Personal Data and your Business – is your complaints procedure in place?

A new requirement in UK data protection law obliges all organisations to have a process in place for handling data protection complaints. There are no exemptions. The purpose is to make it easier for individuals to raise concerns directly with organisations before taking matters further with the regulator. All businesses must ensure that they are compliant by 19th June 2026.

The intention of the new rule is to ensure that people have a clear and accessible route to complain if they believe that there is non-compliance with a requirement of data protection law. A data protection complaint may relate to a wide range of matters, such as how personal information has been collected, used, stored, retained, shared or kept accurate. It may also concern the way an organisation has responded to an individual’s data rights request, such as a subject access request, or concerns arising from a personal data breach. The ICO makes clear that a complaint is not limited to major incidents; it can arise whenever an individual believes that data protection law has not been followed in relation to their information.

What will this mean for your business?

Under the new requirement, organisations must be sure that they are compliant in several ways. Here is a checklist.

  • Ensure that all staff are aware of the importance of correctly recording and managing complaints that relate to personal data

  • Update any public-facing privacy notice to confirm that a complaints procedure exists and is available for use, and provide a means of accessing it

  • Provide a way for people to make data protection complaints. Keep in mind that complaints can be registered in various ways, including through social media direct messaging, as well as made orally to a team member. At the same time, remember that requiring ID evidence can be a vital precautionary step

  • Acknowledge receipt of a complaint as early as practicable

  • Take appropriate actions in order to respond without undue delay and keep the complainant informed

  • Explain to the individual the outcome of the complaint without undue delay

Importantly, organisations have flexibility in how they design their procedure. There is not an expectation that businesses will create an entirely separate or complex system if a method for recording and managing complaints is already in place. In many cases, an existing complaints process can be adapted, provided it properly covers data protection issues. However, the procedure must be easy to find, easy to use, and accessible. The guidance also indicates that organisations should not place unnecessary barriers in the way of complainants.

What standards are your investigation procedures expected to meet?

There is an expectation that organisations make appropriate enquiries. This suggests that businesses should have a clear internal workflow for gathering relevant information, reviewing what happened, and deciding whether any remedial action is needed. At the end of the process, the organisation should explain the outcome clearly and promptly. A well-run procedure can therefore do more than satisfy a legal requirement; it can help resolve concerns early, improve accountability, and reduce the likelihood of escalation.

The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.
