June 5, 2026

Data protection complaints process: the 19 June duty

From 19 June 2026, anyone whose personal data you hold gains a clearer route to challenge how you handle it. A customer who thinks you kept their records too long, a job applicant unhappy with how their CV was screened, a patient querying who saw their notes: each can lodge a complaint with you directly, and you will be under a statutory duty to deal with it. That duty makes a documented data protection complaints process a requirement for every controller in the UK, not a matter of good practice.

The change comes from Section 103 of the Data (Use and Access) Act 2025, which inserts a new section 164A into the Data Protection Act 2018. The Information Commissioner's Office published its supporting guidance, "How to deal with data protection complaints", on 12 February 2026. The duty itself starts on 19 June 2026, so the window to put a process in place is short.

What changes on 19 June 2026

Until now, a person unhappy with how an organisation handled their data could go straight to the ICO. Many organisations had an internal route, but no law compelled them to have one or to respond within a set time.

Section 164A changes that for controllers. The Act creates a direct obligation to receive, investigate and respond to complaints from data subjects about how their personal data is processed. The ICO frames the wider expectation as controller-first: people are encouraged to raise the issue with the organisation before escalating, and the regulator will generally decline to act until they have, save in exceptional cases. Individuals are not statutorily barred from approaching the ICO, but the practical effect is that most complaints will now land on your desk first.

For the person complaining, the experience should be simpler. They contact the organisation holding their data, get a confirmation that someone is looking into it, and receive an answer with a clear outcome and a note of their right to take it further. For the business, that same flow has to be designed, owned and recorded.

The data protection complaints process every controller now needs

Section 164A sets four core obligations. A controller must make it easy to complain, acknowledge a complaint within a set period, investigate and respond without undue delay, and tell the complainant how to escalate to the ICO.

Making it easy to complain has a specific meaning in the ICO guidance. You must offer an electronic facility, such as a web form, plus at least one other route. You also have to accept a complaint however it actually arrives, whether by email, post, phone, live chat, in person or social media. You cannot insist that someone uses your preferred channel before you will treat their message as a complaint.

That intake design is where most organisations will need work. A fintech fielding complaints about automated credit decisions needs the same defined way in as a defence supplier handling concerns from its own employees about HR data: a record that starts the moment a complaint lands, whatever route it arrives by. The same principle applies to a SaaS provider handling queries about its subprocessors and to an enterprise logging complaints across departments.

Acknowledge within 30 days, then respond without undue delay

The acknowledgement deadline is fixed. Under section 164A, you must acknowledge receipt within 30 days, counted from the day after the complaint reaches you. The ICO confirms that weekends and bank holidays count towards the period, though if the final day falls on a non-working day it rolls to the next one. For electronic complaints, an automated reply can serve as the acknowledgement. If you give a full substantive response inside 30 days, you do not need a separate acknowledgement first.

The investigation duty is not parked until you have acknowledged. It begins on receipt. After looking into the matter, you must respond without undue delay and inform the complainant of the outcome. "Without undue delay" is judged on the complexity of the issue, the scale of what is involved and the potential harm, so a straightforward retention query and a complex profiling dispute will not carry the same timeline.
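The acknowledgement rule above has two edge cases that a complaints log or ticketing SLA needs to get right: weekends and bank holidays count towards the 30 days, but a deadline that lands on a non-working day rolls to the next working day, and a full response inside the period stands in for the acknowledgement. As an added example that is not from the original post or the ICO guidance, the following encodes that rule and classifies a log record against it. It assumes only Saturdays, Sundays and the dates in a supplied bank-holiday set are non-working days, and the holiday set and the log record schema are constructed for the example; a real deployment would load the official UK bank-holiday list for the relevant nation.

```python
from datetime import date, timedelta
from typing import Optional

# Constructed sample of bank holidays (assumption for this example). A real
# complaints log must load the official UK list for the relevant nation.
SAMPLE_BANK_HOLIDAYS = {date(2026, 8, 31)}  # summer bank holiday, England and Wales

ACK_PERIOD_DAYS = 30


def is_working_day(day: date, holidays=SAMPLE_BANK_HOLIDAYS) -> bool:
    """Assumption: only weekends and listed bank holidays are non-working days."""
    return day.weekday() < 5 and day not in holidays


def acknowledgement_deadline(received: date, holidays=SAMPLE_BANK_HOLIDAYS) -> date:
    """Last day on which an acknowledgement is in time under section 164A.

    The period runs from the day after receipt, and weekends and bank holidays
    inside it still count, so day 30 is simply receipt + 30 calendar days. If
    that final day is a non-working day, the deadline rolls to the next working day.
    """
    deadline = received + timedelta(days=ACK_PERIOD_DAYS)
    while not is_working_day(deadline, holidays):
        deadline += timedelta(days=1)
    return deadline


def deadline_iso(received_iso: str, holidays=SAMPLE_BANK_HOLIDAYS) -> str:
    """Same calculation on ISO-8601 strings, as they would be stored in a log."""
    return acknowledgement_deadline(date.fromisoformat(received_iso), holidays).isoformat()


def _parse_optional(value: Optional[str]) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def complaint_status(record: dict, today_iso: str, holidays=SAMPLE_BANK_HOLIDAYS) -> str:
    """Classify a log record as 'met', 'open' or 'overdue' for the acknowledgement duty.

    `record` is a constructed log entry (assumed schema) with ISO-8601 date strings
    under 'received' and, optionally, 'acknowledged' and 'responded'. A full
    substantive response on or before the deadline counts as the acknowledgement.
    """
    received = date.fromisoformat(record["received"])
    deadline = acknowledgement_deadline(received, holidays)
    responded = _parse_optional(record.get("responded"))
    acknowledged = _parse_optional(record.get("acknowledged"))
    if responded is not None and responded <= deadline:
        return "met"
    if acknowledged is not None and acknowledged <= deadline:
        return "met"
    return "overdue" if date.fromisoformat(today_iso) > deadline else "open"


if __name__ == "__main__":
    # Constructed complaint received on commencement day, Friday 19 June 2026.
    # Day 30 is Sunday 19 July, so the deadline rolls to Monday 20 July.
    entry = {"received": "2026-06-19"}
    print("deadline:", deadline_iso(entry["received"]))
    print("status on 1 July:", complaint_status(entry, "2026-07-01"))
    print("status on 21 July:", complaint_status(entry, "2026-07-21"))
```

The rollover loop is what distinguishes this from a naive `received + 30 days`: a complaint received on Saturday 1 August 2026 would otherwise appear due on the August bank holiday, whereas the rule moves it to the next working day. Because the check works on the log record rather than on a ticket's live state, the same function can be run over the whole log to produce the volume and lateness figures the ICO expects you to be able to evidence.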

The final step is to tell the complainant they can escalate to the ICO if they remain dissatisfied. That signpost is part of the duty, not an optional courtesy.

When a complaint can go to the ICO

The sequencing here is worth stating precisely, because it is easy to overstate. The framework is controller-first, and the ICO encourages people to use internal routes before escalating. The regulator will generally decline to act until they have done so, except in exceptional circumstances. It is not the case that a person is legally required to exhaust your process before they are allowed to approach the ICO.

For your process, the implication is practical rather than legal. The cleaner and faster your internal handling, the fewer complaints reach the ICO at all, and the better the record you can show if one does. The complaint data the ICO gathers helps it spot patterns across sectors and intervene earlier where an organisation is generating repeat issues.

What a documented complaints process looks like in practice

The statute sets the four duties. The ICO guidance sets out what it expects you to be able to evidence, and that is the more useful checklist for a product or operations lead.

In practice, a defensible process has a named owner, a defined intake covering the electronic form plus an alternative route, and an internal log that captures the date of receipt, the acknowledgement and its date, the enquiries made during investigation, and the outcome. The outcome should be recorded in plain language, with the findings and any remedial action taken or proposed, plus when that action was completed. The ICO also expects you to track the volume and themes of complaints over time.

That last point anticipates a further provision. Section 103 also inserts a new section 164B, a reserve power under which the Secretary of State may in future require controllers to report the number of complaints they receive. It is not a live duty as of 3 June 2026, but it signals that complaint volumes are likely to become a reporting metric. Organisations that log themes from the start will not have to retrofit that later.

For a healthtech business, this might mean one log across clinical and corporate teams so a patient complaint and a staff complaint follow the same path. For an enterprise spread across business units, it usually means a single intake and log rather than a different approach in every department.

Who the duty applies to, and why there are no exemptions

The duty under section 164A applies to every controller, in every sector, at any size. There are no confirmed exemptions. A two-person fintech and a global enterprise carry the same baseline obligation. The duty sits on controllers rather than processors, so if you determine how and why personal data is processed, it is yours to meet.

The complaints in scope are those about alleged infringements of the UK GDPR, and separately Part 3 of the Data Protection Act 2018 for law-enforcement processing. For most commercial organisations, the UK GDPR limb is the one that matters.

On enforcement, the duty sits within the existing Data Protection Act 2018 regime, where the ICO's tools run from reprimands and enforcement notices through to penalty notices with a ceiling of £17.5 million or 4 per cent of total annual worldwide turnover, whichever is higher. That ceiling is regime context, not a threatened fine for a missing complaints form. The shift on 19 June is that handling complaints well moves from good practice to statutory obligation, and clean handling becomes a procurement and trust asset rather than a box to tick.

How the complaints duty fits the wider Data (Use and Access) Act changes

The complaints duty is one piece of a larger commencement. The bulk of the Act's data-protection reforms came into force on 5 February 2026 under the Commencement No. 6 Regulations. The complaints duty was held back to 19 June 2026, giving organisations a defined period to prepare. If you reviewed your UK GDPR and DPA 2018 setup after the February changes, the complaints process is the next item to close off.

The Naq platform automates UK GDPR and DPA 2018, ISO 27001, Cyber Essentials and DSPT from a single dashboard. Controls are mapped across frameworks, so one piece of evidence satisfies requirements in several standards at once rather than being collected separately for each. A documented complaints process, its log and its owner sit inside that same record, alongside the DPIAs and data-mapping that the rest of the framework already draws on.

Where you need named expert sign-off, Naq's virtual DPOs work alongside the platform to review your process and stand behind it.

To see how your data protection complaints process maps across your existing tooling and frameworks, book a 15-minute demo.

FAQ

When does the new data protection complaints duty start?

It starts on 19 June 2026. Section 103 of the Data (Use and Access) Act 2025 inserts a new section 164A into the Data Protection Act 2018. The ICO published its supporting guidance, "How to deal with data protection complaints", on 12 February 2026.

How long does a controller have to acknowledge a complaint?

Thirty days, counted from the day after the complaint is received. After that, the controller must respond without undue delay and tell the complainant the outcome. For electronic complaints, an automated reply can serve as the acknowledgement, and no separate acknowledgement is needed if a full response is given inside the 30 days.

Do individuals have to complain to the organisation before going to the ICO?

The ICO expects people to raise the issue with the controller first and will generally decline to act until they have, except in exceptional cases. They are not absolutely barred from approaching the ICO, but the framework is controller-first.

Which organisations does the duty apply to?

Every controller, in every sector, with no confirmed exemptions. A small startup and a large enterprise carry the same baseline duty. The obligation sits on controllers rather than processors.

Written by
The Naq Team