Katarina Douni

Data Protection Consultant

Katerina is a Data Protection Consultant at Data Protection People. Having started on the Support Desk team, Katerina helps customers stay compliant while guiding them through every stage of the process.

Get to Know Katarina

Katerina is a Data Protection Consultant at Data Protection People. She joined DPP in 2024 and she enjoys partnering with SMEs that are committed to achieving data protection compliance but may not know where to begin. She is passionate about making compliance accessible and practical and she strongly believes that with robust organisational measures and ongoing guidance, improving data protection compliance can be a straightforward and achievable process.

A former high jump athlete and National Champion in Greece, she brings a strong sense of discipline and responsibility to her work. Outside of her professional work, she enjoys embroidery and spending as much time as possible in the countryside.

Experience

Katerina started her academic career in the Law School of the National and Kapodistrian University of Athens, Greece. She has worked in Greece as a lawyer specialising in civil and corporate law. During this time, she developed a strong interest in data protection and a desire to deepen her expertise in the field. She subsequently moved to the UK, where she completed an LL.M. in Data Protection and Intellectual Property at the University of Law, Leeds, gaining a solid foundation in data protection.

Following this, DPP offered her the opportunity to further develop her expertise in data protection and apply her knowledge in practice. Since then, Katerina has worked within the Support Desk Team and progressed to the Data Protection Consultancy Team, where she manages a diverse portfolio of clients across various sectors, guiding them through the complexities of data protection.

Because Katerina had years of experience working as a lawyer before making the jump to consulting, she has gained an in-depth perspective on the whole legal apparatus. In addition, having experience in both European law and British law, she has gained a wider understanding that enables her to consult on international data protection matters and on how companies with an addressable market outside the UK can navigate safely through various sets of legislation.

Every data protection journey needs a reliable map, the right tools, and trusted guidance.

Katarina Douni
Data Protection Consultant

Katarina's Posts

Data Protection Complaints Update

New Legal Duty: Data Protection Complaints Procedures Required by June 2026

The Data (Use and Access) Act 2025 introduces a new obligation for all organisations. By June 2026, you must have a formal procedure in place for handling data protection complaints.

The Information Commissioner’s Office (ICO) has published draft guidance to help organisations prepare. While the guidance is open to consultation until October 2025, the core requirements are unlikely to change.

This update explains what the law requires, how to prepare, and what steps you should take now.

Why is this change important?

Until now, if an individual complained to the ICO, the regulator often redirected the issue back to the organisation. From June 2026, the ICO will expect individuals to use your complaints procedure first before they escalate to the regulator.

If you do not have a clear and accessible procedure in place, the ICO may quickly identify this as a compliance gap.

What the law requires

From June 2026, every organisation must:

  • Provide a procedure for people to raise data protection complaints directly.
  • Acknowledge complaints within 30 days of receiving them.
  • Investigate and take appropriate steps without undue delay, keeping the complainant informed.
  • Provide an outcome without undue delay, including a clear explanation of actions taken.
  • Keep records of all complaints and how they were handled.

How people can complain

The law does not prescribe one method, but you must make it easy for individuals to raise complaints. Options include:

  • An electronic or written complaints form
  • Telephone line for complaints
  • Online complaints portal
  • Live chat with escalation to a human agent
  • In-person option if no online presence

Organisations must also publish their complaints procedure, either on their website or by providing it at the earliest opportunity.

The 5-Step Data Protection Complaints Process

1. Acknowledge

Acknowledge within 30 days (email auto-response, letter, or written follow-up to verbal complaints). The timeframe begins the day after receipt, even if received on a weekend or holiday.

2. Investigate

Identify the issue clearly and gather relevant facts. Speak to staff, compare records, and review internal policies. Ask the complainant for clarification or evidence early on.

3. Update on progress

Keep the complainant informed if the investigation takes time. Provide a contact point and expected completion date.

4. Provide outcome

Respond as soon as possible with a clear explanation. State actions taken and provide enough detail for the individual to understand your conclusion. Inform them of their right to escalate to the ICO if they remain dissatisfied.

5. Record keeping

Keep a record of receipt, acknowledgement, investigation steps, outcome, and actions taken. Agree a suitable retention period for complaint records.

Key steps to take now

  • Collaborate internally to agree your complaints handling process.
  • Assign responsibility for investigating and resolving complaints.
  • Draft and publish a complaints procedure before June 2026.
  • Update staff training so all employees can recognise a data protection complaint.
  • Integrate the procedure into your privacy notices to raise awareness.

FAQs

Who does this apply to?
All organisations that process personal data, regardless of size or sector.

Do we need a new procedure if we already have a complaints process?
You may adapt an existing process, but it must specifically cover data protection complaints.

What happens if we do not comply?
Failure to publish or follow a complaints procedure may expose your organisation to ICO scrutiny and could be treated as a breach of the Data (Use and Access) Act 2025.

Does the 30-day acknowledgement mean we must resolve complaints within 30 days?
No. You must acknowledge within 30 days. The investigation and outcome must be provided “without undue delay”, which means as quickly as reasonably possible.

Can complaints be made on someone else’s behalf?
Yes, but you must confirm the person is authorised, for example by checking a signed authority letter or power of attorney. If no evidence is provided, you do not have to investigate.

Should we publish this procedure online?
Yes, the ICO expects organisations to make the process easily accessible, ideally via your website and privacy notices.

Final thoughts

This is a significant compliance change that will affect every organisation. The ICO is clear that complaints procedures will become a focal point for accountability and transparency.

At Data Protection People, we recommend starting preparations now so you are not caught out in 2026. If you need help designing or embedding a compliant complaints procedure, our consultancy team can support you.