Top tips for handling data protection complaints as introduced by Data (Use and Access) Act 2025
- Privacy Protect Group Ltd.
- Jun 23
- 5 min read
Updated: Jul 23
The Data (Use and Access) Act 2025 (DUAA 2025) (1) mandates that all organisations implement a formal complaints handling process. This requirement applies to both the general processing undertaken under the UK General Data Protection Regulation (UK GDPR) (2) and law enforcement processing undertaken under Part 2 of the Data Protection Act 2018 (DPA 2018) (3). The complaints process must be clearly documented, offering users a simple, effective way to raise concerns. Failure to comply could not only lead to legal repercussions but may also erode trust in your organisation.
The DUAA 2025 underscores the importance of integrating data protection complaints into your broader customer service framework. It’s not just about being compliant; it’s about actively creating accessible, user-friendly routes for individuals to express their concerns. Handling data protection complaints effectively and transparently can go a long way in fostering trust and demonstrating your commitment to privacy.
Here are a few tips to help you get started on your compliance journey:
1. Define what counts as a data protection complaint. You should specify what a complaint is. Broadly, under data protection legislation, a complaint is any dissatisfaction about how you process (collect, access, use, share or store etc.) someone’s personal data, including responses to information-rights requests.
2. Offer multiple easy channels to submit a complaint. Under Section 164A(2) of the Data Protection Act 2018 (DPA 2018) (3), you must facilitate the making of these complaints by providing a form which can be completed electronically and by other means. You should therefore consider making the following channels available for complaints:
- An online complaint form;
- A dedicated complaints email address, for complaints emailed in or for electronic copies of the complaint form to be sent to;
- A postal address for written submissions or for completed offline complaint forms;
- A telephone hotline for verbal complaints.
You should be consistent in what information is captured through every channel. Your procedures could rely on the same form being completed across channels, or on your teams following templates and scripts. It is a good idea to ensure every channel clearly asks for: name, contact details, a description of the issue, and any evidence.
3. Verify Complainant Identity Quickly. If in doubt as to whether the complainant is who they say they are, in the interest of preventing unauthorised disclosure you should pause and confirm entitlement before investigating. You should determine the level of ID verification required. It’s a good idea to do this based on the sensitivity of the matter, and whether the complaint is being made on behalf of the data subject. For example, you could set your standard for data subjects as accepting passports or driving licences, and for authorised third-party representatives, additionally asking for proof of the data subject’s valid consent.
4. Acknowledge receipt within 30 days. As per Section 164A(3) of DPA 2018, you must send a formal acknowledgement within 30 calendar days of receiving a complaint.
5. Investigate and respond without undue delay. The Data (Use and Access) Act 2025 (DUAA 2025) amendments call for the complaint to be handled without undue delay, which includes making enquiries into the subject matter of the complaint (Section 164A(5)(a) DPA 2018). This means that you should start work on it promptly and aim to conclude your investigation as soon as possible. In practice, you could set yourself a Service Level Agreement to work towards, for example following the benchmark for other data subject rights, such as 20 working days (or one calendar month). If you need more time or clarification, inform the complainant before the deadline. You must keep them updated on your progress and any stumbling blocks (Section 164A(5)(b) DPA 2018).
6. Communicate the outcome clearly. You must inform the complainant of the outcome of the complaint (Section 164A(4)(b) DPA 2018). You should deliver your final decision in writing (email by default, unless they request otherwise). This is so that you have a record of exactly what was communicated. If the complainant requests that the response be delivered verbally, make sure you have kept an accurate and detailed record of what was said, and offer to follow up the conversation with a notification of the outcome in writing. In any case, explain your findings, any remedial steps, and the individual’s rights (including the right to internal review or ICO escalation).
7. Provide an internal review option. As with any other data subject right, you should allow complainants to request a second-opinion review. Where this is requested, another team member must complete the review within an agreed timeframe (again, to standardise it with other rights, you could adopt the 20 working days (or one month) timeframe).
8. Guide them to the ICO if needed. If the complainant remains unhappy, share the Information Commissioner’s Office (ICO) details and ask them to escalate the matter further in this way. You must then ensure that you have resources allocated to liaise with the ICO and address any of their queries.
9. Tackle disruptive complaints. Most of the complaints you receive will be genuine. However, it is useful to consider in advance how you would handle complaints that are not genuine, should you receive them.
10. Log and learn from every complaint. Record each complaint, its outcome and any escalations. Communicate lessons learned to those who need to learn from them. Use anonymised complaint data for internal reporting, evaluation and training, and for external reporting to regulators, if required. Under the DUAA 2025 amendments, further provisions may be made to allow regulators to request metrics on data protection complaints (Section 164B DPA 2018).
11. Assign clear roles and responsibilities. You should be clear on who in the organisation is ultimately accountable for compliance with these requirements, and to whom the responsibility for implementing any necessary changes has been delegated. You should also be clear about any oversight roles in place to monitor and ensure implementation of those changes. Once the responsibilities have been assigned, you should train all staff to promptly forward any complaints they receive to the correct place. As with any data protection matter, a complaint may arrive in any part of the business, so your staff must know where to forward it.

By following these top tips you’ll not only meet legal obligations under the UK GDPR, DPA 2018 and DUAA 2025 but also demonstrate transparency, fairness and respect for individuals’ data rights.
References
(1) HM Government, (2025). Data (Use and Access) Act 2025. Available at: https://www.legislation.gov.uk/ukpga/2025/18/introduction/enacted (Accessed: 23 June 2025).
(2) HM Government, (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council. Available at: https://www.legislation.gov.uk/eur/2016/679/contents (Accessed: 23 June 2025).
(3) HM Government, (2018). Data Protection Act 2018. Available at: https://www.legislation.gov.uk/ukpga/2018/12/contents (Accessed: 23 June 2025).