Organisations across the UK are now legally required to have a clear process in place for handling data protection complaints.
This new duty arises under the Data (Use and Access) Act 2025, which inserts a new section 164A into the Data Protection Act 2018. The complaints-handling requirement came into force on 19 June 2026 and applies to organisations handling personal data.
For many organisations, this will require more than a quick update to a privacy notice. It will require a joined-up internal process that allows staff to recognise, triage, record, investigate and respond to data protection complaints properly.
Our Commercial and Data Protection team explains what has changed, why it matters and the practical steps organisations should now be taking.
Under the new section 164A of the Data Protection Act 2018, individuals have a statutory right to complain directly to a controller if they consider that there has been an infringement of data protection law in connection with their personal data.
In practical terms, this means individuals can complain directly to an organisation about how their personal data has been handled before escalating the issue to the Information Commissioner’s Office (ICO).
The ICO has confirmed that organisations must now:
This applies to complaints received on or after 19 June 2026.
Data protection complaints are no longer something that can be treated as an informal customer service issue, a side point in an HR grievance, or a matter to be dealt with only if the ICO becomes involved.
The new regime gives individuals a clearer route to complain directly to the organisation first. That means businesses, charities, schools, care providers, healthcare organisations, professional services firms, technology companies and other data controllers need to be ready to deal with these complaints at source.
The risk is not limited to regulatory enforcement. A poorly handled complaint can quickly become:
The volume of data protection complaints is already significant. The ICO received 42,315 data protection complaints in 2024/25, compared with 39,721 in 2023/24 and 33,753 in 2022/23. The ICO’s own consultation material also forecast that complaint volumes could rise further to between 45,000 and 55,000 in 2025/26.
That trend matters. Individuals are more aware of their data rights, organisations are using more personal data than ever before, and complaints about access, accuracy, marketing, retention, data security and transparency are now common across most sectors.
A data protection complaint is not limited to someone saying, “I am making a GDPR complaint”.
The ICO makes clear that individuals do not need to use legal language or refer to specific legislation. A complaint may arise where someone says, in substance, that an organisation has mishandled their personal information or failed to comply with data protection law.
Examples include complaints about:
This is why staff awareness and triage are important. A complaint may arrive through a customer service inbox, HR team, reception desk, sales team, complaints portal, social media channel, account manager or senior leadership contact. If staff do not recognise that the complaint has a data protection element, the organisation may miss the new statutory requirements.
Organisations should review their current data protection framework and ask whether they can confidently answer the following questions.
Privacy notices should be checked to make sure they clearly explain how an individual can raise a data protection complaint.
This does not need to be overcomplicated, but it should be clear, accessible and consistent with the organisation’s actual internal process. If the privacy notice directs complaints to an email address that is not monitored, or to a generic inbox where complaints are not triaged, the process is unlikely to work properly in practice.
Organisations should also consider whether complaint routes are clear on websites, customer portals, employee privacy notices, patient or service-user materials, supplier-facing documents and app or platform interfaces.
One of the biggest practical risks is misclassification.
A data protection complaint may be hidden inside a wider complaint. For example:
Staff do not need to become data protection lawyers, but they do need enough awareness to spot when a complaint should be escalated.
A good process should explain:
This is particularly important for organisations with multiple locations, business units, schools, clinics, branches, departments or group companies.
Organisations should consider preparing template documents, including:
Templates help ensure consistency and reduce the risk of rushed, defensive or incomplete responses. They also make it easier to demonstrate that the organisation followed a fair and structured process.
Data protection complaints often overlap with other GDPR processes.
For example, a complaint about failure to provide information may also be a subject access issue. A complaint about disclosure to the wrong person may also raise a personal data breach issue. A complaint about inaccurate records may require rectification. A complaint about continued marketing may require suppression or objection handling.
A standalone complaints process that does not connect with the organisation’s DSAR, breach, retention, HR, CRM and marketing processes will be difficult to operate safely.
The statutory complaints duty is primarily relevant to controllers, but processors and suppliers may still be critical to the response.
For example, an outsourced payroll provider, IT supplier, CRM platform, marketing agency, HR system provider or SaaS vendor may hold information needed to investigate a complaint. Organisations should therefore check whether their contracts and internal escalation processes allow them to obtain support quickly.
In some cases, this may require reviewing data processing agreements, supplier terms, support arrangements and incident escalation procedures.
A compliant process should not end with a response letter.
Complaints can reveal patterns: repeated DSAR issues, inaccurate records, poor retention practices, unclear privacy notices, excessive data access, marketing weaknesses or training gaps.
A complaints register can help organisations identify recurring issues and evidence accountability. It can also help senior management, boards, trustees or compliance leads understand where data protection risk is arising in the business.
This change should not be viewed as another piece of compliance administration.
Handled properly, a data protection complaints process can help organisations:
The ICO has said that its focus is on helping organisations embed good practice rather than catching businesses out. It has also emphasised the importance of making complaints processes clear and accessible.
For organisations operating in regulated, trust-sensitive or data-heavy sectors — such as healthcare, education, care, charities, financial services, technology, professional services, recruitment, retail, logistics and membership organisations — the issue is particularly important. These organisations often hold large volumes of personal data, special category data, employee data, customer data and operational records. A poor complaints process can quickly expose wider problems.
Organisations should now consider whether they have:
If any of these points are missing, the organisation may not be able to demonstrate that it has an effective process in place.
Flint Bishop’s Commercial and Data Protection team advises organisations on all aspects of data protection compliance, including privacy notices, DSARs, data breaches, data processing agreements, supplier arrangements, employee data, customer data, marketing compliance and wider information governance.
We can help organisations prepare for and comply with the new complaints-handling requirements by providing:
We are offering a free 20-minute consultation for organisations that want to understand what the new complaints-handling requirements mean for them.
This can be used to discuss:
Frequently Asked Questions
Since 19 June 2026, organisations handling personal data must have a clear process for receiving, acknowledging, investigating and responding to data protection complaints. These requirements were introduced by the Data (Use and Access) Act 2025, which inserted section 164A into the Data Protection Act 2018.
The new requirements apply to organisations acting as data controllers that process personal data. This includes businesses, charities, schools, healthcare providers, care organisations, professional services firms, technology companies and public sector bodies.
Organisations must acknowledge a data protection complaint within 30 days and take appropriate steps to investigate and respond without undue delay.
A data protection complaint can relate to any concern about how an organisation has handled personal data. Common examples include complaints about subject access requests, inaccurate personal information, excessive data retention, direct marketing, data sharing, security, or transparency.
Organisations should review their privacy notices, implement a documented complaints procedure, train staff to recognise data protection complaints, establish clear escalation routes, prepare template responses and maintain a complaints register.
An effective complaints process helps organisations resolve concerns before they escalate to the Information Commissioner’s Office (ICO), demonstrates accountability under UK GDPR and can identify wider weaknesses in data governance.
Contact Us
If you would like advice on implementing a compliant data protection complaints process or reviewing your wider data protection framework, our Commercial and Data Protection team can help. Call 0330 123 9501 or complete the form below to speak with a member of our team.