Data Protection Complaints: What Firms Need to Know Before June 2026
By Eva Ozlem Berktas, Analyst at Teal Compliance. Teal’s compliance consultants provide risk management support to law firms, helping them build compliance that works.
There’s a significant change on the horizon for organisations handling personal data in the UK. From 19 June 2026, all organisations will be legally required to have a clear process in place for handling data protection complaints. This requirement comes under the new Data (Use and Access) Act and marks a shift towards greater transparency and accountability.
So, what does this actually mean in practice?
A New Legal Duty – Made Simple
At its core, the law is about making sure people have a straightforward way to raise concerns about how their personal data is being handled, and that those concerns are taken seriously.
Organisations will need to:
- Provide a clear way for individuals to raise a data protection complaint
- Acknowledge complaints within 30 days
- Take reasonable steps to investigate and respond without unnecessary delay
- Keep the individual updated as the matter progresses
- Provide a clear outcome once the complaint has been addressed
While this might sound like an extension of existing good practice, it’s now becoming a formal legal obligation.
What Counts as a Data Protection Complaint?
A data protection complaint is essentially any concern about how an organisation handles someone’s personal information.
This could include situations where someone is unhappy about:
- A data breach that has affected them
- How their data rights request (such as access or deletion) has been handled
- How long their personal data is being retained
- Whether their information is accurate
- The security measures used to protect their data
- Profiling or automated decision-making
- Or any other issue relating to the use of their personal information
Many organisations will be familiar with the Information Commissioner’s Office (ICO) contacting them after it has received a complaint. Going forward, the ICO is more likely to direct individuals back to the organisation first.
In other words, if your process isn’t visible or easy to use, it will quickly become obvious.
What Isn’t a Data Protection Complaint?
Not every issue involving personal data falls into this category.
For example, it’s quite common for someone to raise a general complaint while also exercising their data rights, but that doesn’t automatically make it a data protection complaint.
Some typical examples include:
- Someone unhappy with how quickly their request was handled, even if it was within legal timeframes
- An employee raising a workplace grievance alongside a request for their personal data
- A customer service complaint where the individual also asks for their data to be deleted
In these situations, the data rights request should be handled separately from the broader complaint.
If there’s ever uncertainty, the simplest solution is to ask the individual to clarify what they’re raising.
Making It Easy for People to Complain
One of the key expectations is accessibility. People need a clear and simple way to raise concerns.
There’s no single prescribed method, but organisations might consider offering:
- An online or downloadable complaints form
- A dedicated email address or phone line
- A customer portal
- Live chat with escalation to a person
- In-person options where appropriate
That said, people don’t have to follow your preferred process. A complaint could come through any channel: email, social media, or even via a member of staff who wasn’t expecting it.
That’s why internal awareness is just as important as the process itself.
Don’t Forget Your People
Policies alone won’t make this work. Employees need to understand:
- What a data protection complaint looks like
- How to recognise one when it comes in
- What steps to take next
Without this awareness, complaints risk being missed or mishandled.
Be Transparent from the Start
Another important change is around communication.
When you collect someone’s personal data, you’ll need to make it clear that they have the right to raise a complaint. This means updating privacy notices and ensuring responses to data rights requests include information about your complaints process.
Although not strictly required, it’s also good practice to publish your complaints procedure on your website. This can help manage expectations and reduce confusion.
You might include:
- What information is needed to investigate a complaint
- Any identification requirements
- What happens if someone is acting on behalf of another person
- Expected timelines for acknowledgement, updates, and outcomes
Do You Need a Separate Policy?
Interestingly, the law doesn’t require a standalone data protection complaints policy. You could incorporate it into your existing complaints framework.
However, in practice, separating the two can make things clearer for both your team and your clients.
Why? Because the timelines and expectations are different.
For example:
- The Legal Ombudsman typically expects a full response within 8 weeks
- Many firms acknowledge general complaints within a few days
- Data protection complaints, however, must be acknowledged within 30 days, with outcomes provided “without undue delay”
Having a distinct process can help avoid confusion and ensure the right standards are applied in the right situations.
Final Thoughts
This new requirement isn’t just about compliance; it’s about trust.
By putting clear, accessible processes in place and making sure your team understands them, you’re not only meeting your legal obligations but also demonstrating that you take people’s data rights seriously.
With June 2026 approaching, now is a good time to review your current approach and make any necessary changes.
About the Author
Eva Ozlem Berktas, Analyst at Teal Compliance, is an experienced compliance professional with a background in the legal and art sectors. She has also worked in the AML team for the Solicitors Regulation Authority, carrying out audits and investigations into law firms’ AML compliance.