In less than three months, a significant new UK data protection compliance deadline takes effect for all organisations that process personal data: from 19 June, it will be mandatory to have a data protection complaints handling process in place.
For some organisations, this will mean tightening existing practices. For others, it will mean putting a formal structure in place. Either way, the deadline is now close enough that handling complaints informally is no longer enough.
This blog post explains the new requirement and what you need to do to ensure you remain compliant with UK data protection law after 19 June.
Where does the requirement come from?
The requirement originates from the DUAA (Data (Use and Access) Act) – a 2025 law that amends the UK GDPR and DPA 2018, and the PECR (Privacy and Electronic Communications Regulations).
Section 103 of the DUAA adds a new Section 164A to the DPA, stating that data controllers must provide a way for people to make complaints about how their personal data is processed.
Who needs to comply?
Any organisation subject to UK data protection law should meet this requirement if it handles personal data. Guidance published by the ICO (Information Commissioner’s Office) states plainly that there are no exemptions to this obligation.
What’s changing in June 2026?
Under Article 77 of the UK GDPR (General Data Protection Regulation), individuals – known as data subjects – have the right to lodge a complaint with the ICO if they believe their personal data is being processed in breach of the Regulation.
Data protection complaints can cover a wide range of issues, including how an organisation collects, stores, secures or uses personal information, and how it responds to a DSAR (data subject access request).
Much like DSARs, complaints don’t need to take a specific form or arrive via a particular channel – they can reach your organisation in many different ways, such as through contact forms, social media or email, via customer-facing teams, or by other channels that might not have been designed to handle privacy issues.
The important thing to remember is that the legal obligation applies once the complaint has been made.
From 19 June, your organisation must have a process for UK GDPR complaints handling so that data subjects can exercise their rights.
What must your complaints process include?
People must have a way to complain directly, but the design of that process is open. A complaint form, email address, phone line, portal, live chat or in-person route may all be suitable, depending on the organisation.
In practical terms, the best way to approach your new obligations is to consider what a compliant complaints process should achieve:
- People must be given a way to make data protection complaints directly to your organisation.
- You must tell people that they can complain both to your organisation and to the ICO. This should be made clear when personal information is collected, such as in a privacy notice and when responding to a DSAR.
- Complaints must be acknowledged within 30 days of receipt. The ICO complaints procedure guidance gives practical examples of how that acknowledgement period works.
- Your organisation must take appropriate steps to investigate and respond without undue delay. The duty to investigate begins when the complaint is received, not when the 30-day acknowledgement period expires.
- Complainants must be kept informed during the investigation and told the outcome without undue delay. In other words, a compliant process must enable complaints to be recognised, investigated, tracked and concluded properly.
What should you do now?
With just over two months to go until the new requirements are enforced, organisations should review their current processes now. For many, this will mean reviewing privacy notices, internal escalation routes, records and staff training.
Note that, although the DUAA does not make a written complaints handling procedure mandatory, it is nevertheless helpful to document your complaint handling activities.
A sensible starting point is to ask yourself some basic questions. For example:
- Can individuals clearly raise a data protection complaint?
- Can our staff recognise one when it arrives?
- Can our organisation acknowledge complaints within 30 days?
- Can we investigate, record, track and conclude the matter without undue delay?
A complaints process is only effective if the organisation knows who does what, when, and how the outcome will be communicated.
Risks of non-compliance
Failing to comply with the mandatory data protection complaints process requirement creates a number of risks:
Regulatory
A weak or missing process will create an avoidable compliance risk. The ICO can fine organisations up to £17.5 million or 4% of annual global turnover – whichever is greater – for breaches of the UK GDPR and DPA 2018.
Reputational
Complaints about personal information often arise when trust is already under pressure. A slow, confused or fragmented response can make that worse.
Operational
A poor process makes it harder to identify recurring failures, fix root causes and show accountability. The ICO’s guidance specifically encourages organisations to learn from complaints after the investigation has finished.
How GRC Solutions can help
If your organisation is still working out what the DUAA means in practice, now is the time to act.
GRC Solutions provides a wide range of data privacy solutions to help you assess your current arrangements, identify GDPR compliance gaps, update relevant notices and internal documentation, and put in place a complaints process that is workable, proportionate and aligned with your wider data protection obligations.
