
Updating Your Privacy Notice for the DUAA in 2026
The Data (Use and Access) Act 2025 changes parts of UK data protection law, and some of those changes need to show up in your privacy notice. The most pressing is the new complaints route that applies from 19 June 2026.
Your privacy notice is where most people will look for how to raise a concern, so it needs to reflect the new process. This guide sets out what to review and update.
Add the New Complaints Route
From 19 June 2026, individuals are expected to complain to the organisation first, before going to the Information Commissioner's Office. Your privacy notice should explain how to do that.
Tell people they can raise a data protection complaint with you, point them to your complaint form, and say that they can still escalate to the ICO if they are not satisfied with your response.
The full duty behind this is covered in our data protection complaints procedure guide.
Review How You Describe ICO Escalation
Many privacy notices currently say something like "you have the right to complain to the ICO". That is still true, but the order has changed.
Update the wording so it is clear the individual should come to you first, and that the ICO is the escalation route if your response does not resolve the matter.
Check Your Lawful Bases
The DUAA introduces the concept of recognised legitimate interests, a defined list of purposes that can be relied on without the usual balancing test. If you decide to rely on one of these, your privacy notice should describe the lawful basis accurately.
Do not change your stated lawful basis unless your actual processing relies on it. The notice has to match what you really do.
What to Update at a Glance
| Area | What to change |
|---|---|
| Complaints | Add how to complain to you directly, including the complaint form |
| ICO escalation | Make clear the ICO is the route after raising it with you first |
| Lawful bases | Reflect any reliance on recognised legitimate interests accurately |
| Contact details | Confirm the named owner and contact route for data protection queries |
| Review date | Record that the notice was reviewed for the DUAA in 2026 |
Keep It Honest
A privacy notice is a statement of what you actually do with personal data. Adding a complaints route you have not built, or claiming a lawful basis you do not rely on, creates more risk than it removes.
Update the notice and the underlying process together, so the words and the practice match.
How Policy Pros Can Help
We review and rewrite privacy notices so they reflect the DUAA changes and point people to a real complaints process. Our privacy policy writing and GDPR consultancy services keep your documentation aligned with current law.
To get the complaints side right at the same time, see our small business complaints checklist and our DUAA 2025 employer guide.
Frequently Asked Questions
Do we need to update our privacy notice for the DUAA?
Yes, in most cases. The most pressing change is the new complaints route that applies from 19 June 2026, which your privacy notice should explain. You should also review how you describe ICO escalation and check that any reliance on recognised legitimate interests is described accurately.
What does the DUAA change about complaining to the ICO?
From 19 June 2026, individuals are expected to complain to the organisation first, and the ICO can decline to act on a complaint that has not been raised with the controller. Your privacy notice should make clear that people should come to you first and can escalate to the ICO if unsatisfied.
What are recognised legitimate interests?
The DUAA introduces recognised legitimate interests, a defined list of purposes that can be relied on as a lawful basis without the usual legitimate interests balancing test. Only describe reliance on one in your privacy notice if your processing actually uses it.