
UK DUAA: new privacy obligations

  • Writer: Katarzyna Celińska
  • 9 hours ago

All organisations subject to the UK data protection regime, including the UK GDPR, now need to deal with new requirements introduced by the Data Use and Access Act (DUAA).

 

 

One of the first practical changes is already in force: new legal requirements on how organisations handle data protection complaints.

All organisations handling personal data must now provide people with a clear way to raise a data protection complaint, acknowledge it within 30 days, investigate it appropriately and communicate the outcome. 



 

A complaint is often the first signal that something in the privacy operating model is not working properly:

➡️ an unanswered subject access request,

➡️ inaccurate personal data,

➡️ unclear privacy notices,

➡️ marketing without a proper basis,

➡️ weak consent management,

➡️ poor handling of objections,

➡️ or lack of transparency around data use.

 

If such issues are not handled quickly and fairly, they can escalate into regulator complaints, reputational damage, customer distrust and broader compliance findings.

 

The ICO also notes that many businesses aware of the DUAA either do not know whether the law change applies to them or incorrectly think that it does not. They should already review their privacy framework, customer-facing processes, complaint handling workflows, training, evidence model and escalation paths.

 

From a GRC perspective, this should be translated into controls:

➡️ documented complaints procedure,

➡️ intake channels for individuals,

➡️ 30-day acknowledgement tracking,

➡️ investigation and response templates,

➡️ escalation to DPO / privacy team,

➡️ root cause analysis,

➡️ linkage with DSAR, marketing and accuracy processes,

➡️ reporting to management,

➡️ and audit evidence.



 
 
 
