New requirement for a complaints procedure under UK data protection laws

Wednesday 3rd June 2026

TL;DR: All organisations, from SMEs to global businesses, are required to directly facilitate and handle data protection complaints by 19 June 2026. Meeting the requirement means putting in place appropriate policies and procedures and updating existing privacy notices.

Legal requirement for a complaints process

The Data (Use and Access) Act 2025 (DUAA) has introduced a variety of changes to the way organisations process personal data, by amending and supplementing the UK GDPR, Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003.

One of the changes introduced by DUAA is that organisations must directly facilitate and handle data protection complaints from individuals. This is a legal obligation which organisations must implement by 19 June 2026.

Before the introduction of DUAA, individuals could lodge a complaint with the Information Commissioner’s Office (ICO), the UK data protection regulator, if they believed their personal data was being processed in a manner that breached data protection laws. There was no legal obligation on organisations to facilitate and handle data protection complaints, although the ICO generally expected individuals to raise their concerns with the relevant organisation before escalating to the ICO.

A failure to comply with this new obligation may expose organisations to regulatory action by the ICO, data protection claims from individuals, and reputational damage. The maximum fine which can be issued by the ICO is £17.5 million or 4% of the organisation’s total annual worldwide turnover.

Legal and practical steps

Documentation – how to prepare

The legislation (S164A DPA 2018) says that organisations should “facilitate the making of complaints by taking appropriate steps to respond to the complaint, and inform the complainant of the outcome of the complaint” – which may include providing a complaint form which can be completed electronically or by other means.

The simplest way to do this, and to demonstrate compliance, is via a complaints procedure and complaints form, together with an underlying process that makes sure each complaint is handled appropriately in accordance with the legislation. As ever with data protection, meeting the requirement and documenting compliance are equally important.

Practical steps to demonstrate compliance

Organisations should acknowledge receipt of a complaint within 30 days, keep the complainant informed of the progress of their complaint, and inform them of the outcome without undue delay.

When investigating the complaint, it is crucial to look at all the relevant facts thoroughly, speak to relevant staff, and ask for any necessary clarification to show due process. Organisations should keep a record which can be used to justify the manner in which they handled each complaint.

Following the investigation, the organisation should provide the outcome to the complainant, including information on what has been done to resolve the complaint and any action taken. This should be in a format which is accessible for each complainant.

Staff training and awareness

While organisations can direct individuals within their privacy notices to a prescribed form, individuals can complain to any employee in any part of an organisation. As such, all staff should be trained to identify data protection complaints, so that the organisation complies with its obligations effectively and responds within the statutory timeframe. For consumer-facing businesses with existing complaints policies and procedures, thought should be given to how the two interact, particularly where a complaint involves both a data protection issue and a goods or services complaint.

Organisations must also distinguish between data protection complaints and data subject rights requests. A misinterpretation of the individual’s request risks non-compliance with statutory deadlines to respond in full to a subject access request, which could expose the organisation to further regulatory risk.

Conclusion

The introduction of an obligation on organisations to directly facilitate complaints represents a shift in how organisations should engage with individuals’ data protection concerns. With the deadline fast approaching, organisations should now take steps to establish clear procedures, train staff and ensure that complaints are identified and handled effectively.

If you would like to discuss these changes in more detail, please get in touch with one of our Experts.