The introduction of the Data Use and Access Act 2025 (DUAA 2025) marks a significant shift in the way organisations must deal with data protection concerns. For the first time, individuals now have a statutory right to raise a data protection complaint directly with the organisation they believe has mishandled their information, before escalating the matter to the Information Commissioner’s Office (ICO).
This new obligation will inevitably have implications for all businesses, law firms included. Clients, employees, or third parties are now entitled to expect that their concerns will be acknowledged, investigated, and responded to within clear statutory timeframes.
Whilst the requirement to establish a formal complaints-handling process may appear to be yet another compliance burden, in reality it is also an opportunity. Firms now have a structured mechanism for resolving issues internally, demonstrating transparency, and maintaining trust. Equally, however, a failure to comply will expose firms to regulatory enforcement by the ICO, and possibly also disciplinary action by the Solicitors Regulation Authority (SRA). There is therefore a clear risk that reputational damage may flow from mishandling sensitive data.
The Regulatory Jigsaw
The requirement for businesses to have a complaints policy and associated procedures is to be found in the DUAA 2025, which requires organisations to create a formal mechanism for acknowledging, investigating, and responding to complaints. The Act sets out timescales, including the need to acknowledge complaints within thirty days and to provide written outcomes without undue delay. It also allows for the possibility of mandatory reporting of complaints data to the ICO.
The second layer is the continuing framework provided by the UK GDPR and the Data Protection Act 2018. These remain the backbone of data protection compliance in the UK. Firms must still ensure that data is processed lawfully and fairly, that it is accurate and not retained longer than necessary, and that it is kept secure. Failures to comply with these principles may lead to fines of up to £17.5 million or 4 per cent of global turnover. The complaints mechanism introduced by the DUAA therefore operates alongside these wider obligations, offering firms an early opportunity to address problems before they escalate.
The third layer is the professional framework established by the SRA. Solicitors are subject to Principles requiring them to act with integrity, maintain public trust and confidence, and act in the best interests of clients. Paragraph 7.3 of the Code of Conduct requires cooperation with regulators, including the ICO. The failure to deal properly with complaints about data protection may therefore amount not only to a breach of data protection law but also to professional misconduct.
Why a Data Protection Complaints Policy Matters
The need for a formal complaints policy extends well beyond legal compliance. In the first instance, the existence of such a policy ensures adherence to the DUAA’s statutory requirements. However, its benefits also include the preservation of client trust. Errors will inevitably occur, but when clients see that concerns are dealt with promptly and fairly, confidence in the firm can often be maintained. The opposite is also true: a lack of responsiveness is likely to damage relationships far more than the original mistake.
A transparent and structured complaints process also offers reputational protection. Regulators can impose penalties, but the reputational fallout of mishandling sensitive information may be more damaging still. A robust policy signals to clients, employees, and regulators that the firm takes accountability seriously. Complaints can also be a valuable source of learning. Analysing them allows firms to identify weak points in their systems, training, or procedures, and to make improvements that reduce future risks.
Finally, the existence of an accessible and fair complaints policy supports a healthy internal culture. Employees are more likely to raise legitimate concerns if they trust the process. This openness helps firms identify and resolve risks before they escalate and demonstrates a commitment to accountability at all levels.
What a Good Policy Should Contain
A well-drafted policy should begin with a clear statement of its purpose and scope. It must set out that its purpose is to provide a fair and transparent process for handling complaints about the use of personal data. It should also identify who may raise complaints, including clients, prospective clients, employees, contractors, and other third parties.
The policy should define what constitutes a data protection complaint, providing examples such as the unauthorised disclosure of data, failure to correct inaccurate information, retention of data beyond what is necessary, or the failure to respond to a subject access request. For employees, complaints might relate to the handling of personnel files, the monitoring of communications, or the misuse of sensitive records.
Accessibility is a critical component. Complaints should be capable of being raised in writing, by email, or verbally, and staff should be trained to escalate them immediately to a designated Data Protection Manager or equivalent. Reasonable adjustments should be made to accommodate the needs of vulnerable individuals.
Timeliness is equally important. While the DUAA allows thirty days to acknowledge a complaint, best practice is to respond within five working days and to issue a substantive response within one month. Where more time is required in complex cases, the complainant should be informed of the reasons for the delay.
The principles of impartiality and confidentiality should also be embedded. Complaints should be investigated by someone not directly involved in the matter to avoid conflicts of interest, and information should only be shared with those who need to know. The policy must also make clear how outcomes will be communicated. If a complaint is upheld, the firm should explain what corrective action has been taken, such as rectifying records, updating procedures, or providing further training. If it is not upheld, the reasoning should be clearly explained and the complainant informed of their right to approach the ICO.
Handling Complaints in Practice
In practical terms, complaints from clients or third parties should be logged and escalated immediately. Investigations may involve reviewing files, interviewing staff, or conducting technical checks, and progress should be communicated to the complainant. A written outcome must be provided within the statutory timeframe.
Employee complaints may follow a slightly different path. They can be raised through HR or directly with the Data Protection Manager, and investigations may involve reviewing personnel records or consulting managers. Importantly, the policy should confirm that employees will not face detriment for raising concerns.
Record-keeping is central to effective complaints handling. Firms should maintain a Data Protection Complaints Register recording the details of each complaint, the outcome, and any remedial action taken. Standard templates should also be adopted for acknowledgement and outcome letters to ensure consistency, clarity, and compliance with legal requirements.
Integrating with Wider Firm Policies
A data protection complaints policy cannot be developed in isolation. It must be integrated with the firm’s wider framework of policies and procedures, including the general complaints process, the data breach response plan, HR grievance procedures, and risk management policies. This ensures that individuals receive a coordinated response where complaints overlap. For example, a client who raises concerns about both service quality and data handling should receive a single, coherent response rather than being directed through multiple channels.
Training and Awareness
The success of a complaints policy depends on whether staff know how to apply it. Training is therefore essential. All staff, including partners, solicitors, and support staff, should be trained to recognise data protection complaints, to understand how to escalate them, and to appreciate the timescales that apply. Induction programmes should cover the basics, and refresher training should be provided regularly. Managers should receive more detailed training on how to investigate complaints and report findings.
The Risks of Non-Compliance
The consequences of non-compliance are significant. From the ICO, firms theoretically risk administrative fines of up to £17.5 million or 4 per cent of turnover – although in practice any fine imposed on most law firms is likely to be substantially less than that. From the SRA, failures in data protection may lead to disciplinary action, ranging from conditions on practising certificates to referral to the Solicitors Disciplinary Tribunal. Reputational harm may also follow, with the loss of client confidence often proving more damaging than regulatory penalties. Internally, staff who fail to follow the policy may face disciplinary measures under the firm’s own procedures.
Embedding Continuous Improvement
A complaints process should be seen as a tool for continuous improvement rather than a static requirement. Complaints data should be reviewed annually to identify trends and recurring issues. Policies should be updated in light of experience, new guidance from the ICO, or legislative change. Senior management should receive reports on complaints received and lessons learned, embedding accountability into the firm’s wider compliance culture.
Practical Steps for Senior Leaders
To embed a policy successfully, senior leaders should ensure that a Data Protection Manager or Compliance Officer is appointed to oversee the process. A central complaints register should be maintained and standard templates for correspondence adopted. All staff must be trained, and clients should be informed of the policy, for example through client care letters or the firm’s website. Mock complaints can be used to test the robustness of the process. Finally, regular reports should be made to management so that the handling of complaints contributes to strategic oversight of risk and compliance.
Conclusion
The DUAA 2025 has fundamentally changed the responsibilities of solicitors’ firms in relation to data protection complaints. What was once a matter of best practice is now a statutory requirement. For law firms, the stakes are particularly high, given the sensitivity of the data they handle and the professional standards to which they are held.
An effective Data Protection Complaints Policy should not be regarded merely as an administrative necessity. Properly designed and embedded, it is a strategic tool that supports compliance, preserves client trust, protects reputation, and strengthens the firm’s culture of accountability. Senior leaders who embrace the new requirements and use them as an opportunity for improvement will not only avoid regulatory and reputational risks but will also enhance the confidence of clients and employees alike.
Infolegal has produced a comprehensive guidance note dealing with Implementing a Data Protection Complaints Policy, as well as a Data Breach Complaints Template Policy which includes a template Data Protection Complaint Investigation Report, a template Data Protection Complaints Register and two template complaints letters. It has also produced data protection training courses aimed both at partners/directors and senior staff and a separate course aimed at junior and support staff.
These are available to all Infolegal subscribers via the Infolegal InfoHub.
For more information, or to gain access to the various materials, contact enquiries@infolegal.co.uk