless of how they are submitted, including via social media. Controllers must ensure individuals are informed of their right to complain in privacy notices and when responding to requests to exercise data protection rights.
Timelines
Once a complaint is received, the controller must acknowledge it within 30 days. The statutory clock begins on the day after receipt, including where the complaint is received on a weekend or public holiday. The organisation must begin enquiring into the complaint without undue delay and must carry out an investigation that is reasonable and proportionate to the nature and complexity of the issues raised, and the impact on the individual.
Where an investigation is ongoing, the complainant must be kept informed of progress and any anticipated delays. The outcome of the complaint must be provided without undue delay, and cannot be withheld pending resolution of a wider complaint covering other matters.
Third party requests
In the case of complaints submitted by third parties on behalf of data subjects, organisations must verify that the third party is authorised to act before investigating the complaint. Where complaints involve children, organisations must assess whether the child has sufficient competence to exercise their rights and should ensure that communications directed to children are provided in clear, age‑appropriate language. Organisations in scope of the ICO Children’s Code should also ensure that they are familiar with the complaints-handling requirements set out in that document.
Practical steps for organisations
- Internal procedures and training: While there is no requirement to publish a data protection complaints policy, many organisations will need written internal procedures, supported by staff training, to ensure they can comply with the new rules.
- Privacy notices: Update privacy notices to clearly explain individuals’ right to complain to the organisation.
- Complaint records: Keep records of when complaints are received, how and when they are acknowledged, the steps taken during the investigation, and the final outcome (the ICO can request these records).
- Record-keeping system: Check that you have a clearly organised and labelled record‑keeping system in place so you can quickly locate the information needed to investigate complaints.
- Processor/joint controller arrangements: Consider whether arrangements with processors and joint controllers support the new regime, particularly where complaints may need to be escalated or investigated collaboratively.
How we can help
We have produced a detailed flyer on the new data protection complaints requirements, and associated ICO guidance. Please contact us if you would like to receive a copy, or if you need advice on these upcoming rules.
Article co-authored by Zahra Mahmood.