How to deal with data protection complaints with PrivacyEngine

Complaints Handling

    From 19 June 2026, every organisation operating under UK data protection law must have a formal process for handling complaints from individuals about how their personal data is used. The Data (Use and Access) Act 2025 introduced this obligation with no exemptions, meaning it applies regardless of your organisation’s size, sector, or processing activities. While the ICO has published guidance on what compliance looks like, the practical challenge of building and maintaining a complaints process that actually works – one that is auditable, consistent, and responsive – is where most organisations struggle. This article sets out what the new requirements demand of you, where the operational pitfalls lie, and how you can establish a complaints management capability that exceeds expectations at every step.

    What the New Legal Requirements Actually Demand

    The statutory framework is more prescriptive than many organisations initially expect. You must provide individuals with a clear and accessible way to raise data protection complaints directly with your organisation. Once a complaint arrives, you must acknowledge its receipt within 30 calendar days. You must then, without undue delay, take appropriate steps to investigate and respond, which includes making necessary enquiries and keeping the complainant informed throughout the process. Finally, you must communicate the outcome to the individual, again without undue delay.

    These are not aspirational standards or soft guidance; they are legal obligations. Failure to meet them could result in the ICO taking enforcement action, and it could also undermine your position if a complaint escalates to a formal regulatory investigation. The ICO has made clear that it expects organisations to treat complaints handling as a core part of their privacy programme, not an afterthought bolted onto an existing customer service function.

    What makes these requirements particularly demanding is the combination of timeliness and substance. A 30-day acknowledgement window sounds generous until you consider that many organisations lack a single intake point for data protection concerns, meaning complaints can sit unrecognised in general inboxes for weeks before anyone identifies them as falling within scope.

    Why Most Organisations Are Not Ready

    The gap between having a privacy policy that mentions complaints and having an operational process that can deal with data protection complaints consistently is significant. Many organisations have invested in records of processing, data protection impact assessments, and breach notification procedures, but complaints management has historically received far less attention.

    There are several reasons for this. Complaints often arrive through unpredictable channels: customer service emails, social media messages, verbal conversations with staff, or letters addressed to senior management. Without a centralised intake mechanism, these complaints fragment across departments, and accountability becomes unclear. Who owns the complaint? Who tracks the 30-day acknowledgement deadline? Who ensures the investigation is proportionate and thorough?

    The risk is compounded in larger organisations where multiple business units process personal data independently. A complaint about marketing preferences might land with the marketing team, while a complaint about an inaccurate credit check might go to the finance department. Neither team may have the training or authority to handle the complaint in accordance with data protection law, and the DPO or privacy lead may never learn the complaint existed.

    This fragmentation is precisely the kind of operational disconnect that creates regulatory exposure. The ICO does not distinguish between a complaint that was mishandled and one that was never identified in the first place; both represent failures to comply.

    Building a Complaints Process That Actually Works

    A compliant complaints process requires three foundational elements: visibility, workflow, and evidence.

    Visibility means ensuring that every data protection complaint, regardless of how or where it arrives, is captured in a single system of record. Your staff across all departments need clear guidance on what constitutes a data protection complaint and how to escalate it. A complaint does not need to use the phrase “data protection” or reference the GDPR to qualify; any expression of dissatisfaction about how personal data has been handled should trigger your process.

    Workflow means having defined steps that move a complaint from intake through investigation to resolution, with assigned responsibilities and time-bound milestones at each stage. Your process should specify who acknowledges the complaint, who conducts the investigation, who approves the outcome, and who communicates with the individual. These roles may vary depending on the nature of the complaint, but the structure should be consistent.

    Evidence is perhaps the most overlooked element. The ICO expects you to be able to demonstrate compliance, not merely assert it. This means maintaining records of when complaints were received, when they were acknowledged, what investigative steps were taken, what the outcome was, and when it was communicated. If the ICO asks you to evidence your complaints handling, “we dealt with it informally” is not an answer that will satisfy a regulator.

    Defining What Counts as a Data Protection Complaint

    Not every piece of negative feedback qualifies. A data protection complaint is specifically an expression of dissatisfaction about how your organisation has handled someone’s personal data. This could include concerns about unauthorised disclosure, inaccurate records, failure to respond to a subject access request, unwanted marketing, or a perceived breach of any data protection principle.

    General service complaints, even those that tangentially involve personal data, do not automatically fall within scope. However, your staff should err on the side of caution. It is far better to log a borderline case and assess it properly than to dismiss a genuine data protection complaint as a routine customer gripe.

    Setting Realistic Timelines

    The 30-day acknowledgement requirement is a maximum, not a target. Best practice is to acknowledge complaints within five working days, which demonstrates responsiveness and gives you a buffer against delays. For the investigation itself, there is no fixed statutory deadline, but “without undue delay” means you cannot let complaints languish for months without action. A reasonable internal target for most complaints is 30 to 60 days from receipt to outcome, though complex cases may take longer provided you keep the individual informed.

    Governance, Assurance, and Audit Readiness

    Your complaints process does not exist in isolation; it forms part of your broader privacy programme and must be governed accordingly. The DPO or privacy lead should have oversight of all data protection complaints, even those investigated by other teams, to ensure consistency and to identify systemic issues.

    Regular reporting to senior management is essential. Complaint volumes, resolution times, and outcomes should be tracked as key performance indicators, and trends should inform your risk assessments and processing reviews. If you receive multiple complaints about the same processing activity, that is a signal that your DPIA may need revisiting or that your privacy notices are inadequate.

    From an audit perspective, your complaints records should be structured so that an external reviewer, whether the ICO, an internal auditor, or a certification body assessing you against ISO 27701, can trace any individual complaint from receipt through to resolution and verify that each statutory requirement was met. This level of traceability is difficult to achieve with spreadsheets and shared folders, which is why many organisations are turning to purpose-built privacy management platforms.

    PrivacyEngine consolidates complaints management alongside your other core privacy operations, including records of processing, DPIAs, breach governance, and data subject rights management, so that your DPO has a single, auditable view of the entire programme. Trusted by over 80,000 users worldwide, the platform is designed around how privacy practitioners actually work, capturing decisions, accountability evidence, and approvals without requiring months of IT configuration. When a complaint relates to a specific processing activity or a prior breach, having that context immediately accessible within the same system dramatically reduces investigation time and improves the quality of your response.

    What Happens When the ICO Gets Involved

    If an individual is dissatisfied with how you have handled their complaint, or if you have failed to respond at all, they can escalate the matter to the ICO. The regulator will typically ask you to evidence your complaints process and demonstrate how you handled the specific case. This is where organisations with poor record-keeping face the greatest risk: even if you resolved the complaint satisfactorily, an inability to prove it can result in enforcement action.

    The ICO has also indicated that it will consider an organisation’s complaints handling track record when deciding how to respond to other regulatory matters. A well-run complaints process signals a mature privacy programme, while a chaotic or non-existent one raises questions about your broader compliance posture.

    Your complaints process should therefore include a clear escalation path that explains to individuals how they can raise concerns with the ICO if they remain dissatisfied. This is not just good practice; transparency about external recourse is part of meeting your obligations under data protection law.

    Bridging the Gap Between Policy and Operations

    Many organisations will have a written complaints procedure in place before 19 June 2026. Fewer will have one that is genuinely operational. The difference between the two is the difference between a document that sits on a SharePoint site and a living process that staff understand, follow, and can evidence.

    Training is a critical part of bridging this gap. Every member of staff who interacts with the public, or who handles personal data in a way that could generate complaints, should understand what a data protection complaint looks like and what to do when they receive one. This training does not need to be extensive, but it does need to be specific, practical, and refreshed regularly.

    Testing your process before the statutory deadline is equally important. Run a tabletop exercise using realistic complaint scenarios. Can your team identify the complaint, log it, acknowledge it within the required timeframe, investigate it, and communicate the outcome? Where does the process break down? These exercises reveal weaknesses that are invisible on paper.

    PrivacyEngine supports this operational readiness by providing structured workflows for complaint handling that mirror the statutory requirements, complete with automated deadline tracking and audit trails. As one G2 reviewer noted, it is a “user friendly platform that ensures compliance,” which reflects the practitioner-first design philosophy that distinguishes it from tools that prioritise complexity over usability.

    Treating Complaints as a Strategic Asset

    Organisations that view complaints purely as a regulatory burden miss a significant opportunity. Every data protection complaint is a data point about how your processing activities are perceived by the people they affect. Patterns in complaints can reveal gaps in your privacy notices, weaknesses in your consent mechanisms, training deficiencies among staff, or processing activities that carry higher risk than your initial assessments suggested.

    A well-structured complaints function feeds directly into your risk management framework, informing decisions about where to invest in privacy improvements and where your programme is performing well. This is the kind of continuous improvement cycle that regulators, auditors, and certification bodies want to see.

    Think of it in the same way you would treat financial controls. No organisation would consider it acceptable to have no process for handling billing disputes or expense irregularities. Data protection complaints deserve the same operational rigour, the same governance structures, and the same management attention.

    Your Next Step

    If your organisation does not yet have a structured, auditable process to deal with data protection complaints, the 19 June 2026 deadline is approaching rapidly. Rather than building from scratch with spreadsheets and manual workflows, consider a platform purpose-built for privacy operations. PrivacyEngine gives your DPO and privacy team a single system for managing complaints alongside every other element of your programme, from RoPA to breach response. Book a Demo to see how it can bring your vision for a compliant, efficient complaints process to life.
