How to create a data protection complaints process for your business

Data protection complaints are becoming more and more common as individuals get more savvy about their privacy rights. These aren’t always labelled as complaints, but can still arise across several scenarios and come from various individuals, from your customers to your staff.

Currently, individuals can complain to the ICO (the data protection regulator) if they think their data has been mishandled under data protection laws.

From 19 June 2026, big changes are coming. Following reforms under the Data (Use and Access) Act 2025 (DUAA), individuals will have a legal right to complain directly to data controllers about alleged data protection infringements and controllers must have a clear and compliant complaints handling process in place - with no exceptions.

All UK data controllers will be affected - but the greatest impact is likely to be on customer-facing, marketing-led and digitally trading organisations, where large volumes of personal data are processed and complaints can arrive across multiple channels and teams.

If you’re a data controller (i.e. you decide how and why you handle personal data) you need to act now to build a structured and legally compliant complaints process ahead of the June deadline. This is not a legal tick-box exercise - it’s a statutory rule that will directly affect your governance duties, risk and accountability.

This article provides a high-level introduction to the new complaints regime, with legal and best practice tips to help you prepare for the changes ahead. For full advice on this topic and what it means for you, our data protection team can help.

What’s changing under DUAA on 19 June 2026?

Individuals can already complain to the ICO about alleged data protection infringements.

Before the DUAA changes on complaints processes come into force, there’s no specific statutory obligation on controllers to facilitate or handle data protection complaints internally - although the ICO generally expects individuals to raise concerns with the organisation before escalating to them.

From 19 June 2026, this changes and new rules go live. The DUAA creates a new statutory obligation on controllers to facilitate, acknowledge and handle data protection complaints.

Controllers must have a data protection complaints handling process in place by 19 June 2026. However, the ICO has already issued guidance recommending these processes as best practice, so businesses shouldn’t delay preparing.

Complaints might relate to any alleged infringement of data protection law in relation to an individual’s personal data, or the data of a person they act on behalf of. There’s no requirement for complaints to be formally framed or legally articulated.

Controllers need to be able to receive, assess, investigate and respond to complaints in a consistent and structured manner.

Put simply, as a controller you’ll need to:

  • Facilitate individuals being able to make data protection complaints. Consider hosting a ‘data protection complaints policy’ on your website which offers an accessible electronic route to submit complaints
  • Acknowledge receipt of all data protection complaints within 30 days
  • Without undue delay - take appropriate steps to respond, make enquiries where needed, update on progress and ultimately inform the complainant of the outcome

These changes form part of a wider phased rollout of the DUAA - a broad new law which makes targeted updates across various data protection law rules.

What counts as a data protection complaint?

A data protection complaint is any complaint alleging an infringement of the UK GDPR or Data Protection Act 2018 in relation to an individual’s personal data, or data of someone they act on behalf of.

Individuals can complain about any alleged infringement and don’t need to use formal legal language to do so.

Complaints can be raised via any channel and to any part of your organisation. This means staff awareness, training and escalation routes are critical.

Complaints could be about your:

  • Collection or use of personal data
  • Retention periods
  • Security measures
  • Data sharing
  • Transparency and privacy information
  • Handling of data subject rights requests
  • Profiling, automated decision-making or AI
  • Use of processors or third parties, whether based in the UK or outside the UK
  • Processing of children’s or vulnerable individuals’ data

Which businesses are most affected?

All data controllers must comply with the new complaints rules when they are in force.

The impact remains to be seen - but we expect the businesses that will feel this the most to include those that:

  • handle large volumes of personal data
  • deal with consumers regularly
  • have a large number of employees
  • handle high volumes of subject access requests
  • use processors such as SaaS platforms to handle personal data
  • handle children’s data, sensitive or special category information or complaints from vulnerable individuals

This can cover businesses operating in:

  • e-commerce and retail
  • banking
  • SaaS, digital platforms and telecoms
  • recruitment agencies
  • healthcare and education providers
  • financial and professional services organisations

Complaints directed at these businesses will often land across different teams - spanning customer support, HR and operations. Without a clear process, complaints could be missed or not handled properly.

What should a data protection complaints process include?

Your complaints process needs to be clear, properly structured and workable across your business. What matters is that the process allows you to facilitate, acknowledge and handle data protection complaints in line with the legal rules.

Your process should cover the full complaint lifecycle, including:

  • Being transparent - explain how people can complain, for example by hosting a clear data protection complaints policy on your website
  • Ways to receive complaints - make it easy for people to raise a complaint using the right channels, including at least one electronic channel. This could include a complaint form, email address, phone line, online portal, live chat with human escalation or a way to complain in person. These channels could also be set out in the external data protection complaints policy
  • Checking and assigning complaints - work out what the complaint is about and decide who should handle it
  • Identity checks - if you have doubts about the complainant’s identity, ask for proof of ID at the earliest opportunity
  • Representative complaints - if someone complains on behalf of another person, verify that they have authority to act
  • Looking into the complaint - gather facts, check records and involve the right teams
  • Responding to the complaint - acknowledge it, keep the person updated, and explain the outcome and what they can do if they are unsatisfied
  • Keeping clear records - document what you did and the reasons for your decisions
  • Setting escalation routes - make sure complex, sensitive, high-risk or lengthy complaints are sent up to the right people, and to your legal team where needed

Remember to distinguish specific data protection complaints from:

  • data subject requests
  • HR grievances
  • security incidents
  • general customer complaints
  • personal data breaches

Don’t confuse data protection complaints with data subject rights requests or general complaints.

Individuals have specific rights under the UK GDPR (including access, rectification and erasure). Each request you get needs to be properly assessed and classified so it’s handled under the correct regime. Misclassifying a rights request as a complaint may result in missed deadlines and risk for your business.

If a complaint includes both data protection and non-data protection issues, the data protection elements should be clearly identified, separated and handled under the data protection complaints process - with appropriate routing to relevant teams.

How should businesses prepare operationally?

If your data protection processes are already in good shape and you already have an internal complaints/escalation process, you may not need to build something from scratch. You may just need to tighten, formalise and align your current process with the new legal rules. It’s worth getting a data protection lawyer to check this.

That said, we expect many organisations may not yet have a clear or structured process in place. If that’s you, you need to move quickly.

This is not about having a templated complaints policy you quickly draft and store away. You need a practical, end-to-end process for receiving, triaging and handling complaints across all channels - to help you handle these rules properly and show you take this seriously.

You should prepare by planning for:

  • Who takes ownership of complaints and how responsibility is assigned and escalated in your business
  • How complaints are received and triaged
  • How the process is communicated to data subjects and made visible/accessible - with clear information on how to complain, what to expect and key timelines
  • How data protection issues are spotted and separated from general complaints or grievances
  • How complaints are investigated - including making appropriate enquiries
  • How you communicate with complainants - including acknowledgements, progress updates and outcomes
  • How you verify identity and authority where needed
  • How you manage sensitive types of complaints e.g. those involving children or vulnerable individuals
  • How you handle complaints involving processors or third parties
  • What records you keep - including a clear audit trail of actions, decisions and outcomes to evidence your accountability

What if you work with data processors?

Many controllers rely on data processors (e.g. IT providers, payroll or cloud services) to handle personal data on their behalf when delivering services.

Whilst the legal responsibility for complaints sits with the controller, processors should have clear processes to identify and promptly escalate complaints too.

Use this as a chance to review and update contracts and make sure your processors:

  • Pass complaints on to you without delays
  • Assist with investigations as needed, including providing relevant information

Complaints can be more complex in joint controller arrangements, and we recommend taking legal advice if this applies to you.

What happens if complaints are escalated to the ICO?

How you handle a complaint can affect whether the person takes it further to the ICO.

These rules are mandatory. If you don’t follow them, there is a risk the issue could be escalated to the ICO, which may take enforcement action if you’ve breached your duties.

If the ICO does look into a complaint and how you handled it, it may consider facts like whether you:

  • Had a clear complaints process
  • Acknowledged, updated and responded lawfully
  • Looked into the issues properly
  • Kept the person updated
  • Kept good records of what you did and why

This is why it’s important to invest in a robust complaints process, see it through and keep evidence to show you followed the rules.

What are the risks of getting this wrong?

If a controller fails to comply and is investigated, the ICO may consider regulatory action - including fines and other enforcement action.

As the rules are not yet live, it remains to be seen how they’ll be applied in practice. Given this uncertainty, it’s best to take a cautious approach and follow the ICO’s guidance.

In particular - keep clear records of your processes, investigations, responses and supporting evidence, as this will help protect you if your actions are ever questioned.

Poor complaint handling can also increase the risk of reputational damage, repeat complaints and a drain on internal resources, and may expose wider gaps in your data protection governance.

When should businesses seek legal advice?

Legal input can help if a complaint brings difficult judgement calls, relates to riskier data processing or has a prospect of escalating further.

Risky situations to watch out for include:

  • complaints over complex or high-risk data use activities
  • complaints involving sensitive types of personal data, children or vulnerable individuals
  • repeated, serious or escalated complaints - including complaints already raised with the ICO
  • issues involving employee monitoring, profiling, automated decision-making or AI tools
  • complaints that cut across multiple legal or regulatory areas, or involve processors, partners or joint controller arrangements
  • complaints made by representatives where authority to act is unclear

You may also want advice on what evidence to gather, how far an investigation should go, how to frame a response or whether the complaint points to a wider remediation exercise you need to action as a business.

Pitfalls to watch

The new rules can bring risks, challenges and a higher compliance burden for businesses.

For instance:

  • The risk of complaints increasing fast as public awareness of the complaints regime increases
  • Extra work for internal teams - requiring more time and resources
  • Complaints being misrouted where you don’t understand their context
  • Handling complaints poorly leading to worse consequences
  • Poor recordkeeping leaving you exposed if the complaint is escalated
  • Complaints being used tactically to gain leverage in wider disputes

This is why you shouldn’t take chances: start preparing for the new rules now to mitigate risk.

What you should do now

Ahead of the June deadline, check any current complaint handling process and decide what needs to be actioned for compliance.

A sensible starting point is a gap analysis - look at how complaints currently arise, where they land, how quickly they’re acknowledged, who investigates them and what records you keep. That will help you identify your gaps and build a process that’s right for your size, risk profile and complaint volume.

Key action points for controllers:

  • Check your current internal complaints process against the new rules and ICO guidance
  • Put a clear internal data protection complaints handling process in place to help you comply
  • Decide who is responsible for handling complaints at each stage (covering triage, investigation, response and sign‑off)
  • Offer clear ways to complain, and consider setting these out in a standalone policy on your website
  • Train staff so they can spot and pass on complaints wherever they’re received
  • Update privacy notices and SAR templates so people know how to complain and what to expect
  • Keep a clear complaints log, including what was received, what you did and the outcome
  • Make sure your process covers key checks, like ID verification, representatives and mixed complaints
  • Review supplier and joint controller arrangements so complaint responsibilities are clear
  • Set up escalation routes for complex or high-risk complaints
  • Test your process, monitor complaints and aim to improve over time

This is a nuanced and developing area, so it’s sensible to take legal advice if you’re unsure how to handle complaints or how to navigate this new obligation.

