
DUAA FAQ: Data (Use and Access) Act 2025 — What UK Businesses Need to Know

ComplianceAlert Editorial·UK Regulatory Specialists
1 April 2026·4 min read

title: "DUAA FAQ: Data (Use and Access) Act 2025 — What UK Businesses Need to Know"
slug: faq-duaa-data-use-access-act-2025
date: 2026-04-01
author: ComplianceAlert
sector: all
tags: [DUAA, data protection, ICO, UK GDPR, compliance, June 2026]
description: "The Data (Use and Access) Act 2025 introduces new obligations for UK businesses by June 19, 2026. Here's everything you need to know — in plain English."
faq: true

DUAA FAQ: What UK Businesses Need to Know Before June 19

The Data (Use and Access) Act 2025 (DUAA) is live. The June 19, 2026 deadline is approaching. And almost no UK SME knows what it requires.

Here are the answers to the questions we're hearing most often.


Q: What is the Data (Use and Access) Act 2025?

The DUAA is new UK legislation that updates and supplements the UK GDPR. It was passed in 2025 and introduces several new requirements — the most significant for small businesses being the mandatory formal data protection complaints procedure, which must be in place by June 19, 2026.


Q: Does the DUAA apply to my business?

If you are a "data controller" — meaning you decide how personal data is collected and processed — the DUAA applies to you. In practice, this covers almost every UK business. If you have:

  • A customer database or CRM
  • A mailing list or email marketing list
  • Employee records
  • Patient or client records
  • Any form of loyalty scheme or membership database

...you are a data controller and the DUAA applies.


Q: What exactly do I need to have in place by June 19, 2026?

You need a formal, written data protection complaints procedure. This must include:

  1. How individuals (customers, employees, patients) can raise a data protection complaint with you
  2. Timescales for acknowledging the complaint
  3. How you will investigate and respond
  4. The pathway for escalating an unresolved complaint to the ICO

The procedure must be written down, accessible to the people it covers, and demonstrably in place before the deadline.


Q: We already have a Privacy Policy. Does that count?

Not on its own. A Privacy Policy tells people what data you collect and how you use it. A data protection complaints procedure tells them what to do if something goes wrong.

Your complaints procedure can be included within your privacy notice or as a separate document — but it must contain the specific elements above. Most existing privacy policies don't include a complaints escalation pathway or resolution timescales.


Q: What does the ICO say about enforcement?

The ICO published final guidance on the DUAA in early 2026. Its language is explicit: compliance with the complaints procedure requirement is mandatory, not advisory. The ICO has signalled that enforcement will follow for non-compliant data controllers.

The maximum fine the ICO can impose for serious violations of UK GDPR (which the DUAA supplements) is £17.5 million or 4% of global annual turnover, whichever is higher. While maximum fines are typically reserved for serious data breaches, an absent complaints procedure can be the starting point for a compliance notice that escalates.


Q: Is healthcare higher-risk under the DUAA?

Yes, significantly. Healthcare providers (GPs, dental practices, pharmacies, care homes, mental health services) process "special category data" — health information, which has enhanced protections under UK GDPR. The DUAA's complaints procedure requirement applies with additional weight to special category data controllers.

Healthcare providers also face CQC scrutiny, which increasingly checks data governance alongside clinical standards.


Q: How long does it take to put the complaints procedure in place?

For most small businesses, writing a compliant complaints procedure takes 2-4 hours. The document itself is typically 1-3 pages. The main work is:

  • Deciding who owns incoming data complaints (a named role or email address)
  • Defining your acknowledgement timescale (5 business days is standard)
  • Setting a resolution target (typically 30 calendar days)
  • Documenting the ICO escalation pathway

ComplianceAlert's document templates include a DUAA-ready data complaints procedure. Available at compliancealert.co.uk/documents.


Q: I have a small shop with a Mailchimp list. Is that really in scope?

Yes. If you hold email addresses and use them to contact people, you are a data controller. The DUAA applies. Your complaints procedure doesn't need to be complex — but it does need to exist.


Q: What about sole traders?

Sole traders who process personal data (client databases, mailing lists, invoicing records) are data controllers and must comply. There is no size exemption.


Q: Where can I get a template for the complaints procedure?

ComplianceAlert offers free compliance document templates including a DUAA-ready data protection complaints procedure at compliancealert.co.uk/documents (free with Starter plan, no sign-up required for preview).


Not sure if your business is compliant? Take our free 3-minute Compliance Score quiz — instant results, no sign-up required.

👉 compliancealert.co.uk/compliance-score


This FAQ is for general guidance only and does not constitute legal advice.
