Data Protection: mandatory complaints process required by 19 June
On 19 June 2026, new rules require all businesses to implement a mandatory data protection complaints process. Time is quickly running out for any organisation who has not yet reviewed their existing complaint system and identified where changes need to be made.
Individuals will have a statutory right to make a complaint directly to businesses if they believe their personal data has been unlawfully processed. The changes mean businesses will be legally required to handle data protection complaints under the provisions of the Data (Use and Access) Act 2025. The Act amended the UK General Data Protection Act and Data Protection Act 2018.
Complaints rising
Data protection complaints to the Information Commissioner’s Office (ICO) are rising substantially. Its latest figures (for 2024 – 2025) show it received 42,881 complaints – a 7.4% increase on the previous year (39,721). The ICO forecasts that this current year (2025 – 2026) it will receive between 45,000 and 55,000 complaints – a substantial and concerning rise in data protection complaints.
Under s103 of new Act, all businesses will be required to:
· give data subjects a clear, efficient complaints mechanism to raise a data protection complaint where they believe the GDPR has been infringed. There must be an electronic means by which to make a complaint, as well as other means
· acknowledge a complaint within 30 days
· take appropriate steps to investigate and to keep complainants informed - without undue delay and
· inform complainants of the outcome. The ICO says businesses should clearly explain what they have done to resolve the complaint and, where appropriate, actions they have taken as a result. If you believe you have been compliant, explain this in detail to the complainant
Note that further regulations could be passed requiring data controllers to report to the ICO on complaints made.
The new mandatory complaints process for businesses is not intended to be a necessary ‘first step’ before a complaint direct to the ICO – complainants will still be able to use the existing route to lodge complaints with the ICO.
SMEs are less likely to have formal data protection complaints processes already in place and the ICO has produced guidance reflecting that reality. Smaller businesses may be concerned at a further regulatory burden, but the aim is to reduce data protection complaints to the ICO – which can take several weeks to resolve. The new requirement could well help SMEs ensure complaints are swiftly dealt with inhouse without drawn out ICO involvement.
What should we do?
Data protection law is a notoriously complex area, impacting every business organisation and charity. Careful consideration needs to be given to these additional rules and the appropriate action required to ensure continued compliance. Always take specialist legal advice from data protection law experts.
If you would like us to cover an issue in the next NGM Tax Law Newsletter, we would be pleased to hear from you