Summary
- The ICO says all organisations handling personal data must now provide a clear way to raise data protection complaints.
- Organisations must acknowledge complaints within 30 days, investigate appropriately, and communicate outcomes.
- The change affects governance, breach-adjacent complaints, evidence handling, customer trust, and regulatory escalation.
The Information Commissioner’s Office says new legal requirements on how organisations handle data protection complaints are now in force, creating a practical compliance duty across privacy operations, customer service, incident response, and governance.
The new duty applies to all organisations handling personal data. The ICO says they must give people a clear way to raise a data protection complaint, acknowledge complaints within 30 days, investigate appropriately, and communicate the outcome. The regulator has framed its launch approach around helping organisations embed good practice rather than catching businesses out.
The ICO has published a notice on the new complaints law and separate guidance on how to deal with data protection complaints. The guidance makes clear that organisations must have a process for handling complaints and that there are no exemptions from the requirement.
The change is not a cyber incident, but it belongs in the same governance environment. Complaints are often the first visible sign that something has gone wrong with personal data handling. A customer may report an unexpected account change, a suspicious email, a failed deletion request, a misdirected disclosure, an access problem, or concern that their data has been exposed. Weak complaints processes can delay escalation, fragment evidence, and leave organisations with a poor record of what they knew and when they knew it.
The 30-day acknowledgement requirement also affects how teams route concerns internally. Data protection complaints may arrive through customer service, legal, privacy, security, HR, product teams, branch staff, social media, or third-party processors. Organisations that rely on informal routing can lose time before the right people understand the complaint’s significance.
In breach-adjacent scenarios, that delay can shape the response. A data protection complaint may not be a confirmed breach notification, but it can trigger the need to assess whether personal data has been compromised, whether a processor or supplier is involved, whether technical logs are needed, and whether the organisation has separate reporting obligations. Complaints handling therefore needs to connect with incident response rather than sitting in a detached customer-relations workflow.
The new duty also creates a practical accountability test. The ICO’s emphasis on clear routes, investigation, and communication means organisations will be judged not only on whether they have a written policy, but on whether people can actually use it. A confusing webform, poorly trained frontline staff, or vague response template may satisfy neither complainants nor the regulator if the underlying process does not work.
Larger organisations will need to treat complaints data as operational intelligence. Repeated complaints can reveal control failures, product design problems, supplier issues, weak access controls, or recurring confusion around rights. Treating complaints as isolated cases misses their value in identifying patterns that should feed into risk reporting and remediation.
Smaller organisations may face a different problem: ownership. The ICO has warned that many businesses aware of the Data (Use and Access) Act either do not know or incorrectly think the change does not apply to them. A simple process can be enough, but it still needs named responsibility, records, escalation thresholds, and the ability to demonstrate that complaints were handled properly.
The law creates a defined obligation, while the practical effect is broader. Data protection complaints now form part of the evidence base for whether organisations take personal data governance seriously before a dispute becomes an enforcement matter.





