How does the Data (Use and Access) Act 2025 change complaint handling?
ProvePrivacy has prepared the DUAA Complaint Management Guide to support the recent changes introduced by the Data (Use and Access) Act 2025. The Act introduces mandatory internal procedures for handling data protection complaints, and every controller must establish a formal process by 19 June 2026. This transition essentially creates an internal ombudsman service within the office of the DPO.
What is a Data Protection Complaint?
A Data Protection Complaint is a formal expression of concern regarding the handling of personal data. A complaint may turn out to be a disguised request under a different data subject right, such as the right to object, so you must be prepared to change your approach.
What is the ProvePrivacy twelve step guide for complaint responses?
Organisations must adopt a structured workflow to meet the requirements of Section 103. This guide ensures compliance with the new statutory timelines and transparency obligations.
Step 1. Build Reporting Routes.
Building frictionless reporting routes is important because it will make the life of the data subject easier and ultimately will improve their experience. This will reflect well on you, your team and your organisation.
What is the best approach to enable DUAA complaint reporting?
Organisations should provide a direct electronic contact route. A dedicated email address is a good start, so long as the inbox is monitored. Providing an internal electronic form is better, as it helps colleagues to report in a manner that captures much of the information you need. Better still is an electronic form that is easy for individual data subjects to use. It may seem counter-intuitive, as if you are encouraging complaints, but it provides a better experience for data subjects and improves their view of your service and your organisation.
Step 2. Provide Thirty Day Acknowledgement.
Send a formal confirmation within thirty days of receipt. Thirty days is the requirement of the regulation, but we would suggest that acknowledgement is the first thing you do following receipt of the complaint. Establishing a connection with the data subject allows you to follow up. The acknowledgement does not need to provide a resolution to the complaint, so there is a clear advantage in sending it sooner rather than later.
Step 3. Authenticate the Requester.
Verify the identity of the person making the complaint. As with DSARs and other data subject rights, you need to know that you are discussing a complaint with the correct individual. If you can authenticate the requester at the earliest stage, it will help you to respond to the complaint quickly.
Step 4. Document Initial Intake.
Record all details in a unified digital platform to ensure visibility. If you have implemented an electronic reporting platform, this will be easier than if you rely on email submissions. Gather the circumstances of the complaint, try to understand the data subject's view and seek clarification on matters that are not clear.
Step 5. Assess the Allegation.
Identify which legislative requirements the individual considers to have been breached. Understand the circumstances and document them as well; this could be important later in demonstrating compliance with your obligations. This creates a clear baseline to inform your final response.
Step 6. Consider other Data Subject Rights.
Ensure that you consider the true complaint in the context of the regulation. It is entirely possible, and likely, that you will receive a request to exercise a different data subject right presented as a complaint. Identify this early so that you have the time to respond accordingly. Build a procedure to escalate a change in incident type (e.g. from complaint to DSAR) so that you do not lose time needed for the response.
Step 7. Initiate Internal Enquiries.
Conduct substantive investigations into the relevant data processing activities. Engage with your teams to understand what has happened. Try to foster a blame-free culture; you will discover more and everyone will be happier for it. Document your findings, as this again evidences your process, which is important if there is ever an escalation. Good documentation can be the difference between a fine and supervisory advice.
Step 8. Send Periodic Updates.
Keep the individual informed during long or complex investigations. Whilst you have 30 days to provide an acknowledgement, there is no specific timeframe in which you need to respond. Our advice is to treat a complaint like any other data subject right and respond swiftly, but if you cannot, keep the individual informed. It is good practice to report progress at least monthly for long-running complaints.
Step 9. Draft the Outcome.
Decide whether an infringement occurred and determine the necessary remedy. In determining the remedy, you are likely to need to work with others in your organisation. It is not unusual for complainants to seek financial compensation, so build a fair triage process that gives your team the authority to compensate. Being unable to show your thinking on remediation is likely to result in dissatisfaction and onward escalation to the supervisory authority.
Step 10. Issue Results Promptly.
Tell the individual the final outcome without undue delay. The regulation is not clear on what 'undue delay' means, and you may well wish to set your own timescale. Our view is that if you cannot evidence why a complaint remained unanswered, then your delay is probably too long.
Step 11. Clarify Escalation Rights.
Explain how the individual can contact the Information Commission if they remain dissatisfied.
Step 12. Archive Audit Evidence.
Store records for potential regulatory inspections or technical reports. Records should evidence when a complaint was received and when you acknowledged it, how you assessed the circumstances and what you did to investigate. You should be able to show how you came to your decision, as well as how and when you communicated with the data subject. Without this evidence you are vulnerable to supervisory intervention.
Why is the thirty day acknowledgement period critical?
The thirty day window is a fixed statutory requirement under the new law. Failure to acknowledge a complaint within this timeframe is a breach of the regulation. This deadline encourages teams to move from reactive responses to automated, tracked workflows.
The Information Commission can now require organisations to report on complaint volumes. High volumes or missed deadlines may trigger an Interview Notice. DPOs must use robust logging to defend their compliance posture.
How can the ProvePrivacy platform automate complaint logging?
The ProvePrivacy platform provides the essential architecture for this mandate. It replaces manual spreadsheets with a centralised digital environment for complaint management, allowing lean teams to maintain control over statutory response times.
The platform hosts the electronic forms required by the new legislation. It automatically tracks the thirty day acknowledgement window for every case. This ensures that DPOs can provide the technical reports regulators may demand.
Using the ProvePrivacy platform transforms the DPO into the internal ombudsman that the role will need to become under the DUAA. It facilitates better collaboration between internal teams, and this unified approach mitigates the risk of operational sloppiness in rights management.
Sources:
- UK Government Legislation: https://www.gov.uk/guidance/data-use-and-access-act-2025-data-protection-and-privacy-changes#content