
Process for handling data complaints

On 19th June 2026, the Data (Use and Access) Act 2025 will introduce a statutory right for data subjects to make a data protection complaint to a controller.

From this date, organisations are required to have a process for internally managing data protection complaints. There are no exemptions to this requirement. The ICO has provided comprehensive guidance on what organisations need to do in order to comply with the new requirements, and we have set out below the key requirements.

 

What is a data protection complaint?

An individual can complain to an organisation that it has infringed data protection legislation in its handling of the individual’s personal data. For example, an individual may make a complaint regarding an organisation’s response to a subject access request, the organisation’s security measures or the way in which the organisation has used their personal information.

 

How should organisations prepare to handle data protection complaints?

 

Organisations must provide an easy way for people to complain to them, but it is up to each organisation to decide how it does this. Examples listed by the ICO include providing an email address specifically for complaints, providing an online complaint portal, or allowing for complaints to be made over the phone.

 

How should organisations handle complaints?

Acknowledge receipt of a complaint within 30 days

The organisation can decide how it does this, but it should confirm within this timeframe that the complaint has been received and will be investigated.  

The 30-day period begins the day after the organisation receives the complaint. If that day falls on a weekend or public holiday, the 30-day period still starts on that day.

If the last day to acknowledge the complaint falls on a weekend or public holiday, the organisation will have until the next working day to provide acknowledgement.

Investigate the complaint “without undue delay”

This means without an unjustifiable or excessive delay. The obligation to investigate begins when the organisation receives the complaint. The time it takes for the organisation to investigate will vary and will likely depend on factors such as the complexity and/or nature of the complaint and the level of harm suffered by the individual.

Update the individual “without undue delay”

The organisation should keep the individual up to date with timeframes and explain the reasoning for any delays.

Inform the individual of the outcome

Where an outcome can be provided within 30 days of investigation, the organisation does not need to provide an acknowledgement and outcome separately.

The organisation should tell the individual what it has done to resolve the complaint. If the organisation believes it has complied with data protection legislation, the individual should be told this. It is good practice to inform the individual of their right to complain to the ICO if this is not known.

 

What practical steps should organisations take?

  • Check that any privacy policy informs an individual of their right to complain.
  • Ensure individuals know how to raise a complaint.
  • Advise individuals of their right to make data protection complaints when their personal data is collected, and when communicating with them, for example, in relation to any data subject access request (DSAR).
  • Ensure staff are trained to recognise and handle data protection complaints.
  • Put in place processes to acknowledge complaints within 30 days of receipt and give investigation updates and outcomes within the required timeframes.
  • Check contracts with data processors to ensure processors are obligated to pass on any complaints they receive and to assist with investigating and responding to complaints.
  • Keep a record of each complaint and all relevant documentation.

 

Next steps

If you need advice on complying with your data protection obligations, or would like advice on your complaints policies and processes, please get in touch with the Commercial and Technology team at [email protected].

For further information about the other changes, read our article on the Data (Use and Access) Act 2025.

