What changed
From 19 June 2026, organisations handling personal data must have a process for dealing with data protection complaints. The requirement was introduced through the Data (Use and Access) Act 2025 and applies to organisations of all sizes.
The process must give people a way to make a complaint, acknowledge receipt within 30 days, and take appropriate steps to investigate and respond without undue delay. The ICO has published detailed guidance to help organisations prepare and embed the new requirement into their usual data protection arrangements.
What is a data protection complaint?
A data protection complaint is a concern from an individual about how an organisation has handled their personal information. It may relate to issues such as unwanted marketing, access requests, inaccurate data, a privacy concern, a suspected breach, or how information has otherwise been used.
Why this matters
Until now, many organisations have dealt with privacy concerns informally, through general customer service channels, inboxes or ad hoc internal conversations. The new legal requirement means there should now be a clear and accessible route for individuals to raise data protection concerns directly with the organisation.
This is not simply about adding another policy to a website. Organisations need a practical process with clear ownership, a way to log complaints, an acknowledgement process, and a route for investigating and responding appropriately. For wider developments across privacy, data protection and compliance, see our Regulatory Updates page.
What organisations should do
Organisations should now make sure their complaints process is clear, visible and workable in practice.
- Provide a straightforward way for people to raise data protection concerns.
- Make sure staff know where complaints should be sent or escalated.
- Acknowledge complaints within 30 days of receipt.
- Keep a simple record of complaints, actions taken and outcomes provided.
- Assign responsibility for investigating complaints and approving responses.
- Review whether privacy notices, contact pages and internal procedures signpost the process clearly.
Practical takeaway
A complaints process should not feel like a legal formality. It should give people a clear route to raise concerns, help organisations identify recurring privacy issues early, and reduce the chance that avoidable matters escalate to the ICO.
Grounded in
ICO guidance on the new data protection complaints process introduced by the Data (Use and Access) Act 2025, including the requirements to make complaints accessible, acknowledge them within 30 days, and investigate and respond without undue delay.
Sources
- Information Commissioner’s Office: how to deal with data protection complaints.
- Information Commissioner’s Office: what are data protection complaints?
- Information Commissioner’s Office: one month to go: what businesses need to know to meet new data law, 19 May 2026.