In June 2025, the UK’s Data (Use and Access) Act 2025 (DUAA) came into force, introducing important changes to data protection obligations. You can read more about DUAA here.
One of the most significant changes is that, from June 2026, all organisations will be required to have a process for handling data protection complaints. In practice, this means individuals must first raise their concerns with the organisation (as the data controller) before approaching the ICO.
To help businesses prepare, the ICO has published draft guidance on handling complaints, open for consultation until 19 October 2025. The draft guidance explains what organisations must, should and could do at each stage of the process. In this blog post, we look at the key obligations and what practical steps SMEs can take now.
New legal obligations for handling complaints
Under the DUAA and UK data protection law, organisations will soon be under a formal duty to manage complaints effectively. The ICO’s draft guidance highlights several core requirements you must comply with:
- Provide a complaints channel: People must be able to complain directly to you. It could be through an online form, email or post, over the phone or live chat. It will no longer be acceptable to have no route for complaints – every organisation should be prepared to receive and address data protection complaints.
- Acknowledge within 30 days: You must confirm receipt of the complaint within 30 days of receiving it. This reassures the complainant that you are looking into the matter and marks the start of your process.
- Investigate and respond promptly: You must investigate the complaint and take appropriate steps without undue delay, keeping the individual informed of progress. ‘Without undue delay’ essentially means as soon as reasonably possible. Unnecessary delays in investigating or updating the complainant could breach this obligation.
- Provide an outcome: Once your investigation is complete, you must explain the outcome clearly and without undue delay. In your response, explain what you found and any action taken to resolve the issue. If the person is not satisfied, you should also inform them of their right to escalate the matter to the ICO and provide them with its contact details.
These are binding legal obligations. Only after an individual has received your response may they escalate their complaint to the ICO. Failing to meet these requirements could not only undermine trust with your customers but also put your organisation in breach of data protection law.
Preparing your organisation
- Create a complaints procedure: If you do not already have one, create a written data protection complaints procedure for your organisation. This document should outline how someone can make a complaint and what they can expect after lodging it. For example, clarify that you will acknowledge the complaint within 30 days, investigate promptly, keep the person informed and provide a clear outcome. Use plain, simple language so that anyone can follow the process.
- Establish clear complaint channels: Make it straightforward for people to complain. Options might include a form (online or paper), a dedicated email address, a phone line or live chat. Include these routes in your privacy notice or on your website.
- Train your staff: Ensure your team knows how to recognise a data protection complaint and what to do if they receive one. Even if someone doesn’t call it a ‘complaint,’ it may still count. Include this in your regular data protection training.
- Special considerations for children’s data: If your organisation deals with children’s data (or services likely to be used by children), be prepared to handle complaints from or on behalf of children. The ICO expects you to communicate in clear, age-appropriate language throughout the complaints process. You should also think about how you will verify a child’s capacity to exercise their rights and whether a parent or guardian is authorised to act for them. If you are subject to the Age Appropriate Design Code, you must also have mechanisms in place to help children exercise their rights or make complaints, indicate when a complaint or request is urgent and prioritise accordingly.
- Keep records and learn from them: Log each complaint with dates, details, steps taken and the outcome. This shows compliance if the ICO ever asks for evidence. Afterwards, review what happened and identify improvements. For example, recurring complaints about delays in data subject access requests may highlight a need to streamline your process. Learning and adapting will reduce complaints over time and demonstrate accountability.
What to do when you receive a complaint
Once you receive a complaint, you should:
1) Acknowledge receipt
Confirm within 30 days that the complaint has been received. This could be an automatic email, a letter or a written confirmation following a phone call.
2) Investigate promptly
Gather facts, review relevant records and speak to staff involved. You may need further information from the complainant, such as proof of identity or a letter of authority if someone acts on another’s behalf. Requests must be proportionate. If authority is not provided, you do not need to investigate further, but you should explain why.
3) Keep the complainant informed
Stay in touch with the complainant throughout the investigation, especially if the investigation takes time. Provide updates and a contact point so the individual knows their concerns are being taken seriously.
4) Provide a clear outcome
Once the investigation is complete, set out the outcome in plain language, addressing each issue raised and explaining any remedial action taken. If the complainant remains dissatisfied, inform them of their right to escalate the matter to the ICO and provide them with the ICO’s contact details.
5) Review and improve
Each complaint is an opportunity to improve. After closing the complaint, reflect on whether processes could be improved to avoid similar issues. Documenting lessons learned demonstrates accountability and can reduce complaints over time.
The ICO’s role in the complaints process
The ICO expects organisations to be the first line of response for complaints. If someone contacts the regulator without first going through your process, the ICO will usually redirect them back to you.
This is the trade-off that comes with the requirement to institute a complaints process. Because the ICO expects complaints to be handled first by the organisation, the scope for ICO involvement in a complaint is reduced: the complainant cannot simply go to the ICO if there are any issues.
You don’t need to notify the ICO if someone says they plan to complain – just continue handling the matter professionally. If the ICO does become involved, being able to show that you acknowledged, investigated and resolved the complaint promptly will put you in a strong position. Conversely, ignoring or delaying complaints could count against you in enforcement action. With complaint-handling now a statutory duty, the ICO is likely to pay closer attention to how organisations respond.
Conclusion
Handling data protection complaints is no longer just good practice. It will soon be a legal requirement for all businesses under the UK’s updated data protection regime.
The ICO’s draft guidance is intended to help organisations prepare, but it is not final. The consultation is open until 19 October 2025, after which the ICO will review responses and publish a final version of the guidance. That version may adjust or expand on the current draft.
In the meantime, organisations should start preparing now by creating a clear complaints procedure, training staff and ensuring complaints are acknowledged, investigated and resolved promptly. Doing so will put you in a strong position when the final guidance is released and help you demonstrate accountability and build trust with customers.
At EM Law, we are experts in data protection law. If you need help with drafting or updating your complaints procedure or ensuring you are compliant with the UK GDPR, please contact us. One of our data protection specialists, such as Neil Williamson or Colin Lambertus, would be more than happy to assist you.