11 Jun 2026

Are you ready for the new data protection complaints regime?

On 19 June 2026, a new legal obligation goes live for every organisation that handles personal data. As we explained in our earlier blog, individuals will soon have a formal right to complain directly to organisations about how their personal data has been handled.

Your organisation will be legally responsible for handling those complaints in a structured and auditable way, often before the Information Commissioner’s Office (ICO) becomes involved. With only days to go, now is the time to check whether you are ready.

What is changing?

The changes are among the final elements of the Data (Use and Access) Act 2025 to come into force. From 19 June, controllers of personal data are required to have a process to handle data protection complaints within their organisation, before individuals escalate their concerns to the ICO. Previously, controllers were not required to have a complaints process and individuals would often first complain directly to the ICO.

In practice, this makes complaints handling a frontline compliance issue, rather than something dealt with primarily through regulatory engagement.

What do organisations need to do?

From 19 June, all organisations that process personal data must have a complaints process in place which meets the specific requirements laid down in the Data Protection Act 2018 (as amended) and in ICO guidance.

There are no exemptions from that statutory requirement, regardless of your organisation's size or the sector it operates in.

As a minimum, you must:

  • Provide a clear way for people to complain
  • Acknowledge complaints within 30 days
  • Investigate and respond without undue delay
  • Keep the complainant updated during the process
  • Clearly communicate the outcome

For some organisations (particularly if you are a public authority required to undertake internal reviews under the Freedom of Information Act 2000 / Environmental Information Regulations 2004), this review territory will feel familiar. For others, it represents a step-change in how data protection issues are handled. Either way, this isn't simply a procedural change - it will have a direct operational impact. It is conceivable that many organisations will see more complaints. Issues that might previously have gone straight to the ICO will now come to you first, and your handling of complaints will be scrutinised if they are escalated.

Final checklist: Are you going to be compliant?

With the deadline approaching, all organisations should be asking:

  • Do we have a clear process covering data protection complaints?
  • Is it easy for individuals to find and use (eg via privacy notices or our website)?
  • Can staff recognise a data protection complaint - even if it is informal (eg through social media)?
  • Who owns/leads data protection complaints internally?
  • Can we reliably meet the 30-day acknowledgement requirement?
  • Are we resource planning for complaints to be investigated internally?
  • Are we keeping a clear record of complaints and how they are handled?

If you haven't yet reviewed your complaints process, this is your last opportunity to act before the new regime takes effect. Getting this right now will not only reduce regulatory risk, but also put you in a stronger position to resolve issues quickly and avoid escalation.

We're advising a number of clients on their preparations; please let us know if you need any assistance.
