
The Data (Use and Access) Act 2025 and individuals' new right to complain to controllers: what organisations need to do before 19 June 2026

2026-06-02 Squire Patton Boggs (翰宇国际律师事务所) Marco.M

What organisations need to do before 19 June 2026

June 1, 2026

The UK’s data protection framework continues to evolve following the enactment of the Data (Use and Access) Act 2025 (DUAA). One of the more operationally significant developments for organisations is the introduction of a new statutory right for individuals to complain to

The relevant provisions will apply from 19 June 2026, pursuant to the Data (Use and Access) Act 2025 (Commencement No. 6) Regulations 2026. On or before that date, organisations subject to the UK GDPR will need to update their privacy

• Acknowledge complaints within 30 days of receipt
• Take “appropriate steps” to investigate complaints (including making enquiries into their subject matter)
• Keep complainants informed about the progress and

Although individuals will retain their right to complain directly to the Information Commissioner’s Office (which will become the “Information Commission” under other changes introduced by the DUAA) (ICO), the reforms are designed to ease the ICO’s related regulatory burden and therefore to encourage

• Inform individuals of their right to complain in their privacy
• Maintain appropriate records relating to complaints and

The ICO has also published guidance explaining that organisations should treat complaints handling as part of their broader accountability obligations and ensure

These new obligations represent a significant formalisation and strengthening of regulatory expectations. In practice, complaints handling will become a more visible and auditable

Importantly, the concept of a “data protection complaint” is broad. According to the ICO, complaints may arise in relation to any alleged infringement of the UK GDPR, including concerns relating to subject access requests, direct marketing, retention practices, transparency obligations,

What is changing?

The new right to complain and related complaints handling requirements are introduced through the new section 164A of

The reforms also introduce related changes to transparency and individual rights request response requirements under

The new right allows individuals to make a complaint to a controller if they consider that the controller has infringed the UK GDPR when processing their personal data. Broadly, the

In particular, Article 12(4) of the UK GDPR now requires controllers, where they do not take action on a request made by a data subject (such as a rectification, erasure or restriction request), to inform the individual not only of their right to complain to the ICO under section 165 of the

• Provide at least one accessible way through which individuals can submit data protection complaints (for

Articles 15(1)(ea) and (f) of the UK GDPR require controllers, as part of the information provided in response to a subject

These amendments are operationally significant because they require organisations not only to maintain a compliant complaints process, but also to ensure that complaints information and signposting are properly embedded

Organisations should also put together, or review existing templates used in response to data subject rights requests

In addition, the new section 164B of the DPA 2018 gives the secretary of state the power to introduce regulations requiring controllers to provide the ICO with information about the number of complaints received over a certain period. Although no such reporting regime has yet been

2. Establish a formal complaints handling process

Organisations should implement a documented process for managing data protection complaints from intake through to

Why this matters

This should include:

Many organisations already manage privacy-related complaints through existing customer service, legal or other compliance functions. However, the new regime introduces

• Mechanisms for receiving complaints through appropriate
• Procedures for identifying and classifying complaints
• Escalation pathways for high-risk or complex matters
• Investigation and response procedures

The ICO’s guidance makes clear that organisations should have documented processes in place, train relevant staff

• Record-keeping requirements
• Oversight and governance arrangements

The reforms are therefore likely to require organisations to move away from informal or fragmented approaches to complaints handling. Complaints processes will need to be

The ICO recommends ensuring that complaints are easy to submit, and that organisations can recognise complaints even where individuals do not use formal terminology or expressly refer to “data protection” concerns. Controllers should also recognise that, as with other requests from individuals to

What should organisations do now?

With the commencement date approaching, organisations should assess whether their existing privacy governance

Examples provided by the ICO include:

In particular, organisations that are subject to the UK GDPR and processing personal data as controllers should consider

• Providing a complaint form that individuals can submit to the contro