A friendly guide to the Data (Use and) Access Act 2025 — and what to do before the Data Protection Complaints Deadline of 19 June
If you’ve been hearing whispers about “DUAA” and quietly hoping it refers to a well-known singer, we’ve got bad news and good news. The bad news: it isn’t. The Data Use and Access Act 2025 is a real piece of legislation that’s reshaping the data protection landscape for every UK business. The good news: it’s not as scary as it sounds, and most of it is genuinely workable, if you know what’s coming.
This guide is written for founders and operators in fast-growing SMEs – the businesses where the team is small, the to-do list is long, and the last thing anyone wants is a bureaucratic curveball. Here’s what’s already in force, what’s landing in June, and what to do about it.
First, the DUAA headline
DUAA doesn’t replace UK GDPR or the Data Protection Act 2018. It builds on them and amends PECR (the marketing and cookies rules) along the way. It’s being rolled out in phases, which is helpful in some ways and confusing in others. The key date you absolutely cannot miss is 19 June – the new statutory deadline for having a data protection complaints process in place.
No exemptions. No exceptions. Whether you’re a five-person startup or a fifty-person scale-up, you need to be ready.
The phased rollout, in plain English
DUAA has been arriving in stages since June 2025. Here’s the quick tour:
- Stage 1 (June 2025): Smart data schemes and changes to data subject access requests (DSARs).
- Stage 2: Digital identity verification services and updates to children’s data protection.
- Stage 3 (June 2026): Wider operational changes, including the new data protection complaints process by 19 June.
- Stage 4 (later in 2026): Regulator restructuring and accountability changes, including to the ICO.
What’s already in force, and what it means for you
DSARs: a slightly less painful experience
If you’ve ever been on the receiving end of a data subject access request, you’ll know how much time it takes to trawl through every system you own to find every email someone ever sent. The good news: you now only need to carry out reasonable and proportionate searches. You can push back on excessive or unfocused requests, and there’s a new “stop the clock” mechanism, where you can pause the one-month response deadline to request further information.
What to do: If you don’t already have a written DSAR policy, get one. Document your decisions every time. Liability sits in the process, not the outcome — so make sure you can show a regulator a clean audit trail.
Smart data schemes: relevant if you handle customer data in regulated sectors
Think of this as Open Banking, but expanded — covering energy, telecoms, insurance and more. Customers can request that their data be securely transferred to another provider. If you operate in one of these sectors, you’ll need systems that can send and receive structured data securely (email won’t cut it), supplier contracts that clearly assign responsibility, and a process for keeping a record of every transfer.
Digital identity verification: a small but useful change
From December 2025, certified providers under the government’s framework (overseen by the snappily-named Office for Digital Identities and Attributes) carry a trust mark. If you rely on identity checks for HR, customer onboarding or KYC, review your current providers and check they meet the new certification standards. Spoiler: the legal risk still sits with you, but the operational headache should be lighter.
February 2026 changes worth knowing about
- Cookies: Slightly relaxed rules for low-risk uses like analytics. You may not need a banner for absolutely everything anymore.
- PECR fines: Now aligned to GDPR levels. Translation: bigger penalties for marketing breaches.
- Automated decision-making: Broader scope for when it can be used — with safeguards.
- Recognised legitimate interest: A new lawful basis for processing data. Useful, but still requires careful judgment.
- Soft opt-in for charities: Brings their marketing rules closer to the commercial position.
The big one: the new data protection complaints process (deadline 19 June)
This is the bit that affects every business, regardless of sector or size. From 19th June, you must have a documented process for handling data protection complaints. Here’s what the legislation says you must do:
- Establish a written process for handling data protection complaints.
- Acknowledge receipt within 30 days, and that’s calendar days, weekends and bank holidays included.
- Respond without delay and keep the complainant updated on progress.
- Inform the complainant of the outcome.
Why does this matter? Because the ICO is shifting the first-line triage of complaints back to businesses. The ICO received 40,000 complaints in 2024-5, rising to 66,000 in 2025-6, so going forward, when someone complains to the ICO, the first question they’ll ask is: “Have you raised this with the business first?” The complainant will have to come back to you and will likely be more frustrated.
What counts as a data protection complaint?
Anyone who thinks you’ve infringed data protection law in how you’ve handled their personal data — or someone they’re acting for. That could be a complaint about a data breach, a DSAR response, how long you keep data, the accuracy of data, or how secure their data is.
Important: this is separate from a DSAR. DSARs are more generally about action (give me my data, correct it, delete it). Complaints are about resolution (you handled my data wrongly, and I want it sorted).
If you’re not sure which one you’re looking at, you can ask the complainant to clarify.
What you need to put in place
- A written complaints process. Adapt your existing complaints process if you have one.
- Multiple submission channels. A complaints email address, a postal address, and a telephone number. Online portals and chat are fine — but any chatbot must be able to escalate to a human.
- Accessibility. Think about audio and visual impairments, and whether you need multi-language options.
- Updated privacy policy and notices. Your “rights to your data” section should clearly separate the right to complain from the existing rights (access, erasure, portability, etc.) and explain how to do it. Add the new contact details and make clear that complainants can escalate to the ICO if unhappy with your response.
- An auditable log. Date received, who acted on it, what was sent, when. Stored securely, ready to hand over if a regulator asks.
- An updated retention policy. Decide how long you’ll keep complaint records, and check it doesn’t conflict with HR, Finance or other regulatory retention rules.
Watch-outs the ICO will be looking for
- Social media. Someone could complain via your LinkedIn, X or Instagram. Don’t try to verify or resolve it on the platform — redirect them to your formal complaints route.
- Sub-processors. If a hosting provider, CRM or third-party tool holds data on your behalf, you may need access to that data to resolve a complaint. Check your data processing agreements and records of processing now — don’t get caught out by something that’s been deleted or anonymised.
- Children. If you offer products or services to under-18s, you may receive complaints from children. You’ll need a child-friendly privacy notice, a way to assess the child’s competence to complain, safeguarding considerations, and (depending on age) parental consent.
- Weaponised complaints. Aim to give one full, robust response and avoid endless back-and-forth.
- Senior staff complaints. If your CEO normally signs off responses but the complaint is about them, who’s the deputy? Decide that before it happens.
Your 4-week DUAA action plan
With just four weeks until 19th June, here’s a sensible order of operations:
- Set up a complaints team. Right-sized for your business — even two people is fine. You’ll need a primary contact and a backup for holidays and sickness.
- Create a dedicated complaints email address. Route it to two people, not one.
- Set up a secure folder. SharePoint, secure shared drive — wherever you can lock down access and keep an audit trail.
- Draft templates. Acknowledgement, holding response, outcome — saves you reinventing the wheel each time.
- Train your core team. On the timescales, the audit log, escalation paths, and how to triage DSARs vs. complaints vs. service complaints.
- Brief the wider business. Everyone needs to know how to spot a complaint and where to send it.
- Run a dummy complaint. Stress-test your process before it goes live. Does the email work? Does it route correctly?
- Update your privacy policy, notices and retention policy. Don’t forget the email signature footer too — it’s a small but useful touch.
- Add it to onboarding. New starters should know about the complaints process from day one.
And while you’re at it: don’t forget data protection training
Quick reminder. You should ideally run data protection training every year. It needs to cover where to store data, how to spot a data breach, what to do if someone clicks a dodgy link on a Friday night, and now, the new complaints process. Keep a training log: when the ICO investigates a breach, they will ask on the report form when you last conducted data protection training.
The bottom line for SMEs
DUAA isn’t designed to trip you up. In several places (DSAR proportionality, recognised legitimate interest, relaxed cookie rules) it’s actually trying to make life easier. But it does come with more admin, more documentation and more process. For fast-growing businesses, the smart move is to build the new requirements into your existing operations now, while you’re small enough to do it cleanly. Trying to retrofit complaints handling, audit logs and updated policies onto a 50-person team six months from now is a much bigger job than doing it today.
The clock is ticking on 19 June. If you’d like a hand drafting your complaints approach, updating your privacy notice, or running data protection training for your team, we’re here to help – it’s literally what we do.
Farringford Legal is your growth partner, providing affordable, expert legal services across England & Wales with a client-centric, entrepreneurial approach. We are not just lawyers; we are allies in your business journey, adapting as your business evolves, deeply trustworthy, always responsive.
www.farringfordlegal.co.uk | info@farringfordlegal.co.uk

