
Data protection and the right to complain: What companies need to know


By Jade Kowalski & Rebecca Morgan


Published 18 March 2026

Overview

Data protection complaints should be high on the agenda for companies and organisations handling personal data. In June of this year, a new statutory right for individuals to complain to an organisation or business acting as a data controller will take effect, following its introduction in the Data (Use and Access) Act 2025 ("DUAA").

In anticipation of this deadline, the Information Commissioner's Office ("ICO") has published guidance on what represents good practice for those businesses introducing or looking to refresh their data protection complaints process.

For organisations, this is a clear call to action. Those with an existing data complaints process will need to consider any amendments to their existing processes. Those businesses that lack a data protection complaints process should be taking proactive measures to prepare. These steps will certainly need to include establishing proper complaint mechanisms, training staff, and implementing effective communication strategies to ensure compliance.

The evidence indicates that data protection complaints are increasing. Figures made available by the ICO highlight it received 42,315 complaints in the year 2024/25, compared to 39,721 in 2023/24, and up from 33,753 in 2022/23. This is a clear upward trend. For the ICO, these numbers generate concern about the resources required to respond, with the regulator emphasising its need to maximise "efficiency by focusing on complaints where there seems to be clear harm, and on interventions where we can make the most impact." [1]

The new requirement for individuals to first contact the data controller with a data protection complaint will likely lower the number of complaints received by the regulator in the long term. However, in the short term the regulator will be aware that complaints to organisations or businesses that have not thoroughly examined the new requirements may result in unnecessary complaints and referrals to the ICO. The ICO guidance on good practice is therefore welcome and essential, and should be one of the first ports of call for organisations seeking to understand their obligations and take steps towards compliance.

The statutory right to complain

A data protection complaint can be generated in a number of ways:

  • A stand-alone data protection issue, such as concerns about the security measures used to protect a data subject's information or how that information has been collected or used
  • A follow-up to a Data Subject Access Request (DSAR) where the data subject is dissatisfied with the response
  • A complaint may be submitted alongside a DSAR itself

As noted above, there have been longstanding concerns that many data protection complaints are directed to the ICO despite resolution being possible between the controller and subject. As noted within the initial Parliamentary briefing for the DUAA, there is a need for the ICO to take a more risk-based approach, and devote fewer resources to complaints.

Section 103 of the DUAA introduced the statutory right to complain to a data controller into the Data Protection Act 2018. This provision did not take effect on the passing of the Act, instead being introduced via the Data (Use and Access) Act 2025 (Commencement No. 6 and Transitional and Saving Provisions) Regulations 2026 in early February 2026. The Regulations confirmed the provisions of Section 103 would take effect from 19 June 2026. This will be a mandatory requirement for all data controllers; there are no exemptions.

Section 103 requires that data controllers implement a data protection complaints procedure which includes:

  • Facilitating the making of complaints, which may include a complaints form, to be completed electronically or via other means
  • Acknowledging all complaints within 30 days
  • Taking appropriate steps to respond to the complaint without 'undue delay' (including making enquiries and keeping the complainant informed), and
  • Informing the complainant of the outcome without 'undue delay'

Section 103 also provides the Secretary of State with the power to introduce regulations requiring data controllers to notify the ICO of the number of complaints made within defined periods. This power, as noted within the initial delegated powers memorandum for the DUAA, is likely to be used if efforts to encourage data controllers to self-report the number of complaints are unsuccessful.

As part of the planning for their data protection complaints process, controllers should also be considering the type and detail of management information to be collected. This will be useful for internal reporting purposes, and controllers should also be mindful of mandatory reporting requirements in the future.

The ICO guidance on complaints handling

Companies updating or creating a data protection complaints process should consult the published ICO guidance as the starting point for their response. The guidance can be found here, and there are a number of key issues and pointers to be drawn from the ICO advice that will help to inform both organisations' understanding of their obligations and the specifics of their response.

  • People must be notified that they can complain to both the organisation and the ICO upon completion of the initial process.
  • How will the complaints procedure operate? Will there be an email address, an online complaints portal, or live chat with human interaction?
  • How will the organisation respond to complaints made via social media?
  • How will the organisation respond to complaints made by children? The ICO emphasises that organisations must assess the competence of any child complainant to understand and exercise their rights.
  • How will the acknowledgment process operate? Will this include auto-acknowledgment emails, letters or verbal confirmation?
  • Ensuring the process allows for complaints to be investigated without 'undue delay', which in the words of the ICO means 'an unjustifiable or excessive delay'. The time it takes to investigate a complaint will be affected by factors such as complexity, the harm being suffered by the complainant and the scale (i.e. is this a single complaint?).
  • Establishing a clear process following the conclusion of the investigation including communication with the complainant.

Our key recommendations

Companies and organisations preparing for the upcoming deadline should be focusing on the following key steps:

  • Drafting or updating a formal complaints procedure, which data subjects can easily access.
  • Assigning roles and responsibilities – will the process facilitate an independent review by a colleague who was not involved in any previous correspondence with the data subject?
  • Consider how data subject complaints will sit with any other complaints obligations organisations are subject to.
  • Ensure that adequate records are kept to be able to respond to complaints.
  • Inform and train staff. This will involve specific training for data protection staff, as well as general awareness-raising across organisations so that complaints are recognised and dealt with promptly.
  • Establish a process to identify any trends and to reflect so that any lessons are learned.

Our colleagues have extensive expertise in data protection claims and complaints processes, and we are able to support organisations in navigating the complexities of the new complaints requirements.

Whether you need guidance on drafting or updating your complaints procedure, or ensuring robust record-keeping and staff training, we can provide tailored advice to help you meet your obligations and mitigate risk.

If you would like to discuss any of the issues outlined above, or explore how we can assist you in strengthening your complaints management, please do not hesitate to contact us.


[1] Page 35, ICO Annual Report 2024/25
