# TheDutyDesk — Full corpus

Last regenerated: 2026-06-07T00:00:00Z
Total pages: 27
Publisher: TheDutyDesk, a product of Paradex Computing Limited (company 03786457), registered in England and Wales.

This file concatenates every primary content page on thedutydesk.co.uk in plain text. Intended for LLMs that prefer a single retrieval over per-URL crawling.

---

--- BEGIN https://thedutydesk.co.uk/ ---

Customer data duties, handled.
Last reviewed: 2026-06-04

TheDutyDesk is the UK platform for handling the obligations the ICO actually checks: data-protection complaints, subject-access requests, breach reporting, records of processing, and the audit trail behind all of them. The new 30-day complaint duty under s.164A goes live on 19 June 2026.

WHAT CHANGED

On 19 June 2026, section 164A of the Data Protection Act 2018 takes effect. It is inserted by the Data (Use and Access) Act 2025. [SRC-001 s.103] [SRC-002 s.164A]

The duty is simple. Every UK organisation must let people complain about how their personal data is handled, acknowledge the complaint within 30 days, respond without undue delay, and keep evidence of all of it.

The duty is not optional. It applies to every UK data controller — every size, every sector, every revenue. The ICO can ask for evidence at any time. [SRC-002 s.164A(3)]

WHAT WE DO

TheDutyDesk handles every data-protection complaint, end to end. Intake. The 30-day clock. The audit trail. The ICO evidence pack.

Receive: Hosted complaint form, embeddable widget, email-to-ticket. Every channel into one inbox.
Resolve: A 30-day clock that does not stop. State changes, internal notes, evidence attachments. One assignee, full audit.
Evidence: Click once. Send the ICO a complete, timestamped pack. PDF, structured data, hash-chained audit trail.

WHY THEDUTYDESK

Every personal-data duty in one place. Complaints, subject-access requests, breach reporting, records of processing — one platform, one audit trail.

The 30-day complaint clock, handled.
Section 164A applies from 19 June 2026 to every UK organisation. We track the clock, send the acknowledgement, keep the evidence.

Live in 30 minutes. No IT. Embed the form. Configure the acknowledgement. Done before lunch.

From £199 a year. 14-day free trial. Pricing on the page. No demo. No salesperson. Cancel anytime.

Built in the UK, hosted in the UK. Your complainants' data stays in the UK. UK English. UK timezone. UK support.

One click for the ICO. Every case produces a complete, timestamped, tamper-evident evidence pack.

WHAT WE COVER

Data-protection complaints | s.164A DPA 2018 | Live from 19 June 2026
Track the 30-day clock, send the acknowledgement, keep the evidence the ICO can review.

Subject-access requests | UK GDPR Art.15 | On the platform
One-month clock. Intake, identity-check, search, redaction, response pack.

Other data-subject rights | UK GDPR Art.16–22 | On the platform
Rectification, erasure, restriction, portability, objection.

Breach reporting | UK GDPR Art.33 | Available
The 72-hour clock. Pre-filled ICO notification, internal escalation.

Records of processing | UK GDPR Art.30 | Available
The living RoPA. Connected to every complaint and DSAR.

DPIAs and vendor risk | UK GDPR Art.35 | On the roadmap (Q4 2026)
Pre-processing assessment, vendor register, residual risk.

FREQUENTLY ASKED

Q: Does this apply to my business?
A: If you are a UK organisation that handles personal data — customers, employees, suppliers, members — yes. The duty applies to every UK data controller, regardless of size or sector.

Q: We already have a privacy policy. Aren't we covered?
A: No. A privacy policy is the document. The duty is the operational procedure. Receive complaints, acknowledge in 30 days, respond, evidence it. The policy doesn't satisfy the duty.

Q: We use Zendesk / a shared inbox. Why do we need this?
A: Zendesk and shared inboxes do not have a 30-day clock, an immutable audit log, or an ICO evidence pack.
When the regulator asks, you'll be stitching screenshots and CSVs. We do it in one click.

Q: Will the ICO actually fine us?
A: The maximum fine is £17.5 million or 4% of worldwide turnover, whichever is higher. The ICO issued 28 monetary penalty notices in 2025, totalling approximately £19.6 million.

Q: Where is the data hosted?
A: In the UK. Customer data is held in AWS London. EU residency available. US not offered.

Q: How do I know the audit trail can't be edited?
A: Every audit event references the cryptographic hash of the previous event. Change one, every hash after it breaks. We pin the chain to write-locked storage daily.

--- END ---

--- BEGIN https://thedutydesk.co.uk/for-founders ---

Data-protection duties for small businesses — without hiring anyone.
Last reviewed: 2026-06-05

The 30-day complaint duty applies to every UK business with no size threshold and no revenue floor. TheDutyDesk handles it end to end — set up in 30 minutes, from £199 a year.

DOES THIS ACTUALLY APPLY TO ME?

Yes. Section 164A of the Data Protection Act 2018 applies to every UK data controller — a sole trader, a four-person studio, a 40-person agency — with no size threshold and no revenue floor. If you hold customer details, employee records, or supplier contacts, you hold the duty. [SRC-002 s.164A]

Statute (DPA 2018, s.164A(1)): "A controller must, where requested by a data subject, facilitate the making of a complaint by the data subject to the controller where the data subject considers that there has been an infringement of data protection legislation in relation to their personal data."

"Facilitate" is an active obligation. You must provide a named, accessible route for data-protection complaints — not just a general contact form.

WHAT YOU ACTUALLY HAVE TO DO

Four obligations. All of them strict. [SRC-002 s.164A]

01. Let people complain. Provide a named, signposted channel for data-protection complaints — on your website, in your privacy notice, and on every channel you use.
02. Acknowledge within 30 days. Once you receive the complaint, acknowledge it within one month. A generic auto-responder does not count. The clock starts from the moment the complaint reaches your organisation. [SRC-002 s.164A(2)(a)]
03. Respond without undue delay. Investigate and communicate the outcome. No hard deadline after acknowledgement, but you must move at a reasonable pace and keep a record of your progress. [SRC-002 s.164A(2)(b)]
04. Keep evidence the regulator can review. An auditable record of every complaint — what arrived, when, what you said, what you decided. The ICO can ask for it at any time. [SRC-002 s.164A(3)]

WHY AN INBOX WON'T CUT IT

What the duty requires | What email gives you
30-day clock, per complaint | Timestamps on individual emails — no countdown, no owner
Tamper-evident audit trail | A folder of emails that can be recalled, deleted, or lost
One-click ICO evidence pack | A day rebuilding threads and screenshots into something usable

WHAT IT COSTS IF YOU GET IT WRONG

The headline number: a maximum penalty of £17.5 million or 4% of worldwide annual turnover, whichever is higher. [SRC-003 Art.83] The ICO issued 28 penalty notices in 2025, totalling approximately £19.6 million. [SRC-009]

The realistic small-business risk is not a headline fine. It's an ICO information notice you cannot answer — demanding the full complaint file, the acknowledgement timestamp, the audit trail. If you can't produce it, you face a formal investigation.

WHAT IT COSTS

Starter — £199 / year
Under 10 staff · 1 user · 50 complaints / yr
Hosted complaint form + embeddable widget, 30-day clock and auto-acknowledgement, immutable audit trail, one-click ICO evidence pack, UK data residency.
14-day trial · no card to start · cancel anytime.

SME — £600 / year
10–250 staff · 3 users · unlimited complaints
Everything in Starter + 3 user accounts, unlimited complaint volume, Zendesk + Slack integrations, all channels.
14-day trial · no card to start · cancel anytime.
Annual or monthly billing available on both tiers.

FREQUENTLY ASKED

Q: We're a small business — are we really in scope?
A: Yes. The s.164A duty applies to every UK data controller — there is no size threshold and no revenue floor. If you hold customer details, employee records or supplier contacts, you hold the duty.

Q: We already have a privacy policy. Aren't we covered?
A: No. A privacy policy is the document. The duty is the operational procedure: receive complaints, acknowledge in 30 days, respond, evidence it. The policy doesn't satisfy the duty.

Q: Can't we just use email for complaints?
A: Email has no 30-day clock, no tamper-evident audit trail, and no one-click evidence pack. When the ICO asks, you'll be stitching screenshots and email threads. TheDutyDesk does it in one click.

Q: How long does setup actually take?
A: About 30 minutes. Embed the complaint form, configure the acknowledgement template, done. No IT department. No procurement. No sales call.

--- END ---

--- BEGIN https://thedutydesk.co.uk/what-we-cover ---

What we cover.
Last reviewed: 2026-06-04

The six obligations the ICO actually checks. One platform. One audit trail.

Data-protection complaints — s.164A DPA 2018 — Live from 19 June 2026
The 30-day clock. Acknowledgement, response, evidence. Every complaint tracked, every clock running, every piece of evidence ready for the ICO in one click.

Subject-access requests — UK GDPR Art.15 — On the platform
One-month clock. Intake, identity verification, search, redaction, response pack, audit trail.

Other data-subject rights — UK GDPR Art.16–22 — On the platform
Rectification, erasure, restriction, portability, objection. One workflow per right, one audit log across all.

Breach reporting — UK GDPR Art.33 — Available
72-hour clock to the ICO. Pre-filled notification form, internal escalation, evidence trail.

Records of processing — UK GDPR Art.30 — Available
The living RoPA, connected to every complaint and DSAR so the record updates itself.
DPIAs and vendor risk — UK GDPR Art.35 — On the roadmap (Q4 2026)
Pre-processing assessment, vendor register, residual risk scoring.

--- END ---

--- BEGIN https://thedutydesk.co.uk/duaa ---

The 30-day data-protection complaint duty.
Last reviewed: 2026-06-04

On 19 June 2026, a new operational duty applies to every organisation in the UK that handles personal data. Introduced by the Data (Use and Access) Act 2025 (which inserts section 164A into the Data Protection Act 2018), it gives individuals a statutory right to complain directly to a data controller about how their data is being handled — before escalating to the ICO. For organisations, this creates a hard deadline: you must acknowledge the complaint within 30 days and keep evidence of the process.

The practical 30-day clock: What counts as day one, and what you need to do before day 30.
Who does it apply to: Scope, sector coverage, and the four main obligations.
What an ICO evidence pack looks like: What the regulator expects to see if they investigate.

--- END ---

--- BEGIN https://thedutydesk.co.uk/duaa/30-day-rule ---

The 30-day clock.
Last reviewed: 2026-06-04
This article is part of The Duty (https://thedutydesk.co.uk/duaa).

The law requires acknowledgement of complaints within 30 days. Here is what that means in practice.

Day 1: The clock starts the day the complaint is received by your organisation — not the day it reaches the privacy team. If a customer emails a generic support address complaining about data handling, the 30-day clock has started.

Acknowledgement: Within 30 days, you must acknowledge the complaint. This means a substantive communication confirming receipt and opening a dialogue. An auto-responder does not satisfy the requirement unless it specifically acknowledges a data-protection complaint.

Resolution: The law requires you to respond "without undue delay".
While the acknowledgement has a hard 30-day deadline, the resolution must happen as quickly as is reasonably possible given the complexity of the complaint.

The Audit Trail: If the ICO investigates, they will ask for proof of when the complaint was received and when it was acknowledged. Without a tamper-evident system of record, you cannot prove you met the 30-day deadline.

--- END ---

--- BEGIN https://thedutydesk.co.uk/duaa/who-does-it-apply-to ---

Who does the 30-day duty apply to?
Last reviewed: 2026-06-04
This article is part of The Duty (https://thedutydesk.co.uk/duaa).

Section 164A applies to every UK data controller. There are no exemptions for size, revenue, or sector. If your organisation handles personal data of UK residents — customers, employees, suppliers, or members — you are a data controller subject to this duty.

The four obligations:
1. Facilitate complaints: You must provide a way for individuals to complain about how their personal data is handled.
2. Acknowledge: You must acknowledge every complaint within 30 days of receipt.
3. Respond: You must respond to the complaint without undue delay.
4. Evidence: You must keep evidence of the complaint, the acknowledgement, and the response for regulatory review.

--- END ---

--- BEGIN https://thedutydesk.co.uk/duaa/ico-evidence-pack ---

What an ICO evidence pack looks like.
Last reviewed: 2026-06-04
This article is part of The Duty (https://thedutydesk.co.uk/duaa).

When the ICO asks to see your compliance with section 164A, you cannot send them a Zendesk CSV or a spreadsheet of tickets. The regulator expects an auditable trail that proves the 30-day duty was met. This means cryptographic proof of when the complaint was received, exactly what was sent in acknowledgement, and when that acknowledgement was transmitted. TheDutyDesk produces this pack in one click.
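The hash-chained audit trail that the homepage FAQ and this page describe (each event references the hash of the previous one, and the chain head is pinned daily to write-locked storage), shown as an added illustration that is not TheDutyDesk's own code: a minimal append-only complaint log with a verifier that catches an edited event and, through the pinned head, a silently truncated chain. The event kinds, timestamps and complainant address are constructed for the demonstration, and the 30-day figure is read back from the chain rather than from an editable ticket field.

```python
"""Hash-chained complaint audit trail (added example, not TheDutyDesk's code).

Each event stores the SHA-256 of the previous event, so editing or deleting
any record breaks every hash after it. The daily pin to write-locked storage
is modelled as a stored head hash that the verifier compares against; it is
what catches the one change a bare chain cannot see: dropping the newest
events. All event data below is constructed for the demonstration.
"""
import hashlib
import json
from datetime import datetime
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first event in a chain


def canonical(body: Dict) -> bytes:
    """Stable byte encoding: sorted keys, no whitespace, UTF-8."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def event_hash(event: Dict) -> str:
    """SHA-256 over every field except the hash itself."""
    body = {k: v for k, v in event.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


def append(chain: List[Dict], kind: str, at: str, detail: Dict) -> Dict:
    """Append an event whose prev_hash links it to the current head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    event = {"seq": len(chain), "kind": kind, "at": at,
             "detail": detail, "prev_hash": prev}
    event["hash"] = event_hash(event)
    chain.append(event)
    return event


def verify(chain: List[Dict], pinned_head: Optional[str] = None) -> Tuple[bool, str]:
    """Recompute every hash and link; optionally check the head against the daily pin."""
    prev = GENESIS
    for i, ev in enumerate(chain):
        if ev["seq"] != i:
            return False, f"sequence gap at {i}"
        if ev["prev_hash"] != prev:
            return False, f"broken link at seq {i}"
        if ev["hash"] != event_hash(ev):
            return False, f"hash mismatch at seq {i}"
        prev = ev["hash"]
    if pinned_head is not None and prev != pinned_head:
        return False, "head does not match pinned anchor"
    return True, "ok"


def acknowledgement_days(chain: List[Dict]) -> Optional[int]:
    """Days between the 'received' event and the first 'acknowledged' event,
    taken from the chain itself rather than from a mutable ticket field."""
    received = next((e for e in chain if e["kind"] == "received"), None)
    acked = next((e for e in chain if e["kind"] == "acknowledged"), None)
    if received is None or acked is None:
        return None
    t0 = datetime.fromisoformat(received["at"])
    t1 = datetime.fromisoformat(acked["at"])
    return (t1 - t0).days


def demo() -> Dict:
    """One constructed complaint lifecycle, then two tampering scenarios."""
    chain: List[Dict] = []
    append(chain, "received", "2026-06-22T09:14:00+00:00",
           {"channel": "web-form", "summary": "marketing email after opt-out"})
    append(chain, "acknowledged", "2026-07-10T16:02:00+00:00",
           {"template": "ack-v1", "sent_to": "complainant@example.invalid"})
    append(chain, "outcome", "2026-07-24T11:30:00+00:00",
           {"decision": "upheld", "action": "suppression list corrected"})
    pinned_head = chain[-1]["hash"]  # what the daily pin would have stored

    # Scenario 1: move the receipt date later so the acknowledgement looks
    # quicker. The stored hash of seq 0 no longer matches its content.
    edited = json.loads(json.dumps(chain))
    edited[0]["at"] = "2026-07-01T09:14:00+00:00"

    # Scenario 2: drop the newest event. Every remaining link still verifies,
    # so only the pinned head reveals the truncation.
    truncated = chain[:-1]

    return {
        "intact": verify(chain, pinned_head),
        "edited": verify(edited, pinned_head),
        "truncated_unpinned": verify(truncated),
        "truncated_pinned": verify(truncated, pinned_head),
        "ack_days": acknowledgement_days(chain),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```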
Every pack contains:
- The original intake payload and metadata
- A complete timeline of all communications
- Cryptographic hashes proving the timeline has not been altered
- Evidence of the 30-day SLA compliance

--- END ---

--- BEGIN https://thedutydesk.co.uk/duaa/section-164a-text ---

Section 164A — Data protection complaints: full annotated text.
Last reviewed: 2026-06-05. Next review: December 2026.

The complete text of section 164A of the Data Protection Act 2018, as inserted by section 103 of the Data (Use and Access) Act 2025, with plain-English reading and practical implications for each subsection. Authoritative source: legislation.gov.uk [SRC-002].

164A(1) — The facilitation duty:
A controller must, where requested by a data subject, facilitate the making of a complaint by the data subject to the controller where the data subject considers that there has been an infringement of data protection legislation in relation to their personal data. [DPA 2018, s.164A(1)]
Reading: "Facilitate" is an active obligation — the controller must provide a named, accessible mechanism for data-protection complaints. A generic contact form does not satisfy this provision. The mechanism must be identifiable as a data-protection complaints channel.
Practical implication: Every UK data controller must operate a functioning, publicly accessible data-protection complaints process — a dedicated intake mechanism communicated to data subjects.

164A(2)(a) — The acknowledgement deadline:
A controller who receives a complaint under this section must acknowledge receipt of the complaint within one month of receiving it. [DPA 2018, s.164A(2)(a)]
Reading: The statute says "one month" — not exactly 30 days. In practice, treating the deadline as 30 days provides a conservative working margin. Acknowledgement must be substantive — not a generic auto-responder. The clock starts from receipt by the organisation, not when the complaint reaches the data protection team.
Practical implication: Controllers need a system that timestamps complaints at intake and tracks the acknowledgement deadline automatically. Without a tamper-evident timestamp at intake, controllers cannot prove to the ICO when the complaint was received.

164A(2)(b) — Outcome communication:
A controller who receives a complaint under this section must communicate the outcome of the complaint to the data subject within a reasonable time of the acknowledgement. [DPA 2018, s.164A(2)(b)]
Reading: The outcome communication is governed by a "reasonable time" standard — not a fixed deadline. Most complaints should be resolved within a few weeks of acknowledgement. "Outcome" means a substantive conclusion — what the controller found and what, if anything, it is doing in response.
Practical implication: Every complaint must be formally closed with a written outcome. Any complaint acknowledged but not formally closed is an open compliance liability.

164A(3) — No fee:
A controller must not charge a fee for complying with this section. [DPA 2018, s.164A(3)]
Reading: Data subjects cannot be charged for submitting a complaint or for the investigation of that complaint. This prohibition is absolute — unlike the narrow fee exception that applies to manifestly unfounded DSAR requests under Art.15.
Practical implication: Any terms and conditions that purport to charge for handling personal-data complaints must be removed.

--- END ---

--- BEGIN https://thedutydesk.co.uk/pricing ---

Pricing.
Last reviewed: 2026-06-04

Four tiers. Priced on the page. 14-day free trial on every paid plan.
Starter — £199/year — Under 10 staff — 1 user — 50 complaints/yr — Web form + widget — 14-day trial
SME — £600/year — 10–250 staff — 3 users — Unlimited complaints — All channels — Zendesk, Slack — 14-day trial
Business — £5,000/year — 250–1,000 staff — Unlimited users — Unlimited complaints — All channels + integrations — 14-day trial
Enterprise — From £25,000/year — 1,000+ staff — Unlimited — All channels + custom — Bespoke trial

All paid plans: ICO evidence pack, immutable audit trail, UK data residency (EU optional on Business+).

--- END ---

--- BEGIN https://thedutydesk.co.uk/trust/residency ---

Where data lives.
Last reviewed: 2026-06-04

All customer data is hosted in AWS eu-west-2 (London). EU residency is available on Business and Enterprise plans. US hosting is not offered. The waitlist email list is held in the EU (via Resend).

--- END ---

--- BEGIN https://thedutydesk.co.uk/trust/sub-processors ---

Who we use to run the service.
Last reviewed: 2026-06-04

Active sub-processors:
- Amazon Web Services — Cloud infrastructure hosting — London, UK
- Resend — Transactional email delivery — EU

--- END ---

--- BEGIN https://thedutydesk.co.uk/about ---

About TheDutyDesk.
Last reviewed: 2026-06-07

A UK team, building UK regulatory tech.

TheDutyDesk is a UK platform for handling personal-data obligations. We work alongside DPOs, Heads of Compliance and Operations Directors at UK organisations of every size. The platform handles data-protection complaints, subject-access requests, breach reporting, records of processing, and the audit trail the ICO can review — one product, one price, ready when you are.

TheDutyDesk is a product of Paradex Computing Limited. Company No. 03786457. Registered in England and Wales.

RESOURCES

Board readiness checklist: Twelve questions your board will ask you about the 30-day duty. (https://thedutydesk.co.uk/resources/readiness-checklist)
Finance Director one-pager: Everything your Finance Director needs to approve the budget.
(https://thedutydesk.co.uk/resources/fd-one-pager)

TRUST & SECURITY

UK data controller and UK data processor. All customer data hosted in AWS London (eu-west-2). Sub-processors: AWS, Resend.
Data Processing Agreement: https://thedutydesk.co.uk/trust/dpa
Sub-processor list: https://thedutydesk.co.uk/trust/sub-processors
Data residency: https://thedutydesk.co.uk/trust/residency

--- END ---

--- BEGIN https://thedutydesk.co.uk/about/editorial-standards ---

Editorial standards.
Last reviewed: 2026-06-04

How our content is researched, cited, and reviewed. The law is precise, and our writing must be too.

Standards:
- Primary sources only: Every factual claim about the Data (Use and Access) Act 2025 or the Data Protection Act 2018 cites the source text or official ICO guidance.
- No fabricated authors: Content is published under the byline "TheDutyDesk Editorial".
- No AI hallucination: We do not publish unreviewed AI-generated legal interpretations.
- Plain English: We translate legal requirements into operational realities without losing technical precision.

Last reviewed: June 2026.

--- END ---

--- BEGIN https://thedutydesk.co.uk/insights ---

Insights — TheDutyDesk.
Last reviewed: 2026-06-07

Plain-English articles on UK data protection news, the Data (Use and Access) Act 2025, and what it means for your organisation. 15 published articles. Newest first.

1. Six months of the Data (Use and Access) Act: where things stand — 5 June 2026
2. The 30-day complaints duty: no exemptions, no exceptions — 1 June 2026
3. The right to complain: what schools and trusts must have ready — 18 May 2026
4. Goodbye ICO, hello Information Commission: what changes for you — 4 May 2026
5. Cookies just got easier: the consent exceptions explained — 30 April 2026
6. The Reddit fine: why children's data is everyone's problem now — 30 March 2026
7. A simpler reason to use data: recognised legitimate interests — 23 March 2026
8. Letting software decide: automated decisions under UK GDPR — 9 March 2026
9. Your cookie banner is now a board-level risk: fines up to £17.5m — 2 March 2026
10. You no longer have to search everything for a data request — 23 February 2026
11. Subject access requests: you can now stop the clock — 16 February 2026
12. Inside the regulator's new approach to fines — 12 February 2026
13. The Data (Use and Access) Act is live: seven changes every UK business should know — 9 February 2026
14. Sending data abroad: the 'data protection test' explained — 19 January 2026
15. EU data adequacy renewed to 2031 — what it means if you send data to Europe — 22 December 2025

--- END ---

--- BEGIN https://thedutydesk.co.uk/insights/duaa-six-months-duty-briefing ---

Six months of the Data (Use and Access) Act: where things stand.
Published: 2026-06-05. Last reviewed: 2026-06-07. Next review: 2026-12-05. Author: TheDutyDesk Editorial. Pillar: Insights. ~3 min read.

A plain-English round-up of the Data (Use and Access) Act so far: what has already taken effect, what is still coming, and the short list of things a UK business should do before 19 June 2026.

The Data (Use and Access) Act 2025 received Royal Assent on 9 April 2025. Its data-protection provisions came into force in stages. The most significant — the 30-day data-protection complaints duty under s.164A — takes effect on 19 June 2026. Other provisions (recognised legitimate interests, automated decision safeguards, the 'stop the clock' DSAR rule, PECR fine increases) took effect on 5 February 2026.
Sources: [SRC-001] Data (Use and Access) Act 2025 | [SRC-006] Commencement regulations (SI 2026/82) | [SRC-004] ICO guidance on complaint handling | [SRC-020] ICO guidance on storage and access technologies (final, April 2026) | [SRC-021] ICO guidance on recognised legitimate interests, March 2026

--- END ---

--- BEGIN https://thedutydesk.co.uk/insights/complaints-duty-no-exemptions ---

The 30-day complaints duty: no exemptions, no exceptions.
Published: 2026-06-01. Last reviewed: 2026-06-07. Next review: 2026-12-01. Author: TheDutyDesk Editorial. Pillar: Duty. Audience: SME. ~3 min read.

Every UK organisation must have a way to take data protection complaints and must acknowledge them within 30 days. It applies whether you employ five people or five thousand. Here is what you actually need in place.

Section 164A of the Data Protection Act 2018 (inserted by s.103 DUAA 2025) imposes four operational duties: (1) facilitate complaints — provide a named, accessible channel; (2) acknowledge within 30 days of receipt; (3) respond without undue delay; (4) keep evidence the ICO can review. There is no size threshold, no revenue floor, no sector exemption.

Sources: [SRC-001] Data (Use and Access) Act 2025 | [SRC-002] Data Protection Act 2018 (post-DUAA consolidated), s.164A | [SRC-006] Commencement regulations (SI 2026/82) | [SRC-004] ICO guidance on complaint handling

--- END ---

--- BEGIN https://thedutydesk.co.uk/insights/schools-trusts-right-to-complain ---

The right to complain: what schools and trusts must have ready.
Published: 2026-05-18. Last reviewed: 2026-06-07. Next review: 2026-11-18. Author: TheDutyDesk Editorial. Pillar: Sectors. Audience: SME. ~3 min read.

Schools and trusts handle a lot of personal data and a steady stream of concerns from parents and staff. The data protection complaints duty applies to them too. Here is what to put in place.

Schools and multi-academy trusts are data controllers. Section 164A applies to them as it applies to every other UK data controller — with no exemption for public bodies, charities, or educational institutions. Practical steps: designate a named complaints contact; update the privacy notice; configure an acknowledgement process that timestamps receipt; keep records per complaint.

Sources: [SRC-002] Data Protection Act 2018 (post-DUAA consolidated), s.164A | [SRC-006] Commencement regulations (SI 2026/82) | [SRC-004] ICO guidance on complaint handling

--- END ---

--- BEGIN https://thedutydesk.co.uk/insights/ico-becomes-information-commission ---

Goodbye ICO, hello Information Commission: what changes for you.
Published: 2026-05-04. Last reviewed: 2026-06-07. Next review: 2026-11-04. Author: TheDutyDesk Editorial. Pillar: Insights. ~3 min read.

The Information Commissioner's Office is being reshaped into the Information Commission, run by a board rather than a single commissioner. Here is what is changing, what is staying the same, and why it should not change anything you do today.

The DUAA 2025 replaces the single Information Commissioner with a board-run Information Commission. The enforcement powers, fining regime, and the existing regulatory guidance all transfer. The change is primarily a governance restructure — the regulator's remit, your obligations, and the ICO website and contact details remain the same during transition.

Sources: [SRC-001] Data (Use and Access) Act 2025 | [SRC-025] Information Commission transition (DUAA governance changes), 2026

--- END ---

--- BEGIN https://thedutydesk.co.uk/insights/new-cookie-exceptions ---

Cookies just got easier: the consent exceptions explained.
Published: 2026-04-30. Last reviewed: 2026-06-07. Next review: 2026-10-30. Author: TheDutyDesk Editorial. Pillar: Guides. Audience: SME. ~3 min read.

Some low-risk cookies no longer need a consent pop-up. The ICO finalised its guidance on 29 April 2026.
Here is what is now exempt, what still needs consent, and how to update your banner without getting it wrong.

The ICO's final guidance on storage and access technologies (April 2026) introduces new categories of strictly necessary cookies that do not require consent: security cookies, fraud prevention, load balancing, user-input cookies, and first-party analytics used only for aggregate statistics. Consent is still required for advertising, cross-site tracking, and functional personalisation.

Sources: [SRC-020] ICO guidance on storage and access technologies (final, April 2026) | [SRC-001] Data (Use and Access) Act 2025

--- END ---

--- BEGIN https://thedutydesk.co.uk/insights/age-assurance-reddit-fine ---

The Reddit fine: why children's data is everyone's problem now.
Published: 2026-03-30. Last reviewed: 2026-06-07. Next review: 2026-09-30. Author: TheDutyDesk Editorial. Pillar: Insights. ~3 min read.

The ICO fined Reddit £14.47m over children's data and weak age checks. Even if you are nowhere near social media, the case signals how the regulator now thinks. Here is what it means for any business that might collect data from under-18s.

The ICO issued a monetary penalty notice against Reddit Inc. in February 2026 for failing to protect children's data and implement adequate age-assurance mechanisms. The ICO and Ofcom issued a joint statement in March 2026 signalling coordinated enforcement across age-assurance requirements. The case extends beyond social media — any organisation that collects data where under-18s might participate should review whether its age-assurance approach withstands regulatory scrutiny.

Sources: [SRC-023] ICO monetary penalty notice, Reddit, February 2026 | [SRC-024] ICO and Ofcom joint statement on age assurance, March 2026

--- END ---

--- BEGIN https://thedutydesk.co.uk/insights/recognised-legitimate-interests ---

A simpler reason to use data: recognised legitimate interests.
Published: 2026-03-23. Last reviewed: 2026-06-07. Next review: 2026-09-23. Author: TheDutyDesk Editorial. Pillar: Duty. ~3 min read.

There is an additional lawful reason to use personal data, and for a short list of purposes it skips the usual balancing test. Here is what 'recognised legitimate interests' covers and where the shortcut does and does not apply.

The DUAA 2025 introduces 'recognised legitimate interests' — a category of data uses for which the controller does not need to run the three-part legitimate interests assessment. The recognised list includes: safeguarding individuals, emergency services access, prevention of unlawful acts, disclosure to legal advisers, and a small number of other defined purposes. For uses outside the list, the existing legitimate interests framework under UK GDPR Art.6(1)(f) applies as before.

Sources: [SRC-001] Data (Use and Access) Act 2025 | [SRC-021] ICO guidance on recognised legitimate interests, March 2026 | [SRC-003] UK GDPR (retained EU regulation)

--- END ---

--- BEGIN https://thedutydesk.co.uk/insights/automated-decisions-article-22 ---

Letting software decide: automated decisions under UK GDPR.
Published: 2026-03-09. Last reviewed: 2026-06-07. Next review: 2026-09-09. Author: TheDutyDesk Editorial. Pillar: Duty. ~3 min read.

The old near-ban on fully automated decisions about people has been replaced by a system of safeguards. If you use software or AI to make decisions about customers or staff, here is what changed and what you must now put in place.

The DUAA 2025 replaces UK GDPR Art.22 (the near-prohibition on automated decisions with legal or similarly significant effects) with a new framework. Fully automated decisions are now permitted if certain safeguards are in place: meaningful information about the logic involved must be provided; data subjects must have the right to request human review; and significant decisions cannot be based solely on special-category data without explicit consent. The ICO published updated guidance in 2026.
Sources: [SRC-001] Data (Use and Access) Act 2025 | [SRC-003] UK GDPR (retained EU regulation) | [SRC-022] ICO automated decision-making guidance and consultation, 2026 --- END --- --- BEGIN https://thedutydesk.co.uk/insights/pecr-fines-17-5-million --- Your cookie banner is now a board-level risk: fines up to £17.5m. Published: 2026-03-02. Last reviewed: 2026-06-07. Next review: 2026-09-02. Author: TheDutyDesk Editorial. Pillar: Duty. ~3 min read. The maximum fine for breaking the UK's cookie and electronic marketing rules has jumped from £500,000 to £17.5m. Here is what changed, why it matters even to small businesses, and the cheap fixes that remove most of the risk. The DUAA 2025 raised the maximum PECR fine from £500,000 to match the UK GDPR ceiling: £17.5 million or 4% of global annual turnover, whichever is higher. This change applies to cookie consent failures, unlawful electronic marketing, and other PECR breaches. Practical risk mitigation: audit your cookie banner against ICO's April 2026 final guidance; ensure marketing lists are consented; document your legal basis for each marketing channel. Sources: [SRC-001] Data (Use and Access) Act 2025 | [SRC-020] ICO guidance on storage and access technologies (final, April 2026) --- END --- --- BEGIN https://thedutydesk.co.uk/insights/reasonable-proportionate-dsar --- You no longer have to search everything for a data request. Published: 2026-02-23. Last reviewed: 2026-06-07. Next review: 2026-08-23. Author: TheDutyDesk Editorial. Pillar: Guides. Audience: SME. ~3 min read. When someone asks for their data, you now only have to make a 'reasonable and proportionate' search, not an exhaustive one. Here is what that means day to day, and where the limit sits. The DUAA 2025 modifies the right of access under UK GDPR Art.15 by introducing a 'reasonable and proportionate' search standard. 
Controllers are no longer required to search every system, archive, and backup for responsive data — the search must be reasonable given the nature of the request and the resources involved. Relevant factors: specificity of the request, sensitivity of the data, cost of retrieval. The ICO's guidance clarifies that a 'manifestly unfounded' request can still be refused.

Sources: [SRC-001] Data (Use and Access) Act 2025 | [SRC-003] UK GDPR (retained EU regulation)

--- END ---

--- BEGIN https://thedutydesk.co.uk/insights/dsar-stop-the-clock ---

Subject access requests: you can now stop the clock.

Published: 2026-02-16. Last reviewed: 2026-06-07. Next review: 2026-08-16. Author: TheDutyDesk Editorial. Pillar: Guides. ~3 min read.

When someone asks for a copy of their data, you usually have one month to respond. You can pause that month while you confirm who they are or check what they want. Here is how the 'stop the clock' rule works in practice.

The DUAA 2025 introduces a formal 'stop the clock' mechanism for DSARs. The one-month response clock pauses if the controller needs to: (1) verify the identity of the requestor where there is reasonable doubt; or (2) clarify the scope of the request when it is unclear. The clock restarts when the requestor responds. Controllers must notify the requestor promptly when pausing and explain the reason.

Sources: [SRC-001] Data (Use and Access) Act 2025 | [SRC-003] UK GDPR (retained EU regulation)

--- END ---

--- BEGIN https://thedutydesk.co.uk/insights/ico-enforcement-settlement ---

Inside the regulator's new approach to fines.

Published: 2026-02-12. Last reviewed: 2026-06-07. Next review: 2026-08-12. Author: TheDutyDesk Editorial. Pillar: Investigations. ~3 min read.

The regulator has been overhauling how it decides fines, including offering discounts for settling early. Here is what the new approach means, and why cooperating quickly is now worth real money.
The ICO's overhauled enforcement framework (consulted on in October 2025, implemented in 2026) introduces: a formal settlement procedure with fine discounts for early cooperation; a clearer graduated approach to penalty notices; and a policy of publishing the factors that determined fine amounts. The enforcement action register is updated in real time. Organisations that cooperate early and fully can secure meaningful reductions — the ICO's consultation cited discounts of up to 20%.

Sources: [SRC-005] ICO enforcement consultation, October 2025 | [SRC-009] ICO enforcement action register

--- END ---

--- BEGIN https://thedutydesk.co.uk/insights/duaa-part-5-live-seven-changes ---

The Data (Use and Access) Act is live: seven changes every UK business should know.

Published: 2026-02-09. Last reviewed: 2026-06-07. Next review: 2026-08-09. Author: TheDutyDesk Editorial. Pillar: Duty. ~3 min read.

The main data protection changes in the Data (Use and Access) Act took effect on 5 February 2026. Here are the seven that matter most for an ordinary UK business, in plain language, with what each one means in practice.

Seven key DUAA changes from 5 February 2026:
(1) recognised legitimate interests — skips the balancing test for a defined list;
(2) automated decisions — Art.22 replaced by a safeguard framework;
(3) DSAR stop the clock — pause for identity verification or clarification;
(4) reasonable and proportionate DSAR search;
(5) PECR fines raised to £17.5m;
(6) Information Commission replaces the ICO (governance only);
(7) 30-day complaints duty commences 19 June 2026 (not yet live at publication).

Sources: [SRC-001] Data (Use and Access) Act 2025 | [SRC-002] Data Protection Act 2018 (post-DUAA consolidated) | [SRC-003] UK GDPR (retained EU regulation) | [SRC-006] Commencement regulations (SI 2026/82)

--- END ---

--- BEGIN https://thedutydesk.co.uk/insights/international-transfers-data-protection-test ---

Sending data abroad: the 'data protection test' explained.

Published: 2026-01-19.
Last reviewed: 2026-06-07. Next review: 2026-07-19. Author: TheDutyDesk Editorial. Pillar: Guides. ~3 min read.

If your business uses cloud tools or suppliers based abroad, your data is travelling. New guidance from January 2026 introduces a clearer 'data protection test'. Here is what it means without the jargon.

The ICO's consolidated international transfers guidance (January 2026) replaces multiple overlapping documents and introduces the 'data protection test' as the unified framework for assessing whether a transfer to a third country is permitted. The test requires that: (1) an adequacy decision covers the destination country; or (2) appropriate safeguards are in place (standard contractual clauses, binding corporate rules); or (3) a derogation applies. The UK adequacy decisions (EU, EEA) remain in force after renewal in December 2025.

Sources: [SRC-019] ICO updated international transfers guidance, January 2026 | [SRC-001] Data (Use and Access) Act 2025 | [SRC-003] UK GDPR (retained EU regulation)

--- END ---

--- BEGIN https://thedutydesk.co.uk/insights/adequacy-renewed-to-2031 ---

EU data adequacy renewed to 2031 — what it means if you send data to Europe.

Published: 2025-12-22. Last reviewed: 2026-06-07. Next review: 2026-06-22. Author: TheDutyDesk Editorial. Pillar: Insights. ~3 min read.

The European Commission renewed the UK's data adequacy on 19 December 2025, so personal data keeps flowing freely between the UK and Europe. Here is what the renewal covers, the catch in the small print, and what it means for a UK business.

The European Commission renewed the UK adequacy decisions on 19 December 2025 for a further period through to 2031. The renewal covers transfers of personal data from the EU/EEA to the UK without the need for standard contractual clauses or other safeguards. The catch: the renewal is conditional on the UK maintaining a GDPR-equivalent data protection framework.
Significant divergence from UK GDPR — such as broad carve-outs or removal of individual rights — could trigger a review or suspension. For UK businesses: no immediate action required; transfers to and from the EU continue without additional formality.

Sources: [SRC-018] European Commission UK adequacy decisions, renewed December 2025 | [SRC-003] UK GDPR (retained EU regulation) | [SRC-001] Data (Use and Access) Act 2025

--- END ---