A new law directly impacting all UK businesses is coming into effect on 19 June, and companies have been urged by a leading legal practitioner to review the new responsibilities to ensure they remain compliant.
Thomas Swann, Associate Solicitor at Furley Page, believes that many businesses remain unaware of the new legal requirements coming into force as part of the Data (Use and Access) Act 2025 (DUAA).
The Act introduces key reforms to the UK data protection and digital information framework regime having received Royal Assent in June 2025. Several provisions in the Act came into effect in February, but further changes are taking effect from 19 June 2026 regarding complaints from data subjects.
Thomas said: “It often happens that different provisions in Acts take effect on a staggered timescale, which makes it hard for businesses to keep track and make sure they are compliant. The provision regarding complaints from data subjects is a perfect example of this, and the upcoming implementation deadline could easily have been missed, but non-compliance could have serious consequences.”
From 19 June, all organisations will be legally required to handle data protection complaints under the DUAA. The Information Commissioner’s Office (ICO), which regulates the new law, is particularly focussing on small and medium-sized enterprises in the run up to the deadline.
Under the new law all organisations must:
give people a clear way to raise a data protection complaint;
acknowledge any complaint within 30 days of receipt;
take appropriate steps to investigate and keep people informed without undue delay; and
tell the complainant of the outcome.
In parallel to the new laws coming into effect the ICO has been granted expanded enforcement powers and can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. These powers include criminal prosecution, non-criminal enforcement and audit.
Thomas continued: “In essence, the new law creates a right for data subjects to make a complaint directly to data controllers regarding infringements of data protection law. This right will exist alongside the existing ability to lodge complaints with the ICO.
“To comply, businesses need to implement a complaints procedure and review their data protection policies and practices to ensure that the changes in the new Act are correctly reflected. Importantly, businesses that have used the EU GDPR to govern data protection obligations should note that these new provisions in the UK GDPR do not exist in the EU GDPR.”
To find out more about the new requirements the ICO has produced guidance for businesses at www.ico.org.uk/for-organisations/how-to-deal-with-data-protection-complaints ,or for questions about what the changes mean for your business, contact Thomas on 01227 763939.
For more information about Furley Page please visit www.furleypage.co.uk. You can also follow the firm on LinkedIn and Facebook.
Before you go…
➡️ Have you joined the Kent Business Community yet? - https://kentbusinesscommunity.co.uk
➡️ Don’t miss the latest networking events near you - https://www.kentbusinessevents.co.uk
➡️ Do you have news or announcements you’d like to share about your business?
Contact us today - [email protected]
If you enjoyed this article, please subscribe and pass it on to another Kent business owner who might also like it! Thanks.
