Data Protection Complaints Policy

You may already be aware that from 19th June 2026, businesses that handle personal data will need to have a Data Protection Complaints Policy in place. Although the requirement did not come into force until 19 June 2026, ICO guidance makes clear that it’s good practice for organisations to begin implementing compliant procedures ahead of any formal changes.

If your business handles personal data, you now need to think about how you deal with complaints about that data. Under the Data (Use and Access) Act 2025, organisations are required to operate an internal process for handling data protection complaints. This is not just good practice anymore; it is becoming a legal requirement, reinforced through amendments to the Data Protection Act 2018.

What has changed

Previously, someone could complain directly to the ICO if they believed their data protection rights had been breached. Organisations were expected to deal with concerns internally, but there was no clear, structured legal duty to operate a formal complaints process.

The ICO now makes it clear that organisations must have good complaint handling procedures and must actively facilitate complaints. This includes:

  • clear information for individuals to raise complaints.
  • acknowledging complaints within 30 days.
  • investigating and responding without undue delay.
  • keeping complainants informed of progress.
  • explaining outcomes clearly and transparently.

These points need to be reflected in your policy. They are not optional; they come from both regulator expectations and statutory duties.

The new law will ensure that businesses have clear responsibilities and are able to recognise any form of data complaint, whether that be via email, social media or telephone. The ICO is explicit that there are no exemptions based on size or sector. If your business processes personal data, you must be able to demonstrate that you can recognise a data protection complaint when it arises, record it, investigate it and respond within appropriate timelines.

What counts as a data protection complaint

ICO guidance makes clear that individuals do not need to use legal terminology. A complaint can be as simple as dissatisfaction with how a subject access request was handled, concerns about a data breach or security, or objections to how personal data has been collected, used, or retained.

The ICO expects organisations to separate and address data protection issues properly, and a well-written policy will inform this.

Your complaints procedure must be easy to use and visible, and should offer different methods of communication: email, telephone, post, online.

Keeping records

You should also ensure that you keep appropriate records which indicate when the complaint was received, how it was handled, what was decided and what action was taken. If you are investigated by the ICO, this will allow you to demonstrate you acted in accordance with the law.

Once your policy has been written, it will guide you and your staff and ensure that you remain compliant.

If you require any further information, please see the ICO guidance "How to deal with data protection complaints", or contact us regarding a draft policy.