A practical guide to the UK’s new Data Protection complaints regime

From 19 June 2026, organisations will be legally required to have processes in place to respond to data protection complaints. With the deadline fast approaching, we outline how businesses can best prepare.

Background

For many organisations, data protection complaints are nothing new. While often resolved quickly, even straightforward issues can absorb significant time and resources, particularly if ultimately raised with the Information Commissioner's Office (ICO). For UK businesses, the message is clear: early, effective resolution remains the best way to avoid unnecessary escalation.

The Data (Use and Access) Act 2025 (DUAA) now places complaint handling on a statutory footing. From 19 June 2026, organisations will be legally required to receive, acknowledge, investigate and resolve data protection complaints in accordance with a prescribed framework.

Incoming reforms

The Data (Use and Access) Bill was introduced at Westminster on 23 October 2024 and enacted on 19 June 2025. The ICO describes it as intended to “promote innovation and economic growth and make things easier for organisations”, while preserving safeguards for the rights of individual data subjects. It amends aspects of the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations, and addresses matters including automated decision-making, cookies, and the Commissioner’s strategic duties.

The DUAA also inserts a new section 164A into the DPA, creating a freestanding right for data subjects to complain directly to controllers where they consider there has been an infringement of their data protection rights. This reflects a recognition that resolving disputes at source is typically faster and more efficient for both the individual and the organisation than a full regulatory investigation. The ICO has published guidance to assist organisations in implementing these obligations and has urged businesses, particularly SMEs, to take the "straightforward steps needed to comply" before the regime comes into force.

What constitutes a data protection complaint?

For these purposes, data subjects may submit complaints to organisations regarding the handling of their personal data (including where acting for another). As with requests under the UK GDPR, the Freedom of Information Act or the Environmental Information Regulations, there is no requirement to cite specific legislation or use prescribed legal terminology. This may include complaints concerning:

• an organisation’s response to a data subject access request;
• the security measures implemented to protect personal data (in accordance with Article 32 UK GDPR);
• the impact of a data breach on the complainant, even where it is not reportable to the ICO; and
• data retention practices.

Under the new regime, data subjects are expected to raise a complaint with the data controller in the first instance before escalating the matter to the ICO. The ICO deals with a high volume of complaints, and this reform is intended to reduce the associated administrative burden.

Key requirements

Under the new regime, organisations (insofar as they are controllers under UK GDPR) are subject to the following key requirements:

• Receiving complaints: organisations must provide data subjects with a way to make complaints directly. This could include the use of a bespoke complaints portal, email address, live chat function or in-person routes. Businesses should ensure that the process is straightforward and not unduly burdensome for complainants.
• Acknowledgement: a new statutory timeframe requires organisations to acknowledge receipt of a data subject complaint within 30 days beginning when the complaint is received.
• Investigation: organisations must take appropriate steps to investigate complaints, conduct reasonable enquiries and respond without undue delay. The ICO expects organisations to be able to justify the approach taken.
• Updating complainants: during the complaints process, organisations must ensure transparency in handling and keep the data subject informed of the progress of the complaint.
• Providing an outcome: organisations must inform the data subject of the outcome of the complaint, which again must be communicated without undue delay.

When responding to complaints, businesses may also need to consider their wider legal obligations (for example, under equality and discrimination law). ICO guidance makes clear that there is no need for a separate data protection complaints process. If preferred, data protection complaints can instead be absorbed into existing procedures, provided those processes enable compliance with the above obligations.

Top tips for compliance

The following are some practical suggestions for controllers looking to ensure readiness ahead of 19 June:

• Map your complaint entry points now: The duty to respond appropriately to complaints applies irrespective of how they are received, including via any employee or part of the organisation. Auditing the channels through which complaints may arise (from front desks to general inboxes and staff) helps identify training gaps and ensures complaints are captured and dealt with effectively.
• Distinguish complaints from requests: Train frontline staff to identify when someone is expressing dissatisfaction about an alleged infringement of data protection legislation, even where it is wrapped in a broader grievance or customer service issue. Getting the triage right avoids missed obligations and deadline issues down the line.
• Treat investigation as a live obligation: The 30-day period is for acknowledgement only, the duty to investigate arises immediately upon receipt. Organisations that delay substantive consideration until the acknowledgement is sent risk an undue delay finding.
• Record and learn: The ICO also expects controllers to review what happened. Beyond meeting accountability obligations, tracking recurring themes and trends provides an early-warning system for compliance issues that could attract regulatory attention in future.

The good news is that compliance need not be burdensome. For most organisations, meeting these obligations will require only modest adjustments to existing processes. The key is to identify those adjustments now and implement them before the regime takes effect.

For more information in relation to any of the points raised in this article, please contact Keith Dunn, Martyn Doherty, Patrick Murray or a member of our Data Protection team.

Date published: 11 June 2026