The Data (Use and Access) Act 2025 introduced several important regulatory changes to the existing UK data protection framework. One of the most notable changes is the introduction of a formal right for individuals to complain directly to organisations about how their personal data has been handled. As a result, organisations need to have in place an efficient system for handling and responding to such complaints.

The Information Commissioner’s Office (ICO), the UK’s data protection authority, has now issued guidance clarifying how these requirements are expected to be applied in practice.

A Shift in Responsibility: What Has Changed?

From 19 June 2026, individuals must first raise a data protection concern with the relevant organisation handling their data before escalating the matter to the ICO. This effectively positions organisations as the first line of resolution for data protection complaints.

For many organisations, this will not be entirely new. What has changed is the level of formality and the expectation that complaints are handled through a defined and accountable process.

What Does This Mean in Practice?

Individuals will have the right to submit a complaint if they believe their personal data has been handled by the organisation in a way that infringes UK data protection law. The ICO stresses, however, that complaints do not need to reference specific legal provisions or use technical terminology in order to be valid.

Complaints may cover a wide range of issues, including:

  • handling of subject access requests or other data subject rights requests;
  • the security measures used to store individuals’ information;
  • collection, use, retention, sharing, or storage of personal data; or
  • accuracy of personal data.

The ICO draws a line between these types of concerns and broader dissatisfaction with a service. Not every complaint that mentions personal data will fall within the scope of a data protection complaint, and organisations will need to exercise some judgement here.

Handling Complaints: The Core Expectations

A consistent theme in the ICO’s approach is accessibility. Individuals should be able to raise concerns easily, without being directed through overly rigid processes. This translates to the following obligations on organisations:

  • Providing a clear and accessible method for submitting complaints: Organisations can meet this requirement by offering a range of accessible channels for submitting complaints, such as a dedicated email address, an online or postal complaint form, telephone support, an online portal dedicated to complaint redressal, or a live chat with the ability to escalate to a member of staff where necessary. Where existing complaints mechanisms are already in place, these may be adapted to cover data protection complaints rather than introducing entirely new systems. However, individuals are not required to use any designated channel. A complaint may be made in any form, and organisations must be prepared to recognise and handle it accordingly once received.
  • Ensuring transparency: Organisations are also expected to make individuals aware of their right to complain and the available methods for doing so. In practice, this is typically addressed by updating privacy notices and ensuring that information about the complaints process is included in responses to data subject requests.
  • The 30-day rule (and what comes after): Organisations are expected to acknowledge complaints within 30 days, with the timeframe starting the day after receipt. If organisations are able to investigate the complaint and provide an outcome within 30 days, they are not required to provide an acknowledgement and outcome separately.
  • Investigating complaints without undue delay.
  • Keeping complainants informed where appropriate: Where investigation into a complaint is ongoing, individuals should be kept informed, particularly if there are delays.
  • Communicating the outcome, including any remedial actions taken: At the conclusion of the process, the outcome should be clearly explained, along with any steps taken to address the issue.
  • Maintaining detailed records of complaints, including:
    1. date of receipt
    2. acknowledgement of the complaint
    3. relevant correspondence and internal assessments
    4. outcome of the investigation
    5. any remedial measures taken

Retention of complaint-related personal data must align with existing data retention policies and be limited to what is necessary.

While the ICO does not impose a fixed deadline for completing investigations, organisations are expected to act promptly and be able to justify their timelines.

Identity Verification

Where there are reasonable doubts about a complainant’s identity, organisations may request additional information, but only to the extent necessary. If a complaint is submitted by a representative, their authority to act must be verified before proceeding.

When Complaints Come from Unexpected Places

Complaints may be raised through informal channels, including social media. Organisations should ensure they can identify when such communications constitute a data protection complaint. As a general principle, substantive engagement on social media should be avoided. Instead, individuals should be directed to a secure and appropriate complaints channel.

Implementation Priorities Ahead of June 2026

With June 2026 approaching, organisations should focus on embedding processes rather than building entirely new ones. In practical terms, this means:

  1. Review existing customer complaints frameworks to ensure they can be modified to cover data protection complaints.
  2. Develop a documented data protection complaints policy outlining submission channels and internal processes.
  3. Update privacy notices and rights response templates to inform individuals of their right to complain and how to do so.
  4. Train relevant teams, such as Customer Service, HR and Compliance, to recognise and escalate complaints appropriately.
  5. Implement and maintain a complaint log.
  6. Ensure outcome communications inform individuals of their right to escalate concerns to the ICO if they remain dissatisfied.

The Real Takeaway: This Is About Accountability

In many respects, the intent behind these changes is to formalise what good practice already looks like. Most organisations will already handle complaints relating to personal data in some form.

The difference now is that this process must be explicit, accessible, and consistently applied. The absence of strict investigation deadlines does not reduce this burden; rather, it requires organisations to exercise judgement and be able to justify their approach. In this sense, the change is less about new rules and more about demonstrable compliance.