What's Happening?
In June 2026, new regulations under the Data (Use and Access) Act 2025 (DUAA) will come into effect, impacting how subscription providers handle customer complaints related to data protection. These changes amend the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations. The reforms aim to simplify the data protection framework, support innovation, and encourage responsible data sharing while maintaining high standards. Subscription businesses, which rely heavily on customer data for marketing and engagement, are advised to review their complaints processes to ensure compliance. The DUAA mandates that data controllers provide clear and accessible channels for individuals to raise complaints, with a requirement to acknowledge complaints within 30 days and investigate them promptly. Non-compliance could result in significant fines, up to £17.5 million or 4% of global turnover for severe breaches.
Why Is It Important?
The introduction of these new rules is significant for subscription providers as it emphasizes the importance of data protection and customer satisfaction in the digital economy. With the potential for substantial fines, businesses are incentivized to prioritize transparent and efficient complaint handling processes. This shift not only protects consumer rights but also encourages companies to maintain high standards of data management, which can enhance customer trust and loyalty. As subscription models become increasingly prevalent, the ability to manage customer data responsibly is crucial for sustaining business growth and competitiveness. The DUAA's focus on direct resolution of complaints before escalation to the Information Commissioner’s Office (ICO) also highlights a move towards more proactive and customer-centric business practices.
What's Next?
Ahead of the June 2026 deadline, subscription providers are expected to review and possibly revise their existing complaints, privacy, and customer service processes to align with the new DUAA requirements. This includes ensuring that privacy notices are updated and that contractual arrangements with third parties adequately cover data protection complaints. Businesses will need to implement clear procedures, accessible reporting routes, and consistent record-keeping to demonstrate compliance. As the deadline approaches, there may be increased scrutiny from regulatory bodies, and companies will need to ensure that their staff are adequately trained and aware of the new processes. The emphasis on resolving issues directly with customers before involving the ICO suggests a shift towards more efficient and customer-focused complaint resolution strategies.






