From June 2026, all organisations which process personal data must have a clear internal process for handling data protection complaints. This requirement applies to all organisations, regardless of size or sector.
The Information Commissioner’s Office (ICO) has published guidance to help organisations prepare for the implementation of these complaints processes, which will become a legal requirement from 19 June pursuant to section 103 of the Data (Use and Access) Act 2025 (DUAA).
The ICO guidance is that organisations must have a process for handling data protection complaints and that there will be “no exemptions” to this position.
The aim of the new process is to make it easier for individuals to raise concerns directly with organisations about how their personal data has been handled, and to resolve issues at an early stage, without the need to involve the ICO unless necessary.
What counts as a data protection complaint?
DUAA provides that a data subject can make a complaint to a controller if there has been any infringement of the UK GDPR or Part 3 of the Data Protection Act 2018. Part 3 covers law enforcement processing, the data protection principles of processing, data subject rights, controller and processor obligations and international transfers of personal data. By way of example, complaints could therefore be about:
- how personal data has been collected or used;
- delays or problems with the organisation responding to a subject access request;
- personal data being shared incorrectly; or
- concerns following a personal data breach.
The ICO makes clear that organisations must accept complaints however they are received, even if they are not submitted through a formal complaints form or designated channel.
What must organisations do?
Under DUAA and the ICO’s guidance, organisations must:
- provide a way for people to make data protection complaints (for example by email, online form, phone or post);
- acknowledge receipt of a complaint within 30 days;
- investigate and respond to the complaint without undue delay, keeping the complainant informed of progress; and
- clearly explain the outcome once the complaint has been concluded.
Organisations are not required to create a brand‑new complaints system – guidance from the ICO is that existing complaints processes can be adapted, provided they properly cover data protection issues.
How detailed does the process need to be?
The ICO has explained that it expects complaints processes to be:
- easy to find, such as being clearly signposted in privacy notices or on websites;
- easy to use, without unnecessary barriers; and
- accessible to everyone, not just customers or employees.
While some elements are mandatory, the ICO recognises that organisations can design a process that is proportionate to their size and structure.
What happens if a complaint goes to the ICO?
Under the new framework, the expectation from the ICO appears to be that individuals will be able to show that they have already raised their complaint with the organisation before the ICO considers acting.
If a complaint is referred to the ICO, the current indications are that the regulator will assess that complaint based on factors such as:
- the seriousness of the issue;
- the potential harm to individuals; and
- whether regulatory intervention is in the public interest.
Not every complaint will result in a formal ICO investigation.
When do organisations need to act?
Although the new complaints requirement does not legally take effect until 19 June 2026, the ICO has said that following the guidance now represents good practice and will help organisations demonstrate accountability and readiness.
Organisations should therefore be actively reviewing and updating their existing complaints procedures ahead of June to ensure they meet the new legal requirements.