In our previous blog we discussed the Data (Use and Access) Act 2025 (DUAA) and what it means for organisations. The ICO has since launched two public consultations to shape the final guidance on upcoming amendments to the DUAA.
The consultations focus on:
• A new data protection complaints process; and
• The new lawful basis of “recognised legitimate interests.”
The consultations close on 19 October 2025 and 30 October 2025, respectively.
Looking at the handling of data protection complaints first, the ICO is keen for organisations to try to resolve complaints with individuals before those individuals lodge a complaint with the ICO. To help achieve this aim, the DUAA requires all organisations to have a data protection complaints process in place by June 2026.
As part of this process, organisations must ensure they:
• provide a clear process for individuals to make data protection complaints;
• acknowledge complaints within 30 days of receipt;
• respond promptly and keep complainants informed throughout; and
• communicate the outcome without undue delay.
The consultation seeks to understand whether additional clarity is needed to help organisations comply with the above.
The second consultation relates to the concept of ‘recognised legitimate interests’. The DUAA introduces new processing activities which carry the presumption of legitimacy.
These public interest activities include:
• Crime prevention
• National and public security
• Safeguarding
• Emergency response
• Sharing personal data to help other organisations perform their public tasks.
The ICO’s draft guidance intends to support organisations by explaining how they may rely on the new legal basis and how the above conditions differ from the existing “legitimate interests” basis for data processing. The consultation seeks to understand whether further clarity is needed in this area.
How can employers prepare for changes under the DUAA?
Employers managing complex or large data subject access requests (DSARs) will inevitably feel the strain of completing a DSAR only to then have a complaint land on their desk. Of course, it is not just DSARs that may invite complaints. Inadvertent data breaches can attract complaints from staff or customers/clients, so it is important that all staff are reminded of their obligations when handling personal data to help reduce complaints.
Employers are understandably concerned that data protection obligations are about to become more onerous. To get ahead of the curve, employers are encouraged to:
• Review existing policies – what do you currently have in place and does this include a complaints policy?
• Review your existing reasons for processing data under the GDPR’s legitimate interest category and consult the guidance / seek advice on whether one of the new recognised legitimate interests can be relied upon.
• Offer refresher training to staff so they feel equipped to manage data protection issues and are aware of upcoming changes.
• Watch out for our further updates on this area.
If you would like to submit feedback on the consultations you can do so via the following links:
• The consultation on handling complaints closes on 19 October 2025.
• The consultation on recognised legitimate interests closes on 30 October 2025.
Lousha Reynolds
Refreshing Law
8 September 2025