Somvilla
Compliance

What the Data (Use and Access) Act 2025 means for Northern Ireland businesses | Somvilla

The June 2026 complaint logging deadline is approaching. Here's what NI manufacturers, law firms and accountancies need to do now.

5 min read

The Data (Use and Access) Act received Royal Assent in February 2026. Most businesses in Northern Ireland have either not heard of it or assumed it only applies to large UK corporations. Neither assumption is correct.

If your firm processes personal data — and almost every NI business does — parts of this Act apply to you, and a specific deadline lands in June 2026. Here is what you actually need to know.

What changed in February 2026

The DUAA 2025 replaces and expands on several provisions of the UK GDPR framework. The headline changes that affect smaller businesses are:

  • Mandatory complaint logging for organisations that receive data-related complaints from individuals
  • Strengthened subject access rights, with tighter response windows and clearer documentation requirements
  • New rules around automated decision-making, relevant to any business using AI-assisted tools
  • Expanded legitimate interests balancing tests, which affect how you justify processing personal data without consent

The ICO has been given broader enforcement powers under the Act, including the ability to issue assessment notices to smaller organisations it previously could not easily audit.

June 19, 2026 — the complaint logging deadline

From this date, organisations that receive complaints about how they use personal data must maintain a structured record of those complaints, the actions taken, and the outcome. A spreadsheet that someone updates occasionally will not satisfy this requirement. You need a system with an audit trail.

The June 2026 deadline in plain English

Under the DUAA 2025, if a customer, employee, or member of the public contacts you to say “I think you’re misusing my data” — or to exercise any data rights (access, erasure, restriction) — you must:

  1. Log the complaint with a timestamp and the nature of the request
  2. Record every action taken in response, with dates
  3. Record the outcome and any communications sent
  4. Retain that log in a retrievable format for at least three years

This is not a new concept — good data practice has always involved this kind of record-keeping. What the Act does is make it mandatory and auditable. The ICO can now formally request to see your complaint log as part of an assessment.

If you have no log, or your log is incomplete, that is itself a compliance failure — separate from whatever the original complaint was about.

What this means for law firms

Law firms in Northern Ireland are in a specific position. You hold deeply sensitive personal data: financial history, criminal matters, family circumstances, medical information in personal injury cases. Individuals exercising subject access rights against a law firm is not a hypothetical — it happens regularly.

You already have obligations under the Solicitors Regulation Authority and Law Society guidelines. The DUAA adds a layer of structured audit-trail requirement on top of those. If a client lodges a complaint about data handling and you cannot produce a clean log of how it was handled, you face dual exposure: ICO enforcement and professional regulatory sanction.

The practical requirement is a system that any fee earner can update without needing IT involvement, that timestamps entries automatically, and that produces an exportable report on demand.

What this means for manufacturers and distributors

Manufacturing and distribution firms often dismiss data protection as a concern for service businesses. This is a mistake. You hold personal data on employees, suppliers, delivery contacts, and trade customers. Subject access requests from ex-employees are increasingly common.

More relevantly for this Act: if you are using any automated tooling — ERP systems that flag credit limits, logistics software that scores delivery windows, AI tools that process documents — you now have documentation requirements around those automated processes that touch personal data.

The complaint log requirement is the immediate practical issue for most manufacturers. A system that captures “employee X submitted a SAR on [date], we responded on [date], outcome was [Y]” is the baseline.

What this means for accountancy practices

Accountancy firms handle personal data for every sole trader and individual client on their books. You also often hold data on behalf of clients — payroll data, for instance. That makes you both a controller and, in some contexts, a processor.

The complaint logging obligation applies in both capacities. If a payroll client’s employee raises a data concern with you, you need to log it. If one of your own clients asks you to delete their personal data, you need to log that request and its outcome.

The additional consideration for accountancies is the interaction with Making Tax Digital infrastructure. HMRC data flows involve personal data, and the DUAA’s expanded subject access provisions may generate more requests from individuals wanting to know what data you hold in connection with their tax affairs.

The practical steps before June 2026

You do not need an enterprise compliance platform. You need a system that does four things reliably:

  1. Captures incoming complaints and rights requests — with the date, the channel (email, letter, phone), and a description
  2. Logs actions chronologically — who did what, when, with what outcome
  3. Generates a report — the ICO will want to see a structured summary, not a folder of emails
  4. Restricts editing — an audit trail that can be quietly amended is not an audit trail

For most NI SMEs, this is a straightforward database-backed system. It does not need to be complex. It needs to be correct, timestamped, and in use before June 19.

Need a complaint logging system built before the deadline? I build audit-trail systems as a standard component of data work for NI businesses. Start a brief at somvilla.com/qualify — fixed price, delivered in 5–7 working days.