Data Protection complaints are not new.
People have always been able to raise concerns if they believe their personal information has been mishandled. But what is changing is the level of expectation placed on organisations to handle those complaints properly, clearly and consistently.
From 19 June 2026, organisations will be legally required to have a process in place for handling Data Protection complaints under the Data Use and Access Act 2025. The ICO has confirmed that businesses across the UK need to prepare, with particular emphasis on small and medium-sized organisations that may not currently have a formal complaints process in place.
This is not just another compliance task. It is about trust, accountability and giving people a clear route to raise concerns when something does not feel right.
What Is Changing?
The key change is that organisations must have a clear way for people to raise a Data Protection complaint directly with them.
This means that if someone believes their personal information has been mishandled, used unfairly, kept too long, shared incorrectly, lost, exposed, or not dealt with properly following a rights request, they should be able to complain to the organisation first.
The ICO says organisations must:
- Give people a way to make Data Protection complaints
- Acknowledge complaints within 30 days
- Take appropriate steps to investigate and respond without undue delay
- Keep people informed
- Tell people the outcome of their complaint without undue delay
The ICO has also made it clear that organisations must have a process for handling these complaints and that there are no exemptions.
Why Is This Changing?
The change is being introduced through the Data Use and Access Act 2025, which became law on 19 June 2025. The Act makes a number of changes to UK Data Protection and privacy law, but it does not replace the UK GDPR, Data Protection Act 2018 or PECR. The government says the Act is designed to simplify rules for organisations, encourage innovation, support responsible data sharing and maintain high Data Protection standards.
In simple terms, the complaints requirement is about making sure people do not feel ignored, passed around or forced to go straight to the regulator because an organisation has no clear route for raising concerns.
It gives individuals a clearer voice.
It also gives organisations a better opportunity to resolve issues early, learn from mistakes and prevent matters escalating to the ICO.
The ICO has said that having a clear complaints process supports customer trust and good day-to-day relationships. It has also highlighted that resolving complaints quickly and fairly can prevent issues from escalating, protect trust and reduce the likelihood of regulatory involvement.
What Counts as a Data Protection Complaint?
A Data Protection complaint does not need to include legal language. A person does not need to quote UK GDPR articles or know the correct terminology.
If someone believes you have infringed Data Protection law because of how you handled their personal information, they can complain.
This could include concerns about:
- How you responded to a Subject Access Request
- How you handled another information rights request
- The security measures used to protect their information
- A data breach or suspected data breach
- How you collected their information
- How long you kept it for
- Whether the information is accurate
- Where their data has been stored or shared
This is important because many complaints will not arrive neatly labelled as a “Data Protection complaint”.
They may come through customer service, email, phone, social media, HR, reception, a manager, a frontline worker or even verbally during a meeting.
That means staff need to know what to look for.
Why This Matters for Organisations
A Data Protection complaint is not just an admin issue.
It can be a warning sign.
It may show that something in your organisation is unclear, outdated or not working as it should. It might highlight a problem with your privacy notice, retention rules, access controls, staff training, cyber security, supplier management or DSAR process.
Handled badly, a complaint can damage trust quickly.
Handled well, it can show professionalism, accountability and respect.
The real risk is not just receiving a complaint. The bigger risk is not recognising it, not recording it, not responding properly, or allowing it to sit in someone’s inbox with no ownership.
That is where organisations can get caught out.
What the ICO Has Said
The ICO published guidance to help organisations prepare before the legal requirement comes into force. It has said the guidance represents good practice even before the 19 June 2026 deadline.
The ICO has encouraged businesses, particularly SMEs, to read the guidance and take straightforward steps now. Emily Keaney, Deputy Commissioner for Regulatory Policy at the ICO, said the ICO is not there to catch businesses out, but to help them get ready.
The ICO has also made an important practical point: a complaint can come from any customer at any time. Having a clear process helps organisations respond quickly, resolve issues fairly and protect trust.
That message matters.
This is not only about legal compliance. It is about how your organisation listens, responds and learns.
What Organisations Need to Do Before 19 June 2026
Organisations should not wait until the deadline.
The starting point is to create or adapt a process that explains how Data Protection complaints will be received, recognised, acknowledged, investigated, recorded and resolved.
1. Give People a Clear Way to Complain
You must give people a way to make a Data Protection complaint directly to you. This could be by email, online form, written complaint, phone, portal, live chat or in person. The ICO says organisations do not need to create a separate tool if an existing complaints process can be adapted, but however a complaint is received, it must be accepted.
2. Update Your Privacy Notice
You must tell people that they can complain to you, as well as to the ICO. This should be included at the point you collect personal information, such as within your privacy notice, and when responding to a Subject Access Request.
3. Train Your Staff
Your people need to recognise a Data Protection complaint when they see one.
This is vital because complaints may not arrive through a central inbox. A member of staff may receive one by phone, social media, email or face to face. The ICO says all staff should be able to recognise a Data Protection complaint and know where to direct it internally.
4. Acknowledge Complaints Within 30 Days
You must acknowledge receipt of a complaint within 30 days. The 30 days start the day after the complaint is received, and if the final day falls on a weekend or public holiday, the organisation has until the next working day to acknowledge it.
5. Investigate Without Undue Delay
You must make enquiries into the complaint without undue delay. Importantly, the obligation to investigate begins when you receive the complaint, not after the 30-day acknowledgement period.
6. Keep the Person Informed
If the investigation is taking time, the complainant should be kept updated. Good communication can reduce frustration and help prevent people escalating matters to the ICO before you have had the chance to resolve them.
7. Provide a Clear Outcome
Once the investigation is complete, you must tell the complainant the outcome without unjustifiable or excessive delay. The ICO says organisations should explain what they have done, what they found and any action taken as a result.
8. Keep Records
You should record the date the complaint was received, the acknowledgement, relevant conversations, documents, the outcome and any actions taken. The ICO says recording complaint numbers, themes and trends can help identify wider compliance issues and areas for improvement.
The Deadline
The key deadline is:
19 June 2026
From this date, organisations must have a Data Protection complaints process in place.
The ICO published its guidance in February 2026 and updated it in May 2026, giving organisations time to prepare before the legal requirement comes into force.
That means now is the time to act.
Not when the complaint arrives.
Not when the ICO gets involved.
Not when a customer loses trust.
Now.
Hints and Tips for the Future
Make It Easy to Find
If people cannot find your complaints process, it is not really accessible. Add clear wording to your privacy notice, website, internal procedures and customer communications.
Use Plain English
Avoid legal jargon. People should understand how to complain, what information to provide, what happens next and when they can expect to hear from you.
Create an Internal Escalation Route
Make sure staff know who handles Data Protection complaints. This could be your Data Protection Lead, DPO, senior manager, governance lead or external Data Protection support.
Link It to DSARs and Rights Requests
Many complaints will come from frustration around Subject Access Requests, deletion requests, rectification requests or unclear responses. Your complaints process should sit alongside your information rights process.
Review Your Data Landscape
Complaints often reveal deeper issues. Regularly review what data you collect, where it is stored, who has access, who it is shared with and how long it is kept.
Learn From Trends
One complaint may be a one-off. Three complaints about the same issue may show a pattern.
Use complaints as part of your Data Privacy maturity review. They can help identify gaps in training, systems, suppliers, security, retention and communication.
Do Not Treat Complaints as Failure
A complaint is not always a sign that an organisation has failed. But ignoring it, delaying it or responding poorly can be.
A good complaints process gives organisations a chance to put things right, explain decisions and build trust.
Final Thoughts
The new Data Protection complaints requirement is not just a legal deadline.
It is a trust moment.
It is about giving people a clear voice when they are concerned about how their personal information has been used. It is also about giving organisations a fair opportunity to listen, respond, learn and improve.
The organisations that handle this well will not just have a policy on a website. They will have trained people, clear ownership, good records, practical processes and a culture that takes concerns seriously.
Because Data Protection is not just about what happens when things go right.
It is also about how you respond when someone says something has gone wrong.
And that response can make all the difference.
Data Done Right.
