Recent legislation will update and modernise the UK’s digital information framework. To help organisations understand and comply with the forthcoming changes, the Information Commissioner’s Office (ICO) is consulting on two new pieces of guidance.
As covered in our previous insight, the Data (Use and Access) Act 2025 (DUAA) aims to foster innovation and growth while simplifying compliance for organisations. The ICO has launched consultations on draft guidance on two aspects of the amendments made by the DUAA, specifically relating to data protection complaints and the new “recognised legitimate interest” lawful basis for processing personal data. The ICO is seeking feedback to inform and finalise each guidance note.
Consultation 1: draft complaints guidance for organisations
The DUAA creates a formal statutory right for individuals to raise complaints directly with organisations, including employers, if they believe the organisation has breached their data protection rights. Previously, individuals could take complaints straight to the ICO. Under the DUAA, they must first submit their complaint to the data controller (i.e. the organisation or employer).
The DUAA sets out some parameters for the process, including that organisations must:
- acknowledge receipt of complaints within 30 days of receiving them;
- without undue delay, take appropriate steps to respond to complaints, including making relevant enquiries and keeping individuals informed; and
- inform individuals of the outcome of their complaint without undue delay.
Only after receiving a response from the data controller may the individual escalate the matter to the ICO (which will become the “Information Commission” under the DUAA).
The guidance aims to walk organisations through the new requirements and inform them of what they must, should and could do to comply. It includes helpful tips and practical advice for each stage in the process. Responses to the consultation will help the ICO determine whether it needs to provide additional clarity before it publishes the final version.
Consultation 2: draft “recognised legitimate interest” guidance
The second consultation relates to the ICO’s draft guidance on “recognised legitimate interest”. This is a new, distinct lawful basis for processing personal data, introduced by the DUAA. Unlike the existing “legitimate interests” basis under UK GDPR, this new basis applies to specified purposes considered to be in the public interest.
There are five pre-approved purposes under this new basis:
- crime prevention;
- national and public security;
- safeguarding;
- emergencies; and
- public task disclosure requests.
The ICO’s draft guidance aims to clarify the scope and benefits of this new legal basis, as well as how it differs from the established “legitimate interests” lawful basis. It encourages organisations to review the guidance to understand when and how they may rely on “recognised legitimate interest” for processing personal data.
Next steps for organisations
Both consultations present an important opportunity for organisations to engage with the ICO and help shape the final guidance. Employers, and HR professionals in particular, should review the draft guidance documents and consider how the new requirements and lawful basis may impact their data protection policies and procedures. If you wish to provide comments on the draft guidance, the consultations remain open until 19 October 2025 and 30 October 2025, respectively.
It is also important to review and update your complaints handling procedures in line with the draft guidance and assess whether any of your data processing activities may fall under the new “recognised legitimate interest” basis.
