New requirements for handling data protection complaints
New legislation will come into force on 19 June 2026 requiring organisations to put in place a process to facilitate data protection complaints.
The Data (Use and Access) Act 2025 has introduced a new requirement for organisations to facilitate complaints about an organisation’s compliance with data protection legislation. These changes will take effect on 19 June 2026.
What is a data protection complaint?
A data protection complaint is a complaint by an individual made to an organisation about an infringement of the UK GDPR.
For example, individuals may wish to raise a complaint about how an organisation has responded to a data subject access request or how their personal data has been collected and used.
How should we deal with data protection complaints?
The Information Commissioner’s Office (ICO) has published its guidance on how it expects organisations to handle data protection complaints going forward. Key points from the ICO’s guidance can be briefly summarised below:
-
Give people a way of making a complaint: this may be providing a specific data protection complaints email address, providing a complaints form or using another method. Whilst organisations may encourage complaints through a particular method, they should still accept complaints made in other ways.
-
Acknowledging the complaint: by law, organisations will need to acknowledge a complaint within 30 days of receipt. The acknowledgement should confirm that the complaint has been received and will be investigated. The ICO expects organisations to have processes to ensure complaints can be acknowledged even during school holidays, office closures and when staff are absent due to sickness.
-
Investigating the complaint without undue delay: the duty to investigate the complaint begins as soon as the complaint is received and it must be carried out without undue delay. Organisations should gather all relevant information, speak to appropriate staff, compare the complaint with their records and check compliance with internal policies. If the complaint is unclear, the complainant should be asked for further information promptly.
-
Keeping the complainant informed: throughout the investigation, organisations must keep the complainant informed of progress. This will usually mean informing the complainant of expected timeframes and reasons for any delay.
-
Informing the complainant of the outcome: complainants must be informed of the outcome of their complaint promptly. The ICO expects organisations to explain how the complaint has been resolved and, if appropriate, the actions taken as a result of the complaint. Organisations may offer a right of review and inform the complainant of their right to contact the ICO if they remain dissatisfied (although there is no legal obligation to do so).
-
Recording your actions: organisations should keep records of when the complaint was received, when it was acknowledged, the outcome and any actions taken as a result of the investigation. These records also allow organisations to identify patterns in data protection complaints, enabling them to better address compliance risks.
The ICO's full guidance can be accessed here: How to deal with data protection complaints.
Practical steps for organisations to take
Some organisations may wish to incorporate data protection complaints into their wider complaints policy. However, a standalone policy may be beneficial where timeframes may differ from the general complaints policy or where general policies apply only to certain categories of complainant.
Organisations should also take steps to ensure data protection complaints can be addressed at all times. This will be particularly relevant for schools and other organisations who have significant periods of closure throughout the year.
If you would like to discuss any aspect of this article further, please contact the Charities and Social Economy team on 0113 244 6100.
You can also keep up to date by following Wrigleys Solicitors on LinkedIn.
The information in this article is necessarily of a general nature. The law stated is correct at the date (stated above) this article was first posted to our website.
Specific advice should be sought for specific situations. If you have any queries or need any legal advice, please feel free to contact Wrigleys Solicitors.
|
How Wrigleys can help Wrigleys Solicitors is a specialist charity and private client law firm with a dedicated Charities and Social Economy team that advises hundreds of charities and not-for-profit organisations. As one of the leading charity law practices in the UK, and one of the few firms with lawyers working exclusively for charity and social enterprise clients, we are recognised as experts in our field. We provide practical, common-sense, and technically excellent advice, forming valued long-term relationships with our clients. If you or your organisation require advice on this topic, get in touch. |
