From 19 June 2026, all organisations that act as data controllers must have a formal process in place for individuals to raise data protection complaints directly with them.
If you are a business that handles personal data – whether relating to customers, employees, suppliers or service users – now is the time to check that your complaints handling framework is fit for purpose. In many cases, existing grievance or customer complaints procedures will need updating.
What is changing?
The Data Use and Access Act (DUAA) introduces a statutory right for individuals (data subjects) to complain directly to a data controller if they believe their personal data has been processed in breach of data protection legislation.
While organisations have always had to deal with data protection concerns in practice, from 19 June 2026 this becomes a formal legal requirement, with specific expectations set out in legislation and supporting ICO guidance. Importantly, this obligation applies across all sectors and to all data controllers, regardless of size or industry.
The new requirement sits alongside the wider reforms introduced by DUAA and you can read our overview for background on what is already in force.
What counts as a data protection complaint?
A data protection complaint is any complaint from an individual relating to how their personal data has been handled. This could include concerns about:
- The lawful basis for processing their data
- How data was collected, stored, used or shared
- Security measures and data breaches
- How a data subject access request (DSAR) was handled
- Failure to respect individual rights under data protection law
Crucially, a complaint does not need to be labelled as a “data protection complaint”, or submitted in a particular format, to fall within the new regime. If the substance of the concern relates to personal data, organisations must treat it accordingly.
What must organisations do?
The ICO’s guidance on how to deal with data protection complaints makes clear that organisations have flexibility in how they design their complaints process, but certain core principles apply.
In practice, businesses should ensure that they:
- Have a clear process for receiving complaints: This could be a standalone data protection complaints procedure or an integrated process within existing governance frameworks. However, it must work in practice, not just on paper.
- Make it easy for individuals to complain: Individuals must be able to submit complaints electronically and by other reasonable means. Online forms are encouraged, but complaints made via email or letter must also be accepted.
- Tell people about their right to complain: Organisations must inform individuals of their right to complain about data protection issues, including when personal data is collected and when responding to a subject access request. This will usually require updates to privacy notices and DSAR templates.
- Acknowledge complaints within statutory timescales: Complaints must be acknowledged within 30 days. This marks the start of the organisation’s handling period.
- Investigate and respond without undue delay: Organisations must carry out an appropriate investigation and provide a clear outcome, including information about the individual’s right to escalate the complaint to the ICO if they remain dissatisfied.
What should businesses do now?
With the June 2026 deadline approaching, businesses should now start work on a data protection complaints procedure that complies with the requirements introduced by DUAA. This should include engaging early with key stakeholders across the organisation and considering whether staff training is needed so that employees understand how to recognise and handle data protection complaints when they arise.
Organisations should also review their arrangements with processors to check that contracts include appropriate provisions on complaints handling, including obligations on the processor to assist with investigations, promptly forward complaints to the controller organisation and provide the information needed to enable the organisation to respond effectively. Alongside this, privacy notices and DSAR response wording should be updated to reflect individuals’ new right to complain. Finally, it is important to ensure that clear records are kept of the internal steps taken to investigate and respond to complaints, so that organisations can demonstrate to the ICO that appropriate action has been taken.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.