The Data (Use and Access) Act 2025 (“DUAA”) has made a number of changes to the UK’s data protection regime, many of which have already come into force. From 19 June 2026, organisations will need to implement or update their data protection complaints procedure to align with the new DUAA requirements which provide a mechanism for complaints made directly to a controller. This new requirement is supported by recent guidance from the UK Information Commissioner’s Office (“ICO”). This marks a shift towards a more formalised, controller-led complaints-handling framework, requiring organisations to treat certain expressions of dissatisfaction as regulated complaints with defined procedural obligations.