From 19 June 2026, the Data (Use and Access) Act 2025 (the Act) will introduce a new requirement for organisations to have a process for handling data protection complaints. We look at what employers need to know to prepare for this change.
Background
The Act amends, but does not replace, parts of the UK GDPR and Data Protection Act 2018, with the changes being phased in over a 12-month period from when the Act received Royal Assent on 19 June 2025. The introduction of the new data protection complaints process requirement follows a consultation by the Information Commissioner’s Office (ICO) which closed on 19 October 2025.
What is the new requirement?
From 19 June 2026, organisations will be required to:
- Give people a way of making data protection complaints
- Acknowledge receipt of complaints within 30 days of receiving them
- Without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keeping people informed; and
- Without undue delay, tell people the outcome of their complaints.
The ICO has published its ‘Complaints guidance for organisations’, which confirms that there are no exemptions - the new requirement will apply to all UK organisations regardless of size or industry.
Organisations must tell people they can complain to the organisation, as well as the Information Commissioner’s Office (ICO), at the point that the organisation collects personal information (i.e. in its privacy notice) and when it responds to a subject access request.
What are data protection complaints?
A complaint can come from anyone who is unhappy with how an organisation has handled their personal data (or the personal information of someone they're acting on behalf of). Examples of the issues people may complain about include:
- the way the organisation has responded to their subject access request, or other individual rights request;
- the security measures the organisation has used to store their information (e.g. someone who has been impacted by a data breach); or
- how the organisation has collected or used their personal information (e.g. where it is stored, how long it is kept for, or its accuracy).
Existing complaints processes
According to the ICO guidance, there is no need to set up a separate tool for receiving complaints, as long as organisations can still meet their obligations. Organisations that have an existing complaints process may adapt it to include data protection complaints, or they may decide to set up a new complaints tool, to ensure that they meet the new requirement.
Complaints through social media
Organisations will need to consider how they will manage complaints received through social media, particularly where it may be difficult to identify if someone is intending to make a complaint and expecting a response. The ICO guidance highlights that in general, responding on social media is not a secure way of providing information, so organisations should request an alternative contact method from the individual.
