Summary
- From 19 June 2026, UK organisations must have a process for handling data protection complaints under the Data (Use and Access) Act.
- The ICO says organisations must provide a way to complain, acknowledge complaints within 30 days, investigate, keep people informed, and provide an outcome.
- Complaints may involve security measures, breach impact, subject access requests, data handling failures, and evidence of weak governance.
The Information Commissioner’s Office has brought UK organisations into a new phase of data accountability, with legal requirements for data protection complaints processes taking effect on 19 June 2026.
The requirement sits under the Data (Use and Access) Act and applies across organisations rather than only to large enterprises or heavily regulated sectors. The ICO’s guidance says there are no exemptions from having a process for handling data protection complaints.
At a minimum, organisations must give people a way to make data protection complaints, acknowledge receipt within 30 days, take appropriate steps to respond without undue delay, make appropriate enquiries, keep people informed, and tell them the outcome. The ICO says a complaint can arise where someone considers that an organisation has infringed data protection legislation in the way it has handled their personal information.
The change affects the governance environment around security incidents, data handling failures, rights requests, retention decisions, and customer or employee concerns about how personal information is protected. The ICO’s guidance gives examples that include complaints about the security measures used to store information, including where someone has been affected by a data breach even if the incident is not reportable to the regulator.
That brings the duty directly into cyber risk management. Organisations often treat breach reporting, subject access requests, complaints, legal correspondence, and customer service handling as separate operational processes. After an incident, those processes can converge. A person may not know whether a breach was reportable, whether controls were adequate, or whether their data was misused. They may simply complain that their information was handled insecurely. The organisation will need to receive, classify, investigate, evidence, and respond to that complaint in a disciplined way.
The evidential burden also changes inside the business. A complaints process that exists only as a web form will not be enough if the organisation cannot trace decisions, retrieve technical facts, involve security and privacy specialists, and explain outcomes in a way that can withstand regulatory scrutiny. Clear ownership is needed between privacy, legal, security, customer operations, HR, and service teams, depending on the data and the individual involved.
Smaller organisations may find the requirement deceptively simple. A 30-day acknowledgement deadline is easy to understand, but the harder work is knowing who can assess a security-related complaint, how to preserve relevant logs or records, when to escalate into incident response, and how to avoid inconsistent responses across channels. Larger organisations face the opposite problem: high volumes, multiple brands, outsourced support, and fragmented data estates can make it difficult to identify all information relevant to a complaint.
Repeated complaints about the same system, supplier, product, or control can also become an early warning of broader failure. If complaints are handled as isolated service tickets, that signal may be lost. If they are connected to risk registers, incident trend analysis, supplier management, and privacy governance, they can expose weak controls before a regulatory investigation or a larger incident does.
The ICO’s guidance should therefore be treated as part of operational resilience for data handling. It requires a visible route for complaints, while the underlying discipline is broader: know what data is held, who is responsible for it, how security concerns are investigated, and how decisions are evidenced.
From 19 June, a person does not need to use legal language to trigger the process. They only need to raise a concern that their personal information has been mishandled. Organisations that cannot recognise those complaints at the front door may fail before the investigation has started.





