Data Protection Complaints Update
Written by Katerina Douni
By June 2026 all organisations must have a published data protection complaints procedure in place. The ICO has released draft guidance on how to comply. Our latest article, written by our Support Consultant Katerina Douni, explains what you need to do and how to prepare.
New Legal Duty: Data Protection Complaints Procedures Required by June 2026
The Data (Use and Access) Act 2025 introduces a new obligation for all organisations. By June 2026, you must have a formal procedure in place for handling data protection complaints.
The Information Commissioner’s Office (ICO) has published draft guidance to help organisations prepare. While the guidance is open to consultation until October 2025, the core requirements are unlikely to change.
This update explains what the law requires, how to prepare, and what steps you should take now.
Why is this change important?
Until now, if an individual complained to the ICO, the regulator often redirected the issue back to the organisation. From June 2026, the ICO will expect individuals to use your complaints procedure first before they escalate to the regulator.
If you do not have a clear and accessible procedure in place, the ICO may quickly identify this as a compliance gap.
What the law requires
From June 2026, every organisation must:
- Provide a procedure for people to raise data protection complaints directly.
- Acknowledge complaints within 30 days of receiving them.
- Investigate and take appropriate steps without undue delay, keeping the complainant informed.
- Provide an outcome without undue delay, including a clear explanation of actions taken.
- Keep records of all complaints and how they were handled.
How people can complain
The law does not prescribe one method, but you must make it easy for individuals to raise complaints. Options include:
- An electronic or written complaints form
- Telephone line for complaints
- Online complaints portal
- Live chat with escalation to a human agent
- In-person option if no online presence
Organisations must also publish their complaints procedure, either on their website or by providing it at the earliest opportunity.
The 5-Step Data Protection Complaints Process
1. Acknowledge
Acknowledge within 30 days (email auto-response, letter, or written follow-up to verbal complaints). The timeframe begins the day after receipt, even if received on a weekend or holiday.
2. Investigate
Identify the issue clearly and gather relevant facts. Speak to staff, compare records, and review internal policies. Ask the complainant for clarification or evidence early on.
3. Update on progress
Keep the complainant informed if the investigation takes time. Provide a contact point and expected completion date.
4. Provide outcome
Respond as soon as possible with a clear explanation. State actions taken and provide enough detail for the individual to understand your conclusion. Inform them of their right to escalate to the ICO if they remain dissatisfied.
5. Record keeping
Keep a record of receipt, acknowledgement, investigation steps, outcome, and actions taken. Agree a suitable retention period for complaint records.
Key steps to take now
- Collaborate internally to agree your complaints handling process.
- Assign responsibility for investigating and resolving complaints.
- Draft and publish a complaints procedure before June 2026.
- Update staff training so all employees can recognise a data protection complaint.
- Integrate the procedure into your privacy notices to raise awareness.
FAQs
Who does this apply to?
All organisations that process personal data, regardless of size or sector.
Do we need a new procedure if we already have a complaints process?
You may adapt an existing process, but it must specifically cover data protection complaints.
What happens if we do not comply?
Failure to publish or follow a complaints procedure may expose your organisation to ICO scrutiny and could be treated as a breach of the Data (Use and Access) Act 2025.
Does the 30-day acknowledgement mean we must resolve complaints within 30 days?
No. You must acknowledge within 30 days. The investigation must be carried out and the outcome provided “without undue delay”, which means as quickly as reasonably possible.
Can complaints be made on someone else’s behalf?
Yes, but you must confirm the person is authorised, for example by checking a signed authority letter or power of attorney. If no evidence is provided, you do not have to investigate.
Should we publish this procedure online?
Yes, the ICO expects organisations to make the process easily accessible, ideally via your website and privacy notices.
Final thoughts
This is a significant compliance change that will affect every organisation. The ICO is clear that complaints procedures will become a focal point for accountability and transparency.
At Data Protection People, we recommend starting preparations now so you are not caught out in 2026. If you need help designing or embedding a compliant complaints procedure, our consultancy team can support you.