24 Jul 2025

A new statutory “right to complain” under data protection law

Privacy and data protection law took a step forward on 19 June 2025, when the Data (Use and Access) Act 2025 (DUAA) received royal assent.  

Some of the new Act’s provisions effectively codify on a statutory basis principles which are now relatively settled concepts under guidance issued by the Information Commissioner’s Office (“ICO”) and the Courts as they have interpreted the UK General Data Protection Regulation (“UK GDPR”) and its legislative sibling, the Data Protection Act 2018 (“DPA 2018”). However, there are some important changes which data controllers - being any organisation or entity which processes personal data (so, in reality, any organisation or entity) - need to prepare for. 

One such important change is the introduction by the DUAA of a new (formal) right to complain for data subjects who are concerned that their rights under the UK GDPR (and certain aspects of the DPA) have been infringed. The precise date when the new right will come into force will be confirmed in as yet unpublished regulations, but is expected in the 2-12 month period following Royal Assent. While the right could potentially extend to a range of matters, in reality we suspect many complaints will arise from an organisation’s response to a data subject access request.

Currently, dissatisfied data subjects can route their concerns directly to the ICO, which has a statutory remit to investigate and adjudicate on whether the data controller has complied with data protection law. That will change under the DUAA when a new section 164A of the DPA 2018 takes effect. Individuals will then need first to lodge a complaint with the data controller. Only after the controller responds to the complaint can they escalate it to the ICO (or more precisely, the “Information Commission”, which will replace the office of the Information Commissioner under the DUAA).

What does this mean in practice for organisations? 

For now, we strongly recommend you consider what processes you have in place for dealing with complaints, and how they align with the specific new requirements under the DUAA. For example:

  • Complaints by data subjects need to be acknowledged within 30 days.
  • “Appropriate steps” to investigate the complaint must be taken “without undue delay”. The DUAA confirms that appropriate steps include “making enquiries into the subject matter of the complaint, to the extent appropriate” and “informing the complainant about progress on the complaint.”
  • Once the investigation has concluded, the complainant should be informed of the outcome.

More specifically, new section 164A of the DPA 2018 confirms that “A controller must facilitate the making of complaints under this section by taking steps such as providing a complaint form which can be completed electronically and by other means”.

Internal complaints procedures on these broad lines will be familiar to organisations deemed to be public authorities subject to the Freedom of Information Act (“FOIA”) and/or the Environmental Information Regulations 2004 (“EIR”), which have been subject to similar requirements to undertake “internal reviews” of their initial handling of requests for information for some time - although the timescales for concluding the new complaints regime under the DPA are (on its face) more generous than the (non-statutory) expectations of the ICO under the FOIA/EIR. 

However, for other organisations, this will be entirely new territory and is likely to involve some thinking through of the appropriate resourcing, training and possible governance considerations of the new procedure which they will need to put into place.  

Although the new right to complain represents an additional layer of administrative burden for controllers, it is possible that an effective process will weed out legitimate concerns before they are referred to the ICO - a process which some controllers feel uncomfortable about, in terms of being under the direct lens of the regulator. From the complainant’s perspective, the further stage may equally be a source of frustration in terms of potentially delaying an ultimate ICO outcome – and thus any disclosure, for example, that they wish to pursue. 

All in all, careful consideration of how organisations are going to operate the process is imperative - not least given that the DUAA also enables the Secretary of State to introduce regulations requiring controllers to notify the ICO of the number of complaints made under the new mechanisms. 

Please do contact us if you need assistance in preparing for the new complaints scheme taking effect.
