The Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025, introduced a range of reforms to the UK's data protection landscape. Among the most operationally significant changes for organisations is Section 103, which mandates a formal data subject complaints procedure. With the compliance deadline of 19 June 2026 fast approaching, every organisation that processes personal data must act now to meet this obligation. The ICO has already signalled that compliance with these new provisions will be an area of focus, making early preparation essential.
What Section 103 Requires
Section 103 of the Data (Use and Access) Act 2025 inserts a new requirement into the Data Protection Act 2018. It obliges all organisations that process personal data to establish and maintain a written procedure for handling complaints from data subjects. This is not optional guidance from the ICO — it is now a statutory requirement backed by enforcement powers under Schedule 15 of the Act.
Before the DUAA, the ICO's guidance encouraged organisations to handle data subject complaints as part of broader accountability obligations under UK GDPR Article 5(2). Section 103 makes this expectation explicit and enforceable. The ICO can issue information notices, assessment notices, and enforcement notices against organisations that fail to establish or follow a compliant procedure.
The key obligations under Section 103 include:
- A documented, published complaints procedure — data subjects must be able to find and understand how to submit a complaint about the processing of their personal data.
- Timely acknowledgment and response — complaints must be acknowledged promptly and responded to within defined timeframes.
- Clear escalation pathways — the procedure must explain what happens if the data subject is dissatisfied with the response, including their right to refer the matter to the ICO.
- Record-keeping — organisations must maintain records of complaints received, actions taken, and outcomes, which the ICO may request during investigations.
Who Is Affected?
Unlike the mandatory DPO requirement under UK GDPR Article 37, which applies only to certain categories of organisation, Section 103 applies to all organisations that process personal data. This is a significant expansion of mandatory compliance obligations and catches many small and micro-businesses that previously had limited direct data protection duties beyond the core principles of UK GDPR.
Affected organisations include:
- Small and medium-sized enterprises with any staff or customer data
- Charities and non-profit organisations that hold donor or beneficiary records
- Public sector bodies of all sizes, from parish councils to central government departments
- Large enterprises already subject to comprehensive data protection obligations
- Any organisation outside the UK that processes UK residents' personal data (extraterritorial scope mirrors UK GDPR Article 3)
- Sole traders and partnerships that process customer or client personal data
There is no exemption based on organisation size, turnover, or volume of data processed. If you process personal data, you must comply. This is deliberately broad — Parliament intended to give every individual a guaranteed mechanism for raising data protection concerns, regardless of which organisation handles their data.
For organisations that already have a DPO, the burden of Section 103 is relatively light, as complaint handling naturally falls within the DPO's remit under UK GDPR Article 39. For organisations without a DPO — and particularly for SMEs — this represents a new compliance obligation that requires dedicated attention.
Implementation Deadline: 19 June 2026
The transitional provisions in the Data (Use and Access) Act 2025 give organisations one year from Royal Assent to implement the Section 103 complaints procedure. This means the compliance deadline is 19 June 2026. With this date now only days away, organisations that have not yet prepared their procedure are in a critical window.
Given that the ICO has been actively involved in shaping the data protection provisions within the Act, our team expects the ICO to begin enquiring about compliance from this date. Organisations that cannot demonstrate a compliant complaints procedure in place by June 2026 may face regulatory action, including information notices and enforcement measures under Schedule 15 of the DUAA.
Our consultants recommend that organisations do not wait for the deadline to pass. Proactive compliance — publishing the procedure before the deadline and ensuring staff are trained — demonstrates good-faith adherence to the new regime and is viewed favourably by the ICO in any subsequent investigation.
Practical Steps to Comply with Section 103
Implementing a Section 103-compliant complaints procedure involves several concrete steps:
- Review and update your privacy notice. Your privacy notice should clearly state how data subjects can submit a complaint about their personal data processing, including the channels available (email, web form, post).
- Dedicate a specific complaints procedure document. While many organisations reference complaints within broader policies, Section 103 requires a dedicated, standalone procedure that is easily accessible to data subjects.
- Assign responsibility. Identify who in your organisation will handle data subject complaints. For organisations with a DPO, this naturally falls within their remit. For others, appoint a named individual with the authority to investigate and respond.
- Set response timeframes. The Act does not prescribe specific timeframes, but the ICO's existing guidance suggests a best practice of acknowledging within 5 working days and providing a substantive response within 30 calendar days.
- Establish a record-keeping system. Whether a simple spreadsheet or a dedicated case management tool, you need to log each complaint, track its progress, and record the outcome.
- Train your team. Ensure staff who handle customer enquiries know how to identify and escalate a data subject complaint, as distinct from a general service complaint.
- Publish the procedure. Make the procedure available on your website, within your privacy notice, and — where relevant — in customer portals or apps.
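The record-keeping and timeframe steps above are easy to get wrong in practice, most often because acknowledgement deadlines are counted in working days while response deadlines are counted in calendar days, and because service complaints get mixed into the same log as data subject complaints. The following Python module is an added illustration of a minimal complaint register that tracks both deadlines, keeps a per-complaint action log, and flags in-scope complaints that are overdue or whose response omitted the right to refer the matter to the ICO. It is not code from the original article or from any consultancy; it assumes the 5-working-day and 30-calendar-day targets the article cites as ICO best practice, treats only Saturday and Sunday as non-working days (UK bank holidays are not modelled), and the complaint references and entries in `demo()` are constructed sample data.

```python
"""Minimal data subject complaint register with deadline tracking.

Added example, not the article's own code. Assumptions: the 5-working-day
acknowledgement and 30-calendar-day response targets cited in the article;
working days skip Saturday and Sunday only (bank holidays not modelled).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional

ACK_WORKING_DAYS = 5          # acknowledgement target (article's cited best practice)
RESPONSE_CALENDAR_DAYS = 30   # substantive response target (same source)


class ComplaintType(Enum):
    DATA_SUBJECT = "data_subject"   # about processing of personal data: in scope
    SERVICE = "service"             # ordinary customer-service complaint: out of scope


def add_working_days(start: date, days: int) -> date:
    """Date `days` working days after `start` (Mon-Fri only; bank holidays ignored)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:   # 0=Mon ... 4=Fri
            remaining -= 1
    return current


@dataclass
class Complaint:
    ref: str
    received: date
    kind: ComplaintType
    summary: str
    acknowledged_on: Optional[date] = None
    responded_on: Optional[date] = None
    outcome: Optional[str] = None
    escalation_info_given: bool = False   # did the response state the right to go to the ICO?
    log: List[str] = field(default_factory=list)

    @property
    def ack_due(self) -> date:
        return add_working_days(self.received, ACK_WORKING_DAYS)

    @property
    def response_due(self) -> date:
        return self.received + timedelta(days=RESPONSE_CALENDAR_DAYS)

    def overdue_items(self, today: date) -> List[str]:
        """Service levels missed as of `today` for steps not yet completed."""
        missed = []
        if self.acknowledged_on is None and today > self.ack_due:
            missed.append("acknowledgement")
        if self.responded_on is None and today > self.response_due:
            missed.append("response")
        return missed


class ComplaintRegister:
    """In-memory register; a real one would persist to a database or spreadsheet."""

    def __init__(self) -> None:
        self._items: Dict[str, Complaint] = {}

    def receive(self, ref: str, received: date, kind: ComplaintType, summary: str) -> Complaint:
        c = Complaint(ref, received, kind, summary)
        c.log.append(f"{received.isoformat()} received ({kind.value})")
        self._items[ref] = c
        return c

    def acknowledge(self, ref: str, on: date) -> None:
        c = self._items[ref]
        c.acknowledged_on = on
        c.log.append(f"{on.isoformat()} acknowledged")

    def respond(self, ref: str, on: date, outcome: str, escalation_info_given: bool) -> None:
        c = self._items[ref]
        c.responded_on, c.outcome = on, outcome
        c.escalation_info_given = escalation_info_given
        c.log.append(f"{on.isoformat()} responded: {outcome}")

    def compliance_issues(self, today: date) -> Dict[str, List[str]]:
        """ref -> problems, for in-scope (data subject) complaints only."""
        issues = {}
        for ref, c in self._items.items():
            if c.kind is not ComplaintType.DATA_SUBJECT:
                continue   # service complaints follow a different pathway
            problems = c.overdue_items(today)
            if c.responded_on is not None and not c.escalation_info_given:
                problems.append("response omitted right to complain to the ICO")
            if problems:
                issues[ref] = problems
        return issues


def due_dates(received_iso: str) -> Dict[str, str]:
    """Both deadlines, as ISO strings, for a complaint received on `received_iso`."""
    received = date.fromisoformat(received_iso)
    return {"acknowledge_by": add_working_days(received, ACK_WORKING_DAYS).isoformat(),
            "respond_by": (received + timedelta(days=RESPONSE_CALENDAR_DAYS)).isoformat()}


def demo(today_iso: str = "2026-07-20") -> Dict[str, List[str]]:
    """Constructed sample register; returns the compliance issues as of `today_iso`."""
    reg = ComplaintRegister()
    reg.receive("DS-001", date(2026, 6, 19), ComplaintType.DATA_SUBJECT, "objects to marketing profiling")
    reg.acknowledge("DS-001", date(2026, 6, 22))
    reg.respond("DS-001", date(2026, 7, 10), "profiling stopped", escalation_info_given=False)
    reg.receive("DS-002", date(2026, 6, 19), ComplaintType.DATA_SUBJECT, "asks why data was shared")
    reg.receive("CS-003", date(2026, 6, 19), ComplaintType.SERVICE, "parcel arrived late")
    return reg.compliance_issues(date.fromisoformat(today_iso))


if __name__ == "__main__":
    print(due_dates("2026-06-19"))
    print(demo())
```

Run as a script, the output shows that a complaint received on Friday 19 June 2026 must be acknowledged by 26 June and answered by 19 July, and that as of 20 July the unanswered complaint DS-002 has missed both targets while DS-001 was answered on time but without the ICO escalation information. The service complaint CS-003 is ignored entirely, which is the point of recording the complaint type at intake.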
Common Pitfalls to Avoid
From our experience helping organisations prepare for new regulatory obligations, we see several recurring mistakes:
- Treating it as a tick-box exercise. A generic complaints policy copied from a template without adapting it to your organisation's specific processes will not withstand ICO scrutiny. The procedure must reflect how your organisation actually operates.
- Failing to distinguish data subject complaints from customer service complaints. A customer complaining about late delivery is not the same as a data subject objecting to how their personal data is processed. These require different handling pathways.
- Ignoring the escalation route. Every complaints procedure must inform data subjects of their right to complain to the ICO if they are unsatisfied with the organisation's response. Omitting this is a compliance failure in itself.
- Delaying until the deadline. With the June 2026 deadline approaching, organisations that start now can implement thoughtfully. Those that wait risk a rushed, non-compliant procedure.
How Section 103 Interacts with Existing Obligations
Section 103 does not replace existing rights under UK GDPR — it adds to them. Data subjects retain their existing rights under UK GDPR Articles 15-22 to access, rectify, erase, restrict, object, and port their data. The new complaints procedure provides a structured mechanism for raising concerns about how these rights are handled.
The ICO has also confirmed that it expects organisations to integrate their Section 103 procedure with their broader accountability framework under UK GDPR Article 5(2). This means demonstrating not just that a procedure exists, but that it is followed in practice — with records, evidence of training, and demonstrable response times.
Relationship with the Mandatory DPO Requirement
It is important to understand that Section 103 and the mandatory DPO requirement under UK GDPR Article 37 are separate obligations. An organisation can be fully compliant with Section 103 without having a DPO — and conversely, having a DPO does not automatically satisfy Section 103.
However, for organisations that do have a DPO, the DPO's responsibilities under Article 39(1)(e) — dealing with enquiries from data subjects — naturally extend to managing the Section 103 complaints procedure. For organisations without a DPO, responsibility should be assigned to a named individual with data protection knowledge and the authority to investigate and respond to complaints.
The ICO's Role and Enforcement Approach
The ICO has been closely involved in shaping the data protection provisions within the Data (Use and Access) Act 2025. Our team expects the ICO to treat compliance with Section 103 as a priority area in its 2026-2027 regulatory action plan. The ICO's enforcement toolkit under the DUAA includes:
- Information notices — requiring organisations to provide details of their complaints procedure and complaint records
- Assessment notices — requiring organisations to submit to an ICO audit of their complaint handling processes
- Enforcement notices — compelling organisations to implement or correct their complaints procedure within a specified timeframe
- Monetary penalties — applicable where a failure to comply with a notice is serious, deliberate, or likely to cause substantial damage or distress
The statutory maximum under the UK GDPR framework is a turnover-based penalty at the top of the statutory scale, but this ceiling is reserved for the most serious infringements by the largest organisations. In practice, the ICO's response to most organisations is a reprimand, an enforcement notice, or an improvement notice rather than a headline fine — the priority is corrective action and demonstrable compliance, not maximum penalties.
How Our Consultants Can Help
Our team of data protection specialists can review your current complaints handling arrangements, develop a Section 103-compliant procedure, and integrate it with your broader UK GDPR compliance programme. As part of our fractional vCISO service, we provide ongoing compliance oversight that ensures your organisation stays ahead of regulatory changes like the Data (Use and Access) Act 2025.