7 October 2025

The Information Commissioner's Office (ICO) Launches Public Consultations On Data Protection Complaints

Withers LLP

Two public consultations have been issued by the ICO on draft guidance for imminent amendments to UK GDPR rules made by the Data (Use and Access) Act 2025 ('DUAA').

The first consultation relates to the ICO's draft guidance for organisations on handling complaints about their use of personal data. Under the upcoming amendments to the UK GDPR rules made by the Data (Use and Access) Act 2025, anyone who is dissatisfied with how an organisation has handled their personal information can raise a complaint. The ICO's guidance states that all organisations must put in place adequate processes for handling data protection complaints by June 2026. The draft guidance sets out the new requirements and details compliance options. Organisations must:

  • Provide a way for people to make a data protection complaint;
  • Acknowledge receipt of complaints within 30 days;
  • Take 'appropriate steps' to respond to complaints, including keeping those who have made a complaint informed and making adequate enquiries; and
  • Inform those who have made a complaint of the outcome of their complaint, without undue delay.

The consultation closes on 19 October 2025.

The DUAA introduces the concept of 'recognised legitimate interests'. This is a new basis giving organisations the ability to use personal data for a set of pre-approved purposes. The second consultation relates to the ICO's guidance on this basis. Notably, the new basis is distinct from the existing 'legitimate interests' basis set out in the UK GDPR. The new 'recognised legitimate interests' basis contains five pre-approved purposes for processing personal data. Annex 1 of the UK GDPR lists the purposes as:

  • Public Task Disclosure Request – Where an organisation may need to share personal data with another organisation that has requested it because they need it for their public task or official functions.
  • National Security, Public security and defence – Where an organisation needs to use personal information to safeguard national security, protect public security or for defence reasons.
  • Emergencies – Where personal data is used to respond to, or deal with, an emergency situation.
  • Crimes – Where personal data is used to prevent, detect or investigate crimes, including the apprehension and prosecution of offenders.
  • Safeguarding – Where an organisation uses personal data to protect the physical, mental or emotional well-being of people who need extra support to do this or protect them from harm or neglect.

The consultation closes on 30 October 2025.
