ARTICLE
3 June 2026

Dealing With Data Protection Complaints

Sa
Shepherd and Wedderburn LLP

Contributor

Shepherd and Wedderburn LLP logo
Shepherd and Wedderburn is a leading, independent Scottish-headquartered UK law firm, with offices in Edinburgh, Glasgow, Aberdeen, London and Dublin. With a history stretching back to 1768, establishing long-standing relationships of trust, rooted in legal advice and client service of the highest quality, is our hallmark.
Explore Firm Details
Starting June 19, UK data protection law introduces a mandatory requirement for organisations to establish internal complaint procedures before individuals can escalate issues to the Information Commissioner's Office. This procedural shift aims to reduce the ICO's complaint backlog while placing greater responsibility...
United Kingdom Privacy
Joanna Boag-Thomson and Joseph Fitzgibbon
Your Author LinkedIn Connections
Joanna Boag-Thomson’s articles from Shepherd and Wedderburn LLP are most popular:
  • with readers working within the Construction & Engineering industries
Shepherd and Wedderburn LLP are most popular:
  • within Antitrust/Competition Law, Food, Drugs, Healthcare and Life Sciences topic(s)

19 June sees a small but significant amendment to data protection law come into force. As of that date, organisations are required to have a procedure in place for dealing with data protection complaints.

In a move to try and address the backlog of complaints with the Information Commissioner’s Office (ICO) there will be a requirement to first raise a complaint with the organisation itself before the ICO will consider the complaint. The ICO will require evidence that the data subject has sought to address their issue directly with the organisation before contacting them. In fact, the complaint procedures on the ICO website already reflect this.

What does this mean for organisations?

Many organisations will already have a complaints procedure in place and so will be able to adapt this to take account of data protection complaints.

Where there is no such complaints procedure in place then one will need to be created. The legislation itself suggests that one option is to create online forms to make it easier to complain.

How long do organisations have to deal with a complaint?

The key requirement from the legislation is that the complaint is acknowledged within 30 days of receipt.

There is no specific timeline for resolving the complaint (recognising that some are more complex than others) but it must be resolved without undue delay.

What documents should organisations update?

Where organisations are adding data protection to existing complaints policies and procedures, employees could be dealt with separately as they will have their own grievance route.

Other documentation that will need to be updated will include privacy policies, which should make it clear that the route to complain is firstly the organisation’s complaints procedure and then secondly the ICO. Similarly, any pro forma documentation for responding to requests from data subjects (including data subject access requests) should be updated to refer to the right to complain.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Joanna Boag-Thomson
Joanna Boag-Thomson
Photo of Joseph Fitzgibbon
Joseph Fitzgibbon
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More