UK ICO explains the Data (Use and Access) Act's new data protection complaints requirements
Published on 18th February 2026
With less than six months until new obligations take effect, guidance offers controllers practical steps for compliance
At a glance
New legal obligations require controllers to receive, acknowledge and respond to data protection complaints from individuals from 19 June.
A separate form or complaints tool is not required – existing means can be adapted for data protection; automated electronic acknowledgements are sufficient for email submissions.
The ICO will use complaint volumes and trends to identify potential compliance issues and determine whether to intervene with individual organisations.
The Information Commissioner's Office (ICO) has published its final guidance on handling data protection complaints following consultation. The Data (Use and Access) (DUA) Act 2025 introduces a new right for individuals to complain to controllers about the handling of their personal data and obligations on controllers in relation to their handling of those data protection complaints.
In short, controllers must provide data subjects with a way of making data protection complaints to them and acknowledge receipt of complaints within 30 days of receipt. They must also, without undue delay, both take appropriate steps to respond to complaints, including making appropriate enquiries and keeping complainants informed, and inform complainants of the outcome of their complaints.
These requirements take effect on 19 June. In its guidance, the ICO aims to help businesses prepare by explaining what they must, should and could do to comply. For many organisations, there will be relatively little to do to comply with the strict legal requirements in relation to complaints.
Enabling complaints
The ICO states that while controllers must give people a way to make data protection complaints directly to them, how controllers do this is up to them. Options include complaint forms (for example, by email or post), providing an email address for people to submit complaints to, an online complaints portal, live chat functions with the option to escalate to a human if needed, and giving people a way to make data protection complaints over the phone or in person.
The guidance addresses the scenario where organisations may already have existing complaints processes or tools that could be leveraged for data protection complaints. The ICO is clear that, in that scenario, the existing process or tool could be adapted to include data protection complaints; there is no need to build a separate tool for receiving them. That will be particularly relevant for organisations with wider regulatory obligations to manage complaints.
Finally, like data subject access requests (DSARs) and other requests, there is no obligation on individuals to use a set process for making complaints. For example, controllers may ask individuals to submit complaints to a specific email address or using a specific form but that does not prohibit an individual from making a complaint via social media instead. That means that, as with DSARs and other requests, recognising data protection complaints – however they are made – is particularly important.
Acknowledging receipt
Controllers have an obligation to acknowledge receipt of complaints within 30 days of receipt. Complaints can be acknowledged in different ways. The ICO suggests that it is likely to be most practical to follow the method the complainant has used unless they have requested a reply via a different means.
Importantly, from a practical perspective, the ICO says that if you receive a complaint electronically (for example, via email or live chat), an automated response, such as auto-acknowledgement emails, will be sufficient to satisfy the obligation to acknowledge receipt within 30 days. Similarly, if a complaint is received verbally, it is sufficient to acknowledge receipt verbally.
Investigating the complaint
Unlike DSARs and other data subject rights requests, there is no specific timescale for substantively responding to the individual's complaint. According to the ICO, "without undue delay" in this context means "without an unjustifiable or excessive delay".
What is unjustifiable or excessive always depends on the circumstances and varies from one complaint to another and from one organisation to another. According to the ICO, the important thing is to consider all the circumstances of the complaint, not to apply a set period of time as a blanket approach.
How the ICO responds to complaints
Individuals can still complain to the ICO. Even before the changes introduced by the DUA Act, though, the ICO was encouraging individuals to complain to and seek to resolve data protection issues with the relevant organisations before complaining to the ICO.
Alongside its guidance on the right for individuals to complain to controllers, the ICO has also published a new framework on how it handles data protection complaints. However, the ICO is deluged with complaints: in 2023-24, the ICO received 39,721 complaints and, in 2024-25, that number rose to 42,881 complaints.
In its new framework, the ICO outlines its criteria for assessing whether to handle a complaint and to what extent, including level of harm, effect on individuals, alignment with ICO strategic priorities, and whether an organisation is already investigating a complaint. The ICO notes that it cannot take regulatory action on every complaint – it aims to focus resources on cases where it can have the biggest impact. However, complaint data will help it identify broader issues with an organisation's compliance and inform regulatory interventions.
The ICO will apply threshold criteria when receiving complaints about an organisation – it will record the number of complaints received, and if complaints exceed a certain threshold within a specified period (both yet to be finalised) it may analyse the available information it has about the organisation to determine whether to intervene. Reaching the threshold does not automatically trigger action; the ICO will investigate whether a breach occurred and consider the organisation's engagement. The purpose of this approach is to identify trends and intervene at an early stage before further harm occurs.
It is important for organisations to understand how the ICO deals with complaints because that may help inform their own approach to handling data protection complaints.
Osborne Clarke comment
The obligations in relation to data protection complaints do not come into effect until 19 June but there are practical actions that controllers can take now to meet the strict legal requirements relating to complaints.
- Check that individuals are informed of their right to make data protection complaints when their personal data is collected and when responding to DSARs. That means checking (and potentially amending) privacy notices and template response letters. For many organisations, privacy notices will already include information about how to make complaints.
- Ensure that data protection complaints received, via any means, are acknowledged within 30 days. For complaints received electronically, this could be as simple as setting up automated replies acknowledging receipt.
- Review and potentially amend any existing policies, procedures and staff training on handling of DSARs and other data subject requests to ensure they capture data protection complaints as well. This will ensure that complaints are picked up, investigated and responded to in accordance with the requirements.
- Ensure that contracts with processors oblige the processor to pass any data protection complaints received by it on to the controller, and to support the controller in investigating and responding to the complaint. That may be captured by existing contractual obligations dealing with data subject requests generally, though that will depend on exactly how they are drafted. It may be worth reviewing and amending any template contracts to address this point.