From 19 June 2026, all organisations operating in the UK must have a data protection complaints process. This means you must:
- Give people a way of making complaints to you;
- Acknowledge receipt of complaints within 30 days;
- Without undue delay, take appropriate steps to respond to the complaint, including by making appropriate enquiries and informing the complainant of progress on the complaint; and
- Without undue delay, tell the complainant the outcome of their complaint.
This applies to all organisations that are established in the United Kingdom, or that offer goods or services to, or monitor the behaviour of, data subjects in the United Kingdom.
Receiving complaints
Organisations need to provide people with a way to complain. This could be a complaint form, an email address, a live chat function (with the option to escalate to a human) or even in person if you don’t have an online presence.
There is no need to set up a new tool for data protection complaints, as long as arrangements already in place can deal with them. Importantly, whether or not your organisation has a dedicated complaints process, people can complain in whatever way they choose. You must accept the complaint whether or not they use your set process, and whether or not they use legal terms.
Complaints must be acknowledged within 30 days of receipt, starting the day after you receive the complaint, even if this is a weekend or public holiday. (If the last day is on a weekend or public holiday, you have until the next working day to provide an acknowledgement.)
Investigating complaints
All organisations must make appropriate enquiries and keep the complainant informed about the progress of their complaint, without undue delay.
The Information Commissioner’s Office (ICO) says making appropriate enquiries might mean speaking to members of staff, checking whether you’ve upheld your organisation’s policies and, if you aren’t sure what the complaint is about, asking the complainant for more information.
In practice, keeping the complainant informed about progress likely means informing them of the timeframe for your investigation, and explaining any delays in the process.
Responding to complaints
Organisations must tell the complainant the outcome of their complaint without undue delay. Note that if you provide the outcome within 30 days, there is no requirement to provide an acknowledgement and outcome separately.
Guidance
Your organisation must acknowledge receipt of complaints within 30 days and must deal with the complaint without undue delay.
While the Data (Use and Access) Act 2025 doesn’t require a formal written complaints procedure, organisations will need to make sure that they can deal with complaints effectively and consistently as part of their accountability obligations under UK GDPR.
Good practice indicates a written procedure which can be published or otherwise made available, and relevant procedures for staff. Other steps to be considered include:
- Adopting a data-protection specific complaints procedure including a clear policy for receiving and resolving complaints, alongside updating your existing data protection documentation to reflect these new obligations:
  - Your organisation’s privacy notice should inform individuals of their right to complain.
  - If you have a record of processing activities, this should record the steps you take to resolve a data protection complaint.
- Training staff in customer-facing roles about the organisation’s complaints process so they can recognise a complaint wherever it is made.
- Reviewing complaints to improve the organisation’s process going forward.
If individuals aren’t satisfied with the outcome of their complaint or the process for handling it, they may complain to the ICO, which will consider their complaint and may provide your organisation with advice and guidance or, in some cases, take regulatory action.
How can we help
At Abbiss Cadres, we offer pragmatic data protection advice to help businesses develop the policies and procedures that generate consumer, business partner, and employee confidence. For more information about how we can help, please contact us.