From 19 June 2026, UK organisations must have a process for handling data protection complaints. This requirement needs a live operating process, not a dormant policy note. The ICO says the complaints-procedure requirement under the Data (Use and Access) Act 2025 starts on that date, and its published guidance already sets out what organisations are expected to do. If your business handles personal data, the practical question now is simple: can staff recognise a data protection complaint, route it correctly, acknowledge it within 30 days, and investigate it without undue delay?
For many organisations, the gap is not policy language. It is workflow. A complaint may arrive through HR, customer support, sales, a shared inbox, or social media. If nobody spots it as a privacy issue, the legal duty exists anyway. That is why this article focuses on the operating model teams need in place before June, not abstract commentary on the Act. If you need the wider legislative context first, start with our explainer on the DUAA changes.
What changes on 19 June 2026
On 5 February 2026, the ICO confirmed that most remaining data-protection provisions in the Data (Use and Access) Act had already commenced, except the requirement for organisations to have a complaints procedure, which is due to commence on 19 June 2026. The ICO’s main guidance says there are no exemptions from having a process for handling data protection complaints.
The legal structure behind that guidance appears in the Data (Use and Access) Act 2025 explanatory notes. Those notes explain that new section 164A requires controllers to facilitate complaints, acknowledge receipt within 30 days, and take appropriate steps without undue delay, including making enquiries and informing the complainant about progress.
This duty is separate from a person’s right to complain to the ICO. In practice, organisations now need an internal route to handle privacy complaints directly, while still making clear that people can escalate to the regulator.
What counts as a data protection complaint
According to the ICO, a person can complain if they believe you have infringed data protection law in the way you handled their personal information. They do not need to use legal language or cite sections of legislation. The ICO’s examples include complaints about how you handled a subject access request, how securely you stored personal data, or how you collected, retained, or used personal information.
That matters operationally because many complaints will arrive in ordinary business language. An employee might say HR records are inaccurate. A customer might say you used their details for marketing after they objected. A former member of staff might say you ignored their access request. If your teams are waiting for the phrase “data protection complaint”, they will miss real complaints.
What your complaints procedure needs to include
A clear way for people to complain
The ICO says you must give people a way to complain to you directly. That could be a form, an email address, a phone route, an online portal, live chat escalation, or an in-person route. The important point is not the format. It is that the route exists and works. The ICO also says people can still complain through other channels, including to any employee, and you must accept the complaint however it arrives.
For most organisations, the most practical model is to adapt an existing complaints process and add privacy-specific routing rules. You do not need a completely separate portal if your current system can identify, escalate, and track data protection complaints correctly.
A 30-day acknowledgement step
The headline operational rule is the 30-day acknowledgement requirement. The ICO says you must acknowledge receipt within 30 days of receiving the complaint. That acknowledgement does not have to be complex. It just needs to confirm receipt and make clear that you are looking into the issue.
Managers should be careful not to misread this as permission to wait 30 days before doing any work. The ICO is explicit that the investigation duty begins when the complaint is received, not after the acknowledgement period expires.
Investigation and updates without undue delay
After receipt, you must take appropriate steps without undue delay. The ICO describes this as making appropriate enquiries, keeping the complainant informed, and providing the outcome without unjustifiable or excessive delay. That wording matters because it avoids giving organisations a fixed final-resolution deadline they can hide behind. A simple issue may be closed quickly. A more complex complaint may take longer, but you still need active investigation and regular updates.
A sensible process usually includes triage, scope clarification, fact gathering, internal interviews where needed, a progress update if the issue will take time, and a clear outcome message that explains what you found and what action you took. If your business already struggles with subject access requests or rights-response workflows, the same operational weaknesses often show up in complaint handling too.
Records, ownership, and escalation
The ICO recommends keeping records of the date received, your acknowledgement, relevant conversations and documents, the outcome, and any actions taken. In practice, that means your procedure should name an owner, define where the record lives, and set escalation triggers for legal, HR, information security, or senior management. If the complaint touches a possible personal data breach, the issue may also need to move into your incident process. If it concerns an access request, teams should understand the difference between the complaint itself and the underlying rights request.
Complaint vs DSAR vs breach: do not send them into the same queue
One of the easiest mistakes is to treat every privacy-related issue as the same kind of ticket. They are not. A data protection complaint is someone saying you have handled personal information improperly. A subject access request is a request for copies of personal data or related information. A personal data breach is a security or confidentiality incident. One matter can involve more than one of these, but the workflow should separate them so each obligation is met on time.
- A complaint needs acknowledgement within 30 days and investigation without undue delay.
- A DSAR has its own response rules and evidence requirements.
- A breach may trigger containment, risk assessment, and possible regulator notification on a much faster clock.
The practical fix is a triage script for frontline teams: what has the person actually asked for, what harm are they alleging, and which internal owner needs to act first?
Five mistakes organisations are likely to make
- Treating the complaints procedure as a website document only, with no internal workflow behind it.
- Missing informal complaints sent to HR, support, or sales inboxes.
- Acknowledging on time but failing to investigate promptly.
- Bundling data protection complaints into wider customer-service or grievance cases and delaying the privacy response.
- Writing a procedure but not teaching staff how to recognise a complaint in ordinary language.
What managers should do this month
- Assign one accountable owner for data protection complaints.
- Map every intake route, including email inboxes, phone teams, HR channels, and social media.
- Create a short acknowledgement template and an outcome template.
- Define how complaints are logged, tracked, and escalated.
- Test the process with one employee scenario and one customer scenario before 19 June 2026.
If you are already updating processes for other DUAA changes, this should sit in the same implementation stream as your privacy-notice, cookie, and rights-handling changes.
When complaint handling becomes a training issue
If your organisation cannot reliably spot a complaint when it lands with a non-specialist team, you have a training gap as well as a procedure gap. The ICO says staff should be able to recognise a data protection complaint and know what to do with it. That makes complaint handling a frontline awareness issue, not something that can be left entirely to legal or the DPO.
For many businesses, the right answer is a mix of awareness and refresher training. The GDPR Refresher Training Course is the natural next step if staff need a structured reset on complaint recognition and escalation.
The immediate priority, though, is simpler: by 19 June 2026, you should be able to show that people have a way to complain, staff know how to route those complaints, acknowledgements are sent within 30 days, and investigations move forward without undue delay. If that is not true today, the work belongs on this month’s compliance list.
Sources
- ICO: How to deal with data protection complaints
- ICO: How do we prepare to handle data protection complaints?
- ICO: What are data protection complaints?
- ICO: What do we do when we receive a complaint?
- ICO: What do we do after we’ve finished our investigation?
- ICO: Statement on the commencement of the Data (Use and Access) Act (DUAA)
- Data (Use and Access) Act 2025 explanatory notes, section 103
