25 June 2026 5 mins

Quick answer

From 19 June 2026, UK organisations must have a process for handling data protection complaints.

That means people need a clear way to complain to you if they think you have mishandled their personal data. You must acknowledge their complaint within 30 days, investigate it without undue delay, keep them updated where appropriate, and tell them the outcome.

For most businesses, this does not need to be complicated. In many cases, it means updating your privacy notice, adding a clear complaints route, creating a simple internal process and making sure the right people know what to do when a complaint comes in.


What changed on 19 June 2026?

A new data protection complaints requirement came into force on 19 June 2026 under the Data (Use and Access) Act 2025.

The change gives individuals a clearer route to complain directly to an organisation if they believe their personal data has not been handled properly.

This matters because it shifts the focus onto businesses dealing with complaints properly at an early stage, rather than people going straight to the Information Commissioner’s Office.

In plain English, if someone has a concern about how you have used, stored, shared, deleted or responded to a request about their personal data, they should have a clear way to raise that complaint with you.

You then need to deal with it properly.

That means:

  • giving people a way to make a data protection complaint;
  • acknowledging the complaint within 30 days;
  • taking appropriate steps to investigate and respond without undue delay;
  • keeping the person informed where appropriate;
  • telling them the outcome without undue delay.

This is not just a line in your privacy notice saying people can complain to the ICO. It is about having a working internal process.


Who does this apply to?

This applies to organisations that handle personal data.

That will include most UK businesses.

If you hold personal information about customers, clients, employees, contractors, suppliers, website users, prospects or other individuals, this is likely to be relevant to you.

There is no general exemption just because your business is small.

The good news is that the process can be proportionate. A small business does not need the same level of process as a large financial services firm or healthcare provider. But it still needs to have a sensible way of receiving, recording, investigating and responding to complaints.

For many smaller organisations, that may be as simple as:

  • a clear email address for data protection complaints;
  • a short update to the privacy notice;
  • a one-page internal process;
  • a complaints log;
  • a named person or team responsible for dealing with complaints.

What counts as a data protection complaint?

A data protection complaint is a complaint from someone who believes you have infringed data protection law in the way you have handled their personal data.

They do not need to use formal legal wording.

They do not need to mention the UK GDPR, the Data Protection Act or the ICO.

They might simply say something like:

  • “I do not think you should still have my details.”
  • “I asked for my information and you have not sent it.”
  • “You sent my personal information to the wrong person.”
  • “I asked you to delete my data and you have not done it.”
  • “I do not understand why you are using my information for this.”
  • “I am unhappy with the way you dealt with my data request.”

Common examples include complaints about:

  • subject access requests;
  • deletion or correction requests;
  • data breaches;
  • use of personal data for marketing;
  • data retention;
  • inaccurate personal data;
  • sharing information with third parties;
  • security of personal data;
  • lack of transparency about how data is being used.

The safest approach is simple: if the complaint appears to be about personal data, pause and check whether it should be treated as a data protection complaint.

If it is unclear, ask for clarification.


What does your organisation need to have in place?

You do not need an elaborate new system. But you do need a process that works.

Here are the practical steps.

1. Give people a clear way to complain

People need to know how to raise a data protection complaint with you.

This could be through:

  • a dedicated email address;
  • a general complaints email address;
  • an online form;
  • a postal address;
  • a phone number;
  • an existing customer support route.

You do not necessarily need a separate data protection complaints platform. Many businesses can adapt the complaints process they already have.

The important point is that the route must be clear, accessible and understood internally.

For example, if someone sends a data protection complaint to a general inbox, the person monitoring that inbox should know where to send it.

2. Update your privacy notice

Your privacy notice should explain that people can complain to you if they are unhappy with how you have handled their personal data.

This does not need to be long.

A simple paragraph can often do the job, provided it is clear.

For example:

“If you are unhappy with how we have handled your personal data, you can raise a data protection complaint with us by contacting [insert contact details]. We will acknowledge your complaint and respond in line with our legal obligations.”

You should also continue to explain that people can complain to the ICO if they remain unhappy.

3. Acknowledge complaints within 30 days

When you receive a data protection complaint, you must acknowledge it within 30 days.

That does not mean you need to fully resolve every complaint within 30 days.

It means you need to confirm that you have received it and explain what will happen next.

For a straightforward complaint, you may be able to acknowledge it and respond with an outcome at the same time. For more complex complaints, the acknowledgement should explain that you are looking into it.

4. Investigate without undue delay

You must take appropriate steps to investigate the complaint.

What this involves will depend on the complaint.

You may need to:

  • review emails or records;
  • check what personal data was held;
  • look at how a request was handled;
  • speak to relevant staff;
  • ask a supplier or processor for information;
  • check whether your privacy notice or internal process was followed;
  • review whether an error occurred.

“Without undue delay” means you should not let the complaint drift. If the issue is simple, deal with it promptly. If it is more complex, keep the person updated and record why it is taking longer.

5. Keep the person informed

If the complaint cannot be resolved quickly, you should keep the complainant updated.

That does not mean constant updates. It means sensible communication, especially if the investigation is taking longer than expected.

A short update is often enough:

“We are still looking into your complaint. We are reviewing the relevant records and will come back to you as soon as we can.”

6. Provide an outcome

Once you have investigated, you need to tell the person the outcome without undue delay.

Your response should explain, in plain English:

  • what you looked into;
  • what you found;
  • whether you agree with the complaint;
  • what action you have taken or will take;
  • what they can do if they remain unhappy.

If you made a mistake, say what you are doing to put it right.

If you do not agree with the complaint, explain why.

Avoid defensive or overly legalistic language. A clear, fair response is usually more effective than a long technical one.


Why a line in your privacy policy may not be enough

Many businesses already have wording in their privacy notice saying that people can complain to the ICO.

That is still relevant, but it is no longer enough on its own.

The new requirement is about giving people a way to complain to you first and making sure you have a process for dealing with that complaint.

So the issue is not just:

“Does our privacy notice mention complaints?”

The better questions are:

  • Can someone easily complain to us about data protection?
  • Would our team recognise a data protection complaint?
  • Do we know who would deal with it?
  • Can we acknowledge it within 30 days?
  • Can we investigate and respond properly?
  • Would we have a record of what happened if the ICO later asked?

If the answer to any of those is “not sure”, it is worth tightening things up.


What should businesses do now?

If you have not looked at this yet, do not panic. But do not ignore it either.

This is one of those compliance changes that is much easier to deal with before a complaint arrives.

Here is a sensible order of priority.

This week

Check your privacy notice.

Does it tell people they can complain to you about how you have handled their personal data?

If not, update it.

Decide where complaints should go. For many businesses, this will be a dedicated email address or an existing complaints inbox.

Make sure the relevant people know what a data protection complaint might look like.

Next

Create a simple internal process.

It does not need to be long. A one-page process is often enough.

It should cover:

  • where complaints come in;
  • who reviews them;
  • how they are logged;
  • who investigates;
  • when they must be acknowledged;
  • how updates are given;
  • how the outcome is recorded;
  • when to get legal input.

Create a complaints log.

This can be a spreadsheet or simple tracker, provided it is kept securely.

Then

Review your template responses.

This includes:

  • subject access request responses;
  • deletion request responses;
  • correction request responses;
  • privacy notice wording;
  • general complaints wording;
  • website contact pages.

Make sure your documents point people to the right complaints route.

Then test the process.

Ask someone internally: “If this complaint came in today, what would happen?”

If nobody is sure, the process needs more work.


Practical checklist

Use this as a starting point.

Privacy notice and external wording

  • Privacy notice updated to mention data protection complaints.
  • Contact route for complaints is clear.
  • ICO escalation wording remains included where appropriate.
  • Website contact page updated if needed.
  • Template responses updated for data rights requests.

Internal process

  • Data protection complaints process documented.
  • Person or team responsible for complaints identified.
  • Escalation route agreed.
  • 30-day acknowledgement requirement built in.
  • Process for investigation agreed.
  • Process for providing an outcome agreed.
  • Process for keeping complainants updated agreed.

Staff awareness

  • Relevant staff know what a data protection complaint might look like.
  • Customer-facing teams know where to escalate complaints.
  • Anyone monitoring shared inboxes understands the process.
  • Social media or website enquiries are not overlooked.
  • Managers know when to seek legal input.

Record keeping

  • Complaints log created.
  • Date received is recorded.
  • Date acknowledged is recorded.
  • Investigation steps are recorded.
  • Outcome is recorded.
  • Any remedial action is recorded.
  • Records are stored securely.

What you probably do not need

Most businesses do not need to overcomplicate this.

You probably do not need:

  • a standalone complaints portal;
  • a long formal complaints policy;
  • complex new software;
  • a new team;
  • a completely separate process if your existing one can be adapted.

The process should match the size and risk profile of your business.

For a smaller business, the right answer may be a privacy notice update, a complaints email address, a short internal process and a clear record-keeping template.

The important thing is that it works in practice.


Why this matters

This is not just a technical compliance point.

Data protection complaints often arise when someone is already frustrated. Maybe they think you have ignored a request. Maybe they are worried about a breach. Maybe they do not understand why you still hold their data.

A clear process helps you respond calmly and consistently.

It can also reduce the chance of the issue escalating to the ICO.

Handled well, a complaint can be resolved quickly and fairly. Handled badly, it can become a bigger problem than it needed to be.


How Hybrid Legal can help

If you are unsure whether your current setup covers this properly, we can help you sense-check it.

That might include:

  • reviewing your privacy notice;
  • checking whether your complaints wording is clear;
  • creating a simple data protection complaints process;
  • preparing a complaints log template;
  • updating DSAR and data rights response templates;
  • briefing your team on what to look out for;
  • helping you respond to a complaint if one has already landed.

This does not need to become a big project.

For many businesses, it is a practical tidy-up: a few wording changes, a simple process and a clearer internal route for complaints.

The value is knowing that if a complaint arrives, your team knows what to do.


FAQs

Do we need a separate data protection complaints policy?

Not necessarily.

You need a process, but that does not always mean a separate published policy. If your existing complaints process can handle data protection complaints properly, you may be able to adapt it.

The key is that people can complain, your team knows what to do, and you can meet the legal requirements.

Do we need a dedicated email address?

No, but it can help.

A dedicated email address can make the route clearer and reduce the risk of complaints being missed. But you can use an existing complaints or contact email address if it is properly monitored and staff know how to escalate data protection complaints.

What if someone complains through social media?

Do not ignore it.

If the message appears to be a data protection complaint, you should acknowledge it and move the conversation to a more secure channel where appropriate. Social media is usually not suitable for discussing personal data in detail.

Do we have to resolve every complaint within 30 days?

No.

You must acknowledge the complaint within 30 days. The outcome must be provided without undue delay. Some complaints may be resolved within 30 days, but more complex matters may take longer.

If it takes longer, keep the person informed and record what is happening.

What if the complaint is not really about data protection?

If the complaint is mainly about your product, service, pricing or another non-data issue, it may be better handled through your general complaints process.

But if there is any doubt, check. Ask the person to clarify whether they are complaining about how their personal data has been handled.

Can someone still complain to the ICO?

Yes.

Your process does not remove someone’s right to complain to the ICO. But in many cases, the ICO will expect them to raise the complaint with you first so you have the chance to respond.

Does this apply to small businesses?

Yes.

There is no general exemption based on size. But the process can be simple and proportionate.

A small business may only need a clear contact route, a short internal process and a basic complaints log.

What happens if we do nothing?

You risk being non-compliant.

You also risk missing complaints, responding late, or dealing with issues inconsistently. That can make matters worse if the person later complains to the ICO.

Putting a simple process in place now is much easier than trying to work it out after a complaint has arrived.


Key takeaways

From 19 June 2026, UK organisations need a process for handling data protection complaints.

The requirement applies to businesses of all sizes that handle personal data.

You need to give people a way to complain, acknowledge complaints within 30 days, investigate and respond without undue delay, keep people informed where appropriate, and provide an outcome.

This does not need to be complicated.

For many businesses, the practical steps are:

  • update your privacy notice;
  • decide where complaints should go;
  • create a simple internal process;
  • brief the right people;
  • keep a clear record of complaints and outcomes.

If you are unsure whether your current process covers this, Hybrid Legal can help you check it and make the right updates.


Sources checked

This article was prepared by reference to:

ICO guidance on the Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025

The Data Protection Act 2018

ICO guidance on how to deal with data protection complaints

Share with your network

Ryan Lisk

Ryan has helped a vast number of businesses protect and control their intellectual property as well as drafting and advising on consumer and commercial contracts.

Share with your network
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

Read our Privacy Policy.