Despite the hype of some desperate consultants, eager to squeeze a few pennies out of cash-strapped organisations, the Data (Use and Access) Act 2025 isn’t filled with new obligations. It would be possible to ignore nearly all of it and not “break the law”. You’d probably miss out on a lot of opportunities, but it isn’t a big set of requirements. Virtually everything is an amendment to either GDPR, PECR or the Data Protection Act 2018, and if I was being positive, I would say that the DUAA offers opportunities, not obligations.

There is at least one serious obligation that all controllers must have in place. You might already be doing it, but it’s still important to make sure that you’re doing it right You have to have a complaints procedure for data protection issues. The ICO is putting a lot of faith in the success of this, so it’s worth making sure yours works.

Course includes:

• How does the complaints procedure have to work?

• Setting up an efficient and useful system – comparisons with FOI internal reviews

• Who should operate it? Should the DPO steer clear or take charge?

• What outcomes are people entitled to?

• What constitutes a ‘good’ or ‘compliant;’ response?

• How to deal with a complainant who isn’t happy with the outcome of the complaint

• How to manage the Commissioner’s irritation that complaints are still flowing from your organisation