UK organisations have until 19 June 2026 to put a formal process in place for handling complaints about how they use personal data, creating a new operational requirement under the Data (Use and Access) Act 2025.
The change requires organisations to provide individuals with a clear route to make a data protection complaint. They must acknowledge receipt within 30 days, investigate the issue appropriately, keep the complainant informed, and confirm the outcome without undue delay.
The Information Commissioner’s Office has published guidance setting out how organisations should handle complaints under the new statutory framework. A complaint may arrive through a customer service team, an HR inbox, a branch, a contact centre, a supplier relationship, or a generic email address, so organisations will need staff to recognise when an apparently routine concern is in fact a data protection complaint.
Privacy Helper, a UK data protection consultancy, has warned that many organisations may not be ready. A privacy notice or generic customer service process will not satisfy the new duty if the business cannot show who owns the complaint, how it was handled, when it was escalated, and what outcome was reached.
Andy Chesterman, managing director of Privacy Helper, said: “Most businesses believe they are compliant until a complaint exposes the gaps. From 19 June, organisations need a practical process that staff understand and can follow.
“A routine issue can escalate quickly if nobody knows who owns the complaint, what needs to be recorded or when it should be referred internally. The real risk is not simply receiving a complaint, it is being unable to show that the business handled it properly.
“This is a commercial issue as much as a compliance issue. Poor handling creates avoidable cost, management time and reputational damage.”
Privacy Helper is advising organisations to assign clear responsibility, establish escalation routes, create a record-keeping process, and train relevant staff before complaints arrive. Although data protection is often treated as a legal or compliance matter, the first response may depend on people in customer service, HR, operations, marketing, IT, or finance.
Complaints about personal data can arise from marketing consent, subject access requests, employee monitoring, automated decision-making, inaccurate records, failed deletion requests, customer profiling, recruitment systems, loyalty schemes, AI-enabled tools, and cyber incidents. Many of those issues begin as service problems before they develop into regulatory concerns.
The new duty also changes the path to regulator involvement. Individuals are expected to raise complaints directly with an organisation before escalating to the ICO, but poor handling may make any later scrutiny more damaging. A business that cannot evidence acknowledgment, investigation, communication, and resolution may find itself judged less on the original complaint than on the weakness of its response.
That creates a practical risk for smaller organisations that have relied on templates and privacy policies without building internal accountability around data handling. Larger companies face a different challenge, because complaints may be fragmented across regional teams, outsourced contact centres, HR platforms, and multiple technology systems.
The deadline arrives while the UK continues to reshape its post-GDPR data regime. The Data (Use and Access) Act is intended to update parts of the framework while preserving core rights, but the operational effect is clear: data governance remains a live management responsibility, even as the policy debate focuses on innovation, AI, data sharing, and regulatory reform.
A well-run complaints process will need more than a new webform. Organisations will need internal triggers, ownership, escalation rules, record-keeping, response templates, and training. They will also need a way to identify recurring complaint patterns, because repeated issues around marketing, HR data, inaccurate records, or automated systems may reveal wider governance weaknesses.
Complaints handling rarely attracts attention until the process fails. The 19 June deadline gives organisations little room to treat the change as a housekeeping task. A clear procedure, documented ownership, and trained staff will determine whether a complaint is contained as a manageable issue or becomes evidence of poor privacy governance.
You must be logged in to post a comment.