UK GDPR Update: What the Data (Use and Access) Act 2025 Means for Organisations

The Changes

Any concern raised by an individual about how their personal data is handled, whether it relates to access requests, accuracy, retention, or security, must now be treated within a structured complaints framework.

Organisations will be required to:

• provide a clear and accessible way for individuals to raise complaints;
• acknowledge complaints within 30 days;
•  investigate and respond without undue delay; and
•  keep complainants informed throughout.

What it means in practice

This is more than a procedural update, as it requires organisations to embed complaints handling into their data protection governance.

To prepare, organisations should:

1.   Formalise a complaints process - with a clear internal procedure that defines how complaints are logged, assessed, escalated, and resolved.

2.   Train staff - ensure employees can recognise what constitutes a data protection complaint and know how to escalate it appropriately.

3.   Update privacy notices - privacy information must explain how individuals can raise a complaint and what they can expect from the process.

4.   Maintain records - keep an audit trail of complaints received, how they were handled, and outcomes reached. This will be critical in demonstrating compliance.

5.   Align with DSARs and incident processes - complaints often overlap with data subject access requests (“DSARs”) or breach responses, so processes should be combined to avoid inconsistencies.

Why it matters

This change signals a clear regulatory direction:organisations are expected to take greater ownership of data protectionconcerns at an early stage. A well-handled complaint can reduce escalationrisk, reputational damage, and potential enforcement action.

In brief:  The Data (Use and Access) Act 2025

Alongside this upcoming requirement, organisations should be aware of several updates under the Data (Use and Access) Act 2025that came into force on 5 February 2026, including:

• a new category of “recognised legitimate interests”;
• more flexible DSAR response rules;
• increased PECR fines;
• relaxed restrictions on certain AI-driven decisions;
• a broader definition of scientific research; and
• enhanced expectations around children’s data protection.

For more information on how our Corporate & Commercial Team can assist with navigating these changes, and how they may impact your organisation, please contact us via emailat info@leathesprior.co.uk or by telephone at 01603 610911.