Preparing for the UK’s New Data Protection Complaints Regime: Key Steps Before June 2026

The Data (Use and Access) Act 2025 (“DUAA”) has made a number of changes to the UK’s data protection regime, many of which have already come into force (see here).

From 19 June 2026, organisations will need to implement or update their data protection complaints procedure to align with the new DUAA requirements which provide a mechanism for complaints made directly to a controller. This new requirement is supported by recent guidance from the UK Information Commissioner’s Office (“ICO”).

This marks a shift towards a more formalised, controller-led complaints-handling framework, requiring organisations to treat certain expressions of dissatisfaction as regulated complaints with defined procedural obligations.

Key Considerations and FAQs

What is a “complaint”?

In this context, not all communications from data subjects need to be viewed as a “complaint” requiring compliance with the DUAA complaints process. Examples of complaints that may fall within scope of the new requirements include: i) the way an organisation has responded to a data subject rights request; ii) the security measures an organisation has implemented to store its personal data; and iii) how an organisation is processing its personal data (e.g., retention or accuracy).

Issues that are unlikely to fall in scope include: i) an employee grievance (that also requests copies of personal data); or ii) a deletion request in the context of a customer service issue.

Where there is uncertainty, the ICO recommends that an organisation clarify with the individual whether they intend to raise a complaint.

What are the key requirements?

  • A data subject must be able to make a complaint directly to a controller if they consider that there has been an infringement of the UK data protection laws;
  • Controllers must acknowledge receipt of such a complaint within 30 days; and
  • Upon receipt of a complaint, controllers must, without undue delay:
  1. Take appropriate steps to respond (including making enquiries into the subject matter of the complaint, where appropriate, and informing the complainant of the complaint’s progress); and
  2. Inform the complainant of the outcome of the complaint.

What do organisations need to do in practice?

Many organisations will likely have in place existing policies and procedures to address data protection complaints, and so it may be that certain of these steps will already be addressed by existing approaches. In any event, organisations should consider the following key steps:

  • The controller can decide on the primary complaint mechanism: the form is not prescribed and could, for example, be a complaint form, an email address, phone number, an online complaints portal or a live chat function.
    • Organisations do not need a new or separate tool: existing complaint tools can be adapted.
    • Complaints must be accepted regardless of the channel through which they are received: as with data subject rights requests, individuals may – but are not required to – use the designated mechanism.
  • Inform individuals about their ability to complain: both in the privacy notice and when responding to a subject rights request.
    • It is already a requirement under the UK GDPR to inform individuals about the right to complain to the ICO. Existing privacy notice language should be reviewed and, where necessary, updated to clearly signpost the option to complain directly to the controller as a first step.
  • Consider documenting a complaints procedure: this is not mandatory, but the ICO suggests a written procedure will help demonstrate compliance. Publishing the procedure externally may also reduce operational burden by guiding individuals towards the appropriate channels and setting expectations.
  • Develop or update processes for administering the complaints procedure, including:
    • Responding within the required timeframes (including defining internal expectations around “without undue delay”);
    • Confirming the complainant’s identity (particularly where complaints are made on behalf of others);
    • Record keeping;
    • Internal training to ensure staff can recognise and appropriately escalate complaints;
    • Assessing whether other legal or regulatory frameworks apply (e.g., sector-specific complaint-handling obligations);
    • Governance and escalation pathways (e.g., when to involve legal, a Data Protection Officer, or senior management);
    • If acting as a joint controller, updating arrangements to clarify responsibility for handling complaints; and
    • Reviewing processor agreements to ensure appropriate cooperation obligations are included.

Further Guidance

The ICO provided further guidance expanding on the requirements above. Key points include:

  1. Acknowledge the complaint within 30 days.

This period begins the day after receipt of the complaint (including weekends and public holidays). If the final day falls on a weekend or public holiday, the deadline extends to the next working day.

Notably, the ICO confirms that where an organisation can both investigate and provide a substantive response within 30 days, a separate acknowledgement is not required.

  2. Investigate the complaint (without undue delay).

This obligation arises immediately upon receipt of the complaint (i.e., it does not depend on the acknowledgement). What constitutes an unjustifiable delay will depend on factors such as the complexity and scale of the issue, and the level of harm or risk to the complainant. Any uncertainty regarding the scope of the complaint or the desired outcome should be clarified with the complainant at an early stage.

  3. Keep data subjects up to date.

In practice, this means providing updates on expected timelines and explaining any delays, rather than detailing every investigative step.

  4. Record actions taken.

Organisations should keep records of: i) the date of receipt of the complaint; ii) the acknowledgement; iii) relevant correspondence and documentation; iv) the outcome; and v) any remedial actions taken. Tracking complaint volumes and themes may also support broader compliance monitoring and risk management. The ICO (and where relevant, industry bodies) may request access to these records.

  5. Conclude the investigation and inform the complainant (without undue delay).

Organisations must communicate the outcome without unjustifiable delay, clearly explaining the findings and any steps taken (or proposed) to address the issue.

If the complainant is dissatisfied, it is good practice to provide further explanation where appropriate and remind them of their right to complain to the ICO.

What if an individual complains directly to the ICO?

The ICO confirms that where a complainant approaches them directly, an organisation is not required to take additional proactive steps unless contacted. However, in practice, the ICO will typically encourage individuals to raise their complaint with the organisation first. This reflects a broader regulatory trend towards “controller-first” complaint resolution, similar to the approach under the UK Online Safety Act, where complaints are expected to be handled by the platform before escalation to Ofcom.

Next Steps

With the 19 June 2026 deadline approaching, organisations should consider reviewing their complaint-handling frameworks against the DUAA requirements and ICO guidance. In particular, organisations should focus on ensuring that complaints can be identified across all intake channels, investigated promptly and tracked in a way that demonstrates compliance with the DUAA’s procedural requirements. Early action will be key to avoiding both regulatory scrutiny and operational disruption once the regime takes effect.

Trainee solicitor Jennifer Petch also contributed to this article.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.