The new data protection complaints rules are here: Are you ready?

The Data (Use and Access) Act 2025 (“DUAA”) introduces important new requirements for how organisations handle data protection complaints. These changes came into effect on 19 June 2026 and, as such, organisations should now review and, where necessary, update their complaints handling frameworks to ensure compliance.

What are data protection complaints?

Under the new requirements, individuals have a right to complain if they consider that a business has handled their personal data in a way that does not comply with UK data protection legislation.

Individuals do not need to label their concern as a “data protection complaint” or use legal terminology, so organisations must assess the substance of the issue raised rather than the language used. However, not every complaint involving personal data will qualify as a data protection complaint. The ICO's guidance explains that individuals may complain about a service or another issue while also exercising their data protection rights. For example, a person may complain about a customer service issue and, at the same time, request that their information be deleted. In these circumstances, the complaint would not constitute a data protection complaint.

Where it is unclear whether someone is making a data protection complaint, organisations should seek clarification to determine whether the new requirements apply.

Complaints can be made through any channel

The ICO's guidance makes clear that organisations must accept complaints regardless of the channel through which they are received. Individuals are not required to use a specific complaints process and may raise concerns through a variety of routes, including email, telephone, online forms, directly with members of staff, or via social media where an organisation has an online presence. Organisations should therefore ensure that staff are able to recognise potential data protection complaints and that appropriate processes are in place for handling complaints received through less formal channels such as social media.

Key requirements

The DUAA introduces a set of core procedural requirements which controllers must follow when handling data protection complaints, as follows:

Timing and responsiveness

  • Controllers must acknowledge receipt of a complaint within 30 days of receipt.
    • Time runs from the day after receipt.
    • Where the deadline falls on a weekend or public holiday, it extends to the next working day.
  • Complaints must be investigated without undue delay, meaning without any unjustified or excessive delay.
  • Controllers must begin investigating the complaint from the point of receipt and should not delay investigation pending formal acknowledgment.
  • Once concluded, controllers must provide the outcome without undue delay.

Investigation and handling

  • Controllers must take “appropriate steps” to investigate the complaint, which will depend on the nature and complexity of the issue.
  • As part of this process, controllers must keep the complainant informed throughout the process.

The DUAA clarifies that “appropriate steps” include both making enquiries into the subject matter of the complaint and providing updates on progress. This requires a fact-specific and proportionate investigation, rather than a purely procedural or standardised response.

Accessibility and transparency

  • Controllers must provide individuals with a means of submitting complaints (e.g. email, phone, online form or other accessible channels).
  • As above, controllers must accept complaints made through any channel, including informal routes (e.g. via employees), and cannot mandate the use of a specific process.
  • Individuals must be informed of their right to complain:
    • at the point at which personal data is collected (e.g. in a privacy notice); and
    • when responding to subject access requests and certain other rights requests.
  • Where privacy information is provided, it must be clear and accessible, particularly where children are involved.

In addition, the ICO expects organisations to implement clear complaints procedures and policies, maintain records of complaints and outcomes, and monitor recurring issues to help identify and address potential compliance risks. Organisations should also ensure their procedures are accessible to children exercising their rights, including by using age-appropriate communications and complying with the Age Appropriate Design Code where relevant.

Practical steps

A helpful point for organisations is that the ICO has confirmed that data protection complaints can be managed through existing complaints procedures and timeframes, provided this does not result in unjustifiable or excessive delay. As a result, the new regime should not require a wholesale overhaul of established complaints processes.

The legislation and accompanying ICO guidance are not overly prescriptive as to the form a complaints process must take. For example, organisations retain flexibility over the mechanism through which complaints are submitted. This flexibility allows organisations to incorporate data protection complaints into existing complaint-handling frameworks rather than creating separate processes. As such, many organisations (particularly those with mature complaint-handling frameworks, such as FCA-regulated firms) will already have much of the necessary infrastructure in place. However, organisations subject to multiple complaints regimes should take care to identify and manage any differing procedural requirements, particularly where applicable response and resolution timeframes do not align.

The key is to assess how the new requirements fit within existing processes and make targeted adjustments where needed. This may be more complex for organisations operating under multiple complaints regimes, but it is worth getting right from the outset to ensure complaints are handled efficiently and consistently. This is particularly important given the growing use of AI by complainants, which is making it easier to generate detailed and sophisticated complaints at scale.

How Foot Anstey can help

Foot Anstey can help organisations review existing complaint handling frameworks, assess the impact of the new requirements and implement changes where needed. We also support clients in responding to complex data protection complaints, helping to reduce regulatory risk.

Get in touch

Related