From 19 June 2026, organisations that act as data controllers will be subject to new legal obligations when handling data protection complaints.
The changes are being introduced through the Data (Use and Access) Act 2025 (DUAA), which amends the Data Protection Act 2018 and creates a formal statutory process allowing individuals to raise complaints directly with organisations before escalating concerns to the Information Commissioner’s Office (ICO).
For many organisations, handling data protection complaints is already considered good practice. However, from June 2026, certain aspects of complaint handling become a specific legal requirement.
What Has Changed?
The new legislation gives individuals a statutory right to complain directly to an organisation about how their personal data is being processed.
Where a complaint is received, organisations must:
- Provide a means for individuals to submit data protection complaints.
- Acknowledge receipt of complaints within 30 days.
- Investigate complaints and take appropriate steps to respond without undue delay.
- Keep complainants informed where appropriate.
- Communicate the outcome of the complaint without undue delay.
These requirements apply to organisations acting as data controllers, regardless of size or sector.
Why Organisations Should Review Their Privacy Notices
Although the legislation does not explicitly require Privacy Notices to contain complaint handling information, the ICO has made it clear that organisations should help individuals understand how to exercise their rights and raise concerns.
As a result, organisations should consider updating their Privacy Notices to explain the new complaints process.
A Privacy Notice could include wording such as:
“You have the right to raise a complaint with us if you are unhappy with how we handle your personal data.”
The notice should also provide clear contact details for the appropriate team, such as a Data Protection Officer (DPO), Privacy Team or designated contact person.
For example:
“If you have a complaint or concern regarding how we process your personal data, please contact our Data Protection Team using the details provided below.”
Explaining Your Internal Complaints Process
Organisations should briefly explain what individuals can expect after submitting a complaint.
For example:
“We will acknowledge receipt of your complaint within 30 days and investigate the matter without undue delay. We will communicate the outcome of our investigation as soon as reasonably practicable.”
Providing this information helps manage expectations and demonstrates transparency.
Remember the ICO
Most Privacy Notices already contain information about the right to complain to the ICO. However, organisations should review this wording to ensure it remains accurate and prominent.
For example:
“If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).”
Many organisations may also wish to encourage individuals to contact them first so concerns can be resolved quickly and informally.
For example:
“We encourage you to contact us in the first instance so that we can investigate and attempt to resolve your concerns.”
Review Internal Procedures
Privacy Notices are only one part of data protection compliance. Organisations should also review their internal data protection complaint handling procedures to ensure they reflect the new legal requirements.
Key areas to review include:
- How complaints are identified and logged.
- Responsibility for investigating complaints.
- Acknowledgement within the statutory 30-day period.
- Investigation and response processes.
- Communication of outcomes.
- Record keeping and audit trails.
- Staff training and awareness.
It is particularly important that employees understand that a data protection complaint may arrive through a variety of channels, including email, website forms, post, telephone calls or even social media.
What Should Organisations Do Now?
With the new requirements taking effect on 19 June 2026, organisations should review their Privacy Notices, complaints procedures, training materials and data protection governance arrangements now.
Taking action before the implementation date will help demonstrate compliance, improve customer trust and reduce the likelihood of complaints escalating to the ICO.
If your organisation requires support reviewing its privacy documentation, complaint handling procedures or wider UK GDPR compliance arrangements, the consultants at Assent Risk Management can help.
Need Data Protection, GDPR or Privacy Support?
Assent Risk Management’s data protection experts can help you update privacy policies and the back-end processes to ensure you remain compliant with legislation and ready to answer queries and complaints from data subjects.
We also offer an Outsourced DPO Service which is popular with teams lacking resources and knowledge about privacy legislation. An Outsourced DPO can maintain your policies and procedures, advise on required actions when you introduce new processing activities and handle data subject access requests and complaints. Contact us today!

