NEW Data Protection Complaints Requirement
Under UK data protection law all organisations will be legally required to have a process in place for handling data protection complaints by 19 June 2026. It’s one of the few new obligations ushered in by the Data (Use and Access) Act.
The ICO has published guidance to help organisations meet this new requirement. I’ve summarised it below and suggested some key actions to take now. Any text in italics below is a quote from the ICO.
What does the law say?
Organisations are legally required to fulfil the following:
⏹ Give people a way of raising data protection complaints
⏹ Acknowledge each complaint within 30 days of receipt
⏹ Take appropriate steps to respond without undue delay, including making any relevant enquiries and keeping complainants up to date on progress
⏹ Provide an outcome to complainants without undue delay
What is a data protection complaint?
The aim of this new obligation is to give anyone unhappy with how your organisation has handled their personal information a clear method for raising a complaint. For example, they could have a complaint about:
⏹ a data breach which impacted them;
⏹ your response to their Data Subject Access Request or other privacy rights request;
⏹ how long you’re keeping their personal information;
⏹ the accuracy of information you hold about them;
⏹ the security measures you have in place to protect their personal details;
⏹ how you’ve profiled them;
⏹ or any other data protection related matter.
In the past some of you will have received a letter from the ICO about a complaint they’ve received, asking you to resolve the matter directly with the individual. Moving forward, in the majority of cases, if the ICO receives a complaint they’ll ask the person to first raise it with the organisation in question.
Crucially, this means it will quickly become apparent if people can’t find out how to raise a data protection complaint with you.
What is NOT a data protection complaint?
If someone is complaining about your service or other matters, and is also exercising one of their privacy rights (such as access, erasure or objection), this shouldn’t be treated as a data protection complaint. The ICO gives the following examples which they say wouldn’t be data protection complaints:
⏹ a person may acknowledge you responded to their subject access request on time, but express dissatisfaction that you didn’t expedite it;
⏹ an employee may raise a grievance issue, and also request copies of their personal information; or
⏹ a person may complain about a customer service issue, and also request that you delete their information.
If you’re unsure of the nature of someone’s request or whether they are raising a complaint, you can always ask for clarification.
Give people a way to raise a data protection complaint
You must give people a way to raise a data protection complaint directly with your organisation. While the law doesn’t set out precisely how this must be done, the ICO gives some examples of different ways this could be achieved:
⏹ Complaints form – for people to submit their complaint either electronically or in writing
⏹ Telephone
⏹ Portal – provide an online complaints portal
⏹ Live chat – use a live chat function with the option to escalate to a human if needed
⏹ In person – provide a way to make complaints in person if you don’t have an online presence
BUT people are not obliged to use your set process. They can complain however they want. As with Data Subject Access Requests, people could contact any employee, any part of the organisation or even submit a complaint via social media.
Raise awareness & update training
Employees need to know about this change in the law, be able to recognise a complaint and know what to do if they receive or spot a complaint.
Tell people they can complain
At the point you collect personal information, people must be told they can raise a data protection complaint. This means privacy notices will need to be updated. It also means when responding to Data Subject Access Requests, you’ll have to make sure you explain your complaints process.
Public facing complaints procedure
While not a legal requirement, the ICO says you could publish a complaints procedure on your website, or provide it to people as soon as possible. For example, this could include:
⏹ What evidence or supporting information you need to investigate complaints
⏹ What proof of ID you accept (where necessary)
⏹ What type of authority you accept if a complaint is made on behalf of someone else.
⏹ That you’ll acknowledge within 30 days, keep people updated on progress and explain the outcome.
Verifying identity
If you have any doubts about a complainant’s identity you should ask for proof of ID as soon as possible. But the ICO stresses: “If you have sufficient information to be satisfied about the requester’s identity, you must not request more information”.
Complaints made on behalf of others
As with privacy rights, a family member, solicitor, or other relevant organisation can raise a complaint on behalf of another person. You’ll therefore need to have a process for checking they’re authorised to do this, such as an appropriate Legal Power of Attorney or signed Letter of Authority from the person they are acting on behalf of.
Consider other legal frameworks
The ICO says organisations need to be mindful of other legal frameworks and obligations beyond data protection when handling complaints.
Where a data protection complaint is part of wider issues, the Regulator says if you’re able to provide an outcome to the data protection complaint sooner than other issues, you must do so.
Joint controllers
Joint controllers will be expected to have a transparent arrangement in place for handling data protection complaints and a clear understanding of where responsibilities lie. The timescale for acknowledgement starts as soon as the complaint is received by any controller. This means joint controller agreements may need updating.
Your suppliers (processors)
As with other privacy rights, where relevant, processors will need to know to send complaints to you, help investigate them and provide any necessary information. Data processing agreements may need updating to reflect this.
Internal data protection complaints process
Organisations will need a process to effectively handle complaints. Many public sector bodies or other regulated sectors may already have a complaints process, and it’s perfectly acceptable for data protection complaints to be integrated into existing processes, as long as legal requirements are met. Here are six steps your process should cover:
1. Acknowledgement
Complaints must be acknowledged within 30 days. There are no specific legal requirements for what an acknowledgement should include, but it would make sense to at least confirm you’ve received the complaint and will look into it.
The method you use for acknowledgements is your choice, subject to any relevant equality legislation. The ICO suggests it will be most practical to use the same method the complainant has used. For example, if they email you, respond by email; if they write to you, respond by letter.
And don’t forget to keep a record of your acknowledgement so you can demonstrate you’ve met this obligation within the statutory timeframe.
When do the 30 days start and end?
⏹ The 30 days start the day after you receive the complaint. It doesn’t matter if this day falls on a weekend or a public holiday; the 30 days still start on this day.
⏹ If the last day to acknowledge the complaint falls on a weekend or public holiday, you have until the next working day to provide an acknowledgement.
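The two rules above are easy to get wrong in a complaints tracker, so here is a small worked example of the deadline arithmetic. This is an added illustration, not code from the ICO or from this post; it assumes the rule exactly as stated (day 1 is the day after receipt, whatever day of the week that is; only the final day rolls forward to the next working day), and the public-holiday set is a constructed placeholder rather than the official bank-holiday calendar.

```python
from datetime import date, timedelta

# Constructed placeholder: a real tracker would load the official
# bank-holiday calendar for the relevant UK nation instead.
PUBLIC_HOLIDAYS = {date(2026, 8, 31)}


def is_working_day(d: date, holidays=PUBLIC_HOLIDAYS) -> bool:
    """Monday to Friday and not a listed public holiday."""
    return d.weekday() < 5 and d not in holidays


def acknowledgement_deadline(received: date, holidays=PUBLIC_HOLIDAYS) -> date:
    """Last day on which an acknowledgement is still within 30 days.

    Day 1 is the day after receipt, so day 30 is receipt + 30 days.
    The day of receipt being a weekend or holiday makes no difference;
    only the final day rolls forward to the next working day.
    """
    deadline = received + timedelta(days=30)
    while not is_working_day(deadline, holidays):
        deadline += timedelta(days=1)
    return deadline


def is_acknowledged_on_time(received: date, acknowledged: date,
                            holidays=PUBLIC_HOLIDAYS) -> bool:
    """True if the acknowledgement date meets the statutory deadline."""
    return acknowledged <= acknowledgement_deadline(received, holidays)


def days_remaining(received: date, today: date, holidays=PUBLIC_HOLIDAYS) -> int:
    """Calendar days left before the deadline (negative once it has passed)."""
    return (acknowledgement_deadline(received, holidays) - today).days


if __name__ == "__main__":
    # Constructed sample: complaint received on Friday 19 June 2026.
    received = date(2026, 6, 19)
    print("deadline:", acknowledgement_deadline(received))
    print("on time if acknowledged 2026-07-20:",
          is_acknowledged_on_time(received, date(2026, 7, 20)))
```

Keeping the deadline in a function (rather than scattering `+ 30` across a spreadsheet) means the weekend and holiday roll-forward is applied consistently, and the stored acknowledgement date can be checked against it when you need to evidence compliance.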
2. Investigate
Your investigation should start without undue delay, i.e. without an unjustifiable or excessive delay. The ICO says it expects the investigation to start immediately, not after the 30-day acknowledgement period. Some key points to bear in mind:
⏹ You can seek clarification if the complaint is unclear
⏹ You can ask the individual for the outcome they are looking for
⏹ Consider all circumstances of the complaint
⏹ Be able to justify the manner in which a complaint was handled
⏹ You are not required to take steps which would be unreasonable or disproportionate
3. Keep people updated
Complainants should be kept informed about your progress. This could include providing an expected date for the outcome, a point of contact for questions and an explanation of any delays.
4. Record your actions
The ICO expects organisations to keep a record of the following, which they or other industry bodies may request to see:
⏹ the date you received the data protection complaint;
⏹ your acknowledgement;
⏹ any relevant conversations and documents;
⏹ the outcome of the complaint; and
⏹ any actions you took as a result of your investigation.
You could take a further optional step of keeping a record of the number of data protection complaints you receive, along with recurring themes and trends.
5. Provide outcome to the complainant
An outcome must be provided without an unjustifiable or excessive delay. If it’s possible to do this within 30 days of receiving the complaint, it’s not necessary to provide an acknowledgement and outcome separately.
There are no set rules on how you communicate the outcome to the complainant. For example, relatively straightforward complaints can be resolved over the telephone. However, the ICO would expect the outcome to include:
⏹ An explanation of what has been done to resolve the complaint
⏹ Where appropriate, any actions taken as a result
⏹ A detailed explanation of how you’ve complied with data protection law, if you believe you have
⏹ Enough information to help the complainant understand your decision
If the individual is not satisfied with the outcome, you could provide more detail or clarify your decision. The ICO suggests having a review process for those who are not satisfied. It would also be good practice to let people know they have the right to complain to the ICO, and provide contact details.
6. Review lessons learned
The ICO expects organisations to review what happened, and consider any improvements to prevent future complaints.
Key actions to take now
We’d suggest taking the following steps prior to 19 June 2026:
✔ Collaborate with relevant colleagues and agree your approach.
✔ Assign responsibility for investigating and reviewing complaints.
✔ Develop an internal process or integrate data protection complaints into existing complaints process.
✔ Update privacy notices to include details of how people can raise a data protection complaint. It would be helpful to also explain your procedure, but this is not mandatory.
✔ Raise awareness and adapt relevant training, so staff know how to recognise a data protection complaint and know what to do if they receive one.
✔ Update other relevant data protection policies, procedures or guidance.
✔ Check arrangements with any joint controllers and relevant processors.
For full details, see the ICO’s guidance: How to deal with data protection complaints.