Local Government Lawyer

SharpeEdge

From this Friday, 19 June 2026, organisations can no longer rely on complaints going straight to the ICO. The Data (Use and Access) Act 2025 introduces a new regime requiring them to receive, investigate and resolve data protection complaints themselves. Maggie Burns and Charlotte Smith explain what you need to know.

The Data (Use and Access) Act 2025 (the “Act”) introduces a new complaints framework for UK data protection law.

For the first time, organisations will be legally required to put in place and operate a formal process for handling data protection complaints. In practice, this marks a shift away from a system in which individuals could go straight to the Information Commissioner’s Office (“ICO”), towards one in which concerns are expected to be raised with organisations in the first instance.

The complaints provisions come into force on 19 June 2026, with the ICO confirming in its published guidance that organisations are expected to have compliant processes in place from that date.

For many organisations, this will not require building a process from scratch, but it will require greater structure, visibility and discipline in how data protection concerns are received, investigated and resolved.

What does the Act require?

Section 103 of the Act introduces a new statutory right for individuals to make complaints directly to the controller where they consider that their data protection rights have been infringed.

In practical terms, this means that organisations must:

  • provide individuals with accessible and effective means of making data protection complaints; and
  • handle those complaints internally, before any escalation to the ICO.

While this reflects an approach that was previously encouraged as good practice, the Act now puts it on a statutory footing.

The legislation itself sets out the high-level framework only. The detailed expectations as to how complaints should be received, managed and resolved are instead set out in accompanying ICO guidance.

ICO guidance: core requirements for organisations

The ICO has published detailed guidance on how to deal with data protection complaints, which sets out the practical steps organisations must take to comply with the new regime.

At a high level, organisations are required to:

  1. Provide a mechanism for complaints: Organisations must ensure that individuals have a clear and accessible way to raise data protection complaints directly with them.
  2. Acknowledge complaints within 30 days: Receipt of a complaint must be confirmed within 30 days of it being received.
  3. Investigate and respond without undue delay: Organisations must take appropriate steps to investigate the complaint, including making necessary enquiries and keeping the complainant informed of progress.
  4. Provide an outcome without undue delay: Once the investigation has been completed, organisations must clearly explain the outcome to the complainant.

What counts as a data protection complaint?

A data protection complaint arises where an individual considers that an organisation has infringed data protection law in the way it has handled their personal data.

In practice, the concept is deliberately broad. It may include concerns about:

  • how personal data has been collected, used or stored;
  • delays or deficiencies in responding to a subject access request; or
  • data breaches or other security incidents.

Importantly, the ICO emphasises that complaints do not need to be formal or expressed in legal terms. Any expression of dissatisfaction relating to the handling of personal data may be capable of constituting a data protection complaint.

Organisations must therefore be prepared to identify and handle complaints raised through a wide range of channels, including informal or indirect communications.

Practical implications for organisations

The introduction of a statutory complaints process represents a shift in how data protection concerns are handled in practice.

In particular:

  1. Existing systems can be adapted: Most organisations will not need to build entirely new processes, but will need to ensure that existing complaints or data rights procedures clearly accommodate data protection complaints.
  2. Aim for complaints to be resolved internally first: Organisations are now expected to address complaints directly, with escalation to the ICO operating as a secondary step rather than the starting point.
  3. Complaints processes must be accessible and flexible: Complaints may be raised through a variety of channels and in informal ways, requiring organisations to adopt a broad and responsive approach.
  4. The focus is on procedure and governance: The regime places greater emphasis on having structured, documented processes that can be demonstrated to the ICO, if required.

Overall, the new complaints regime represents a move towards increased organisational accountability. While many of the underlying practices will already be familiar and can build on existing processes, the key difference is that these are now formal legal obligations which must be consistently applied and evidenced.

Further reading:

  1. Data, Privacy and Information Law
  2. Data (Use and Access) Act – Updating Data Protection Law and more

If you would like further advice and assistance in relation to any of the issues raised in this article, please contact us today by telephone or email.

Maggie Burns is an Associate and Charlotte Smith is a Partner at Sharpe Pritchard LLP.



This article is for general awareness only and does not constitute legal or professional advice. The law may have changed since this page was first published. If you would like further advice and assistance in relation to any issue raised in this article, please contact us by telephone or email.
