From 19 June 2026, the Data (Use and Access) Act 2025 (the Act) will introduce a new requirement for organisations to have a process for handling data protection complaints. This follows a consultation by the Information Commissioner’s Office (ICO) which closed on 19 October 2025.
The Act amends, but does not replace, parts of the UK GDPR and Data Protection Act 2018, with the changes being phased in over a 12-month period from when the Act received Royal Assent on 19 June 2025.
The ICO has published its ‘Complaints guidance for organisations’, which confirms that there are no exemptions - the new requirement will apply to all UK organisations regardless of size or industry.
A complaint can come from anyone who is unhappy with how an organisation has handled their personal data (or the personal information of someone they're acting on behalf of), i.e. in response to a subject access request or where there has been a data breach.
From 19 June 2026, organisations will be required to:
- Give people a way of making data protection complaints
- Acknowledge receipt of complaints within 30 days of receiving them
- Without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keeping people informed; and
- Without undue delay, tell people the outcome of their complaints.
There is no need to set up a separate tool for receiving complaints, as long as organisations can still meet their obligations. Organisations that have an existing complaints process may adapt it to include data protection complaints, or they may decide to set up a new complaints tool, to ensure that they meet the new requirement.
