Article

Data protection complaints: New legal requirements and recommended actions

4 June 2026 | Applicable law: England and Wales | 5 minute read

1. Summary

The Data (Use and Access) Act 2025 amends UK data protection law, including the UK GDPR and the Data Protection Act 2018 (DPA).

One of the new statutory requirements, which comes into force on 19 June 2026, gives individuals the right to make data protection complaints directly to data controllers and requires those controllers to:

  • 'facilitate the making' of data protection complaints;
  • acknowledge such complaints within 30 days;
  • investigate and respond to each complaint without undue delay; and
  • inform individuals of their right to complain both to the organisation and to the ICO.

UK businesses, charities, firms or other organisations collecting and processing personal data should act now to ensure they have an appropriate process for handling data protection complaints.

Existing privacy notices and procedures may be used for this purpose but are likely to need review and updating to comply with the new legal requirements.

2. Duty to facilitate complaints - what does this mean?

Organisations must 'facilitate' the making of data protection complaints, but the new law does not impose a specific mechanism to follow.

ICO guidance merely states that organisations should take 'reasonable steps' to ensure that individuals can easily make complaints, including by providing accessible complaint channels and clear information about how to complain.

Organisations are not required to establish a new, standalone process for data protection complaints and can integrate data protection complaints into existing customer complaint procedures provided the basic legal requirements are met.

Examples of measures that may assist compliance include:

  • providing an online complaints form, portal, or other accessible means of submitting complaints;
  • accepting complaints by email, telephone, post and/or in person;
  • establishing processes for identifying and responding to complaints made through social media (although the ICO recognises that this is generally not a secure way to send personal information);
  • ensuring complaints information is accessible through the organisation's website; and
  • implementing internal escalation procedures so that staff can identify and promptly direct complaints to the appropriate team.

Although organisations may encourage individuals to use a preferred complaints route (e.g. a specific data protection complaint form), individuals must still be able to complain through any channel they choose, including directly contacting employees. Organisations must therefore be capable of recognising, accepting and handling complaints received through any means.

3. Duty to acknowledge, investigate and respond to complaints

3.1 Acknowledgement

Data protection complaints must be acknowledged within 30 days of receipt.

ICO guidance confirms that the 30-day period begins on the day after the complaint is received, including where receipt occurs on a weekend or public holiday. If the final day for acknowledging falls on a non-working day, acknowledgement may be deferred to the next working day.

Acknowledgements may be provided through automated responses or verbally, although organisations should retain records to demonstrate they provided a response by the deadline.

The method of acknowledgement is flexible and may depend on how the complaint was received, subject to any relevant equality legislation requirements. In practice, it will often be sensible to communicate through the same channel used by the complainant unless agreed otherwise.

3.2 Investigation

Upon receipt of a complaint, organisations must, without undue delay:

  • 'take appropriate steps' to respond to the complaint; and
  • inform the complainant of the outcome.

Significantly, the obligation to investigate starts immediately upon receipt of the complaint and does not depend on the expiry of the 30-day acknowledgement period.

Appropriate investigative steps may include:

  • making enquiries into the subject matter of the complaint;
  • reviewing relevant personal data and internal records;
  • consulting with relevant internal stakeholders; and
  • keeping the complainant informed of progress where appropriate.

Where a complaint raises both data protection issues and other legal, service, contractual or commercial concerns, organisations should consider whether the data protection aspects can be investigated and resolved separately.

The ICO indicates that organisations should not delay responding to the data protection elements of a complaint merely because wider aspects of the complaint remain under investigation.

3.3 Response

The complaint itself should be responded to 'without undue delay'. However, unlike the acknowledgement requirement, there is no fixed statutory timeframe for completing the investigation or providing a substantive response.

What is sufficient will depend on the circumstances of the complaint, including its complexity, scope and potential impact on the complainant. Having internal timescales would be useful, but a single fixed response deadline for all data protection complaints may not be appropriate.

When communicating the outcome of a complaint, organisations should clearly explain:

  • the steps taken to investigate the complaint;
  • any actions taken as a result of the investigation; and
  • where the organisation considers that it has complied with applicable data protection law, the reasons for that conclusion in sufficient detail to enable the complainant to understand the basis of the decision.

4. Duty to inform individuals of their complaint rights

Organisations must inform individuals of:

  • their right to make a complaint to the organisation; and
  • their right to complain to the ICO.

This information must be provided:

  • at the point at which personal data is collected, typically in a website privacy policy or published privacy notice; and
  • when responding to requests made under the UK GDPR, including subject access requests and other data subject rights requests.

5. Recommended actions

ICO guidance contains examples of regulatory good practice. The recommendations below are intended to assist organisations in designing a complaints process that complies with the new legal obligations and aligns with the ICO's expectations.

5.1 Implement a Compliant Complaints Process

Organisations should review their existing complaints arrangements and decide whether to:

  • adapt any existing complaints processes to accommodate data protection complaints; or
  • implement a separate data protection complaints process.

In either case, the process should ensure that:

  • individuals can easily identify how to make a data protection complaint and locate the relevant contact details;
  • complaints can be submitted through accessible channels; and
  • complaints received through any channel are recognised, accepted and appropriately escalated in line with any statutory deadlines.

Organisations may find it helpful to maintain at least one dedicated contact route for data protection complaints, such as a specific email address, which may in many cases be the existing contact point for data subject rights requests.

Depending on the size and resources of the organisation, organisations may also wish to consider implementing an internal review or escalation stage for complainants who remain dissatisfied with the outcome.

Organisations should also establish specific procedures for handling complaints submitted by children, as well as by authorised representatives making complaints on behalf of other individuals (e.g. any proof of authority or ID required before commencing an investigation).

5.2 Establish internal ownership and escalation procedures

Responsibility for handling data protection complaints should be clearly assigned within the organisation, for example to a data protection officer, head of data protection or another designated individual.

Internal procedures should ensure that employees can recognise complaints relating to personal data and data protection rights, and that statutory deadlines are monitored and complied with. Targeted guidance, training or briefing sessions for relevant staff can help ensure complaints are identified and handled consistently.

Organisations acting as joint controllers should review their controller arrangements to ensure that responsibility for receiving, escalating, investigating and responding to complaints is clearly allocated. In particular, organisations should bear in mind that the statutory obligations arise once a complaint is received by any joint controller.

5.3 Update privacy notice and rights request templates (if applicable)

Organisations should review and update privacy notices and any template correspondence used when responding to data subject rights requests to ensure that individuals are informed of:

  • their right to complain directly to the organisation; and
  • their right to complain to the ICO.

5.4 Maintain appropriate records

To demonstrate compliance and support any subsequent engagement with the ICO, organisations should maintain records of data protection complaints, including:

  • the date the complaint was received;
  • the acknowledgement issued;
  • relevant correspondence, documents and investigative steps;
  • the outcome communicated to the complainant; and
  • any remedial or corrective action taken, together with the date of implementation.

6. How we can help

We can assist organisations with:

  • reviewing existing complaints procedures and assessing compliance with the new statutory requirements;
  • drafting or updating data protection complaints policies and procedures;
  • reviewing privacy notices, data subject rights processes and template correspondence;
  • advising on the allocation of responsibilities within organisations, including in joint controller arrangements; and
  • advising on complex or high-risk complaints, including complaints that may involve regulatory engagement with the ICO.

If you would like assistance in preparing for the new requirements, please contact your usual Withers contact or a member of our Data Protection team.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.
