From 19 June 2026, under an amendment to the Data Protection Act introduced by the Data (Use and Access) Act, organisations must have a clear process for handling data protection complaints. In practice, many organisations will be able to adapt an existing complaints procedure rather than create a separate standalone process, provided it is suitable, accessible and clearly signposted to individuals. This note summarises the key requirements and the practical steps you should take now.

Publicising the complaints process

Data controllers must make it clear how individuals can raise a data protection complaint. For many controllers, this can be achieved by adapting an existing public-facing complaints process, rather than creating a separate process from scratch. The key point is to review the current policy and procedure to make sure they properly cover data protection complaints.

Although the legislation does not prescribe a single format, the safest approach is to include clear information in your privacy notice and in responses to data subject rights requests. The Information Commissioner's Office (ICO) expects organisations to make complaints information easy to find and easy to use.

Who can make a complaint?

Both adults and children can make a data protection complaint.

Where the complaint is made by or on behalf of a child, you will need to consider whether the child is competent to make the complaint, in the same way as you may assess competence for a data subject access request.

If the child is not competent, a parent can usually make the complaint on the child’s behalf.

If the child is competent, the controller should seek confirmation from the child before treating the complaint as having been validly made on their behalf by a parent.

What to do when you receive a complaint

Under the requirements, data controllers must acknowledge receipt of a data protection complaint within 30 days. If the 30th day falls on a weekend or bank holiday, the deadline moves to the next working day. The ICO confirms this is a core requirement of the new process.

When sending the acknowledgement, the controller can ask for further information if it reasonably needs to verify the complainant’s identity or their authority to act for someone else, for example, under a Power of Attorney.

If the complaint is made on behalf of another person, the controller does not need to investigate it until it is satisfied that the complainant is authorised to act.

Investigating the complaint

You must investigate the complaint without ‘undue delay’. What amounts to undue delay will depend on the circumstances, so it is important to be able to explain the time taken if the matter is later challenged by the complainant or the ICO.

As a matter of good practice, controllers should keep complainants updated on progress, including likely timescales and any delays. This aligns with the expectations set out by the ICO.

You will need to keep a clear written record of the complaint, the steps taken to investigate it, the outcome reached and any remedial action, especially as there is a potential that the complainant may escalate their complaint to the ICO or the Courts.

Communicating the outcome

Once the investigation is complete, you should tell the complainant the outcome without undue delay and explain any remedial steps you have taken in response to the complaint.

You should also be ready to provide the ICO with details of the complaint, the investigation carried out and the outcome.

Key tasks

By 19 June, you should:

• Review your existing complaints procedure to ensure it covers data protection complaints.
• Update your privacy notice and data rights response templates to explain how complaints can be made.
• Make sure staff can recognise a data protection complaint and know where to direct it.
• Keep a clear record of the complaint, investigation and outcome.

If you would like help reviewing your existing complaints process, updating your privacy notice or preparing template wording for acknowledgements and outcome letters, please get in touch.