Data Protection Network

Preparing for data protection complaints

Insiders share their thoughts

The impact of the new requirement to have a data protection complaints process in place from 19 June 2026 will very much depend on the size of your organisation, your sector and how much people currently raise data protection related issues with you.

Many organisations already handle concerns and complaints about data protection matters, be it accusations that DSARs haven’t been fulfilled adequately, claims of unlawful marketing, holding data for too long or inaccurate records. This change gives people a clear route to complain and a more formal footing to the way you handle their concerns.

In a nutshell, the legal requirements are:

Give people a way of raising data protection complaints
Acknowledge each complaint within 30 days of receipt
Take appropriate steps to respond without undue delay, including making any relevant enquiries and keeping complainants updated on progress
Provide an outcome to complainants without undue delay.

I’ve written more about this here, and the ICO has published guidance here.

If you’d like some good news, the ICO guidance makes it clear that if you already have a complaints process, this can be utilised, as Robert Bond, Senior Counsel at Privacy Partnership Law explains…

Many organisations already have a complaints process to cover other legal and regulatory requirements, so this new complaint requirement needs to be integrated with existing mechanisms. Smaller organisations may need to create a process and procedure and update their data protection notices to cover this legal obligation. The good news is that the ICO will not deal with data subject complaints unless they have already followed the controller’s complaints procedure, so this is a good “defensive” action.

People’s right to complain to the ICO is not being replaced, just another important step is being introduced. In the majority of cases, if someone raises a complaint with the ICO, they’ll be asked to initially go through the organisation’s complaints process. This will put an end to the current practice of the ICO contacting organisations asking them to resolve a complaint directly with the individual. Your complaints process will be the first port of call.

Update your privacy notices

Be mindful that an immediate red flag might be raised if people can’t find out how to raise a complaint with you! Matthew Kay is Group DPO at Shawbrook Bank:

Organisations should place a level of focus on making their complaints process easy to locate and ensure the process is clear, accessible and handled in a timely fashion and should note the requirement to respond to individuals within 30 days. Further emphasis should be placed on good governance with a requirement to record and track complaints and ensure individuals are clear in their right to escalate the issue to the ICO should they wish to do so.

It is clear from the level of prescription both within the statute and the ICO guidance that the introduction of these requirements is likely to bring about greater scrutiny as to how effective organisations are in handling individuals’ complaints; with this in mind organisations should now be making provisions for when this comes into force in June 2026.

Will DSARs be the focus?

It would be good preparation to think through the types of data protection issues people currently raise with your organisation and how you might handle these through a more formal process. And yes, as Sofia Carroll, DPO at a technology company, points out, DSARs may well be your main focus:

The new complaints requirement is another step of the DSAR process busy teams have to manage now as well. If you already get plenty of requests, unfortunately plenty of complaints are also likely. The bare minimum from a practical point of view is to meet the legal requirement – have a procedure and follow ICO guidance.

You could make it as part of the DSAR process, or assign to a complaints team. If you wear a few hats or don’t have the resource, DPOs would be within their rights to raise this and flag it as a risk to senior management – both from DPO independence point of view and the fact that you may fall short of the new rules.

I’m definitely seeing more organisations having to grapple with nuanced and tricky access requests. We also know the ICO has been swamped by complaints, with a significant volume of these DSAR-related. The message is clear – we need to be prepared for DSARs to come right back at us, as formal complaints. Independent consultant Stephen McCartney was an in-house DPO for many years…

Complaints, like DSARs, will be weaponised, so I would advise DP Teams to give one robust response, and then move the complainant on to the ICO. This means if you got it right, say so once and move them on, and if you got it wrong, fix it. But don’t get drawn into protracted back and forth. Don’t be afraid of the ICO getting complaints, just make sure the data subject knows you will pass on all the correspondence if they “forget” to, and don’t be afraid to challenge the ICO if you can justify what you have done. The ICO just want to close down complaints, helping them do that is in your favour.

Be prepared, but prepare to adapt

It may be difficult to fully grasp how this requirement will pan out for your organisation post 19 June. If you do nothing else, at the very least update relevant privacy notices to make sure people are clearly informed how to raise a data protection complaint with you. ICO guidance suggests a number of methods you can offer to people, such as:

provide a complaint form
provide an email address and/or a phone number
use an online complaints portal
have a live chat function with an option to escalate to a human if needed

As for your internal process, try and decide which teams/individuals will be responsible for handling complaints. And remember, whether you adapt an existing process or create one from scratch it may not be perfect. And that’s okay. You can always tweak and fine-tune it as you go along.

As a data protection consultant since 2015, Philippa advises and supports a broad range of clients, and delivers data protection training. She also regularly writes GDPR guides to support data protection teams in their day-to-day work.