For many businesses, conversations about compliance have recently focused on AI, automation and cybersecurity. Yet one of the most significant changes to UK data protection law is arriving on 19 June, and many organisations are still unprepared.
The Data (Use and Access) Act 2025 (DUAA) introduces important reforms to the UK’s data protection framework, with new complaint-handling obligations coming into force from 19 June. These changes affect every organisation that processes personal data, regardless of size or sector.
If your business collects customer information, manages employee records, runs marketing campaigns, or simply operates a website, these changes matter.
What Is Changing?
The DUAA is the most significant update to UK data protection law since the introduction of UK GDPR. While many of its provisions have already been implemented, the next phase focuses on how organisations handle data protection complaints.
From 19 June, organisations will be expected to have a clear and effective process for dealing with complaints relating to personal data. This formalises what was previously considered good practice and places greater responsibility on businesses to address concerns before they reach the regulator.
In practical terms, organisations should ensure they can:
- Receive and recognise data protection complaints through accessible channels.
- Acknowledge complaints promptly.
- Investigate concerns without unnecessary delay.
- Keep complainants informed throughout the process.
- Provide a clear written outcome and explain escalation rights where appropriate.
Why This Matters for SMEs
Many small and medium-sized businesses assume data protection complaints are rare or only relevant to larger organisations. In reality, complaints can come from a wide range of individuals, including:
- Customers
- Employees
- Job applicants
- Contractors
- Website visitors
A complaint may not even be labelled as a “data protection complaint.” It could arrive via email, social media, a contact form, or as part of a wider customer service issue.
Without a documented process, businesses risk delayed responses, inconsistent handling, and increased regulatory scrutiny.
The ICO Is Paying Attention
The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has published guidance to help organisations prepare for the new requirements. Businesses should review their current procedures and ensure staff understand how to identify and escalate data protection concerns appropriately.
For organisations that have not reviewed their privacy and compliance framework recently, this is an ideal opportunity to conduct a broader health check.
Useful resources:
Four Steps Businesses Should Take Now
Before 19 June, we recommend that businesses:
- Review Your Existing Policies
Ensure your privacy notice and internal procedures accurately reflect how complaints are handled.
- Create a Documented Complaints Process
A clear written procedure helps staff respond consistently and demonstrates accountability.
- Train Your Team
Anyone who may receive a complaint – including customer-facing staff, HR teams, and marketing personnel – should understand what constitutes a data protection complaint and how it should be escalated.
- Keep Clear Records
Maintaining records of complaints, investigations, and outcomes can help demonstrate compliance and identify recurring issues before they become larger problems.
Don’t Wait Until a Complaint Arrives
The businesses that navigate these changes most successfully will be those that take action before they are required to respond to a complaint.
Data protection compliance is no longer just about having a privacy policy on your website. It is about demonstrating that your organisation can respond effectively, transparently, and lawfully when concerns arise.
At Thrive Law, we help businesses build practical, commercially focused compliance frameworks that work in the real world – not just on paper.
Book a Free 30-Minute Data Protection Call
If you’re unsure whether your business is ready for the 19 June changes, now is the time to find out.
Rebecca works with businesses across the UK to simplify data protection compliance, reduce regulatory risk, and implement practical processes that support growth.
Whether you need a review of your existing policies, advice on complaint handling procedures, or guidance on the wider impact of the Data (Use and Access) Act 2025, a short conversation can help you understand your next steps.
Book your FREE 30-minute consultation with Rebecca today
Don’t wait until a complaint lands in your inbox. Get ahead of the changes and make sure your business is ready for the new data protection landscape.
For more information email our team on : enquiries@thrivelaw.co.uk
