
Data (Use and Access) Act 2025: Changes to Data Subject Access Requests and NEW right to complain to the controller
By Kristina Holt, Lucie Wickens
22 Jul 2025
On 19 June 2025, the Data (Use and Access) Act 2025 (DUAA) received Royal Assent, beginning the overhaul of the UK's data governance framework.
Under UK GDPR, individuals already have the right to make a data subject access request (DSAR). This right is fundamental to individuals’ control of their data, but it can place significant administrative demands on many businesses. The DUAA reforms DSARs with the idea of making the process easier for organisations, whilst still protecting people and their rights.
DUAA also adds a new requirement for data controllers to have a complaints-handling process for data subjects who believe their data rights have been violated.
Data Subject Access Requests
On DSARs, the DUAA 2025 clarifies a number of areas:
Grounds for refusal or limitation
The data controller's obligation, when responding to a DSAR, is to complete a "reasonable and proportionate" search to provide personal data when requested. This aligns with existing ICO guidance and with what has been good practice for some time, codifying what was already occurring in practice.
This could help when dealing with aggressive data subjects by allowing more flexible and proportionate responses. This should reduce the administrative burden and cost of responding to a DSAR, making things easier for organisations.
Timeframes and extensions
The standard timeframe for responding to DSARs remains one month, but the DUAA clarifies the circumstances where this period can be extended by a further two months, such as if the request is complex or if you receive several requests from the individual. This flexibility puts a more realistic and manageable expectation on organisations, especially when dealing with complex or numerous requests.
The DUAA also allows data controllers to “stop the clock” when waiting for further information or ID verification. The time will be paused until such information is provided, as the controller cannot proceed without it, reducing the burden when delays are out of the organisation's control.
The Act introduces a codification of the Legal Professional Privilege (LPP) exemption from the right of subject access, where information that is subject to LPP is exempt. If a competent authority were to claim the exemption, it must inform the person who has made the request about its decision, its reason for making it, their right to complain to the ICO and their right to apply to the court to have the decision overturned.
NEW - Complaints
The DUAA introduces a new right for data subjects to complain to the data controller if they consider that the controller is not complying with UK data protection rules.
The individual must first complain to the organisation holding their data before potentially escalating to the Information Commissioner's Office (ICO). The data controller must acknowledge the complaint within 30 days and respond appropriately. There is also a possibility that the Secretary of State may use powers under DUAA to require organisations to report the number of complaints received to the ICO.
Further guidance from the ICO can be expected on this new requirement, but broadly, implementation would require:
- Internal complaints process: Controllers should have a formal process for handling complaints about data protection issues.
- Acknowledgement and response: Controllers must acknowledge receipt of a complaint within 30 days and respond without undue delay.
- Accessibility: Controllers are encouraged to provide an electronic form for making complaints to improve accessibility.
If you want any assistance with implementing the new requirements under DUAA or in relation to data protection issues generally, get in touch with our expert data and tech team.