From 19 June 2026, UK organisations will face a new compliance requirement under the Data (Use and Access) Act 2025.
All organisations acting as data controllers will be required to operate a formal internal process for handling data protection complaints, including complaints arising from the handling of Data Subject Access Requests (DSARs).
This is not simply a matter of “good practice”. It is a statutory obligation, and organisations that do not adapt their existing privacy documentation and internal workflows risk regulatory scrutiny from the ICO.
What is changing?
The DUAA introduces a new statutory “right to complain”, inserted into the Data Protection Act 2018. In practical terms, this requires organisations to provide a clear mechanism for individuals to raise data protection concerns directly with them, before any escalation to the ICO.
The focus of the reform is to encourage early resolution and reduce unnecessary escalation, but it also places additional procedural obligations on organisations.
Who does this apply to?
The requirement applies to all UK organisations that act as data controllers, regardless of size or sector. There are no exemptions for SMEs, charities, or organisations that already have general complaints procedures in place.
If your organisation determines the purposes and means of processing personal data about customers, employees, users or contacts, this regime will apply to you.
What must businesses do?
By 19 June 2026, organisations must have a clear, accessible internal complaints process covering data protection matters. In particular:
1. A clear way to submit data protection complaints
Individuals must be able to submit complaints easily, using a mechanism that is clearly signposted. This might include:
- a dedicated email address;
- an online form;
- a postal address; or
- a telephone contact point.
Existing complaint channels can be adapted, but the process must clearly cover data protection complaints, not just general customer service issues.
2. Acknowledgement within 30 days
Any data protection complaint must be acknowledged within 30 days of receipt. The legislation does not require a substantive response within that period, but silence is no longer an option.
3. Investigation and response without undue delay
Organisations must take appropriate steps to investigate and respond to the complaint without undue delay. This includes making relevant enquiries and addressing the issues raised.
4. Ongoing communication and outcome notification
Complainants must be:
- kept informed of progress where appropriate; and
- told the outcome of their complaint once the investigation has concluded.
This will require clearer internal ownership of complaints and coordination between various teams.
5. Mandatory signposting to the ICO
Organisations must inform individuals of their right to escalate the complaint to the ICO if they are dissatisfied with the outcome.
This signposting must form part of the complaints process and cannot be omitted simply because the organisation believes the complaint lacks merit.
What does this mean for DSAR procedures?
An organisation’s DSAR procedures will need to be reviewed. Complaints about how a subject access request has been handled (for example timing, scope or redactions) will now need to be dealt with under this separate statutory complaints process, rather than treated as informal correspondence.
Practical next steps for businesses
Businesses should be using the lead‑in period before June 2026 to:
- identify how data protection complaints will be recognised and triaged;
- review existing complaint processes to ensure they meet the new requirements;
- review existing DSAR processes;
- update privacy notices and template DSAR responses;
- train staff to recognise when a communication amounts to a data protection complaint; and
- ensure appropriate records and an audit trail are kept showing compliance with the new regime.
Conclusion
The new complaints regime does not fundamentally change how organisations should approach data protection concerns, but it does formalise expectations and introduce new procedural obligations. Organisations that treat this as a tick-box exercise may find themselves exposed, particularly where complaints arise out of DSAR handling.
If you would like advice on updating your policies and processes in relation to these new requirements, please contact us.









