Organisations across the UK are now legally required to have a clear process in place for handling data protection complaints.

This new duty arises under the Data (Use and Access) Act 2025, which inserts a new section 164A into the Data Protection Act 2018. The complaints-handling requirement came into force on 19 June 2026 and applies to organisations that process personal data as controllers.

For many organisations, this will require more than a quick update to a privacy notice. It will require a joined-up internal process that allows staff to recognise, triage, record, investigate and respond to data protection complaints properly.

Our Commercial and Data Protection team explains what has changed, why it matters and the practical steps organisations should now be taking.

What has changed?

Under the new section 164A of the Data Protection Act 2018, individuals have a statutory right to complain directly to a controller if they consider that there has been an infringement of data protection law in connection with their personal data.

In practical terms, this means individuals can complain directly to an organisation about how their personal data has been handled before escalating the issue to the Information Commissioner’s Office (ICO).

The ICO has confirmed that organisations must now:

  • give people a clear way to raise a data protection complaint;
  • acknowledge complaints within 30 days;
  • take appropriate steps to respond, including investigating appropriately;
  • keep the complainant informed; and
  • communicate the outcome without undue delay.

This applies to complaints received on or after 19 June 2026.

Why does this matter?

Data protection complaints are no longer something that can be treated as an informal customer service issue, a side point in an HR grievance, or a matter to be dealt with only if the ICO becomes involved.

The new regime gives individuals a clearer route to complain directly to the organisation first. That means businesses, charities, schools, care providers, healthcare organisations, professional services firms, technology companies and other data controllers need to be ready to deal with these complaints at source.

The risk is not limited to regulatory enforcement. A poorly handled complaint can quickly become:

  • an ICO complaint;
  • a subject access request;
  • an employment dispute;
  • a customer complaint;
  • a contractual issue;
  • a reputational issue;
  • a data breach concern; or
  • evidence of wider weaknesses in an organisation’s data governance.

The volume of data protection complaints is already significant. The ICO received 42,315 data protection complaints in 2024/25, compared with 39,721 in 2023/24 and 33,753 in 2022/23. The ICO’s own consultation material also forecast that complaint volumes could rise further to between 45,000 and 55,000 in 2025/26.

That trend matters. Individuals are more aware of their data rights, organisations are using more personal data than ever before, and complaints about access, accuracy, marketing, retention, data security and transparency are now common across most sectors.

What is a data protection complaint?

A data protection complaint is not limited to someone saying, “I am making a GDPR complaint”.

The ICO makes clear that individuals do not need to use legal language or refer to specific legislation. A complaint may arise where someone says, in substance, that an organisation has mishandled their personal information or failed to comply with data protection law.

Examples include complaints about:

  • how an organisation responded to a subject access request or other rights request;
  • inaccurate personal data;
  • excessive data retention;
  • direct marketing;
  • lack of transparency about how personal data is used;
  • data sharing with third parties;
  • security measures;
  • alleged misuse of employee data;
  • failure to delete or restrict use of personal data; or
  • concerns following a data breach.

This is why staff awareness and triage are important. A complaint may arrive through a customer service inbox, HR team, reception desk, sales team, complaints portal, social media channel, account manager or senior leadership contact. If staff do not recognise that the complaint has a data protection element, the organisation may miss the new statutory requirements.

What should organisations do now?

Organisations should review their current data protection framework and ask whether they can confidently answer the following questions.

1. Do we tell people how to complain?

Privacy notices should be checked to make sure they clearly explain how an individual can raise a data protection complaint.

This does not need to be overcomplicated, but it should be clear, accessible and consistent with the organisation’s actual internal process. If the privacy notice directs complaints to an email address that is not monitored, or to a generic inbox where complaints are not triaged, the process is unlikely to work properly in practice.

Organisations should also consider whether complaint routes are clear on websites, customer portals, employee privacy notices, patient or service-user materials, supplier-facing documents and app or platform interfaces.

2. Do staff know what a data protection complaint looks like?

One of the biggest practical risks is misclassification.

A data protection complaint may be hidden inside a wider complaint. For example:

  • an employee grievance may include allegations that HR records have been shared too widely;
  • a customer complaint may include a request to delete personal data;
  • a service user may complain that inaccurate information has affected a decision about them;
  • a client may object to direct marketing;
  • an individual may complain that a subject access request has not been answered properly.

Staff do not need to become data protection lawyers, but they do need enough awareness to spot when a complaint should be escalated.

3. Is there a documented internal procedure?

A good process should explain:

  • who receives complaints;
  • who logs them;
  • who decides whether they are data protection complaints;
  • who investigates them;
  • when legal, HR, IT, information security or senior management should be involved;
  • how the 30-day acknowledgement requirement is monitored;
  • how updates are provided;
  • how outcomes are approved;
  • when complaints should be escalated;
  • how complaints are linked to DSARs, data breaches, grievances and customer complaints; and
  • how records are retained.

This is particularly important for organisations with multiple locations, business units, schools, clinics, branches, departments or group companies.

4. Are there template responses?

Organisations should consider preparing template documents, including:

  • an acknowledgement;
  • a clarification request;
  • a holding update;
  • an internal investigation checklist;
  • a complaint outcome letter;
  • an escalation note; and
  • a closure record.

Templates help ensure consistency and reduce the risk of rushed, defensive or incomplete responses. They also make it easier to demonstrate that the organisation followed a fair and structured process.

5. Is the process aligned with DSARs and data breaches?

Data protection complaints often overlap with other GDPR processes.

For example, a complaint about failure to provide information may also be a subject access issue. A complaint about disclosure to the wrong person may also raise a personal data breach issue. A complaint about inaccurate records may require rectification. A complaint about continued marketing may require suppression or objection handling.

A standalone complaints process that does not connect with the organisation’s DSAR, breach, retention, HR, CRM and marketing processes will be difficult to operate safely.

6. Are processors and suppliers covered?

The statutory complaints duty under section 164A falls on controllers, but processors and suppliers may still be critical to the response.

For example, an outsourced payroll provider, IT supplier, CRM platform, marketing agency, HR system provider or SaaS vendor may hold information needed to investigate a complaint. Organisations should therefore check whether their contracts and internal escalation processes allow them to obtain support quickly.

In some cases, this may require reviewing data processing agreements, supplier terms, support arrangements and incident escalation procedures.

7. Are complaints recorded and monitored?

A compliant process should not end with a response letter.

Complaints can reveal patterns: repeated DSAR issues, inaccurate records, poor retention practices, unclear privacy notices, excessive data access, marketing weaknesses or training gaps.

A complaints register can help organisations identify recurring issues and evidence accountability. It can also help senior management, boards, trustees or compliance leads understand where data protection risk is arising in the business.

The commercial case for getting this right

This change should not be viewed as another piece of compliance administration.

Handled properly, a data protection complaints process can help organisations:

  • resolve issues before they escalate to the ICO;
  • reduce the risk of regulatory criticism;
  • improve customer and employee trust;
  • identify weaknesses in data governance;
  • strengthen DSAR and breach response processes;
  • reduce management time spent on avoidable disputes;
  • evidence accountability under the UK GDPR; and
  • demonstrate a mature approach to information governance.

The ICO has said that its focus is on helping organisations embed good practice rather than catching businesses out. It has also emphasised the importance of making complaints processes clear and accessible.

For organisations operating in regulated, trust-sensitive or data-heavy sectors — such as healthcare, education, care, charities, financial services, technology, professional services, recruitment, retail, logistics and membership organisations — the issue is particularly important. These organisations often hold large volumes of personal data, special category data, employee data, customer data and operational records. A poor complaints process can quickly expose wider problems.

Practical checklist

Organisations should now consider whether they have:

  • updated privacy notice wording explaining how to make a data protection complaint;
  • a dedicated or clearly monitored route for receiving complaints;
  • an internal data protection complaints policy or procedure;
  • a complaints register;
  • template acknowledgement and outcome letters;
  • a 30-day acknowledgement tracker;
  • clear escalation routes to legal, HR, IT/security and senior management;
  • alignment with DSAR, breach, HR grievance and customer complaints procedures;
  • staff guidance on recognising data protection complaints;
  • supplier and processor escalation arrangements where third parties hold relevant data;
  • management reporting for trends and repeat issues; and
  • evidence that complaints are reviewed and used to improve compliance.

If any of these points are missing, the organisation may not be able to demonstrate that it has an effective process in place.

How Flint Bishop can help

Flint Bishop’s Commercial and Data Protection team advises organisations on all aspects of data protection compliance, including privacy notices, DSARs, data breaches, data processing agreements, supplier arrangements, employee data, customer data, marketing compliance and wider information governance.

We can help organisations prepare for and comply with the new complaints-handling requirements by providing:

  • a review of existing privacy notices and complaint wording;
  • a data protection complaints procedure;
  • internal staff guidance;
  • template acknowledgement and outcome letters;
  • a complaints register template;
  • DSAR, breach and grievance alignment;
  • supplier and processor escalation review;
  • training for key staff; and
  • fixed-fee or tailored support depending on the organisation’s needs.

Free 20-minute consultation

We are offering a free 20-minute consultation for organisations that want to understand what the new complaints-handling requirements mean for them.

This can be used to discuss:

  • whether your current process is likely to meet the new requirements;
  • what documents or procedures you may need;
  • how to align complaints with DSARs, breaches, HR and customer complaints;
  • practical steps for staff training and internal triage; and
  • how to reduce the risk of complaints escalating to the ICO.

What are the new data protection complaints requirements?

Since 19 June 2026, organisations handling personal data must have a clear process for receiving, acknowledging, investigating and responding to data protection complaints. These requirements were introduced by the Data (Use and Access) Act 2025, which inserted section 164A into the Data Protection Act 2018.

Who do the new complaints-handling rules apply to?

The new requirements apply to organisations acting as data controllers that process personal data. This includes businesses, charities, schools, healthcare providers, care organisations, professional services firms, technology companies and public sector bodies.

How quickly must organisations acknowledge a data protection complaint?

Organisations must acknowledge a data protection complaint within 30 days and take appropriate steps to investigate and respond without undue delay.

What counts as a data protection complaint?

A data protection complaint can relate to any concern about how an organisation has handled personal data. Common examples include complaints about subject access requests, inaccurate personal information, excessive data retention, direct marketing, data sharing, security, or transparency.

What should organisations do to comply with the new requirements?

Organisations should review their privacy notices, implement a documented complaints procedure, train staff to recognise data protection complaints, establish clear escalation routes, prepare template responses and maintain a complaints register.

Why is having a formal complaints process important?

An effective complaints process helps organisations resolve concerns before they escalate to the Information Commissioner’s Office (ICO), demonstrates accountability under UK GDPR and can identify wider weaknesses in data governance.

If you would like advice on implementing a compliant data protection complaints process or reviewing your wider data protection framework, our Commercial and Data Protection team can help. Call 0330 123 9501 or complete the form below to speak with a member of our team.