Businesses across the UK have one month from today to put a data protection complaints process in place, before new legal requirements come into force on 19 June 2026.
From that date, all organisations will be legally required to handle data protection complaints under the Data (Use and Access) Act 2025.
With just four weeks remaining, the Information Commissioner’s Office (ICO) is urging businesses, particularly small and medium-sized enterprises, to read its guidance now and take the straightforward steps needed to comply.
The new law means organisations must:
- give people a clear way to raise a data protection complaint;
- acknowledge it within 30 days of receipt;
- without undue delay, take appropriate steps to investigate and keep people informed; and
- tell the complainant of the outcome.
The good news for businesses is that the ICO’s guidance, published in February following a public consultation that received more than 85 responses, is already available and sets out everything organisations need to know. It explains what businesses must, should and could do to comply, and includes practical tips for each stage of the process.
Emily Keaney, Deputy Commissioner, Regulatory Policy at the Information Commissioner’s Office, said:
Today marks one month to go, and I want to be clear: there is still plenty of time to act, and the ICO is here to support you.
“We know that smaller organisations are less likely to have formal complaints processes in place, and that is exactly why we have designed this guidance with you in mind: with practical steps and real examples that you’ll have encountered on a day-to-day basis.
“A data protection complaint can come from any customer at any time. Having a clear process means you can respond quickly, resolve issues fairly and protect the trust your customers place in you.
“We are not here to catch businesses out, we are here to help you get ready. With 19 June fast approaching, now is the time to read the guidance and make sure you’re prepared.”
The ICO is here to support all organisations meet these new requirements. Resolving complaints quickly and fairly benefits businesses as well as customers. It can prevent issues from escalating, protect customer trust and reduce the likelihood of regulatory involvement. Sectors where data protection complaints are most common include healthcare, financial services, technology and retail. The ICO’s message is that having a clear complaints process is not just a legal requirement, it is good for business.
Businesses are encouraged to read the guidance and take action today. Visit the ICO’s website for more tailored advice for small and medium sized businesses.
Leave a Comment