Why Compliance Alone Won’t Stop a...
Compliance with recognised cyber security standards is an important part of managing risk, but it should not be mistaken for...
Read MoreUpdate: 9 June 2026
This article has been updated to include further detail on the new statutory right for individuals to complain directly to controllers about alleged UK GDPR infringements, including the practical steps organisations should take ahead of the 19 June 2026 implementation date.
The Information Commissioner’s Office (ICO) has made it clear that its approach to the Data (Use and Access) Act 2025 (DUAA) is designed to mirror the legislation itself: phased, iterative and grounded in practical implementation. For organisations, this means that compliance cannot be treated as a single project with a fixed end date. Instead, it should be approached as an evolving programme of work that started in 2025 and continues into 2026.
The DUAA has not been brought into force all at once. Initial provisions commenced in August 2025, followed by a substantial second phase in February 2026. A final set of measures is expected to come into effect in June 2026. This staggered implementation is intended to give organisations time to adapt, but it also creates complexity. Different obligations apply at different times, and the regulatory expectations attached to them are developing in parallel.
The ICO’s guidance strategy reflects this timeline. Early publications focused on explaining what has changed at a high level, rather than prescribing detailed compliance steps. These materials are useful for identifying the key areas of impact, including amendments to the UK GDPR framework, changes to lawful bases for processing, and updates to data subject rights. However, they do not always provide the operational detail that organisations need to implement changes in practice.
More recently, the ICO has begun to publish more targeted and practical guidance, often focusing on specific compliance themes. One of the clearest examples is its work on data protection complaints handling. Under the DUAA, organisations will be required to implement formal internal processes for dealing with complaints relating to data subject rights and other UK GDPR infringements, with the requirement becoming mandatory in June 2026. The ICO has already issued guidance outlining expectations in this area, including the need for accessible procedures, clear response timelines and appropriate escalation mechanisms.
A key near-term priority is the new statutory right for individuals to complain directly to controllers about alleged infringements of the UK GDPR. From 19 June 2026, organisations must have a data protection complaints process in place, including a clear route for individuals to complain, acknowledgement within 30 days, appropriate investigation without undue delay, progress updates, and communication of the outcome.
Organisations should also update privacy notices, DSAR response templates and wider data subject rights communications to signpost both the right to complain to the controller and the continuing right to complain to the ICO. In practice, this means the handling of complaints should be treated as an auditable compliance workstream, supported by intake procedures, escalation routes, staff training, records of decisions and, where relevant, processor support arrangements.
The ICO has also placed significant emphasis on consultation as part of its guidance development process. Throughout 2025 and into 2026, it has sought stakeholder input on draft guidance in areas such as recognised legitimate interests, research provisions and aspects of automated decision making. For organisations, this creates both a challenge and an opportunity. Whilst draft guidance can introduce uncertainty, it also provides early visibility of the regulator’s thinking and allows organisations to anticipate future requirements before they are finalised.
From an operational perspective, the February 2026 implementation phase represented the point at which many organisations had to move from planning to execution. This phase included a number of substantive changes, such as revised rules on automated decision making, updates to subject access request handling, and the introduction of new lawful bases including recognised legitimate interests. These changes are not purely legal in nature. They require updates to internal policies, revisions to privacy notices, adjustments to data governance frameworks and, in many cases, changes to systems and workflows.
A further practical consideration is sequencing. Not all requirements carry the same level of urgency. Some obligations are already in force and require immediate attention, while others, such as the complaints handling framework, have a longer lead time but may require more significant organisational change. In practice, this means organisations need to prioritise their compliance activities carefully, balancing short-term legal risk against longer-term implementation effort.
The ICO has indicated that its enforcement approach during this transition will be proportionate and pragmatic. It recognises that organisations are operating in an environment where guidance is still being developed and refined. However, this should not be interpreted as a relaxation of expectations. The regulator has consistently emphasised that organisations should be taking active steps towards compliance and should be able to demonstrate progress if challenged.
In practical terms, organisations should now be focusing on several parallel workstreams. These include updating governance frameworks to reflect new legal concepts, reviewing data processing activities in light of lawful bases, and preparing for upcoming requirements such as formalised complaints handling. At the same time, organisations should establish processes for tracking ICO guidance updates and consultation outcomes, ensuring that their compliance approach remains aligned with the regulator’s evolving expectations.
Ultimately, the DUAA represents a shift in how data protection compliance needs to be managed. It is no longer sufficient to implement a static framework based on settled guidance. Instead, organisations must be prepared to adapt continuously as both the law and the regulator’s interpretation of it develop. Those that take a structured, programme-based approach to implementation, rather than a reactive or deadline-driven one, will be better positioned to manage both compliance risk and operational impact over the coming year.
AJC supports organisations in strengthening their data protection frameworks and responding to evolving regulatory requirements with confidence. Our Data Protection services help clients review governance arrangements, assess the impact of legislative and regulatory change, update policies and procedures, and build practical compliance programmes that reflect both legal obligations and operational realities.
Whether your organisation is reviewing lawful bases, updating privacy documentation, preparing complaints handling processes or strengthening broader data governance, AJC provides clear, proportionate support tailored to your needs.
Contact us on 020 7101 4861 or email us at info@ajollyconsulting.co.uk if you think we can help.
Sources:
https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-use-and-access-act-2025/
Image accreditation: Mike Hindle (January 2023) on Unsplash.com+. Last accessed on 13th April 2026. Available at: https://unsplash.com/photos/a-black-and-white-photo-of-a-laptop-with-a-shield-on-it-YSgZGl_a_3Q
Compliance with recognised cyber security standards is an important part of managing risk, but it should not be mistaken for...
Read MoreSecurity updates are only effective if organisations can confirm they have been applied. This article looks at what the latest...
Read MoreA recent Dashlane security incident has raised important questions about password managers, master passwords and authentication controls. This article looks...
Read More