Data Protection and the right to complain

By DT Information Governance Ltd

17 Jun 2026

DP COmplaints.png.png

People have always had the opportunity to complain about the processing (use) of their personal data, the misuse or perceived poor management of their data. There were a number of routes – the Controller, the Information Commissioner and if necessary a First-tier Tribunal.

This became a right in the Data (Use and Access) Act 2025 which set out amendments to the Data Protection Act 2018 affecting all organisation and separately set out amendments for Law Enforcement processing.

This is enforceable from 19 June 2026. 

From this date you MUST have a process for handling data protection complaints. There are no exceptions. This includes telling people that they can complain.

What is a data protection complaint?

When a data subject (people) make a complaint it actually has to be the ‘right sort’ of complaint. 

  • It has to relate to the management of a data subject’s personal data.
  • Typically this will be linked to the exercising of other rights such as the right of access, the right to erasure or the right to restrict processing (n.b. this is not an exhaustive list of rights).
  • They may complain about the security measures you have used to store their data (often if they have been impacted by a data breach).
  • How you collected their data, where you have stored it, how long you have kept it or even its accuracy.
  • Your use of their data for direct marketing.

The complaint or processing does not have to reportable.

The complaint can be received from Children as they have the same rights as adults.

Key to dealing with the complaint is to understand the context of the complaint and determine if possible, what the complainant is hoping to achieve or the outcome they desire.

You MUST accept a complaint.

What is NOT a complaint

Some people may complain about the service or some other matter whilst exercising their rights, these are not data protection complaints. For example:

  • An employee raising a grievance and requesting a copy of their personal data.
  • Complaining about customer service and requesting you delete (erase) their data.

If you are not sure, ask them to clarify.

Key obligations

You need to:

  1. Facilitate the opportunity for someone to make a complaint i.e. tell them how to do this
  2. Acknowledge receipt of the complaint within 30 days.
  3. Take the appropriate steps to investigate and resolve the issue without undue delay.
  4. Keep the complaint informed on progress and tell them the outcome of their complaint.

So what does this mean for each obligation

1. Facilitate the opportunity for someone to make a complaint

  • ‘such as providing a complaint form which can be completed electronically and by other means’ (ICO).
  • As the controller you can decide on the ‘how’ e.g. an online form, phone, an online complaints portal, chat function (live), email etc. 
  • You don’t have to procure or build a separate tool if you have an existing acceptable method that they can use to raise their complaint.
  • Bear in mind that the complainant can still use their own method to complain, you can’t force them to use the one you provide. This could also be in person, so a verbal complaint.

2. Acknowledge receipt of the complaint within 30 days of receiving it.

  • Acknowledging is not the same as providing the resolution or answer.
  • If you have received a verbal complaint, you may need to summarise  the complaint back to the complainant and ask them how you can contact them with the outcome.
  • If you can respond in full within 30 days you do not need to send an acknowledgement (you need to decide what is best practice and reflects better on your organisation).
  • The 30 days starts the day after you receive the complaint (ICO).

3. Take appropriate steps without undue delay

  • In theory there is no time limit on this stage of the complaint process.
  • The ICO has not provided a defined timeline
  • There isn’t really an incentive to delay unnecessarily.
  • Start the investigation within the first 30 days.

4. Keep the complaint informed on progress and tell them the outcome

  • It is recommended that you keep the complainant informed if the investigation and steps to resolve their complaint are taking some time. This may be more relevant if you need to take specialist advice such as IT or Systems, or legal advice.
  • You MUST tell them the outcome of their complaint and the subsequent investigation.

Other Considerations

Think about how you will handle complaints raised through Social Media. Take a sensible approach and consider if the person is intending to raise a complaint and expecting a response or if they are just making a public statement (‘grumble’).

As children can make a complaint, consider how you will deal with these as they are likely to be less aware of the risks and consequences, and their actual rights when you process their personal data. For children, you SHOULD respond in plain, clear language that they will understand, and you MUST assess their competence. You may need to provide different methods for children to complain. It is advisable to deal with children’s complaints as quickly as you can.

Actions

Update your privacy notice to include details of their right to complain, how to complain to you and then if still not satisfied with the outcome, their right to complain to the ICO.

Consider some or all of the following to support the data protection complaints process.

  • Staff awareness – do they know what a complaint might look like and who to escalate it to?
  • Internal deadlines – how quickly do you need other teams / depts to respond?
  • Identification checks – do you need to do these and how? Is someone else raising a complaint on behalf of a data subject and how will you check their authorisation to do this?
  • Appoint a suitable member of staff to deal with the complaints.
  • Appropriate enquiries within the organisation or with partners – how will these be made?
  • Compare the complaint against the information held.
  • Be prepared to admit mistakes – is the board or senior management accepting of this?
  • Create objective and concise responses.
  • Improve internal processes and procedures.
  • Consult with HR if there are potential disciplinary matters – are your HR polices updated to accommodate this?
  • Maintain a complaints log or a sub-category on your requests log – you may have to report on these numbers to the regulator in future, but your board or senior management are likely to want to know this. Allocate unique reference numbers to each complaint.
  • If you are a joint controller you may need to update the agreement and identify a process for handling complaints.

If you need support, do not hesitate to contact Debbie at DT Information Governance  https://www.dtinformationgovernance.co.uk/contact/ 

Latest news

1

Vape firm IVG targets £1bn revenue IVG Preston staff

Vape firm IVG targets £1bn revenue

08 Jul 2026

2

EG On The Move adds 85 forecourts to its portfolio Zuber Issa

EG On The Move adds 85 forecourts to its portfolio

06 Jul 2026

3

£4.6bn fighter jet contract boosts BAE Systems' Lancashire programme GCAP funding

£4.6bn fighter jet contract boosts BAE Systems' Lancashire programme

06 Jul 2026

4

Lancashire leaders help shape Northern Growth Strategy Phil Riley, Tom Riordan and Stephen Atkinson

Lancashire leaders help shape Northern Growth Strategy

06 Jul 2026

5

New road boosts access to Blackpool Airport Enterprise Zone Natures Aid

New road boosts access to Blackpool Airport Enterprise Zone

06 Jul 2026

Blackburn College (July-Aug 26)
Background image for hub sign up block

LBV Hub

Leverage Lancashire Business View platforms

Post your news
Post your events
Post your offers
Build your network
Improve your SEO
Gain coverage in the magazine
Sign-up
Events
LBV129 July/August Magazine Networking Event
Nov/Dec Networking Event
Networking
16 Jul 2026

LBV129 July/August Magazine Networking Event

Brysdales, Britannia Buildings Drumhead Road, Chorley, PR6 7BX

16:00 - 18:00

LBV130 September/October Magazine Networking Event
Jan/Feb Networking Event - Entrance
Networking
17 Sep 2026

LBV130 September/October Magazine Networking Event

The Beehive Blackburn, Shadsworth Business Park, BB1 2Q

08:30 - 10:30

Built Environment Conference 2026
BEC Listing
Networking
24 Sep 2026

Built Environment Conference 2026

08:30 - 13:00

Sub36 Awards 2026
Awards
16 Oct 2026

Sub36 Awards 2026

Park Hall Hotel & Spa , Chorley

18:00 - 00:00

LBV131 November/December Magazine Networking Event
Jan/ Feb Networking Event - Talking
Networking
19 Nov 2026

LBV131 November/December Magazine Networking Event

Lancashire

08:30 - 10:30

Lancashire Business Day 2026
LBD Listing
Networking
27 Nov 2026

Lancashire Business Day 2026

Burnley Football Club, BB10 4BX

12:00 - 17:00

July Preston Tech Connection Hot Takes
PTC Square July (900 x 900 px).png.png
LBV Hub Networking
15 Jul 2026

July Preston Tech Connection Hot Takes

Society1, Coworking Space, Preston, PR1 3LT

18:00 - 19:03

Preparing for the changes to unfair dismissal
Logo.jpg.jpg
LBV Hub Seminars
15 Jul 2026

Preparing for the changes to unfair dismissal

The Longlands Hotel, Carnforth, LA6 1JH

08:00 - 10:00

The Business Network Central and East Lancashire
LBV Header (34).png.png
LBV Hub Networking
16 Jul 2026 - 16 Jul 2026

The Business Network Central and East Lancashire

Mytton Fold, Langho, BB6 8AB

11:30 - 14:15

Achieving more with your money: Your options at retirement
LBV Hub Seminars
16 Jul 2026

Achieving more with your money: Your options at retirement

Accrington Stanley Football Club, Accrington, BB5 5BX

17:55 - 17:55

Preston Freelancer Meet-Up July
LBV Hub Networking
21 Jul 2026

Preston Freelancer Meet-Up July

Society1, Coworking Space, Preston, PR1 3LT

10:00 - 12:00

Legacy & Leadership – Planning for Lift, Death and business continuity
Logo.jpg.jpg
LBV Hub Seminars
21 Jul 2026

Legacy & Leadership – Planning for Lift, Death and business continuity

Lancaster & Morecambe College, Lancaster, LA1 2TZ

09:00 - 10:30

Advertise with us

Reaching 50,000 members, our print, digital and event platforms offer a fantastic way to raise your business profile and help you grow.

Find out more LBV124 Online Graphic
Subscribe now

Weekly news bulletin