Mon 02 Mar 2026

Handling data protection complaints: Getting to grips with the new requirements

From June 2026, organisations must have a formal process in place to handle data protection complaints directly.

The Data (Use and Access) Act 2025 introduces a new requirement for organisations to implement an internal procedure for handling data protection complaints before the matter is escalated to the Information Commissioner's Office (ICO). This will come into force on 19 June 2026. Organisations must plan now and prepare for the upcoming changes.
 
The ICO has also published guidance on how to deal with data protection complaints to help organisations comply.

Complaints

Data protection related complaints can be raised by individuals by any means, for example by telephone, letter, email, through social media or during a conversation. There is no prescribed manner as to how an individual should raise a complaint. The ICO emphasises that if you are ever unsure whether an individual is making a data protection complaint then you should ask them to clarify.

Procedure for handling complaints

Organisations must implement a procedure to give people a way to make data protection complaints directly to them. Each organisation can take its own view on how best to do this provided it meets its obligations. However, as an example, the ICO suggests the following actions:

  • create a complaint form for submitting complaints electronically or in writing
  • provide an email address or telephone number for submitting complaints
  • provide an online complaints portal
  • set up a live chat function with the option to escalate to a human if needed
  • allow people to submit complaints in person if the organisation does not have a digital presence

While individuals can be encouraged to follow the official complaint process of an organisation, they still have the right to raise a complaint in any form they like, and organisations must accept a complaint regardless of whether it is raised through the official channels or not.
 
The ICO asks organisations to consider how they will handle complaints raised through social media and by children and young people, providing some practical guidance on the way they should respond to such complaints and the requirement for organisations to assess the competence of the child to exercise their legal rights.
 
When accepting complaints, if an organisation is unsure of the complainant's identity then it should ask for proof of ID at the earliest possible opportunity. If the complaint is raised on behalf of someone else, organisations must check that the person making the request is authorised to do so either by a signed letter of authority or a power of attorney.
 
It is recommended that organisations put in place a written complaints handling procedure to make the process transparent. The complaints procedure could be published on the organisation's website or supplied to individuals either on request or at the earliest appropriate opportunity.

A written complaints procedure could:

  • include the preferred method for receiving complaints
  • set out what supporting information the organisation requires
  • set out what is acceptable proof of ID and what authorisation document is required if the complaint is raised on behalf of the individual
  • explain timescales for acknowledgement and response

Organisations could also find it beneficial to create an internal written procedure to assist staff in dealing with complaints alongside other staff training being provided.

Right to complain

Organisations are required to inform individuals of their right to complain, including their right to complain to the ICO. This must be done when they are collecting personal information and must be in a clear and simple manner for people to understand. For example, the right to complain should be included within the privacy notice. Furthermore, organisations must advise individuals of their right to complain when responding to data subject access requests.

What to do if you receive a complaint?

  1. Acknowledgement - acknowledge receipt of the complaint within 30 days starting from the day after the complaint is received. Where the last day to acknowledge a complaint falls on a weekend or public holiday, you have until the next working day to provide an acknowledgement. There is no exemption for non-acknowledgement when staff are absent for certain periods of the year, such as school holidays or sickness. Organisations must make alternative arrangements to ensure that acknowledgements are sent out in compliance with data protection laws. Acknowledgements should usually be provided in the same format in which the complaint is received.
  2. Investigation - organisations must gather all the relevant facts and information. This should be done without undue delay. If an organisation requires more information to be able to answer, it should ask the person making the request but it must make such enquiries as soon as possible, avoiding excessive delays.
  3. Keeping the complainant involved - the complainant must be kept informed throughout the progress of the investigation. Organisations should provide updates on progress, timeframes and explain any delays.
  4. Records management - subject to retention periods, as personal data must not be kept for longer than required, organisations should keep a record of the date that the complaint was received and any correspondence including acknowledgement, outcome, other conversations and documents.
  5. Outcome - provide an outcome to the complaint without delay. While there is no prescribed timeframe for providing an outcome to complaints, it is important to follow step 3 and keep the complainant informed throughout the process. In providing the outcome, an organisation should explain what has been done to resolve the complaint and any actions that have been taken because of it. The ICO recommends that organisations have in place a complaints review process for individuals who are unhappy with their outcome.

The ICO also reminds organisations that individuals are under no obligation to wait for an organisation to review its complaint outcome, and may raise complaints directly with the ICO at any point.

Key takeaways

The new requirement for organisations to deal with complaints directly in the first instance is being introduced to reduce the ICO's workload and improve individuals' experiences of raising complaints by allowing organisations to resolve issues directly, making the process much faster.
 
To recap, ahead of the new requirement coming into force this June, organisations should prepare by:

  • putting in place a formal complaints route, for example a designated email address or webpage
  • updating their privacy notice to inform individuals of their right to complain to the organisation
  • drafting a complaints procedure that can be shared with individuals whose data is being processed for clarity on the complaints process and their rights
  • drafting internal complaints procedures and training staff to be able to handle data protection complaints without undue delay and in compliance with the legislation

Please contact David Gourlay or another member of our Data Protection and Cyber Security team for assistance with updating your existing complaints process or putting in place a new one to comply with the new rules.

This article was co-authored by Aleks Werecka, Trainee Solicitor in our Data Protection team.
