UK data protection law has taken a meaningful step forward. The Data (Use and Access) Act 2025 (DUAA) received Royal Assent and became law on 19 June 2025, introducing targeted amendments to the UK GDPR, the Data Protection Act 2018, and PECR. The Act has been coming into force in stages, with most of the remaining data protection provisions taking effect on 5 February 2026, and the new complaints handling requirements following on 19 June 2026.

As an enterprise SaaS platform, SimplyDo is committed to ensuring our platform and processes not only meet but exceed these new obligations, and we've been preparing well ahead of the deadline.

What the Act introduces

The centrepiece change for most organisations is a new statutory duty around complaints handling. Section 103 of the DUAA introduces a formal requirement for organisations to implement a data protection complaints process, which becomes a legal requirement from 19 June 2026. The aim is to make it easier for individuals to raise concerns directly with organisations about how their personal data has been handled, and to resolve issues at an early stage, without the need to involve the ICO unless necessary.

Under this new regime, data subjects must first raise their complaint with the data controller before escalating it to the ICO. a fundamental change to the UK's complaint-handling landscape, creating an intermediate step between individuals experiencing concerns about their data and regulatory intervention.

The specific requirements are clear. Organisations must provide accessible means for individuals to submit complaints, acknowledge receipt within 30 days, investigate and respond without undue delay keeping the complainant informed of progress, and clearly explain the outcome once the complaint has been concluded. The 30-day acknowledgement period begins the day after receipt, regardless of whether that day falls on a weekend or bank holiday.

What this means for SimplyDo as a Data Processor

SimplyDo operates as a Data Processor. We handle personal data on behalf of our enterprise customers, who are the Data Controllers. The statutory complaints obligations under the DUAA fall directly on controllers; our role is to ensure we support our customers in meeting those obligations effectively, and to handle any complaints that arrive at our door appropriately.

In practice, this means we have protocols in place so that if an end-user raises a data protection concern directly with SimplyDo rather than with the enterprise customer on whose behalf we act, we can either forward that complaint or clearly direct the user to the right controller. We also maintain internal SLAs aligned to the 30-day acknowledgement window, ensuring nothing falls through the cracks.

What we've done

SimplyDo has been updating our platform, documentation, and internal processes proactively to make compliance straightforward for our customers. Our key measures include:

Dedicated complaints process

We have established a dedicated data protection complaints channel with a published contact address, a clearly signposted section within account settings, and automated acknowledgement configured in our support system to ensure the 30-day clock is met without manual intervention.

Transparency and documentation

Our privacy notices have been updated to make clear that users have a right to raise data protection complaints directly with SimplyDo and to the ICO. We've also published help centre articles explaining the new process, and our Data Processing Agreements (DPAs) for new enterprise customers have been updated to define clearly how complaints are handled and how information is shared where shared controller responsibilities apply.

Operational readiness

Our internal teams have been trained to recognise a data protection complaint even when a user doesn't frame it in legal terms. This allows the right escalation to happen regardless of how a concern is expressed. We've also reviewed and updated our internal SLAs to reflect the statutory timelines.

Our commitment

Data protection compliance isn't a one-off exercise — it's an ongoing commitment to the people who use our platform and the organisations that trust us to process their data responsibly. The DUAA represents a positive step towards greater accountability and transparency across the UK data ecosystem, and we're glad to be ahead of it. If you have questions about how SimplyDo's compliance measures affect your organisation, or if you'd like to review our updated DPA, please don't hesitate to get in touch with our team.

‍