New complaints process required by the Data (Use and Access) Act
On 12 February 2026, the Information Commissioner’s Office (ICO) published the final version of its guidance relating to the new requirement for organisations to have a data protection complaints process.
The Data (Use and Access) Act 2025 inserts a new section into the Data Protection Act 2018 giving data subjects the right to make a complaint to a data controller and imposes on a data controller a duty to facilitate this and, without undue delay, take appropriate steps to respond to the complaint and inform the data subject of the outcome.
In most cases, if someone complains to the ICO about the way an organisation has handled their personal data, then the ICO will direct them to raise a complaint with the organisation first.
Timing
The new legal requirement comes into force on19 June 2026.
Data protection law hasn’t previously required organisations to have a process of this type and so, for most organisations, action must now be taken to comply with the new requirements. No organisations are exempt from this new requirement.
What do organisations need to do?
1. Establish an internal process to deal with and record complaints and tell data subjects they can complain to the organisation if they believe the organisation has breached data protection law. This must be done when the personal data is collected (more likely in a privacy notice) and in responses to subject rights requests. Like SARs, organisations must provide a way for data subjects to make a complaint (including an electronic method like emailing a data protection email address), but complaints can be submitted in any way, so it will be important to make staff aware of the new right for data subjects to make complaints and what to do if they receive one.
2. Acknowledge complaints within 30 days of receipt.
3. Take appropriate steps, without undue delay, to respond to each complaint. This will include investigating the complaint and keeping the data subject informed.
4. Without undue delay, provide a response to the data subject setting out the outcome of the investigation into their complaint.
5. Comply with the new ICO data protection complaints guidance.
How we can help you to comply?
We have pulled everything that controllers need to have in place to comply with the new requirements into a clear, ready‑to‑use data protection complaints process pack, including templates policies, staff communications and process guidance aligned with the requirements of the Act and the ICO guidance.
If you’d like a structured, compliant process that can be implemented quickly, please get in touch with our specialist Data Protection Team.
_______________________________________________________________________________________
Disclaimer
This information is intended for general informational purposes only and does not constitute legal advice. We recommend seeking professional advice before taking any action on the information provided. If you would like to discuss your specific circumstances, please feel free to contact us on 0800 2800 421.
