UK data protection law update: the Data (Use and Access) Act 2025 and complaints handling procedures
The Data (Use and Access) Act 2025 (“the Act”) is a new piece of legislation that aims to simplify the UK’s data protection and privacy regime and harness the power of data, particularly AI, for economic growth. It received Royal Assent on 19 June 2025 and is being brought into force in various stages by regulations.
What are the key changes?
The Act introduces various key changes for organisations, which include:
- The new requirement for organisations to implement complaints handling procedures;
- Digital verification services;
- Changes to the law on automated decision-making;
- Reform of the restrictions on international transfers;
- The introduction of the new ‘recognised legitimate interests’ legal basis for processing personal data;
- Smart data schemes; and
- Changes to the UK’s Information Commissioner’s Office (“the ICO”).
This article will focus on the recent guidance issued on complaints handling procedures and steps organisations should undertake to remain legally compliant.
Complaints handling procedures
In February 2026, the ICO released a guidance note on dealing with data protection complaints. The ICO has made clear that organisations must have a process for handling data protection complaints within their organisation.
Under the legislation, organisations must:
- give people a way of making data protection complaints to them;
- acknowledge receipt of complaints within 30 days of receiving them;
- without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep people informed; and
- without undue delay, tell people the outcome of their complaints.
What complaints fall in scope?
All organisations must have a process for handling data protection complaints which sets out clear expectations on acknowledging, investigating, recording and resolving complaints. This process must be in place by no later than 19 June 2026. Organisations should therefore have such procedures high on their agenda to ensure they remain compliant with UK data protection legislation. As with data subject access requests, data protection complaints do not need to use legal terms or quote sections of legislation in order for them to be treated as complaints under the Act.
If data protection legislation has been infringed because of the way an organisation has handled a data subject’s personal information, the data subject can submit a complaint. For example, potential complaints could cover:
- the way an organisation has responded to an individual’s data subject access request (“DSAR”) or other subject rights;
- security measures used to store an individual’s personal data, if affected by a data breach; or
- how an organisation has collected or used an individual's personal data.
The ICO has also issued guidance on what may not constitute a data protection complaint, such as:
- where a DSAR has been responded to on time, but has not been expedited;
- where an employee has raised a grievance issue, and also requested copies of their personal information; or
- where a person has complained about a customer service issue, and also requested the deletion of their information.
This shows that data protection complaints may not always be clear-cut, so it is important to clarify with the individual whether they are raising a complaint or not.
How can you best prepare for how you will receive and check complaints?
A key element of the ICO’s guidance is that organisations must give people a way of making data protection complaints directly to them. There is no prescriptive way of doing this; however, the ICO has provided some examples of how this can be done:
- provide a complaint form that people can submit to your organisation either electronically or in writing (e.g. by email or post);
- provide an email address for people to submit complaints to;
- allow people to make complaints over the phone;
- provide an online complaints portal;
- have a live chat function with the option to escalate to a human if needed; or
- give people a way to make complaints to you in person (e.g. if you do not have an online presence).
The ICO has emphasised that you do not need to have a separate tool for receiving complaints, as long as there is a clear and accessible complaints process which can demonstrate compliance with the UK data protection legislation. It would be good practice for the complaints procedure to contain the following information:
- the method your organisation has set to receive complaints;
- what evidence or supporting information your organisation needs to investigate complaints;
- what proof of ID your organisation accepts;
- what type of proof of authority your organisation accepts, if people complain on behalf of others; and
- that your organisation acknowledges complaints within 30 days (which starts the day after you receive the complaint, regardless of weekends or public holidays), keeps people informed of progress and explains the outcome of their complaint.
Another consideration is that although you can invite people to use your set process, they are under no obligation to do so. People may complain in a way of their choosing and may use other channels. For example, they may contact other employees in the organisation (who are not responsible for data protection compliance) or contact the organisation via a social media account where the organisation has an online presence. If this does happen, it is important that the complaint is acknowledged by the organisation and dealt with in accordance with its complaints handling procedure. Responding on social media is generally not a secure way of providing information, so if someone submits a complaint via social media, the ICO emphasises asking for an alternative contact method instead.
Transparency of informing individuals of their right to complain
The ICO emphasises that organisations must tell people they can complain to them, as well as to the ICO:
- at the point the organisation collects their personal information (for example, by displaying this in their privacy notices); and
- when organisations respond to a DSAR.
If an organisation is processing information for law enforcement purposes, there are various points when organisations must tell people they can complain, unless a restriction applies:
- when restricting the information organisations provide to people in connection with their right to be informed;
- when responding to a DSAR;
- when refusing a rectification, erasure or restriction request; and
- when withholding information in response to a DSAR, or the right to be informed, where the basis for withholding information is that it is protected by legal professional privilege or if another exemption applies.
Key takeaways
There are a number of steps organisations can take now to ensure they are legally compliant:
- Draft or update existing data protection documents, e.g. privacy notice, to include a procedure to deal with data protection complaints.
- Ensure your record keeping system is fit for purpose – keep your records up to date, clearly organised and labelled to enable you to access information quickly and efficiently.
- Training – ensuring that those people dealing with data protection complaints are trained on the procedure, including understanding how to recognise a data protection complaint. You may also wish to train/signpost employees in the organisation as to what to do if they receive a data protection complaint themselves.
- Meet your obligations as joint controllers and processors – there should be transparent processes in place if one controller receives a complaint, so that they know how they should notify/liaise with another joint controller, having regard to the Data Sharing Code of Practice. Data Processors should be cooperative with such investigations into complaints.
- Ensure you respond to data protection complaints within the requisite timeframe and keep individuals informed of the status and outcome of their complaint. Organisations should also inform individuals of their right to submit a complaint to the ICO and provide their contact details.
Melanie Pimenta
Melanie is a Senior Associate in the employment team, who acts for businesses and individuals. She is an experienced advocate, having undertaken over 140 hearings, including 10 final hearings at the employment tribunal.