A new legal duty has taken effect that applies to every UK organisation that handles personal data — with no exemptions for size. If you hold customer or staff data, this affects you.
What's changed
As reported by Tech Times, from Friday 19 June a duty under the Data (Use and Access) Act 2025 requires all data controllers to formally acknowledge data-protection complaints within 30 days and to investigate them without undue delay. Previously, handling of such complaints was inconsistent; now it's a clear legal obligation, and failing to respond properly can send the complainant straight to the regulator.
Why it matters to you
This isn't just a concern for big companies. A disgruntled customer, ex-employee or member of the public can raise a data complaint with any business — and the clock starts ticking the moment they do. Most small organisations simply don't have a defined process for receiving, logging and responding to these complaints, which is where avoidable trouble starts.
What to do
- Create a simple complaints process. Decide who receives data-protection complaints, how they're logged, and how you acknowledge them within 30 days.
- Keep records of each complaint and your response — evidence matters if the ICO ever asks.
- Publish a contact route so people know how to raise concerns with you directly.
- Brief your team so a complaint isn't missed in an inbox.
Getting this in place is straightforward, and it's far cheaper than a regulatory headache later.
This is general information, not legal advice — for your specific obligations, check with a suitably qualified professional.
Source: UK Data Protection Complaints Law Kicks In Friday With No Exemptions — Tech Times