A major change to the way data protection complaints must be handled will take effect on the 19 June 2026. By this date, all UK businesses and organisations must have a clear, documented process for handling data protection complaints from individuals. This requirement stems from the Data (Use and Access) Act 2025, which received Royal Assent in June 2025 and introduced a range of updates to the UK’s data protection framework.

What’s changing?

Previously, while the UK GDPR and the Data Protection Act 2018 required organisations to take data protection seriously, there was no specific legal obligation to have a formal, written complaints-handling process in place.

From 19 June 2026, the new rules mean organisations must:

• Have a clearly documented internal data protection complaints procedure for handling concerns raised by individuals (such as employees, customers, or service users).
• Acknowledge data protection complaints promptly and deal with them without undue delay.
• Communicate the outcome of any complaint to the individual who raised it.
• Make information about the complaints process easily accessible, for example, through a privacy notice or on their website.

The ICO published its finalised guidance on how organisations should deal with data protection complaints in February 2026, giving businesses until the June deadline to comply.

Why has this been introduced?

The ICO receives a large volume of complaints each year from members of the public who feel their data protection rights have not been respected. Many of these complaints could be resolved directly between the individual and the organisation, without the need for ICO involvement.

The new requirement encourages organisations to resolve complaints internally first, which is felt to benefit all parties. Individuals should get faster outcomes, and businesses avoid scrutiny from the ICO. 

Organisations that can demonstrate a robust complaints process are also likely to be viewed more favourably by the ICO should a complaint escalate.

Who does this apply to?

These requirements apply to all organisations that process personal data under UK GDPR and the Data Protection Act 2018, regardless of size or sector. 

What should businesses do now?

If you don’t already have a formal data protection complaints procedure, now is the time to put one in place. Here’s a simple checklist to get started:

1. Draft or update your complaints procedure — set out clearly how someone can raise a data protection concern, who will handle it, and the expected timescales for a response.
2. Designate a point of contact — make sure someone in your organisation is responsible for receiving and managing data protection complaints.
3. Update your privacy notice — include a reference to your complaints process so individuals know their rights and how to exercise them.
4. Train your team — ensure relevant staff understand the process and know how to respond appropriately.
5. Keep records — document complaints received and the steps taken to resolve them.