
Data Use and Access Act 2025 set to bring changes requiring preparation

New statutory requirements for internal data protection complaints processes took effect on 19 June 2026, completing a suite of changes introduced by the Data (Use and Access) Act 2025. The Act, which received Royal Assent on 19 June 2025 and has been implemented in phases, amends the UK General Data Protection Regulation, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR). The latest provisions give individuals a statutory right to raise complaints directly with organisations before escalating matters to the Information Commissioner’s Office.

Complaint Process Overhaul

Businesses must now establish and maintain a formal procedure for handling data protection complaints from the public. The process must include at least one accessible channel for submitting complaints, such as an online form or a dedicated email address. Complaints must be acknowledged within 30 days of receipt, investigated without undue delay, and responded to in a timely manner, with the complainant kept informed of progress throughout. Organisations are also required to keep appropriate records of complaints and their resolution.

The public remain encouraged to raise a complaint with the organisation first before contacting the ICO, although the watchdog retains discretion to intervene in exceptional circumstances. The ICO has published guidance on these new requirements. Businesses should therefore review their privacy notices and template responses to ensure individuals are informed of their right to make a data protection complaint, both at the point personal data is collected and when organisations respond to data subject rights requests.

Internal procedures and staff training need to reflect that complaints must be identified and acknowledged within the 30-day window. Contracts with suppliers should be reviewed to ensure they alert the business to any complaints and assist in their resolution. Most businesses will already have existing processes in place, but the new rules present an opportunity to review all procedures for compliance.

Other Key Reforms Under the Act

The Data (Use and Access) Act 2025 also introduces significant changes to how organisations can use personal information across a range of areas.

Automated decision-making. An organisation can now use personal information to make significant automated decisions about an individual if it can demonstrate a legitimate interest that outweighs the impact on the person’s rights and freedoms. This does not apply to protected information such as race, ethnic origin or sexual orientation, where stricter controls remain. Safeguards including transparency, meaningful human intervention and an accessible mechanism for challenging outcomes are still required.

Direct marketing ‘soft opt-in’ for charities. Since 5 February 2026, a charity that has collected a supporter’s details because the person has supported or expressed interest in its work can send direct marketing emails to them, unless the data subject asks not to receive them. The sender must be a legally recognised charity, the sole purpose must be to further its charitable objectives, and an opt-out must have been provided at the point of collection and in every subsequent communication. The ICO has published updated guidance on this provision.

Archiving in the public interest. An organisation can now give out the personal information of a data subject when it is needed for archiving in the public interest, even if the individual only gave consent for a different use. Processing for archiving purposes must be distinguished from day-to-day business operations, and safeguards must be in place to minimise adverse impacts on living individuals.

National security exemption. Law enforcement agencies, such as the police, do not have to follow some of the usual rules about how they use personal information if it is necessary to protect national security. Under designation notices, law enforcement agencies and intelligence services working together on joint operations can operate under the same intelligence service rules, provided the Secretary of State authorises it.

Cookies. An organisation no longer needs an individual’s consent to set certain cookies where the intrusion into privacy is limited. This applies to statistical cookies that collect data for statistical purposes, appearance cookies that adapt a website’s appearance based on user preferences (such as language), and emergency assistance cookies that determine a user’s geolocation so that help can be provided. For statistical and appearance cookies, organisations must still provide a clear and free opt-out mechanism. Consent remains unnecessary for cookies that are strictly necessary for a service to function. Fines for breaches of PECR, including cookie consent failures, are now aligned with UK GDPR penalties, carrying a maximum of £17.5 million or 4 per cent of global annual turnover.

Children and online services. Organisations providing online services likely to be used by children must explicitly consider their heightened protection needs. This aligns with the ICO’s Age-Appropriate Design Code. Services must build children’s heightened protection needs into their data protection by design and by default, and businesses should conduct risk assessments and Data Protection Impact Assessments to identify and mitigate potential harms.

Re-use of personal information for research, archiving and statistics. The Act clarifies when personal information can be re-used for scientific research, archiving in the public interest or statistical purposes. An organisation no longer needs to inform the individual if doing so would involve a disproportionate effort, but it must still protect individuals’ rights in other ways and explain what it is doing by publishing details on its website. The definition of scientific research has been broadened to include commercial and technology-driven research, such as AI development.

Recognised legitimate interests. The Act introduces a new lawful basis for processing personal data called “recognised legitimate interests”, which applies to pre-approved purposes such as safeguarding national security, protecting public security, crime prevention and responding to emergencies. For these purposes, the need for a balancing assessment between the organisation’s interests and the individual’s rights is removed.

International data transfers. A “data protection test” has replaced the previous “essentially equivalent” standard. Transfers to a third country are permitted if its data protection safeguards are “not materially lower” than the UK’s.

ICO powers. The Information Commissioner’s Office has gained new enforcement powers, including the ability to compel witnesses and request reports. Fines under PECR are now aligned with UK GDPR penalties, as noted above.

What Businesses Should Do

Organisations should familiarise themselves with all the changes introduced by the Act to ensure full compliance. If they provide online services that children are likely to use, they must review whether enough is being done to consider their needs. Complaints procedures should be reviewed and updated to reflect the new statutory right and associated requirements. Businesses should also examine whether the changes allow them to streamline any data processes, potentially enabling greater innovation.

Privacy notices and staff training should be updated accordingly. Contracts with suppliers and processors should be reviewed to ensure they align with the new obligations. A cookie audit is advisable to check website practices and banners comply with the updated PECR regulations. Organisations should continue to monitor guidance issued by the ICO as the phased implementation of the Data (Use and Access) Act 2025 progresses.

Thaddeus Norwell

Business & Technology Writer
Thaddeus Norwell is a business and technology writer based in London, UK. He reports on business trends, digital innovation, and regulatory developments shaping the UK economy, focusing on practical outcomes rather than speculation. His work explores how technology and policy affect companies, markets, and consumers.
· Market and regulatory analysis, fintech sector reporting, enterprise technology coverage
· UK corporate landscape, tax and fiscal policy, interest rates and mortgages, AI regulation, cybersecurity threats, startup ecosystem
