People have always had the opportunity to complain about the processing (use) of their personal data, the misuse or perceived poor management of their data. There were a number of routes – the Controller, the Information Commissioner and if necessary a First-tier Tribunal.
This became a right in the Data (Use and Access) Act 2025, which set out amendments to the Data Protection Act 2018 affecting all organisations and separately set out amendments for Law Enforcement processing.
This is enforceable from 19 June 2026.
From this date you MUST have a process for handling data protection complaints. There are no exceptions. This includes telling people that they can complain.
What is a data protection complaint?
When data subjects (people) make a complaint, it has to be the ‘right sort’ of complaint.
- It has to relate to the management of a data subject’s personal data.
- Typically this will be linked to the exercising of other rights such as the right of access, the right to erasure or the right to restrict processing (n.b. this is not an exhaustive list of rights).
- They may complain about the security measures you have used to store their data (often if they have been impacted by a data breach).
- How you collected their data, where you have stored it, how long you have kept it or even its accuracy.
- Your use of their data for direct marketing.
The complaint or processing does not have to be reportable.
The complaint can be received from children as they have the same rights as adults.
Key to dealing with the complaint is to understand the context of the complaint and determine, if possible, what the complainant is hoping to achieve or the outcome they desire.
You MUST accept a complaint.
What is NOT a complaint
Some people may complain about the service or some other matter whilst exercising their rights; these are not data protection complaints. For example:
- An employee raising a grievance and requesting a copy of their personal data.
- Complaining about customer service and requesting you delete (erase) their data.
If you are not sure, ask them to clarify.
Key obligations
You need to:
- Facilitate the opportunity for someone to make a complaint, i.e. tell them how to do this.
- Acknowledge receipt of the complaint within 30 days.
- Take the appropriate steps to investigate and resolve the issue without undue delay.
- Keep the complainant informed on progress and tell them the outcome of their complaint.
So what does this mean for each obligation?
1. Facilitate the opportunity for someone to make a complaint
- ‘such as providing a complaint form which can be completed electronically and by other means’ (ICO).
- As the controller you can decide on the ‘how’ e.g. an online form, phone, an online complaints portal, chat function (live), email etc.
- You don’t have to procure or build a separate tool if you have an existing acceptable method that they can use to raise their complaint.
- Bear in mind that the complainant can still use their own method to complain; you can’t force them to use the one you provide. This could also be in person, so a verbal complaint.
2. Acknowledge receipt of the complaint within 30 days of receiving it.
- Acknowledging is not the same as providing the resolution or answer.
- If you have received a verbal complaint, you may need to summarise the complaint back to the complainant and ask them how you can contact them with the outcome.
- If you can respond in full within 30 days you do not need to send an acknowledgement (you need to decide what is best practice and reflects better on your organisation).
- The 30 days starts the day after you receive the complaint (ICO).
3. Take appropriate steps without undue delay
- In theory there is no time limit on this stage of the complaint process.
- The ICO has not provided a defined timeline.
- There isn’t really an incentive to delay unnecessarily.
- Start the investigation within the first 30 days.
4. Keep the complainant informed on progress and tell them the outcome
- It is recommended that you keep the complainant informed if the investigation and steps to resolve their complaint are taking some time. This may be more relevant if you need to take specialist advice such as IT or Systems, or legal advice.
- You MUST tell them the outcome of their complaint and the subsequent investigation.
Other Considerations
Think about how you will handle complaints raised through Social Media. Take a sensible approach and consider if the person is intending to raise a complaint and expecting a response or if they are just making a public statement (‘grumble’).
As children can make a complaint, consider how you will deal with these as they are likely to be less aware of the risks and consequences, and their actual rights when you process their personal data. For children, you SHOULD respond in plain, clear language that they will understand, and you MUST assess their competence. You may need to provide different methods for children to complain. It is advisable to deal with children’s complaints as quickly as you can.
Actions
Update your privacy notice to include details of their right to complain, how to complain to you and then, if they are still not satisfied with the outcome, their right to complain to the ICO.
Consider some or all of the following to support the data protection complaints process.
- Staff awareness – do they know what a complaint might look like and who to escalate it to?
- Internal deadlines – how quickly do you need other teams / depts to respond?
- Identification checks – do you need to do these and how? Is someone else raising a complaint on behalf of a data subject and how will you check their authorisation to do this?
- Appoint a suitable member of staff to deal with the complaints.
- Appropriate enquiries within the organisation or with partners – how will these be made?
- Compare the complaint against the information held.
- Be prepared to admit mistakes – is the board or senior management accepting of this?
- Create objective and concise responses.
- Improve internal processes and procedures.
- Consult with HR if there are potential disciplinary matters – are your HR policies updated to accommodate this?
- Maintain a complaints log or a sub-category on your requests log – you may have to report on these numbers to the regulator in future, but your board or senior management are likely to want to know this. Allocate unique reference numbers to each complaint.
- If you are a joint controller you may need to update the agreement and identify a process for handling complaints.
If you need support, do not hesitate to contact Debbie at DT Information Governance https://www.dtinformationgovernance.co.uk/contact/


















