Data (Use and Access) Act 2025 Complaints Regime

The UK’s Data (Use and Access) Act 2025 (DUAA) introduces a new requirement for organisations, including notaries, to implement formal data protection complaints procedures. Individuals must now raise concerns directly with the organisation before escalating to the Information Commissioner’s Office.

The complaints-handling requirements become mandatory on 19 June 2026.

For notaries, who routinely handle sensitive personal data, this brings several key implications. Practices will now need clear, accessible, compliant channels, defined response timelines and proper record-keeping systems.

Complaints must be handled promptly and transparently, with clear communication of outcomes and escalation rights. Failure to comply could result in enforcement action imposed by the ICO, reputational damage and increased regulatory risk.  

The ICO has released detailed guidance outlining the core duties for data controllers clarifying what the ICO expects to see in practice. The guidance addresses both the introduction of the new process and the update required to existing complaints procedures to ensure compliance with the new requirements.

Notaries should act early by reviewing existing procedures, updating privacy notices, and training staff. While the new regime adds compliance obligations, it also presents an opportunity to strengthen client trust through improved transparency and responsiveness.