One of the more significant changes made by the Data (Use and Access) Act (the “Act”) is the introduction of a specific right for individuals to make data protection complaints directly to an organisation. Although individuals have always been able to do this (and have been encouraged to do so by the ICO), the Act introduces a couple of significant obligations, which we have set out below. We have also produced a refresher of the changes to UK data protection law and developments to date which can be found here.

What is the data subject complaints regime?

Section 103 of the Act introduces a right for individuals to complain to an organisation when they consider that their personal data has not been handled in accordance with data protection law. It also introduces corresponding obligations on organisations to facilitate the making of complaints, deal with those complaints in a certain way and to make individuals aware of their right to complain directly to the organisation.

The relevant provisions came into effect on 19 June 2026 and apply to complaints received by organisations on or after this date.

How does the complaints regime compare to the current law and guidance?

Prior to 19 June, the process for data subject complaints was determined by the processes of the ICO, which typically required individuals to raise any data issues directly with the organisation, and to give it 30 days to respond, before making a complaint to the ICO.

Section 103 of the Act codifies and clarifies the position. The regime puts in place more structure and sets out clearer expectations for what organisations should do if they receive a complaint from an individual. The ICO has also recently published its guidance on the regime, entitled “How to deal with data protection complaints” (the “ICO Guidance”).

What can individuals raise complaints about?

Individuals can make a complaint about any infringement under the UK GDPR or the Data Protection Act 2018 (“DPA 2018”) that involves their personal data. In a similar way to data subject rights requests, individuals don’t need to use legal terms or quote the law to make a valid complaint about how their data has been processed. It is therefore important that staff within organisations are sufficiently trained to spot when a complaint has been raised under UK data protection law.

Whilst individuals can raise a complaint on a range of matters, in practical terms, we anticipate that complaints will be concentrated in areas that attract the most attention from individuals. These are typically issues relating to data subject access requests and data security where there has been a data breach, but it can also be relevant where individuals (notably staff) feel their data has been shared inappropriately, or used to reach a decision that negatively impacts them.

What complaints procedures must organisations put in place?

Organisations must inform individuals of their right to complain directly to the organisation (for example in a privacy notice or policy), and must also provide a way for individuals to complain to them directly. The means of doing this can be decided by the organisation, and there is quite a bit of flexibility here.

The ICO Guidance outlines some suggestions that are a helpful steer, stating that organisations may want to put in place one of the following methods: (i) a form that can be submitted electronically or in writing; (ii) an email address that individuals can send complaints to; (iii) a telephone number; (iv) a live chat function (with the option to escalate the matter to a human if needed); or (v) an option to make complaints in person.

Although organisations can encourage a particular method to complain, the guidance confirms that individuals can ultimately choose any method to make the complaint (including through social media) and organisations must accept the complaint regardless of how it is received.

What must organisations do when they receive a complaint?

When an organisation receives a complaint, it must acknowledge that complaint within 30 days. The organisation is then required to take “appropriate steps to respond” to the complaint, gathering as much information as required, such as by looking at the relevant facts and making enquiries into the issues raised. Once that process is complete, the organisation must inform the individual of the outcome of their complaint without undue delay.

How does the complaints regime affect our relationship with processors?

The codification of the complaints process makes it even clearer that organisations are responsible for (and may receive complaints about) the actions of the processors they engage to process on their behalf. Organisations may therefore want to review their due diligence processes to seek to reduce the likelihood of data protection concerns stemming from their processors. An organisation should also ensure that: (i) any processor the organisation engages is required to inform the organisation promptly if the processor receives a complaint about its handling of any data it processes for the organisation; and (ii) the processor cooperates in providing sufficient information to the organisation so that the organisation can respond to the complaint as required.

Do we need a complaints procedure?

The introduction of section 103 of the Act does not necessarily require a formal complaints procedure, but it may be helpful to implement one. Many organisations have complaints procedures to deal with other issues, and it would be sensible to incorporate data protection matters within these current processes. Where this is the case, organisations should make sure that they respond to any data protection complaints in a manner that is compliant with the new regime, in particular with respect to the required timeframes (noting the 30-day deadline to acknowledge a complaint in the first instance).

Conclusion and Next Steps 

The data subject complaints regime provides for a clearer understanding of what is required from organisations when they receive a data protection complaint from an individual.  

It would therefore be prudent to take the following steps in light of these provisions coming into force and the ICO Guidance:

1. Review your privacy notice(s) to ensure that they state explicitly that individuals have a right to complain directly to your organisation if they have any concerns about the handling of their personal data, including information about how they can do this;

2. Review your internal processes and ensure that staff are trained so that they can identify a data protection complaint and initiate the process to respond appropriately, and within the timeframes required (i.e. an acknowledgment within 30 days and a substantive response without undue delay);

3. Consider whether any agreements with processors need to be amended to ensure that processors are required to notify your organisation of any complaints and cooperate with you to help to address those complaints.

The material in this article is provided for guidance and general information only and is not intended to constitute legal or other professional advice upon which you should rely. In particular, the information should not be used as a substitute for a full and proper consultation with a suitably qualified professional. Please do contact the Bates Wells team if you require further advice.