Get ready for the new data protection complaints handling rules

Overview

Organisations need to ensure that their processes for handling data protection complaints meet new rules under the Data (Use and Access) Act 2025 (DUAA) ahead of a 19 June 2026 deadline. The new rules are designed to facilitate complaints being made directly to the data controller and include mandatory information requirements and timeframes. This briefing unpacks the new complaints regime and supporting ICO guidance, with practical steps that businesses should consider to ensure compliance.

Key requirements

Organisations must:

  • have in place an accessible way to receive complaints from data subjects 

  • acknowledge complaints within 30 days of receipt 

  • without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries and providing timely updates 

  • without undue delay, inform data subjects of the outcome of their complaint (including their right to escalate to the ICO)

What practical steps can you take?

In practical terms, this is likely to mean:

  • updating privacy policies and template DSAR responses to make clear that a data subject has the right to make a complaint to the business

  • establishing an appropriate way for the business to receive complaints in a way that is accessible for all data subjects – there's flexibility as to how to do this

  • putting in place processes (or adapting existing processes) to acknowledge complaints within 30 days of receipt and provide investigation updates and outcome without unjustifiable or excessive delay

  • updating internal policies and training staff on how to identify complaints and what actions to take

  • keeping appropriate records of the complaint journey

  • checking that contractual arrangements with processors include appropriate provisions to allow for the business to be notified, investigate and respond to any complaints received 

What counts as a data protection complaint?

What counts as a "complaint" is very broad. The ICO guidance makes clear that any allegation by a data subject (or someone on their behalf) that a business has infringed data protection legislation because of the way their personal data has been handled will constitute a complaint. Just as there are no formalities for raising a data subject access request (DSAR), there is no requirement for specific legal terminology to be used and the complaint can be made through various media, including in writing and in conversation. Various examples of complaints are provided in the ICO guidance, including a data subject alleging non-compliance relating to DSAR responses, security measures, or how long their personal data has been stored.  

…but not all communications of dissatisfaction count as complaints…

The ICO guidance draws a distinction between complaints relating to infringement of data protection laws and complaints about other business areas that also involve the exercise of data protection rights. These are not considered to be complaints – for example, a data subject acknowledging a DSAR was responded to on time but expressing dissatisfaction that the process was not expedited; an employee raising a grievance issue and simultaneously raising a DSAR; or a general customer service complaint which includes a request to delete their information.

What preparatory steps do businesses need to take?

Businesses must make data subjects aware of their right to complain. In practice, this will require minor updates to privacy notices and any DSAR response templates. Some businesses may also choose to publish a complaint handling procedure, but this is certainly not mandatory. 

The DUAA also requires data controllers to provide an accessible way to facilitate complaints being raised; however, neither the DUAA nor the ICO guidance mandates a specific method of complying with this requirement. Businesses therefore have the flexibility to choose the most appropriate format (factoring in applicable equality legislation requirements). We expect that electronic complaint forms will be a common method, but they are not a requirement. The ICO guidance lists other potential formats, including a dedicated complaints email address, an online complaints portal, a live chat function with the option of escalation to a human, or a telephone line. The complaint process can be integrated into any pre-existing complaints processes a business may have – it does not have to be set up separately.

It is important that all business personnel who may receive complaints are trained to recognise one, or are at least aware of an appropriate internal channel through which to raise any queries. Internal policies and training materials should be updated to raise staff awareness of data subjects' complaint rights (alongside the need to comply with the mandatory response times explained below).

How should a business handle a data protection complaint?

Businesses must acknowledge a complaint within 30 days of receipt. Again, the ICO guidance is not prescriptive about how to do this but lists a few practical examples, including an auto-acknowledgement email. The ICO guidance does note that it is likely to be "most practical to follow the method the complainant has used, unless they've requested you reply using a different method"; however, ultimately it is up to the business to decide how it wants to meet the acknowledgement requirement.

Clarification on timing

The 30-day acknowledgement period will start to run the day after a complaint is received regardless of whether this day falls on a weekend or public holiday. Businesses will have until the next working day to provide acknowledgment if the 30th day falls on a weekend or public holiday.

An investigation into the complaint must then be carried out "without undue delay", which the ICO guidance clarifies to mean "without an unjustifiable or excessive delay". Context is therefore relevant here, and timeframes will vary according to the type of complaint.

Businesses must also keep a complainant updated "without undue delay". The ICO guidance describes this in practice as keeping a complainant up to date with timeframes and explaining any delays, rather than informing them of each step that has been taken so far in the investigation.

How should a business respond to a data protection complaint?

Businesses must inform a complainant about the outcome of their complaint "without an unjustifiable or excessive delay". A separate acknowledgement and outcome response is not required where a complaint outcome can be provided within the initial 30-day timeframe.

A business should tell the data subject:

  • what steps have been taken to resolve the complaint 

  • where appropriate, what actions have been taken as a result of the complaint 

  • in sufficient detail for the data subject to be able to understand the rationale, why the business believes it has complied with the applicable data protection legislation (assuming this is the case)

  • as a matter of good practice, the right to complain to the ICO, providing relevant contact details (this should already form part of a business's privacy policy). There is no need for a business to inform the ICO if a complainant decides to escalate their complaint to the ICO – the ICO will reach out if necessary.

The ICO guidance makes clear that a record of the above steps should be kept by the business, as the ICO may refer to these actions in the event a complainant escalates their complaint to the ICO.

How we can help

Our Technology and Commercial Transactions team is well versed in assisting businesses to comply with their data protection obligations in a practical way, including the new requirements brought in by the DUAA. Please reach out to us if you require any assistance on this matter, including updating privacy policies and internal policy documents, providing training sessions and/or reviewing contractual provisions.

This is part of a series of briefings about the DUAA data protection reforms – we've also commented on the new automated decision-making rules and provided a summary of all other DUAA reforms.

KEY CONTACTS

Louisa Chambers
Helen Reddish