Opinion

The ICO publishes its regulatory approach in light of Data (Use and Access) Act 2025 and framework on its handling of data protection complaints

Published Date
Mar 4 2026
Related people
Laur Badín, Counsel, Madrid
Isabel Iglesias, Manager Knowledge and Innovation, Madrid
On February 4 2026, the Information Commissioner’s Office (ICO) published its data protection framework (the ICO Framework), outlining how it will approach data protection complaints. Noting that it may not always investigate a complaint, the ICO explained that, though it assesses each complaint individually, it will use specific criteria to triage complaints (outlined below).

On February 5 2026, the ICO also clarified its approach to enforcement during the staggered commencement of the various parts of the Data (Use and Access) Act 2025 (DUAA) (the DUAA Statement). 

ICO Framework

The ICO confirmed that it will use the following criteria to triage complaints it receives:

  • the level of harm caused or likely to be caused;
  • the impact on vulnerable individuals (e.g., children);
  • the number of people significantly impacted by the complaint;
  • the breadth of improvements to data protection rights which may arise from investigating the complaint;
  • whether individuals are required to provide their data to the organisation (e.g., there are no or limited alternatives, such as essential services); 
  • the relevance of the issue to the ICO’s strategic priorities;
  • the public interest in investigating the complaint; and 
  • whether the ICO already knew about the issue.

The ICO Framework states that even where a complaint is not investigated, the ICO will record it for information purposes and will record how many data protection complaints are received in relation to an organisation. 

If the number of complaints about a particular organisation exceeds a threshold (which is yet to be finalised) within a specified time period, the ICO may re-assess whether further regulatory action is required. However, reaching the threshold will not automatically trigger regulatory action. Instead, the ICO states that it will contact organisations to discuss recurring issues and will only consider taking further regulatory action if organisations do not engage with the ICO, or the ICO considers that the steps the organisation has taken to address issues are inadequate.

DUAA Statement

DUAA received Royal Assent on June 19 2025. However, it has come, and will continue to come, into effect in phases, with provisions commencing two, six and twelve months after Royal Assent (August 2025, December 2025 and June 2026, respectively). Various provisions amend pre-existing laws under the Data Protection Act 2018, the UK General Data Protection Regulation and the Privacy and Electronic Communications Regulations (PECR).

In the DUAA Statement, the ICO confirmed that it will “apply the law” as it stood at the time of infringement, rather than at the date of complaint or when the infringement was identified. However, in some cases, the ICO will exercise its discretion in considering regulatory action in response to alleged non-compliance with an existing provision that is going to be removed, amended or replaced under DUAA. In these cases, the ICO will make a judgement on whether: (i) to proceed with regulatory action under the old provision; or (ii) where there is continued non-compliance, to take action under the new or amended provisions. In making this judgement, the ICO will take into account the guidance available to organisations at the time of the alleged non-compliance.

The ICO also noted that DUAA grants it new enforcement powers, including the power to compel a witness to attend an interview, request technical reports, and issue fines of up to £17.5 million or 4% of global turnover under PECR. The ICO has already consulted (between 31 October 2025 and 23 January 2026) on its new draft procedural guidance addressing investigation and enforcement action processes following DUAA. Final guidance will be published in due course – the ICO has not yet confirmed a publication date. The ICO also expects to publish guidance on the new requirements for organisations introduced by DUAA, such as those relating to children’s use of online services and data protection complaints. 

The ICO Framework is available here and the DUAA Statement is available here.
