Technology & Innovation

How to handle Data (Use and Access) Act rules

By Becky White on Growth Business – Your gateway to entrepreneurial success In June 2026, new rules were introduced under the Data (Use and Access) Act. Becky White explains how to handle data complaints from now on The post How to handle Data (Use and Access) Act rules appeared first

  • Becky White
  • July 9, 2026
  • 0 Comments
Under the new rules for the Data (Use and Access) Act 2025, organisations that act as data controllers now need to have a clear process for handling data protection complaints. Businesses now need to give individuals a clear way to complain directly to them about how their personal data has been handled. They also need to acknowledge data protection complaints within 30 days, investigate them without undue delay, keep the complainant informed where appropriate, and tell them the outcome. Businesses should be updating privacy policies and templates; checking whether existing procedures are sufficient for data protection complaints; making sure the process works across the business; and building record-keeping into said process.

If you’re running a growing business, personal data is woven into almost everything you do. Every customer order, job application, marketing campaign, website visit and employee record you keep generates information that needs to be collected, stored and used responsibly.

From 19 June 2026, there has been a new reason to look more closely at how all of that information is managed. Under the Data (Use and Access) Act 2025, organisations that act as data controllers now need to have a clear process for handling data protection complaints.

Although this might sound like a technical change that sits with the compliance team, it affects anyone who might receive, recognise or respond to a concern about personal data, from HR and recruitment through to customer service, marketing, sales and even senior management. That’s because data protection complaints can take different forms and they may not even be labelled as a complaint.

Here are some examples:

Someone might complain that they are still receiving marketing emails after unsubscribing A job applicant might ask why their CV is still being held months after a vacancy has closed An employee might question how monitoring or performance data has been used A customer might be unhappy that their details were sent to the wrong address

None of those people may mention the UK GDPR or use the words ‘personal data’ or ‘complaint’ at all. However, each of those concerns could still raise a data protection issue, and if they do then the new requirements may apply.

What changed on June 19?

Businesses now need to give individuals a clear way to complain directly to them about how their personal data has been handled. They also need to acknowledge data protection complaints within 30 days, investigate them without undue delay, keep the complainant informed where appropriate, and tell them the outcome.

The 30-day period starts the day after the complaint is received. Weekends and public holidays are included in this timeframe, although if the final day falls on a weekend or public holiday, acknowledgement can be given on the next working day.

For businesses without a dedicated compliance team, that deadline comes around quickly. A complaint received through a generic inbox, social media message or phone call may not reach the right person straight away, and by the time it does, valuable time may already have been lost.

The Information Commissioner’s Office (ICO) will usually expect individuals to raise their complaint with the organisation first before taking it further. This creates a useful opportunity for businesses to resolve concerns early, but it also means they need to be ready to recognise and respond to complaints properly when they come in.

What counts as a data protection complaint?

A data protection complaint is, broadly, a complaint from someone who believes an organisation has breached data protection law in the way it has handled their personal data.

That could involve how personal information has been collected, used, shared, stored, secured, retained or deleted. It could also involve how a business has responded to a subject access request, how it has used cookies or tracking tools, or whether someone has been given clear enough information about what is happening to their data.

The complaint doesn’t need to use legal language to be classed as one, either. The individual doesn’t have to refer to the UK GDPR, quote their rights or label the issue as a data protection complaint. If the concern is about how their personal data has been handled, it should be recognised and dealt with through the right process.

Where complaints are most likely to arise

The highest-risk areas are often the parts of the business moving fastest and those that handle a lot of information relating to individuals. Marketing and e-commerce teams, for example, rely heavily on data such as email lists, cookies, retargeting campaigns, loyalty schemes and customer profiles. These can all create compliance risk should the consent records be unclear, unsubscribe requests are not actioned promptly, or privacy notices have not kept pace with what the business is actually doing.

For HR and recruitment teams, candidate data can sometimes be retained for longer than necessary. Employees may not fully understand how their information is being used for monitoring, absence management, performance tracking or workplace technology. Aggrieved employees may raise data subject access requests (DSARs) and then dispute how the DSAR process is handled. As businesses grow, informal processes that once worked well can quickly become difficult to manage.

Scale and transparency can be a challenge for tech and app-based businesses in particular. When data is collected automatically and at volume, individuals may feel they have little visibility or control. That can make complaints more likely when something goes wrong.

Healthcare, finance, education and professional services businesses may also face heightened sensitivity because of the nature of the information they handle. In those sectors, even a relatively small data protection complaint can carry a larger reputational risk.

What should businesses do now?

The good news is that compliance doesn’t need to be overcomplicated. Most businesses have some sort of complaints process in place already, so this change should mean making targeted adjustments, including:

Updating privacy notices and relevant templates. Customers and clients should know how to raise concerns directly with the organisation. Adding some simple wording to your privacy notices telling individuals who to contact about regarding their concerns would suffice.  Checking whether your existing internal processes clearly cover data protection complaints. People should know how to raise a complaint, where it should go internally, who owns the response and what deadline applies. Making sure the process works in practice across the business. Customer service, HR, recruitment, marketing, sales and social media teams don’t need to become data protection experts, but they do need to know when a concern about personal data should be escalated. Building record-keeping into the process. Businesses should be able to show when a complaint came in, when it was acknowledged, who reviewed it, what response was given and whether any follow-up action was needed.

Your priority is making sure that it’s clear, joined up and understood by the people most likely to receive complaints first.

Becky White is a senior solicitor (data protection) at law firm, Harper James.

How a major glitch by Companies House revealed an uncomfortable truth about business data – The Companies House incident highlighted the outdated way business data is handled in a time where fraud is rife. This is how we overcome it

Linking your communications is the key to better data and visibility – Data siloes are the biggest barrier to visibility. Unifying your communications will give you a much clearer overview – here’s how

This post was originally published on this site.