Changes to UK data protection law are on the horizon that will give individuals a clearer right to complain if they believe their personal data has been mishandled. These changes are being brought in by the Data Use and Access Act 2025 (you can see our blog on more upcoming changes here).
For organisations, this means new expectations around how complaints are acknowledged, managed, and resolved.
At present, many organisations already deal with concerns about data handling on an informal basis, through existing complaints processes or through separate policies, even though there is no explicit legal duty to operate a data protection complaints procedure. Under the proposed reforms, however, responding to complaints will no longer be optional. Instead, organisations will need to ensure they can:
- Acknowledge complaints within 30 days
- Respond without undue delay
- Keep the individual informed of progress
- Provide accessible ways to complain, such as forms on a website or other user-friendly channels
- Prepare wording for complaint responses
- Consider if your standard data protection contract clauses should be updated to cover handling complaints
For some, this won’t represent a major shift. Larger organisations, or those already subject to regulatory processes (for example, Freedom of Information reviews in the public sector), may have systems that can be adapted. For others, particularly smaller organisations, these changes may require new processes, training, and resources.
ICO Consultation on Complaints Guidance
To support organisations in preparing, the Information Commissioner’s Office (ICO) has launched a consultation on draft guidance for handling data protection complaints. The guidance sets out practical steps organisations can take in recognising, investigating and responding to complaints. It also provides information on how the ICO deals with complaints.
The consultation is still ongoing, and final guidance has not yet been published. This means that while organisations can begin to take preparatory steps, the exact details of implementation, including when the new obligations will come into force, remain uncertain.
Looking Ahead
While the finer details are still being finalised, one thing is clear: the right to complain about data protection matters will become more formalised, and organisations will be expected to demonstrate they take complaints seriously. Taking steps now will not only reduce the risk of non-compliance but also build trust with individuals whose data you hold.
If you’d like to talk through what these changes could mean for your organisation, please contact our team.