26 May 2026

Changes In Handling Data Protection Complaints: What Your Organisation Needs To Know

Claire Van Ristell, Gowling WLG

The Data (Use and Access) Act 2025 introduces a mandatory obligation for all organisations to establish formal processes for handling data protection complaints, effective 19 June 2026.

The Data (Use and Access) Act 2025 ("DUAA") introduces a new obligation for all organisations to maintain a formal process for handling data protection complaints. The Information Commissioner's Office (the "ICO") has published its guidance, setting out how organisations are expected to receive, manage and resolve complaints. The legal obligation takes effect next month and organisations are strongly advised to establish a complaints policy and procedure in advance to ensure operational readiness.

With new rules on data protection complaints coming into force, this article breaks down what’s changing and the practical steps organisations should take now to prepare.

What is changing for data protection complaints?

From 19 June 2026, all organisations must have a process in place for the handling of data protection complaints. There are no exemptions to this requirement. Individuals will be expected to raise their concerns with the relevant organisation (as data controller) in the first instance before approaching the ICO. The ICO’s guidance sets out mandatory 'must have' requirements and 'good practice expectations' that provide clear expectations about what organisations should do in respect of acknowledging, investigating and resolving complaints, as well as around record keeping and providing evidence of compliance.

What counts as a 'data protection complaint'?

A data protection complaint arises where an individual believes that an organisation has not complied with data protection law when handling personal information. This may relate to the individual’s own data, or data belonging to someone they are authorised to act for.

Individuals do not need to use legal terminology or refer to specific legislative provisions for a complaint to be valid. In practice, complaints may concern matters such as:

  • how an organisation has responded to a subject access request or other information rights request;
  • the security measures used to protect personal information, including where an individual has been affected by a data breach; or
  • how personal data has been collected, used, stored, retained or kept accurate.

The ICO's guidance clarifies that not every complaint that mentions personal data will amount to a data protection complaint. For example, a general service complaint does not become a data protection complaint simply because an individual also exercises data protection rights alongside it. Where it is unclear whether an individual intends to raise a data protection complaint, organisations should seek clarification of this from the data subject at the earliest opportunity.

Step one - providing complaints channels

Organisations must provide a way for individuals to make data protection complaints directly to them. This can be achieved by offering options such as a complaint form that individuals can submit by email or post, a telephone route, an online complaints portal, a live chat function (with escalation to a human), or an in-person route (particularly for organisations without an online presence). Although organisations may encourage individuals to use a preferred complaints channel, there is no requirement for individuals to do so. A data protection complaint may be raised through any part of the organisation, including directly with individual members of staff. Organisations must therefore ensure they are prepared to recognise and accept complaints regardless of how they are received.

Complaints raised via social media:

Where an organisation has an online presence, complaints may also be raised through social media platforms. Organisations should consider how they will identify and handle complaints raised in this way. As social media is generally not a secure means of communication, it may be appropriate to ask the individual to move the discussion to a more secure channel before engaging substantively about the complaint to ensure a secure record can be kept of discussions.

Complaints from children:

The ICO guidance emphasises that children have the same data protection rights as adults but merit specific protection, as they may be less aware of the risks and consequences of data processing and their rights. Organisations must assess a child's competence to understand and exercise their rights, communicate in plain, clear language at all stages and consider accessibility throughout the process. Where the Children's Code (Age Appropriate Design Code) applies, organisations should provide a mechanism enabling children to complain easily, indicate urgency and explain why, and have procedures to take swift action where safeguarding concerns arise.

Telling people they can complain:

The ICO's guidance specifically sets out that organisations must tell individuals they can complain, both to the organisation itself and to the ICO. This must be done:

  1. at the point the personal information is collected (typically done by including this within a privacy notice); and
  2. when responding to subject access requests.

For organisations processing information for law enforcement purposes, there are additional points at which individuals must be informed of their right to complain (such as when responding to a subject access request, or when refusing a rectification, erasure or restriction request), unless a restriction applies.

Step two - what to do when you receive a complaint

The ICO guidance also sets out some key practice guidelines on the process that must be followed on receipt of a data protection complaint. These are:

1. Acknowledge within 30 days

Confirm receipt of the complaint within 30 days. Some ways of doing this might be:

  • For verbal complaints - ensure a contemporaneous written record is made, summarise the complaint back to the complainant and follow up in writing.
  • For electronic complaints - send out an automated response confirming receipt. If received via social media, then request an alternative contact method to respond.
  • For postal complaints - send out an acknowledgement letter.

It is vital to ensure that the 30-day timeframe is met. This may require a cover plan for periods of staff absence or peak workload so that acknowledgements are not missed. The 30-day period begins the day after the complaint is received, regardless of whether that day falls on a weekend or public holiday. If the final day falls on a weekend or public holiday, the acknowledgement may be provided on the next working day.

2. Verify the identity of the complainant

If there are doubts about the complainant's identity, you may ask for proof of ID before responding, but any such request should be made at the earliest opportunity. Where someone makes a complaint on behalf of another person (e.g. a family member, solicitor or child advocacy service), you must check they are authorised to act. Evidence for this may include an appropriate power of attorney or a signed letter of authority. If you have no evidence of authorisation, you must not investigate the complaint until appropriate authority is provided.

3. Investigate without undue delay and keep complainants informed

Organisations must make the appropriate level of enquiries to justify how the complaint was handled. The obligation to investigate begins when the complaint is received, not after the 30-day acknowledgment period. Start by gathering the necessary information as early as possible, such as checking relevant systems and records, speaking with staff and comparing the complainant’s account with your data. If you are unclear what the complaint is about, ask for more information quickly. You should also keep the complainant updated on the progress of the investigation without undue delay. If the investigation is likely to take time, you'll need to follow up to explain the delay and consider providing a point of contact for any questions. Where a data protection complaint forms part of a wider complaint, if you can provide an outcome to the data protection element sooner, you must do so rather than waiting to address all issues together.

4. Keep a record of the complaint

This includes the complaint receipt date, acknowledgment, relevant conversations and documents, the outcome and any actions taken. This evidences compliance and may be requested by the ICO, so your record-keeping systems should be kept up to date, clearly organised and labelled so that information can be found quickly. Recording the volume of complaints and any recurring themes will also help you identify any potential compliance issues and areas for improvement.

Step three - resolving the complaint

The final step is resolution of the complaint. It is important that you:

1. Communicate the outcome

Decisions must be explained to the complainant as soon as possible. Information should be included on how and why you came to your decision and what actions, if any, you have taken to resolve the matter.

2. Deal with dissatisfied complainants

If the complainant is unhappy with the outcome, consider providing additional detail, clarification of your decision, or a review process. You should also inform the complainant of their right to escalate to the ICO and provide the ICO’s contact details to enable them to do so.

3. Review and improve

After providing an outcome, review what happened and consider whether there are any improvements you can make to prevent future complaints. Failure to meet the above requirements may constitute a breach of data protection obligations, so it is essential that your organisation's complaints policy aligns with these guidelines.

Other considerations - joint controllers and processors

If you are a joint controller, you should have a transparent arrangement with other joint controllers setting out how complaints will be handled. The 30-day timeframe begins when any of the controllers receives the complaint, so it is important everyone is clear on what they need to do. It is worth considering whether to have a central point of contact, deciding who will co-ordinate the investigation and who will liaise with the complainant.

If using processors, it is still important to agree how complaints are managed. This may be by requiring the processor to forward any complaints to you and provide the necessary information to help you meet your obligations. It is important to note that the processor may assist with this administration but the obligation to handle the complaint will sit with you as the controller.

Practical next steps to prepare

Organisations should start preparing now to ensure readiness and compliance with the new rules. You can do this by drafting and implementing a complaints policy that addresses the above requirements. If you already have a complaints procedure or a data subjects' rights policy in place, assess whether they need to be adapted to meet the new requirements and specifically address data protection complaints. The key approach is to follow the complaint lifecycle described in the three steps above.

It is also important to have adequate staff training in place to ensure your staff can recognise a data protection complaint, know how to log it, and understand the handling process and escalation paths.

Read the original article on GowlingWLG.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
