From 19 June 2026 all controllers processing personal data under UK GDPR must comply with new data protection complaints handling requirements. This mandate, driven by the Data (Use and Access) Act 2025 (DUAA), will affect organisations large and small.
The new regime moves to prioritise “local resolution first”, requiring controllers to attempt to resolve grievances directly with individuals. Strategic risk mitigation now requires organisations to move beyond ad hoc responses to a more considered approach.
This regime transforms complaints handling from a reactive task into a mandatory compliance operations function. Controllers must audit their existing frameworks to ensure they:
- Tell people how they can make a complaint
- Put in place a process which allows them to:
  - Acknowledge complaints within the required time frame
  - Effectively investigate the complaint without undue delay
  - Keep the individual informed
  - Provide a response to the complaint without undue delay
For practical guidance on the regime changes, you can watch our webinar here.
Who does this apply to? The “No Exemptions” approach
The obligation to maintain a data protection complaints process is universal. The ICO has explicitly stated there are no exemptions based on turnover, headcount, or sector. The mandate applies to:
- SMEs and large organisations
- Charities and non-profits
- Schools and educational institutions
- Employers
- Public authorities
What is a data protection complaint?
Under the new regime, a complaint is triggered when an individual considers you have infringed data protection law in how their personal data is or has been used. Triggers for complaints could include:
- Suspected misuse of data: processing data in a manner the data subject did not expect, or for which there is no legal basis.
- Excessive retention or unlawful sharing: holding data beyond the time needed for its lawful purpose, or sharing it without a valid legal basis.
- Concerns regarding AI and Automated Decision-Making (ADM): e.g. where there has been a failure to ensure the individual has adequate information and opportunity to contest the decision.
- Data breaches and DSAR failures: e.g. failure to respond to a DSAR within the required time frame.
Data protection complaints rarely arrive in isolation. They are frequently “bundled” with customer service grievances, refund requests, or employment disputes. A senior compliance director’s view from the bridge is that your intake teams must be trained to “unbundle” these issues. While the refund is handled by Finance, the data grievance must be separated out and dealt with in coordination with the relevant departments, e.g. Marketing, HR, or Legal, to ensure statutory requirements are met.
Responding to the complaint and the 30-Day rule
The legislation has established procedural benchmarks that demand high levels of operational coordination.
- The 30-Day acknowledgment: Controllers must acknowledge receipt of the complaint within 30 days of receipt. Do not use this acknowledgment to commit to a premature resolution deadline; use it to manage expectations and provide a realistic timeline based on the complexity of the issue.
- Postal complaints: For organisations operating remote offices or hybrid models, be aware that physical post can create a significant operational bottleneck that must be addressed through centralised mail scanning or redirected intake.
- Effective investigation: You must make appropriate enquiries to investigate the complaint without undue delay. This might involve speaking with staff, reviewing relevant documentation, and so on.
- Response timing: The law requires a full response to the complaint “without undue delay.” The legislation also requires you to keep the individual informed of the progress of the complaint.
Updates to policies and procedures
Controllers must execute a comprehensive review of all public-facing and internal documentation to ensure compliance with the new regime, in particular:
- Privacy Notices: These must be updated to signpost complaint routes.
- Data Subject Rights workflows: Every right request response must explicitly mention the individual’s right to complain if they consider the response is not compliant.
- Intake channels: Controllers must ensure that a complaint can easily be made by an individual – for example, if customer service chatbots and AI interfaces are used, they should be trained to recognise phrases beyond the word “complaint.” Triggers such as “Why are you still contacting me?”, “Where did you get my data?”, or “I want my data deleted” should be automatically flagged for the privacy team.
- Internal complaints procedure: This needs to align with the requirements, including timeframes, the need to verify identity and the authority of third parties, and provision for a review of complaint outcomes so that lessons are learned.
- Complaints log: To record and monitor the progress of complaints
Practical implementation: Verification, training, and security
If it is necessary to carry out identity checks, these must be reasonable and proportionate. Third-party representatives present a potentially significant security risk: controllers must verify the specific authority of any third party acting on behalf of an individual at the outset.
Staff training
Training must not be a one-size-fits-all exercise. We recommend a layered approach:
- High-level training (all staff): Focusing on recognising and escalating potential data protection complaints even in the absence of legal terminology, and ensuring staff understand that complaints can be made in a number of different ways and must be dealt with however they are received.
- Enhanced training (privacy, legal, and frontline): Deep-dive training on how to respond to complaints compliantly and in accordance with your organisation’s procedures.
Governance
Senior management must maintain oversight of complaint-handling trends. Recurring themes in complaints (e.g., marketing opt-out glitches) should trigger a wider review of the organisation’s privacy processes and technical and organisational measures.
Why the regulatory landscape has changed
The shift to mandatory internal complaints handling addresses three regulatory objectives:
- Earlier dispute resolution: Resolving issues at the source to prevent regulatory friction.
- Operational accountability: Forcing organisations to treat privacy concerns with the same operational rigour as financial or consumer complaints.
- Reducing ICO pressure: With the ICO receiving over 42,000 complaints annually, the “local resolution first” principle is a strategic move to try to free up regulator resources.
The new regime is not merely a restatement of rights, and organisations that fail to engage risk direct regulatory intervention and reputational damage.
Download our complaints checklist to help your compliance journey.
If you need more support, please contact us.
FAQs
What is the difference between a consumer / customer complaint and a data protection complaint?
Individuals do not need to use specific legal terminology, mention the word "complaint," or use a designated form to raise a data protection complaint. Because of this, it is crucial to recognise that a data protection complaint might be just a single sentence bundled inside a broader customer service query or a social media message.
How can we train chatbots to identify specific privacy phrases?
When training an AI chatbot to identify privacy phrases, you need to be highly strategic about the terminology it is programmed to flag.
First, you should train the chatbot to look for specific keywords like “complaints” and “data protection”. Because individuals do not always use formal legal language when raising an issue, you must also program the chatbot to recognise common conversational phrases, such as “what are you doing with my data?” or “why are you still contacting me?” to flag these for consideration.
Crucially, you must avoid relying on broad, standalone terms like “data”. When identifying complaints amidst the “noise” of a busy inbox, using overly broad terms will flag too many routine queries and overwhelm your ticketing system. By focusing on targeted phrases, your chatbot can successfully act as a first line of defence to spot and escalate data protection concerns.
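The intake-flagging approach described in the intake channels bullet above and in this FAQ answer, as an added worked example (not code from the original article or from any chatbot vendor): a small Python triage routine that scores a targeted phrase list against the broad standalone term “data” on a constructed, hand-labelled sample inbox. The regexes, the sample messages and their labels are all assumptions made for this example; the phrases themselves are the ones the article names. The evaluation shows the two failure modes the answer warns about: the broad term both flags routine queries and misses conversational complaints that never mention “data”.

```python
import re

# Targeted phrases the article recommends flagging. The regexes are constructed
# for this example; the phrases are the ones the article names.
TARGETED_PATTERNS = [
    r"\bcomplain(?:t|ts|ing)?\b",
    r"\bdata protection\b",
    r"\bwhat are you doing with my data\b",
    r"\bwhy are you still contacting me\b",
    r"\bwhere did you get my data\b",
    r"\bi want my data deleted\b",
]

# The broad standalone term the article warns against relying on.
BROAD_PATTERNS = [r"\bdata\b"]

# Constructed sample inbox: (message, is_data_protection_concern), labelled by hand.
SAMPLE_INBOX = [
    ("Why are you still contacting me? I unsubscribed months ago.", True),
    ("Where did you get my data? I never signed up for anything.", True),
    ("I want my data deleted, please confirm when it's done.", True),
    ("I'd like to make a complaint: you keep sending me marketing texts after I opted out.", True),
    ("Can you check how much data allowance is left on my plan?", False),
    ("Has my order shipped yet? The tracking page just says 'no data'.", False),
    ("What are you doing with my data? I only gave my email for a receipt.", True),
    ("Can I change the delivery date for my order?", False),
]


def matched_patterns(text, patterns):
    """Return the patterns that fire on one message (case-insensitive search)."""
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


def route(text, patterns=TARGETED_PATTERNS):
    """Route a message: to the privacy team if any pattern fires, else the general queue.

    The matched patterns are returned too, so the human reviewer can see *why*
    the message was escalated and unbundle it from any customer-service part.
    """
    hits = matched_patterns(text, patterns)
    return ("privacy_team", hits) if hits else ("general_queue", [])


def evaluate(inbox, patterns):
    """Score a pattern set against a labelled inbox.

    false_positives: routine queries wrongly escalated (the 'noise' problem).
    missed: genuine data protection concerns the patterns never flagged.
    """
    tp = fp = fn = 0
    for text, is_concern in inbox:
        flagged = bool(matched_patterns(text, patterns))
        if flagged and is_concern:
            tp += 1
        elif flagged and not is_concern:
            fp += 1
        elif not flagged and is_concern:
            fn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"flagged": tp + fp, "false_positives": fp, "missed": fn,
            "precision": precision, "recall": recall}


if __name__ == "__main__":
    for name, patterns in (("targeted", TARGETED_PATTERNS), ("broad", BROAD_PATTERNS)):
        print(name, evaluate(SAMPLE_INBOX, patterns))
    for text, _ in SAMPLE_INBOX:
        print(route(text))
```

On the constructed inbox the targeted list escalates exactly the five labelled concerns, while the broad term escalates two routine account and delivery queries and misses two genuine complaints that never use the word “data”. The phrase list is a starting point only; in practice the privacy team should review what the route function escalates and extend the list from the complaints log.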
What are the risks of using generic complaint response templates?
Alienating the complainant and failing to make them feel heard is a primary risk of using overly generic complaint response templates. When individuals make a data protection complaint, they are often already frustrated, and sending a standard, generic letter that does not even refer to their specific situation can make them feel ignored and dismissed.
Additionally, relying on generic responses poses the risk of prolonging the dispute and inviting further questions. If your template response fails to address every point the individual raised in their original complaint, it will likely prompt them to come back with follow-up emails and additional queries. This not only creates extra administrative work for your team but also increases the likelihood that an unhappy individual will escalate the matter to the Information Commissioner’s Office (ICO).
While keeping response templates on hand is recommended for efficiency and to ensure legal terminology is correct, it is critical that these templates are highly tailored to the specific complaint. Relying solely on existing generic complaints procedures will likely fail to satisfy the ICO’s new operational expectations without proper modification. You must ensure that the final response specifically outlines the exact steps taken to investigate and resolve their unique concerns.