From 19 June 2026, the Data Use and Access Act 2025 (DUAA) will introduce a new, statutory "right to complain" for individuals in the UK regarding their data protection rights. This right, set out in the new section 164A of the Data Protection Act 2018 (inserted by DUAA), requires individuals to lodge a complaint directly with an organisation first, before they can escalate it to the ICO.
The ICO has published guidance setting out how organisations should handle data protection complaints, which we have summarised below.
What is a data protection complaint?
A data protection complaint arises when someone believes an organisation has infringed data protection legislation because of the way it has handled their personal data. For example, a complaint may relate to the way a data subject access request was handled, what data security measures were applied to store someone's data in the event of a data breach, or how an organisation has collected or used someone's personal data. If an organisation is unsure whether someone is making a data protection complaint, it should ask for clarification.
As with other data subject rights requests, complaints can be made via any channel and individuals do not need to use legal terms or quote applicable legislation to make them.
What do organisations need to do?
Organisations need to inform individuals about their right to complain:
- At the time their data is collected (for example, in a privacy notice), and
- When responding to data subject rights requests.
Individuals need to be given a mechanism through which to make their complaint, for example via email, phone or a complaints portal. Organisations can adapt existing data subject rights or complaints processes to meet these obligations. Although not required, providing a written complaints procedure can make it easier for individuals to understand how to raise a complaint, which in turn helps an organisation meet these obligations.
Organisations should ensure that staff can recognise a data protection complaint and know how to handle it appropriately. This includes understanding where complaints should be directed and ensuring that handling of data protection complaints forms part of internal data protection training.
How should organisations handle complaints?
Organisations must have a process for handling data protection complaints which includes:
- Acknowledging the complaint within 30 days of receiving it,
- Taking steps to investigate the complaint without undue delay, and
- Informing the complainant of the outcome without undue delay.
The 30-day time limit to acknowledge the complaint begins from the day after the complaint is received, even if that day is a weekend or public holiday. If the 30th day falls on a weekend or public holiday, the acknowledgement can be sent on the following working day.
Investigation into the complaint should begin from the day the complaint is received and enquiries into the complaint must be conducted without unjustifiable or excessive delay. The scope and depth of those enquiries must be appropriate based on the circumstances of each complaint, and organisations must be able to justify the approach they take. The overall time period to respond is likely to be affected by the complexity and scale of the issue and the level of harm the individual has suffered.
Organisations must keep individuals updated on the progress of their investigation without undue delay. For example, if an investigation is likely to take a long time, the organisation needs to follow up on the initial acknowledgement to make the individual aware of this.
How should organisations respond?
Once the investigation is complete, the outcome should be communicated to the individual, and the organisation should clearly explain what it did to resolve the complaint and any actions it took as a result of its investigation. If complainants are unhappy with the outcome, organisations could consider clarifying their decision and, as best practice, provide details about how to complain to the ICO.
What should organisations do after the response has been shared?
After the response is shared, organisations should ensure their internal records are updated with details about how they dealt with the complaint, including the date it was received, when the acknowledgement was sent, details of the investigation, the outcome of the complaint and the actions taken as a result.
Finally, organisations should consider reviewing lessons learned to prevent future, similar data protection issues.
Practical takeaways
- Privacy notices will need to be updated to ensure individuals are aware of their formal right to complain.
- If you do not already have a complaints procedure, you should consider putting one in place so individuals are familiar with the process and know what to expect. This should be easily accessible to data subjects (e.g. provided via a link on your website).
- When drafting your privacy notice, use plain language and avoid legal jargon, explaining any necessary legal terms in a straightforward way.
- Develop an internal process for staff, and provide appropriate training to staff so that they can recognise a data protection complaint and know how to handle and escalate it appropriately.
- Consider how complaints should be handled under other legislative frameworks, such as equality and discrimination laws, to ensure a consistent and compliant approach.
If you have any questions or would like assistance with updating privacy notices, drafting complaints procedures and/or internal complaints policies, please reach out to a member of our team who will be happy to assist.
