The Data (Use and Access) Act 2025 (the “Act”) received Royal Assent last year and introduces slight reforms to the UK’s data protection regime.
One change is the new requirement (which will come into force on 19 June 2026) for data controllers to put in place a procedure for dealing with a data subject’s complaint.
What is the new requirement?
If a data subject believes an organisation has breached its obligations in relation to the processing of their personal data, they can complain to the Information Commissioner’s Office (“ICO”). However, the Act says they may first make a complaint to the data controller.
Such complaints could include those relating to a data subject access request response (or requests relating to other data subject rights), complaints about security measures (e.g. data breaches) or complaints about how their personal data is being processed (e.g. that it has been kept for too long, is out of date, etc.).
The Act specifically requires the data controller to:
- facilitate the making of complaints by taking steps such as providing a complaint form which can be completed electronically and by other means;
- acknowledge receipt of the complaint within 30 days (beginning with the date the complaint is received); and
- without undue delay, take appropriate steps to respond to the complaint and inform the complainant of the outcome of the complaint. Appropriate steps to respond include making enquiries into the subject matter of the complaint (to the extent appropriate) and informing the complainant about progress on the complaint.
ICO Guidance
The ICO has produced practical guidance for organisations on how to deal with complaints (How to deal with data protection complaints). This says that organisations:
- Must have a process for handling data protection complaints. Organisations could consider putting a written policy in place to evidence this procedure (though they do not strictly have to). The ICO says that organisations could publish this on their websites (there is no expectation that a purely internal policy for staff would be published externally).
- Must give people a way to complain, but how this is done is up to the organisation. It says this could be done via a complaint form (submitted electronically or by other means), but that it is also possible for an organisation to allow complaints via an email address, telephone number, online portal or live chat function. There should be a way for people to make complaints in person if the organisation does not have an online presence. Privacy notices could be adapted to include information about how to complain.
- Need to be aware that, although they can set up a complaints process, there is no obligation on individuals to use this, and they can complain in any way they choose – for example, they may contact any employees at the company or complain via social media.
- Must make sure they take a sensible approach to identifying complaints raised via social media and consider whether someone intends to raise a complaint and receive a response.
- Use plain, clear language that children can understand if a complaint is received from a child, and assess the competence of the child to understand and exercise their rights.
- Tell people they can complain at the point their data is collected and when responding to a data subject access request. There are additional rules for organisations that process personal data for law enforcement purposes, which must be complied with.
- Should use plain language and explain any jargon or legal terms.
- May need to ask a complainant for ID if they have genuine concerns over their identity before responding, or for proof of authority if a third party is making the request on the data subject’s behalf. This should be requested at the earliest opportunity.
- Should train staff appropriately to ensure they know how to recognise a complaint and the process to follow.
- Should have arrangements in place with any joint controllers and processors relating to how complaints will be handled.
- Must acknowledge receipt within 30 days – the format for doing this is up to the organisation. For example, this could be an automated response to an electronic complaint. When replying to a complaint received on social media, organisations could request alternative contact details, as it is not appropriate to share personal data on this platform.
- Should gather as much information as they can to investigate the complaint without undue delay. This includes looking at all relevant facts fairly and accurately, speaking to relevant members of staff, comparing information from the complaint with information held and checking terms, policies and procedures have been followed.
- Must keep the complainant updated on the progress of the investigation and outcome without undue delay. The outcome should clearly explain what the organisation has done and actions taken (where appropriate).
- Should have a system for keeping records which includes the date of the complaint and details, the acknowledgement sent, relevant conversations/documents, outcome and action taken. Obligations may later be introduced on data controllers to confirm the number of complaints received and so it is important logs are kept for this purpose as well as to evidence compliance.
- May want to provide more detail or clarify their decision if the complainant remains unhappy, and could consider having a review process in such instances.
Next Steps
This change comes into effect next month, and so it is important that organisations take steps to address this now. The simplest route for many organisations will be to amend privacy notices to include a clear reference to the right to complain and how to exercise it (e.g., via an email address). However, in line with the ICO Guidance, organisations will also need to consider having written policies in place, staff training and a record management system.
It is important to note that the Act does not make complaining to the data controller mandatory (as the legislation simply says they ‘may’ do this), but the ICO certainly encourages individuals to do this and will, no doubt, ask the individual whether steps have been taken to resolve matters directly if any complaint is made to them. Individuals would be best advised to contact the ICO before raising a complaint.
Our Data Protection team can assist you in complying with this new obligation, so do not hesitate to get in touch!