Although the Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025, it is being implemented in stages through secondary legislation. Organisations must now prepare for upcoming obligations, including new requirements relating to data protection complaints handling, which come into force on 19 June 2026.
Key Changes
The Act introduces several important reforms, including:
- A new requirement to implement complaints handling procedures;
- The introduction of digital verification services;
- Updates to the rules on automated decision-making;
- Reforms to international data transfer restrictions;
- A new lawful basis of ‘recognised legitimate interests’;
- The development of smart data schemes; and
- Structural and governance changes affecting the Information Commissioner’s Office (ICO).
This article focuses on complaints handling procedures, an area requiring immediate attention from HR, privacy, and compliance teams.
Complaints Handling Procedures – Mandatory Changes from 19 June 2026
Under the Act, organisations must:
- Provide individuals with a clear way to raise data protection complaints;
- Acknowledge complaints within 30 days of receipt;
- Take appropriate steps to investigate and respond without undue delay;
- Keep individuals informed of progress; and
- Communicate the outcome of complaints without undue delay.
The complaints handling procedure must be in place by 19 June 2026, so organisations should ensure they are operationally ready well in advance of that date.
What about the ICO?
In February 2026, the ICO released a guidance note dealing with data protection complaints. The ICO has made clear that organisations must have a process for handling data protection complaints within their organisation.
What “Complaints” Fall Within Scope?
All organisations must implement procedures covering the full lifecycle of a complaint: receipt, acknowledgement, investigation, record-keeping, and resolution.
Importantly, complaints do not need to reference specific legal provisions to fall within scope. Any expression of dissatisfaction relating to the handling of personal data may qualify.
Examples of Data Protection Complaints
- Concerns about how a data subject access request (DSAR) or other rights request was handled;
- Issues relating to data security, particularly following a breach;
- Complaints about how personal data has been collected, used, or shared.
Examples That May Fall Outside Scope
The ICO notes that not all queries linked to personal data are complaints, such as:
- A DSAR processed on time but not expedited;
- An employee grievance that also includes a data request;
- A general customer service complaint accompanied by a request to delete data.
These distinctions can be nuanced. Organisations should assess each case carefully and clarify with the individual where necessary.
Preparing to Receive and Assess Complaints
A key expectation is that organisations provide accessible and effective channels for submitting complaints. While no specific format is mandated, the ICO suggests options such as:
- Online or downloadable complaint forms;
- Dedicated email addresses;
- Telephone reporting;
- Online portals or live chat (with escalation to a human);
- In-person reporting channels where applicable.
Organisations do not need to introduce new systems if existing processes can demonstrate compliance.
What Your Procedure Should Include
A robust complaints procedure should clearly set out:
- How complaints can be submitted;
- What information or evidence is required;
- Acceptable forms of identity verification;
- Requirements for third-party authorisation;
- Confirmation that complaints will be acknowledged within 30 days;
- How updates and outcomes will be communicated.
Handling Complaints Across Channels
Individuals are not required to follow prescribed processes. Complaints may arrive through informal internal communication, through customer-facing staff or via social media channels. Organisations must therefore be prepared to recognise such complaints wherever they surface and escalate them internally. Where a complaint is raised via an insecure channel (e.g. social media), the individual should be redirected to a secure communication method rather than having the substance of the complaint, or any personal data, discussed over that channel.
Transparency and the Right to Complain
The key message is that organisations must proactively inform individuals (including employees) of their right to complain at the point of data collection (e.g. within privacy notices) or when responding to DSARs.
Key Actions for Organisations
To ensure compliance ahead of the 19 June 2026 deadline, organisations should prioritise the following:
- Update Documentation
Revise privacy notices and internal policies to include complaints procedures and ensure alignment across HR, legal, and data protection frameworks.
- Strengthen Record-Keeping
Maintain accurate, organised, and accessible records of all complaints and outcomes and ensure systems support timely retrieval of information.
- Deliver Targeted Training
Train staff responsible for handling complaints on the new requirements and raise awareness across the organisation so employees can identify and escalate complaints appropriately.
- Clarify Roles in Data Sharing Arrangements
Review responsibilities where acting as joint controllers, ensure clear escalation and coordination processes and confirm that data processors provide appropriate support during investigations.
- Ensure Timely and Transparent Responses
Meet the statutory response expectations, keep complainants informed throughout, clearly communicate outcomes, and signpost the right to complain to the ICO, including providing the ICO's contact details.
Final Thoughts
The introduction of mandatory complaints handling procedures marks a material shift in UK data protection compliance expectations. While many organisations will already have similar processes in place, the Act formalises and standardises these obligations. With the 19 June 2026 implementation deadline approaching, HR teams, data controllers, and privacy professionals should act now to review, enhance, and operationalise their complaints handling frameworks.
Early preparation will not only ensure compliance but also strengthen organisational trust, transparency, and accountability in the handling of personal data.