A new requirement in UK data protection law obliges all organisations to have a process in place for handling data protection complaints. There are no exemptions. Its purpose is to make it easier for individuals to raise concerns directly with organisations before taking matters further with the regulator. All businesses must be compliant with the requirement by 19th June 2026.
The intention of the new rule is to ensure that people have a clear and accessible route to complain if they believe that there is non-compliance with a requirement of data protection law. A data protection complaint may relate to a wide range of matters, such as how personal information has been collected, used, stored, retained, shared or kept accurate. It may also concern the way an organisation has responded to an individual’s data rights request, such as a subject access request, or concerns arising from a personal data breach. The ICO makes clear that a complaint is not limited to major incidents; it can arise whenever an individual believes that data protection law has not been followed in relation to their information.
What will this mean for your business?
Under the new requirement, organisations must be sure that they are compliant in several ways. Here is a checklist.
Ensure that all staff are aware of the importance of correctly recording and managing complaints that relate to personal data
Update any public-facing privacy notice to confirm that a complaints procedure exists and is available to use, and provide a means of accessing it
Provide a way for people to make data protection complaints – keep in mind that complaints can be registered in various ways, including through social media direct messaging, as well as made orally to a team member. At the same time, remember that requiring ID evidence can be a vital precautionary step
Acknowledge receipt of a complaint as early as practicable
Take appropriate action to respond without undue delay, and keep the complainant informed
Explain to the individual the outcome of the complaint without undue delay
Importantly, organisations have flexibility in how they design their procedure. There is not an expectation that businesses will create an entirely separate or complex system if a method for recording and managing complaints is already in place. In many cases, an existing complaints process can be adapted, provided it properly covers data protection issues. However, the procedure must be easy to find, easy to use, and accessible. The guidance also indicates that organisations should not place unnecessary barriers in the way of complainants.
What standards are your investigation procedures expected to meet?
There is an expectation that organisations make appropriate enquiries. This suggests that businesses should have a clear internal workflow for gathering relevant information, reviewing what happened, and deciding whether any remedial action is needed. At the end of the process, the organisation should explain the outcome clearly and promptly. A well-run procedure can therefore do more than satisfy a legal requirement; it can help resolve concerns early, improve accountability, and reduce the likelihood of escalation.
The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.