The Information Commissioner’s Office (ICO) has launched two new consultations on changes to data protection laws that are set to be introduced under the Data (Use and Access) Act 2025 (the Act), which received Royal Assent on 19 June 2025.
The ICO is consulting on draft guidance it has published to help organisations understand and apply amendments relating to data protection complaints and to a new lawful basis for processing personal data in the public interest, known as ‘recognised legitimate interest’.
The consultation on the ICO’s draft Complaints guidance for organisations is open until 23.59 on 19 October 2025. The ICO says that by June 2026, organisations must comply with the new requirement to have a process in place to handle data protection complaints introduced by the Act. A complaint can come from anyone who is unhappy with how an organisation has handled their personal data, for example in response to a subject access request or where there has been a data breach. Organisations will be required to:
- Give people a way of making data protection complaints
- Acknowledge receipt of complaints within 30 days of receiving them
- Without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep people informed; and
- Without undue delay, tell people the outcome of their complaints.
A separate consultation on the ICO’s draft Recognised legitimate interest guidance has also been opened. ‘Recognised legitimate interest’ is a new lawful basis for processing personal data introduced by the Act, although not yet in force.
This is different to the current ‘legitimate interests’ lawful basis that already exists under the GDPR. The draft guidance sets out five recognised legitimate interest conditions for processing personal data that is in the public interest, including crime prevention, safeguarding, national and public security, emergencies and public task disclosure requests.
The consultation runs until 23.59 on 30 October 2025.