Key points
- From 19 June 2026, individuals in the UK will have a formal right to complain directly to organisations about how their personal data has been handled.
- Organisations will need a clear internal process for receiving and managing data protection complaints.
- Complaints must be acknowledged within 30 days and investigated without unnecessary delay.
- Individuals must be informed about their right to complain, which will usually require updates to privacy notices and data rights response templates.
- Organisations should keep records of how complaints are handled, as these may be reviewed if a complaint is later escalated to the Information Commissioner’s Office (ICO).
The new complaints right explained
From 19 June 2026, organisations that process personal data in the UK will need to follow a structured process when individuals raise concerns about how their personal data has been handled.
The change comes from the Data (Use and Access) Act 2025 (DUAA), which introduces a statutory right for individuals to complain directly to an organisation before escalating the issue to the Information Commissioner’s Office (ICO).
In practice, this change is intended to encourage issues to be resolved directly between individuals and organisations before a regulator becomes involved.
For many organisations, preparing for the new rules will not require a complete overhaul of existing processes. Most organisations already operate customer complaints procedures or data rights request processes. The new framework is largely about ensuring those processes clearly cover data protection complaints, that they are accessible to individuals, and that organisations respond in a structured and transparent way.
Handled well, the new approach can help organisations resolve issues earlier and reduce the likelihood of complaints escalating to the regulator.
The ICO has published guidance explaining how organisations should approach data protection complaints in practice. Below we summarise what the change means and the steps organisations should consider taking.
What counts as a data protection complaint?
A data protection complaint arises when someone believes an organisation has failed to comply with data protection law in the way it has handled their personal data.
The scope is intentionally broad. Complaints may relate to issues such as how a subject access request was handled, the security measures used to protect personal data, or how personal data has been collected, used, stored or shared.
Individuals do not need to use legal terminology or refer to legislation when making a complaint. Concerns can be raised through any communication channel, including email, telephone, web forms, social media or even a conversation with a member of staff.
If it is unclear whether someone intends to raise a data protection complaint, organisations should clarify this with the individual.
What organisations will need in place
Organisations that act as data controllers must ensure they have a process for receiving and handling data protection complaints.
Individuals must also be informed that they can complain to the organisation about how their personal data has been handled. In practice, this will usually involve updating privacy notices and ensuring responses to data rights requests explain how a complaint can be raised.
Organisations must also provide a practical way for individuals to submit complaints. There is flexibility in how this is done. Complaints may be received through an online form, a dedicated email address, a phone number or an existing complaints process. A separate system is not required as long as complaints can be raised easily and handled appropriately.
Staff awareness is also important. Complaints may be raised through many different channels and may reach employees who are not part of legal or compliance teams. Organisations should therefore ensure staff understand how to recognise a data protection complaint and where it should be escalated internally.
Handling complaints in practice
Once a complaint is received, organisations must acknowledge it within 30 days.
The acknowledgement simply confirms that the complaint has been received and will be reviewed. The 30-day period begins on the day after the complaint is received, even if that day falls on a weekend or public holiday.
Organisations must then investigate the complaint without undue delay. In practice this means beginning enquiries promptly and progressing the investigation without unjustified or excessive delay. The appropriate timeframe will depend on the complexity of the complaint and the potential impact on the individual.
During the investigation, organisations may need to review relevant records, speak with relevant staff and assess whether their handling of the personal data complied with applicable data protection law and internal policies.
If the investigation is likely to take time, the complainant should be kept informed about expected timelines.
Communicating the outcome
Once the investigation is complete, the organisation should inform the individual of the outcome without unnecessary delay.
The response should explain what steps were taken to investigate the complaint and what actions have been taken as a result. Where the organisation believes it has complied with data protection law, the explanation should be clear enough for the individual to understand how that conclusion was reached.
If a complainant decides to escalate their complaint to the ICO, the organisation does not need to contact the regulator proactively. The ICO will reach out if it requires further information.
Organisations should also keep records of how complaints have been handled, including when the complaint was received, how it was investigated and the outcome. The ICO guidance notes that these records may be referenced if a complaint is later escalated to the regulator.
What organisations should consider doing now
Although the new requirements take effect in June 2026, organisations should begin reviewing their processes in advance.
In many cases this will involve targeted updates rather than significant operational change. Organisations may wish to review their privacy notices, check that individuals are clearly informed about how to raise a complaint, and ensure existing complaints procedures can accommodate data protection issues.
Internal processes may also need refining so that complaints are recognised quickly and escalated to the appropriate teams. Training staff to recognise a data protection complaint is often one of the most practical steps organisations can take.
Where organisations rely on third-party processors, contractual arrangements may also need to be reviewed to ensure complaints involving those processing activities can be investigated effectively.
Where to find the ICO guidance
The ICO has published detailed guidance explaining how organisations should deal with data protection complaints, including practical examples of how the process may work.
The full guidance can be accessed here.
How we can help
The new rules are designed to help organisations resolve concerns earlier and demonstrate accountability in how personal data is handled. For many organisations, preparing for the changes will involve reviewing existing governance and making targeted updates.
If you would like support reviewing your privacy notice, updating internal complaint handling procedures, or understanding how the new framework may affect your organisation, please get in touch. Our team would be happy to help.