Spear’s Family Law Index 2026 recognises 13 Keystone lawyers
Ruth Abrams, Roopa Ahluwalia & Susan Apthorp
Keynote
09 Jul 2026
•6 min read
Since 19 June 2026, individuals have a new right to complain to organisations about how their personal data is handled, and organisations should review and update their complaints handling processes, policies, and procedures to ensure they can respond promptly and appropriately.
From that date, every organisation acting as a controller is now required to establish and operate a process for handling such complaints from individuals about their personal data. This requirement has been introduced by the Data (Use and Access) Act 2025 (DUAA), which amended the Data Protection Act 2018, and the UK Information Commissioner’s Office (ICO) has published guidance to help organisations comply with this new right to complain.
Previously, individuals could complain to the ICO directly (and that statutory route remains available) but there was no express statutory right to complain to the controller or any statutory requirement for controllers to operate an internal complaints handling process. The DUAA has now introduced a statutory right for individuals to complain to the controller and has placed corresponding duties on controllers to establish and operate an internal complaints handling process. Controllers must also provide clear information about how and where individuals can submit complaints and the process that will be followed. While individuals may still complain to the ICO at any time (and are not legally required to complain to the controller first), the ICO’s guidance generally encourages individuals to raise matters with the controller in the first instance where appropriate, to allow organisations an opportunity to resolve the complaint.
Under the new requirements, organisations acting as controllers must:
Many organisations have existing channels (webform, email, phone, or live chat) that can be adapted to receive data protection complaints. In practice, even where there is a dedicated channel, organisations should ensure complaints are identified and appropriately routed wherever they are received and should not insist that individuals use only one channel. This is similar to how organisations should handle data subject access requests (DSARs): even if they are received through other channels (such as customer relations), they should be identified and handled within the applicable legal time frame. To ensure data protection complaints are recognised and routed correctly, staff should be trained to identify a complaint and know where to send it.
For example, a customer posts on your company’s social media account saying you ignored their request to delete their data. This may amount to a data protection complaint, even though it was not submitted through your formal complaints process. You should treat it as a complaint, but you should not attempt to resolve it over social media, as this is not a secure channel for discussing personal data. Instead, acknowledge the message in general terms and direct the individual to continue the conversation through a secure, appropriate channel such as email or your online portal.
Ensure individuals are also informed about how to complain about the handling of their personal data. Organisations must “facilitate” complaints (that is, make it easy for individuals to complain, for example, by providing electronic complaint forms and other reasonable means) and should clearly signpost the complaints route in their privacy information and, where helpful, in standard communications such as DSAR responses.
Organisations acting as controllers must acknowledge receipt of a complaint within 30 days; following ICO guidance, this 30-day period starts the day after receipt of the complaint. If the final day falls on a weekend or public holiday, acknowledgement may be given on the next working day. Resolution of the complaint is not required within the 30-day period, only acknowledgement of receipt is. Organisations may also need to verify the individual’s identity or authority of a representative where there is any doubt, or where someone is acting on the individual’s behalf.
There is no fixed statutory deadline for resolving a complaint but organisations acting as controllers must, without undue delay (understood as being without an unjustifiable or excessive delay), take appropriate steps to respond from the date the complaint is received, not from the date of acknowledgement. This includes investigating the issues raised by making appropriate enquiries, keeping the individual informed of progress, and informing them of the outcome.
The ICO recommends explaining the outcome in clear, plain language so the individual can understand how the decision has been reached and signposting the option to complain to the ICO if they remain dissatisfied (this does not affect an individual’s ability to complain to the ICO at any time).
Under the DUAA, the ICO may require information from organisations regarding complaints received and how they have been handled. Organisations should therefore keep appropriate records of complaints to evidence compliance, including dates of receipt and acknowledgement, key correspondence, steps taken, and outcomes.
The ICO has not publicly indicated that it will carry out stand-alone audits of every organisation’s complaints procedure from day one. However, some requirements are public-facing and easy to check (for example, whether a privacy notice explains how individuals can complain and how to escalate to the ICO). The ICO has previously run systematic, scan-based reviews of public-facing websites (for example, its scanning of cookie consent across the UK’s top 1,000 websites), which in some cases has led to warning letters and enforcement action. A similar approach could therefore be used to check whether privacy notices clearly signpost the right to complain, how to do so, and the route to the ICO. These are public, outward‑facing statements that can be checked automatically, whereas day‑to‑day handling of complaints is largely internal and not readily visible to external reviewers.
Many organisations will already have measures and processes in place that can be adapted and used to receive and handle data protection complaints, for example existing complaint tools and DSAR processes (including identity checks and handling procedures). Organisations should also update their privacy notices and DSAR templates to signpost their complaints procedure and the individual’s ability to raise concerns with the ICO (including at any time).
Practical steps to help keep current practices in line with the new requirements include:
If you have any questions about any of the issues raised in this article, please contact Thibaut D’hulst or Carolyn Bane.