The UK’s New Data Protection Complaints Regime: What Employers Need to Know
24/06/2026
From 19 June 2026, a significant change to UK data protection law has come into force under the Data (Use and Access) Act 2025 (“DUAA”). This change introduces a statutory requirement for all data controllers to implement a formal internal process to handle data protection complaints.
A new statutory right to complain
Historically, individuals could complain directly to the Information Commissioner’s Office (ICO), but organisations were not expressly required to operate their own internal complaints procedure.
The DUAA has amended this position by inserting a new section 16A into the Data Protection Act 2018. Under the DUAA, data controllers must now:
- give data subjects a way of making data protection complaints directly;
- acknowledge receipt of complaints within 30 days of receiving them;
- without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep people informed; and
- without undue delay, tell people the outcome of their complaints.
The intent of the legislation is to encourage early resolution of disputes and reduce regulatory involvement where issues can be resolved directly.
Practical impact on employers
Whilst the intent of the legislation is to encourage resolution of disputes over data-related issues at an early stage, in reality this change is likely to result in a heavier compliance and administrative load for employers.
Greater attention will now be paid to the robustness of internal complaint procedures, particularly the way complaints are recognised, examined and resolved, and organisations may need to commit more time and resource to ensure investigations are carried out thoroughly.
What sort of complaint can a data subject make?
Data subjects may submit a complaint to an organisation where they believe that organisation has failed to comply with data protection law whilst handling their personal data.
This could include complaints in relation to an organisation’s response to a subject access request or in relation to their data use, sharing, accuracy, retention and security issues.
Practical ICO guidance
The ICO has published new Guidance on preparing for data protection complaints, which sets out practical steps organisations that act as data controllers should take:
- Organisations must ensure that individuals are able to submit data protection complaints directly in line with the DUAA, e.g. via a complaint form, email, telephone, etc.
- Organisations must inform individuals of their right to complain, including in privacy notices, and provide clear, plain‑language explanations of the process.
- Once a complaint is received, organisations must acknowledge receipt of the complaint within 30 days and then investigate the issue without undue delay.
- Once the investigation is completed, the complainant must be informed about the outcome without an unjustifiable or excessive delay, with a clear explanation of the steps that have been taken to resolve the complaint and any actions taken.
- Individuals must also be informed of their right to complain to the ICO and be provided with the ICO’s contact details.
We would encourage members to review this guidance.
Failure to handle complaints
A failure to handle complaints correctly and in line with the guidance will likely result in further escalation to the Information Commissioner’s Office, which may result in investigations and/or regulatory action (depending on the seriousness). Outside of this, there is also a risk of reputational damage if a complaint is mishandled.
Key takeaways
Organisations should now take immediate steps to implement a clear internal process for handling data protection complaints, ensuring processes are in place to record complaints received, update their privacy notices and train staff on any new procedures and how to handle complaints.
We are currently drafting a template procedure that can be adapted to your organisation and we will share this in the next week.