New data protection complaints procedures: What organisations need to know
From 19th June 2026, organisations subject to UK data protection law will be legally required to have a formal process in place for handling data protection complaints. This new obligation is introduced by the Data (Use and Access) Act 2025 (DUAA), with accompanying guidance published by the Information Commissioner’s Office (ICO).
The aim is to ensure individuals have a clear, effective way to raise concerns about how their personal data has been handled, and to resolve issues directly with organisations before escalating matters to the ICO.
What is a data protection complaint?
A data protection complaint is a concern raised by an individual about how an organisation has handled their personal data. This can include complaints about:
A personal data breach
The handling of a data subject access request or other rights request
Data accuracy, retention or security
Profiling or automated decision making
Any other matter relating to compliance with data protection law.
This is distinct from general service complaints, even where a complaint is raised alongside the exercise of data protection rights.
Key legal requirements
Under the new regime, organisations must:
Provide a way for individuals to raise data protection complaints directly with them
Acknowledge complaints within 30 days of receipt
Take appropriate steps to investigate and respond without undue delay
Provide an outcome to the complainant, explaining what action has been taken or why the organisation believes it has complied with the law.
Where a complaint can be fully resolved within 30 days, there is no requirement to provide a separate acknowledgement.
How the 30-day deadline works
The 30-day acknowledgement period:
Begins the day after the complaint is received (including weekends and public holidays)
Runs until the next working day if the deadline falls on a non-working day.
The ICO expects investigations to start immediately, not after the acknowledgement is sent.
How complaints can be made
The law does not mandate a single complaints channel. Organisations may use forms, email, telephone, portals or in-person routes. However, individuals are not required to use a specific process and may raise complaints with any employee or via informal channels, including social media.
This makes staff awareness and internal escalation processes particularly important.
Record keeping and outcomes
The ICO expects organisations to keep records of:
When complaints are received
Acknowledgements sent
Investigations undertaken
The final outcome
Any remedial actions taken.
Outcomes should provide enough information to help individuals understand the decision and, where applicable, how compliance has been achieved. Organisations are also encouraged to explain how individuals can escalate matters to the ICO if they remain dissatisfied.
Key takeaways
Data protection complaints procedures become mandatory from 19 June 2026
Acknowledgement is required within 30 days, but investigations should begin immediately
Complaints may be raised through any channel, not just designated forms
Robust record keeping and clear outcomes are essential for demonstrating compliance
The ICO expects organisations to deal with data protection aspects promptly, even where complaints overlap with other issues.
Proactive steps to take now
Organisations should begin preparing ahead of the June 2026 deadline by:
Designing or updating an internal complaints process - this may be standalone or integrated into existing complaints frameworks, provided data protection requirements are met
Assigning ownership and escalation routes - clear responsibility should be allocated for investigating and responding to complaints
Updating privacy information - privacy notices and responses to rights requests should explain how individuals can raise a data protection complaint
Training staff - employees should be trained appropriately to ensure they are able to recognise a data protection complaint and know how to escalate it
Reviewing third-party arrangements - joint controller arrangements and data processing agreements may need updating to reflect complaint handling responsibilities.
Our views
The new complaints regime is designed to improve early resolution and transparency, but it also increases regulatory risk for organisations without clear, workable processes in place. Taking proactive steps now will help reduce escalation to the ICO and demonstrate accountability under the UK GDPR framework.
The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.