New data protection complaints procedures: what this means for public authorities

From 19 June 2026, all public authorities must operate a clear and accessible data protection complaints procedure, following reforms introduced by the Data (Use and Access) Act 2025 and supported by ICO guidance.

This requirement is particularly significant for public bodies given their volume of personal data processing, public accountability obligations and exposure to regulatory scrutiny.

What is a data protection complaint?

A data protection complaint is a concern raised by an individual about how a public body has handled their personal data. This can include complaints about:

• A personal data breach
• The handling of a data subject access request or other rights request
• Data accuracy, retention or security
• Profiling or automated decision making or
• Any other matter relating to compliance with data protection law

This is distinct from general service complaints, even where a complaint is raised alongside the exercise of data protection rights.

Key legal requirements

Under the new regime, public bodies must:

• Provide a way for individuals to raise data protection complaints directly with them
• Acknowledge complaints within 30 days of receipt
• Take appropriate steps to investigate and respond without undue delay and
• Provide an outcome to the complainant, explaining what action has been taken or why the public body believes it has complied with the law

Where a complaint can be fully resolved within 30 days, there is no requirement to provide a separate acknowledgement.

How the 30 day deadline works

The 30 day acknowledgement period:

• Begins the day after the complaint is received (including weekends and public holidays) and
• If the deadline falls on a non working day, runs until the next working day.

The ICO expects investigations to start immediately, not after the acknowledgement is sent.

How complaints can be made

The law does not mandate a single complaints channel. Public bodies may use forms, email, telephone, portals or in person routes. However, individuals are not required to use a specific process and may raise complaints with any employee or via informal channels, including social media.

This makes staff awareness and internal escalation processes particularly important.

Record keeping and outcomes

The ICO expects public bodies to keep records of:

• When complaints are received
• Acknowledgements sent
• Investigations undertaken
• The final outcome and
• Any remedial actions taken.

Outcomes should provide enough information to help individuals understand the decision and, where applicable, how compliance has been achieved. Public bodies are also encouraged to explain how individuals can escalate matters to the ICO if they remain dissatisfied.

Key impacts for public authorities

• Individuals must be able to raise data protection complaints directly with the authority, before approaching the ICO
• Complaints must be acknowledged within 30 days and investigated without undue delay
• Complaints can be raised through any channel, including informal routes or frontline staff
• Where data protection issues overlap with service or statutory complaints, authorities must still deal with the data protection element promptly.

Key takeaways

• Existing corporate or statutory complaints procedures may be used, but only if they meet data protection specific requirements
• Staff at all levels must be trained to recognise and escalate data protection complaints
• Poor handling increases the risk of ICO intervention, Ombudsman escalation and reputational harm.

Proactive steps

• Integrate data protection complaints clearly into corporate complaints frameworks
• Review joint controller arrangements (e.g. shared services and partnerships)
• Update privacy notices, FOI/DPA response templates and staff guidance

For more information on the contents of this legal article, please get in touch with Shireen Eliyas or another member of our Public Sector team.