The main changes to the UK data protection regime made by the Data (Use and Access) Act 2025 (DUA Act) came into force on Thursday 5th February 2026. One key provision though is due to commence on 19th June 2026; the requirement for Data Controllers to have a complaints procedure to handle data protection complaints.
A new section 164A into the Data Protection Act 2018 requires Data Controllers to:
- give Data Subjects a way of making data protection complaints;
- acknowledge receipt of complaints within 30 days of receiving them;
- without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep Data Subjects informed; and
- without undue delay, tell Data Subjects the outcome of their complaints
Following a consultation, which closed in October last year, the ICO has published its guidance explaining the new requirements and informing Data Controllers of what they must, should and could do to comply.
Data protection expert, and guest on the first Guardians of Data podcast, Jon Baines writes on his personal blog that in declining to suggest how long controllers should normally take to respond to data subject complaints, the ICO has missed an opportunity to provide regulatory clarity.
Listen to the Guardians of Data Podcast for the latest news and views on developments in GDPR, AI, cyber security and FOI.
If you are looking to implement the changes made by the DUA Act to the UK data protection regime, consider our very popular half day workshop.
The newly updated UK GDPR Handbook (2nd edition) includes all amendments introduced by the DUA Act, with colour-coded changes for easy navigation and links to relevant recitals, ICO guidance, and caselaw that help make sense of the reforms in context. We have included relevant provisions of the amended DPA 2018 to support a deeper understanding of how the laws interact.
