Are the New Complaint Provisions the Most Impactful Changes in the Data (Use and Access) Act? 

Over the past week, I’ve read 30 or 40 blogs on the Data (Use and Access) Act 2025 (“DUA”). Many of them expertly written by leading legal professionals who offer detailed analysis of the legislation. But most focus squarely on the law itself, rather than its practical implications for privacy practitioners. 

 From my perspective, the most impactful changes in the DUA for privacy practitioners are: 

• The new right of complaint, 
• The soft opt-in for charities, and 
• The changes to the Privacy and Electronic Communications Regulations (PECR) including updates on cookies, definitions, and fines. 

 Of course, there are other significant changes including updates to subject access request (SAR) timelines, information searches, legitimate interests, purpose limitation, and scientific research processing. But in many respects, these changes align with existing good practice.so the Act largely offers clarification and certainty rather than entirely new obligations. 

 By contrast, the new complaint right may represent a more fundamental shift in data protection practices. 

 From ICO First… to Controller First 

Under the UK GDPR, data subjects have rights that affect either the processing of their data (e.g. the right to object or restrict) or the data itself (e.g. the rights to erasure or rectification), as well as the right of access (e.g. via SARs or data portability). 

 They’ve always had a right to lodge a complaint with the ICO (Article 77 UK GDPR) if they believed their personal data was being processed unlawfully. But crucially, the burden for investigating and acting on that complaint lay with the ICO. 

 The DUA changes that dynamic. Under Section 103 of the DUA, a data subject now has a statutory right to make a complaint directly to the controller if they believe there has been an infringement of the UK GDPR or Part 3 of the DPA 2018. While the ICO already encourages complainants to approach controllers first, this new provision formalises that expectation and elevates it to a legal requirement for controllers to respond. 

 What Does This Mean for Controllers? 

This shift means that data controllers must: 

 Update privacy notices to reflect the new right of complaint, 

• Implement clear internal mechanisms for receiving and responding to complaints, 
• Train relevant staff to respond to the right, and 
• Be prepared to respond within 30 days . 

And the volume and nature of these complaints? That remains an open question. It’s currently hard to say how this right will be utilised by data subjects. As data protection is so broad complaints will be wide and varied and may well prove difficult for some organisations to handle.  

 Will the complaints received directly differ from those historically made to the ICO? Data subjects may start raising issues such as: 

• Inadequate security on portals, 
• Undeclared restricted transfers, 
• Vague or confusing lawful bases in privacy information. 

 Previously, many individuals may not have pursued such concerns with the ICO but with a formal avenue now open through the controller, will more choose to act? 

 A Potential Game-Changer: Section 164B 

Another noteworthy (if not yet in force) provision is Section 164B, which would require controllers to report the number of complaints received to the ICO. While not currently active, this could be implemented by the Secretary of State, meaning the legal mechanism is already in place. 

 If enacted, it will add a further layer of accountability and data controllers should be preparing for that possibility now. 

 A Huge Shift Or A Minor Concern?  

In my view, this change represents a seismic shift in power toward the data subject in given them “free reign” as to what they can complain to the controller which could lead to masses of requests and it being used as a tool to process further complaints in a faster manner. 

However, it is also a greatly beneficial tool in allowing data subjects to truly trust in the organisations that handle their personal data and makes their voice feel heard where their personal data is involved. 

 The right to complain, now enforceable directly with the controller, places data subjects at the heart of accountability and requires organisations to respond not only to their data but to their dissatisfaction.