
New Obligation for Data Processors: Complaints Information to be provided to Data Subjects

Harvinder Thiara
2 mins read 26/09/2025

As well as the requirement to inform individuals about how you process their data and what you use it for, the Data (Use and Access) Act 2025 (DUAA) directs individuals to complain to you about your processing and requires you to have processes in place to address those concerns.

Previously, an individual’s only route of redress for concerns about how their data was being handled was to complain directly to the Information Commissioner’s Office (ICO). However, under the DUAA, data subjects must now first raise their complaint with the data controller (i.e. the organisation handling their personal data) before escalating it to the ICO.

 

What does this mean in practice?

Organisations will be required to implement a formal complaints process for handling data protection concerns. This includes:

  • providing accessible means for individuals to submit complaints (e.g. an electronic form);

  • acknowledging receipt of complaints within 30 days;

  • taking appropriate steps to investigate and respond to complaints without ‘undue delay’;

  • keeping complainants informed of the progress and outcome of their complaint; and

  • maintaining a record of complaints (for data audit purposes).

Although the commencement date for section 103 has not yet been confirmed, organisations should take steps to ensure that these compliance requirements are addressed. Not only are individuals already starting to raise more concerns (thank you, AI), but the ICO is also being stricter with organisations about their processes and best practices. To ensure continued compliance you should be considering:

  • How will you inform individuals about their rights – perhaps including reference to your complaints process in your privacy employee handbook or on your website.

  • Creating a complaints form that prescribes information that will be required to enable a complaint to be investigated.

  • How should complaints be submitted? Online or in writing (email or post), or through an online portal via your intranet or website?

  • How will you address complaints made by other means, such as by phone?

  • What your complaints process will look like.  Who will be responsible for investigations? Should your data team be investigating themselves? Will there be a right of appeal?

 

Next Steps for organisations

  • Get ahead – review and update internal policies to include a clear data protection complaints procedure.

  • Train staff on how to recognise complaints, and how to handle them in line with the changes.

  • Update your in-house systems to track, respond to, and report on complaints.

Although many will see this as another hurdle for businesses to overcome, it does create the enormous advantage of being able to resolve complaints without them reaching the ICO. It will also enable errors to be addressed and processes to be honed to create a more accountable and responsive data protection culture, building trust in how you deal with data.

 
