For any charity, the handling of personal data is a foundational element of its relationship with its data subjects. The Data (Use and Access) Act 2025 (DUA 2025) changes the data protection complaints process, creating a new legal obligation that also serves as a unique opportunity to strengthen public confidence.
From Ad-Hoc to Accountability: The Past Regime and DUA 2025
Under the previous regime, a data subject with a concern could choose to either address the issue directly with the organisation or escalate it immediately to the Information Commissioner’s Office (ICO).
The DUA 2025 now formalises a data subject’s “right to complain” to a data controller. This means a charity’s supporters, beneficiaries, and volunteers are required to raise their data protection concerns with the organisation first. The ICO will typically only consider a complaint after the individual has exhausted the organisation’s internal process.
This new legal requirement is not a roadblock; it is an invitation for charities to take control of the narrative, demonstrate transparency, and rebuild confidence directly with the individual. Resolving a complaint effectively in-house reinforces the organisation’s commitment to data protection and strengthens the bonds of trust that are so essential to its mission.
What a Charity’s Complaints Process Must Look Like
To comply with the DUA 2025, a charity must have a clear, accessible, and robust complaints procedure. This process should be designed with its diverse stakeholders in mind. The Act requires that an organisation:
- Facilitates the complaint: It must be easy for supporters to complain. This might involve a simple, dedicated form on the charity’s website or a clear email address highlighted in its privacy notice.
- Responds promptly: The organisation has a legal duty to acknowledge the complaint within 30 days. Timely communication is key to demonstrating that the matter is being taken seriously.
- Investigates thoroughly: The Act mandates that an organisation takes “appropriate steps” to investigate “without undue delay.” This means conducting a fair and objective review of the issue, which might involve communication with staff or volunteers and a review of relevant processes.
- Provides a clear outcome: Once the investigation is complete, the organisation must inform the complainant of the result. The response should be clear, non-technical, and transparent about what has been found and how the issue has been or will be resolved.
Who Heads This Process?
In many charities, the Data Protection Officer (DPO) would be the natural leader for this new process. A DPO’s expertise is critical for a complaint-handling process that can involve complex issues like data subject access requests (DSARs), data breaches, and disputes over the legal basis for processing personal data. A DPO can objectively investigate complaints, apply data protection law to specific scenarios, and ensure the charity’s response is legally sound and consistent with regulatory expectations. Their independence protects them from conflicts of interest, allowing them to provide impartial advice to the highest management levels, which is vital for making difficult decisions and maintaining integrity.
By embracing this new framework, a charity can transform a potential challenge into a powerful demonstration of its commitment to its community. This is a chance to not only comply with the law but to reinforce the ethical foundation upon which its charitable work is built.
To find out more, including about Hope and May’s DPO support, please reach out to us at info@hope-may.com.