What organisations need to know
From 19 June 2026, all organisations must have a data protection complaints process in place. In other words, organisations must provide a way for individuals to raise concerns if they believe their data protection rights have been infringed by the organisation.
The Information Commissioner’s Office (ICO) has always encouraged individuals to contact the relevant organisation first to attempt to resolve their complaint before escalating it to the ICO, however, the Data Use and Access Act 2025 (DUAA) formalises this into a legal requirement. There are no exceptions, and although DUAA does not create a standalone offence or penalty for failing to implement a complaints procedure, non-compliance will amount to a breach of UK data protection law and is therefore subject to the ICO’s full suite of enforcement powers.
A new emphasis on complaints handling
Under DUAA 2025, organisations must have a user-friendly and accessible process for dealing with data protection complaints. In practical terms, this means organisations must:
- inform individuals that they have the right to complain to the organisation and the ICO;
- provide a method for raising complaints (for example, via a dedicated email address, form or telephone number);
- recognise when a data protection complaint has been made;
- log and track complaints internally;
- investigate and respond appropriately; and
- demonstrate that concerns have been taken seriously.
The focus is not simply on having a formal procedure, but on ensuring complaints are handled consistently, transparently and fairly.
What counts as a “complaint”?
Complaints do not have to follow a prescribed format to be valid. They may arise via the organisation’s website “contact us” form, an email to an employee’s inbox, or even a conversation on the phone. While it is helpful to provide a complaints form or a dedicated email address, organisations should avoid taking an overly rigid approach. If a concern relates to how personal data has been handled, it should be treated as a data protection complaint regardless of how it is received or by whom. This means internal training is critical – staff across all teams should be able to recognise potential data protection complaints and escalate them appropriately.
Timing: acknowledgement vs response
Complaints must be acknowledged within 30 days, and a response should be provided “without undue delay”. For good practice and consistency, organisations should set an internal target timeframe for responding – the timeframes used for subject access requests can be a helpful benchmark. However, unlike subject access requests, there are no exemptions organisations can rely on for not responding to a complaint received.
Although DUAA does not prescribe a specific deadline for issuing a response, the ICO’s template complaints letter for individuals refers to a 30‑day response timeframe. While this is not legally binding, it may create an expectation among individuals, and possibly the ICO, that 30 days is the standard. If a complaint cannot be resolved quickly, organisations should provide regular updates as to the progress of the investigation to maintain transparency and trust.
There is no limitation period for raising a data protection complaint. Individuals may raise concerns long after the relevant events, which reinforces the importance of good record‑keeping.
Managing the substance of the complaint
Once a complaint has been acknowledged, organisations should conduct a fair and thorough investigation, gathering relevant evidence and verifying the facts before reaching a conclusion. Responses should clearly address each aspect of the complaint, explain the reasoning behind the outcome, and outline any remedial steps taken.
When responding to complaints, organisations should remain focused on the substance of the issue raised. In some cases, individuals may raise broader concerns while also exercising their data protection rights. This does not necessarily amount to a data protection complaint in itself. For example, an employee might submit a workplace grievance while also requesting access to their personal data. Similarly, a customer may complain about service issues while requesting that their personal data be erased. In these situations, the underlying complaint relates to a separate issue, and the data protection request should be handled independently and in accordance with the relevant procedure. If it is unclear whether an individual has made a data protection complaint, it is good practice to seek clarification so concerns can be addressed appropriately.
Organisations should also be confident and transparent in their communications. It is important to explain clearly what individuals are, and are not, entitled to under data protection law. Over-accommodation, for example, providing copies of internal documents the individual is not legally entitled to in order to deal with a complaint quickly, can create unnecessary risk for the organisation, and expectations from the individual.
Keeping records of complaints
Robust record‑keeping is a critical element of an effective complaints process. Organisations should maintain clear and comprehensive records of each complaint, including
- when it was received;
- how it was assessed;
- the steps taken during the investigation;
- copies of relevant correspondence and evidence considered;
- the rationale for any decisions reached and;
- any remedial action taken.
Maintaining a clear audit trail not only supports consistency and accountability, but also enables organisations to demonstrate compliance if a complaint is later escalated to the ICO.
Escalation and regulatory risk
If a complainant is dissatisfied with the response, they may escalate the issue to the ICO. The ICO will typically expect to see evidence that the organisation has:
- engaged with the complaint meaningfully;
- attempted to resolve the issue directly; and
- clearly explained its position.
A well-handled internal complaint can significantly reduce the likelihood of regulatory scrutiny.
Practical steps for compliance
To align with DUAA 2025, organisations should:
- review internal processes to ensure complaints are identified and escalated consistently;
- train staff across departments so that complaints are recognised regardless of where they are received;
- implement a logging system to track complaints, acknowledgements, responses and follow-up actions;
- set internal response timeframes and monitor performance against them;
- prepare template responses to ensure consistency and clarity; and
- ensure complaints processes are easy to find and use (for example, signposting them in privacy notices).
Final thoughts
DUAA 2025 does not fundamentally change the concept of handling data protection complaints, but it does raise expectations around how organisations manage them in practice. A flexible, well-understood and consistently applied complaints process will be essential. Organisations that take a pragmatic and legally grounded approach will be best placed to manage risk, maintain trust and demonstrate accountability.
How Moore Barlow can help
If you would like assistance reviewing your complaints procedures, handling complex data protection complaints, or if you have any other data protection queries, our Commercial lawyers would be happy to help.