The new UK data protection right to complain: what is it and how must businesses comply?
From 19 June 2026, individuals in the UK will have the right to lodge a complaint directly with the data controller responsible for processing their personal data. This article explains what businesses need to do.
From 19 June 2026, individuals in the UK will have the right to lodge a complaint directly with the data controller responsible for processing their personal data, where they believe that such processing has breached the UK GDPR or the Data Protection Act 2018.
Section 103 of the Data (Use and Access) Act 2025 introduces new complaints-handling duties for data controllers. In practice, every data controller must have an internal process for handling data protection complaints - there are no exemptions - so it’s time to put something in place.
The Headline
Under the new UK data protection framework, controllers will be required to:
- Establish a mechanism for individuals to submit data protection complaints directly to them
- Acknowledge those complaints within 30 days of receipt
- Take appropriate steps to investigate and respond without undue delay while keeping complainants informed throughout the process
- Notify individuals of the outcome of their complaint once a decision has been reached, without undue delay
What Counts as a Data Protection Complaint
A data protection complaint arises where an individual believes that personal data, whether their own or that of someone they represent, has been handled in a way that breaches UK data protection law. Importantly, the individual does not need to frame their complaint in legal terms or reference specific legislation for it to qualify.
Common examples include complaints about:
- The handling of a data subject access request (DSAR) or other data protection rights request
- The impact of a data breach on an individual
- How the controller is processing the complainant’s personal data
If it is unclear whether the person is making a data protection complaint, then when acknowledging receipt, you should seek clarification regarding the request.
Some complaints combine a service issue with a data protection rights request. These are not necessarily data protection complaints on their own. Things that are often “service complaints + a rights request” (and not a data protection complaint on their own) include:
- A complaint that a SAR was handled on time but wasn’t expedited as requested
- An employee grievance that also includes a request for personal data copies
- A customer service complaint that also asks for deletion
What Must, Should, and Could Businesses Do?
The introduction of a mandatory complaints procedure for controllers stems from the considerable strain placed on ICO resources by the volume of data subject complaints it receives. The ICO has been transparent that these changes are designed to redirect complaints in the first instance to those responsible for processing the data to reduce the burden on the regulator. To assist organisations in preparing, the ICO has published guidance on establishing effective complaints handling procedures ahead of the new rules coming into force.
The ICO guidance distinguishes between what businesses must, should and could do:
Must do | Legal requirements (or binding case law within the ICO’s remit) |
Should do | What the ICO expects to see as effective compliance, unless a business has a good reason not to do so and can show another approach still complies |
Could do | Helpful options/examples of how organisations may achieve compliance, although there may be other ways to comply |
The following sections distil the ICO guidance into a practical framework for designing and implementing a complaints procedure. The tables below summarise what organisations must, should, and could do at each stage.
Practical Process Design: What “Good” Looks Like
1. Complaint intake
MUST | SHOULD | COULD |
Provide a way for people to complain directly to you | If a complaint comes in via social media, take a sensible approach to recognising it and assessing whether the person expects a response | Offer multiple routes (form, email, phone, online portal, live chat with escalation to a human, in-person option) |
Accept a complaint regardless of how it is submitted (including social media) - individuals are not obliged to use your preferred route. | Ask for an alternative contact method for social media complaints (social media is generally not secure for exchanging personal information) | Publish a short written “how to complain” procedure and what to expect (often placed in the privacy notice) |
Have a clear internal process for handling data protection complaints | If it is not clear that the person is making a data protection complaint, ask them to clarify | Use practical acknowledgements by channel, e.g. verbal acknowledgement for phone/in-person, written acknowledgement for post, etc. |
If a third party submits the complaint for someone else and the authority is unclear, contact the complainant to clarify authority | | |
2. Complaints from Children
MUST | SHOULD | COULD |
Assess the child’s competence to understand and exercise their rights | Respond in plain, clear, child-friendly language when handling complaints from children | |
| Consider children’s needs throughout the complaints process, alongside data protection by design obligations | |
| If subject to the Age-Appropriate Design Code, organisations should implement mechanisms that: | |
3. Acknowledgement (within 30 days)
MUST | SHOULD | COULD |
Acknowledge receipt of the complaint within 30 days starting the day after you receive the complaint, even if that day is a weekend/public holiday. If the last day falls on a weekend/public holiday, you have until the next working day. | Start investigating early, do not wait until the 30-day acknowledgement period ends | Automate acknowledgements for electronic complaints |
Plan so complaints are still acknowledged during staff absences | If identity is unclear, ask for proof of ID early (only what is needed) | If the case is likely to take time, provide an estimated completion date and a contact point |
Avoid requesting more ID if you already have enough to verify identity | | |
4. Investigation
MUST | SHOULD | COULD |
Investigate without undue delay* (no unjustifiable or excessive delay). The duty to investigate begins when you receive the complaint | Gather relevant facts thoroughly and fairly | Ask what outcome the person wants (apology, change of decision, process change). This often narrows scope and speeds up resolution |
Keep the complainant updated on progress without undue delay. | Compare what the complainant says with the information you hold | |
| If unclear what the complaint is about, ask for more information as quickly as possible | |
| | You could also ask the complainant what outcome they are seeking (for example an explanation, correction, or change of decision). |
| Check compliance with your own policies/terms/standards | |
| Speak to relevant staff | |
| Keep up-to-date records of the investigation (dates, acknowledgement, conversations, documents, outcome, actions taken) | |
* What does “without undue delay” mean?
“Undue delay” depends on the circumstances rather than a fixed standard timeline. The ICO notes that relevant factors may include:
- the complexity of the issue
- the scale of the complaint (for example, a single issue versus multiple issues over time)
- any harm the individual may be experiencing
Even where organisations set internal target timelines, they should still act as quickly as reasonably possible.
5. Updates and outcome
MUST | SHOULD | COULD |
Keep the complainant updated on progress without undue delay. | Explain expected timeframes and reasons for any delay. | Provide an estimated completion date and a contact point if the case is likely to take time. |
Provide the outcome without undue delay | Clearly explain what you did to investigate and resolve the complaint, including actions taken | Offer a review step if the complainant remains unhappy |
Deal with the data protection aspect as soon as you can, even if other parts of a wider complaint take longer | If you believe you complied with the law, explain why in enough detail that the person can understand your reasoning | Tell the person they can complain to the ICO and provide contact details (the ICO notes there is no obligation to do this at this stage, but it is good practice) |
| Review each case afterwards and identify improvements | |
6. Evidence and governance
MUST | SHOULD | COULD |
Do not keep personal information longer than needed | The ICO expects recordkeeping that demonstrates you handled the complaint properly | Consider logging volumes, recurring themes and trends (useful for spotting compliance issues) |
| You should record: | |
Readiness Checklist
1. Map and document your complaints process end-to-end
Cover intake, acknowledgement, investigation, updates to the complainant, outcome, closure, and lessons learned.
2. Check privacy notices and templates
Confirm your privacy notice explains the right to complain and how to do it. Check subject access response templates also signpost complaint routes where appropriate.
3. Put a 30-day acknowledgement control in place
Ensure complaints are acknowledged within 30 days. Automated acknowledgements for electronic channels are often the simplest solution.
4. Train staff to recognise complaints
Update internal policies and training so staff can recognise a data protection complaint even when it arrives as a general complaint or through non-privacy channels.
5. Review processor and joint-controller arrangements
Complaints may be received by vendors, processors, or operational teams rather than the privacy team. Ensure contracts and internal processes require complaints to be promptly escalated to the controller and that processors support investigation and response. Joint controller arrangements should clearly set out how complaints will be handled. Existing data subject request clauses may already address this, but templates should be reviewed to confirm.
6. Put a simple recordkeeping approach in place
Maintain a case log and supporting evidence bundle (date received, acknowledgement, communications, outcome, actions taken) and define an appropriate retention period.
7. Decide how to handle social media complaints
Ensure complaints received through social media are identified, triaged, and moved to a secure communication channel where necessary.
8. Prepare for complaints from children
If complaints from children may arise, ensure teams can respond in child-friendly language and assess competence where required, in line with the ICO guidance and the Age-Appropriate Design Code where applicable.
Conclusion
The ICO guidance introduces a clear expectation that organisations handle data protection complaints through a structured internal process before individuals approach the regulator.
In practice, compliance is less about creating a new standalone system and more about ensuring that existing complaint handling processes can recognise data protection issues, investigate them without undue delay, and keep complainants informed throughout the process.
Quick reference: Complaints process map
STAGE | CORE ACTION | KEY FOCUS |
1. Complaint intake | Make it easy to complain and accept complaints through any channel | Provide complaint routes and ensure complaints are recognised wherever they arrive |
2. Children | Apply additional safeguards where complaints involve children | Use clear language and assess competence where required |
3. Acknowledgement | Confirm receipt within 30 days | Track the deadline and keep a record of acknowledgement |
4. Investigation | Make appropriate enquiries without undue delay | Gather facts, check records and policies, and speak to relevant staff |
5. Keep updated (During Investigation) | Keep the complainant informed during the process | Explain timelines and provide updates where investigations take longer |
6. Outcome | Provide the result and explain your reasoning | Address the data protection issue and explain actions taken |
7. Governance & evidence | Maintain records and retention controls | Keep evidence of how complaints were handled and track themes |