NNureComp
Sign inStart free 7-day discovery
UK GDPR + Data (Use and Access) Act 2025 · Complaints procedure mandatory 19 June 2026

Make your team DUAA-ready. Without re-running the same training they took five years ago.

UK GDPR didn't end with Brexit, and the Data (Use and Access) Act 2025 layers new duties on top — including a mandatory complaints procedure your staff need to know how to handle. NureComp delivers a role-mapped refresher with DPO, processor, and high-risk-data overlays — plus the audit-ready evidence pack.

Start free GDPR/DUAA discovery See sample evidence pack
The 5-step compliance loop
Discover
Anonymous survey surfaces the risk shape
Map
Role + sector + workforce profile decide what each person needs
Train
Short modules + scenario assessment per role
Evidence
Regulator-defensible pack on demand
Monitor
Continuous readiness score + alerts
Free 7-day wedge

Free 7-day Data Handling Survey

Anonymous 3-4 minute survey for your staff. Surfaces which data categories your team actually handles, which systems they use, and where the DUAA complaints-procedure readiness gap sits.

  • Role-based DUAA exposure map — who handles what data, where the special-category-data hotspots are
  • Complaints-procedure readiness gap (do your staff know what to do when a subject complains?)
  • PECR/cookie compliance posture for your customer-facing teams
  • Sub-processor relationship audit (third-party register)
  • Draft Article 30 ROPA addendum your DPO can sign off
Start the handling survey
Sample evidence pack

Download a synthetic-data example showing the exact format your regulator, insurer, or auditor will see.

Download sample

Sectors where this matters most

Financial services

FCA expects current GDPR training plus DUAA awareness. Special-category-data overlays for vulnerable-customer handling.

Healthcare

Article 9 special category data, NHS Data Security and Protection Toolkit alignment.

Legal practice

SRA Code of Conduct overlap; client confidentiality + DUAA complaints procedure.

Recruitment

Heavy data handling; ICO has multiple recent recruitment-sector enforcement actions.

Education

Children's data + safeguarding overlay; ICO age-appropriate design code.

Marketing & PR

PECR, consent capture, lawful basis selection, e-marketing rules.

Bundle savings

Bundle GDPR/DUAA with AI Literacy and Harassment for £50/seat/year on Pro — saves 33% vs separate purchases.

See multi-domain pricing

Common questions

My team did GDPR training in 2018. Why again?

DUAA 2025 changes obligations materially: complaints procedure (mandatory 19 June 2026), automated decision-making transparency, scientific-research grounds. The refresher is targeted at what's changed — not a re-do of the 2018 basics.

What does the complaints-procedure obligation actually require?

From 19 June 2026, every controller must have a procedure for data subjects to complain to the controller (not just the ICO). Your staff need to recognise complaints when they arrive, escalate correctly, and respond within statutory timeframes.

Will this satisfy the DPO's training-records obligation?

Yes. Article 39 obligations include "raising awareness and training of staff". The evidence pack documents who completed what, when, with role-mapped depth.

Do you cover special-category data?

Yes — a dedicated overlay for staff who handle Article 9 data (health, biometric, racial/ethnic origin, etc.).

Start free GDPR/DUAA discovery

Free discovery survey. Report in 7 days. No payment to get started.

Start free GDPR/DUAA discovery See pricing