Data Protection Complaints: NEW requirements

August 2025

A ‘must do’ for ALL organisations

By June 2026 you’ll be legally required to have a procedure in place to handle data protection complaints. This was one of the few new obligations ushered in by the Data (Use and Access) Act 2025.

The ICO has published draft guidance on how to comply. While this is open to consultation until mid-October and may be subject to some amendments, it gives some useful pointers on the steps to take.

The aim of this change is to give anyone who is unhappy with how your organisation has handled their personal information a clear method for raising a complaint. For example, they could have a complaint about:

  • a data breach which affected them
  • your response to their Data Subject Access Request
  • how long you’re keeping their data
  • how you’ve profiled them
  • or any other data protection related matter

I’m sure some of you reading this will have received a letter from the ICO in the past asking for a complaint they’ve received to be resolved by you directly with the individual. Essentially, this approach is changing. Moving forward, in the majority of cases when the ICO receives a complaint, the individual will be asked to go through your complaints procedure first.

A little warning. If you don’t have a clear procedure in place for data protection related complaints, the ICO may spot this pretty quickly should you come up on their radar.

What the law says

Organisations are legally required to fulfil the following:

  • Procedure – give people a way of raising data protection complaints
  • Acknowledgement – acknowledge each complaint within 30 days of receipt
  • Action and progress – take appropriate steps to respond without undue delay, including making any relevant enquiries and keeping complainants up to date on progress
  • Outcome – provide an outcome without undue delay

How people can raise a complaint

People must have a way of being able to raise a complaint directly with you. While the law doesn’t set out precisely how this must be done, the ICO gives some examples of different ways this could be achieved:

  • Complaints form – for people to submit their complaint either electronically or in writing
  • Telephone – allow people to make a complaint over the phone
  • Portal – provide an online complaints portal
  • Live chat – use a live chat function with the option to escalate to a human if needed
  • In person – provide a way to make complaints in person if you don’t have an online presence

Published complaints procedure

Many organisations, particularly those in the public sector, will already have a complaints procedure which could be adapted for this purpose. For those which don’t, the ICO expects you to write one and publish your procedure on your website, or provide it to people at the earliest opportunity. This would be expected to cover:

  • How people can make data protection complaints
  • What people can expect from your process (e.g. acknowledgement within 30 days, kept informed of progress, and provided with an outcome without undue delay)

In our opinion it would seem fitting to add the key points of your complaints procedure to your external privacy notice, and replicate this in any other relevant audience specific privacy notices.

Asking for more information

If evidence or additional information is needed, such as reference numbers or proof of ID, this should be asked for at the earliest opportunity. It would be helpful to mention this in your published procedure, for example ‘we may need to ask for proof of ID’.

Complaints made on someone’s behalf

As with privacy rights requests, an individual may make a complaint on someone else’s behalf. You’ll therefore need to make sure they are authorised to do so, for example by seeking power of attorney or a signed letter of authority. The ICO is clear that if you have no evidence a third party is authorised to act on someone’s behalf, you aren’t required to investigate the complaint, but you should respond explaining this.

The 5 step data protection complaints process

1. Acknowledge

The law doesn’t prescribe how an acknowledgement should be provided but the ICO gives the following examples:

  • Verbal complaints – Keep a record and follow up in writing (e.g. by email or post)
  • Email / live chat – an automated response could be used
  • Letters – acknowledgement by post

The 30 days in which you must acknowledge a complaint starts the day after you receive the complaint, regardless of whether you received this on a weekend or bank holiday. If the last day to acknowledge falls on a weekend or bank holiday you have until the next working day.

The ICO says you must have arrangements in place to acknowledge and continue handling complaints, regardless of whether key people are off sick or your organisation is closed. This is an important point for organisations such as schools or colleges which may close for a period of time.

2. Investigate

You must investigate the complaint without undue delay. If it’s not clear what the complaint is about, you should ask for more detail as quickly as possible.

It may also be useful to ask people to let you know the outcome they’re seeking, and if you choose to use a complaints form, this point could be built in.

You’ll need to gather the information necessary to respond to the complaint, and the ICO tells us this might include taking actions such as:

  • Looking at relevant facts thoroughly, fairly and accurately
  • Speaking to relevant staff
  • Comparing information you hold with the information from the complainant
  • Checking you’ve upheld your own terms, policies and standards

3. Update on progress

There’s a duty to keep people updated on the progress of your investigation. If it’s likely an investigation is going to take some time, you’ll need to tell them you’re working to resolve the issue. You can always provide them with a date for when you expect to complete your investigation, and give them a point of contact if they have any questions.

4. Provide outcome

Once the investigation is completed you must provide an outcome to the complainant without undue delay. The ICO says this means ‘as soon as possible’, and would expect your response to include the following:

  • A clear explanation of what you’ve done to resolve their complaint
  • Any actions you’ve taken (where appropriate)
  • Enough information to help the individual understand how you’ve reached your conclusion

If the individual is not satisfied with your outcome, you should tell them they have the right to complain to the ICO, and it would be good practice to provide them with the regulator’s contact details.

If they then tell you they’re planning to complain to the ICO you don’t have to get in touch with the regulator yourself. The ICO will come to you if they need more information.

Crucially, you must be able to justify why you handled a complaint in the way you did, which neatly brings us on to…

5. Record keeping

It will be necessary to keep evidence of your approach to each complaint you receive, and the ICO recommends keeping a record of the following:

  • the date you received the data protection complaint
  • your acknowledgement
  • any relevant conversations and documents
  • the outcome of the complaint
  • any actions you took as a result of your investigation

You may be asked to provide this evidence to the ICO, or other industry bodies.

In all of this, don’t forget data retention: it would be a good idea to agree how long you’ll keep records of complaints.

Key steps to take now

We’d recommend taking the following actions:

  • Collaborate with relevant colleagues and agree your approach
  • Assign responsibility for investigating and reviewing complaints
  • Publish your complaints procedure (prior to June 2026)
  • Start raising awareness and adapt relevant training so staff know how to recognise a data protection complaint and know what to do if they receive one.

For more detail please see the ICO’s draft complaints guidance for organisations.