New Rules on Data Protection Complaints
The Data Protection Act 2018 (“DPA”) is a cornerstone piece of legislation which, together with the UK GDPR, provides the foundation of the UK’s legal framework for data protection.
Unlike the UK GDPR, which sets out the fundamental rules on data protection many businesses will be familiar with, the DPA sets out somewhat esoteric rules you won’t come across unless you get into the weeds of data protection, so many businesses may not be familiar with the DPA.
However, the DPA was amended last year to introduce a new set of rules concerning the handling of data protection complaints, which come into force on 19 June 2026[1], and this is something all businesses will need to be aware of.
-
What are these new rules on data protection complaints?
The new rules are set out in Section 164A of the DPA and give individuals the right to complain about the way in which their personal data is handled by businesses. In a nutshell, businesses have to: (a) provide individuals with channels through which they can complain; (b) acknowledge complaints within 30 days of receipt; and (c) deal with complaints and inform the complainants of the outcome without undue delay. Basically, you must have a process for dealing with data protection complaints.

-
How do these new rules differ from what the UK GDPR says in terms of rights of individuals?
The UK GDPR already grants individuals the right to complain to the ICO about infringement of the UK GDPR. The new rules supplement the UK GDPR by giving individuals the right to complain to businesses if they feel that their rights have been infringed. The new rules can be seen as the UK government’s attempt to encourage individuals to complain to the relevant businesses first before they complain to the ICO.[2]
-
The rules seem straightforward enough, and we have existing processes for dealing with customer complaints and employee grievances; do we need to do anything extra?
If you have already put in place processes for dealing with customer complaints and employee grievances, you might be able to piggyback on them to comply with the new rules, but you will want to make sure that your existing processes are fit for this purpose.
For example, if a customer complains about UK GDPR infringement through your normal complaints channel, you will need to make sure that the complaint is acknowledged within 30 days and escalated appropriately so you address the complaint and respond to the customer without making the customer wait too long.
If your existing complaints process does not account for the need to involve your internal team that deals with data protection (e.g. your legal department or compliance department), you will want to update the process and provide additional training so that your customer service team can recognise data protection complaints and distinguish them from other complaints, e.g. those about your products/services.
-
As part of our GDPR implementation, we have put in place a process for dealing with data subject requests; surely that’s enough?
If you already have a GDPR-compliant process for handling data subject requests, you probably won’t have to do much to comply with the new rules, but you will still want to make sure that your existing process complies with the new rules.
Currently, there is no mandatory legal requirement to acknowledge a data subject request, and if your existing process for the handling of data subject requests does not provide for acknowledgement, you will want to update it.
Additionally, if your existing process focuses on certain types of data subject request (such as access/deletion requests), it may not provide enough clarity around how a data protection complaint should be identified, routed, and resolved. If that’s the case, you might want to update your process.
-
You mentioned “channels through which they can complain” but do these channels have to take any particular form?
Section 164A(2) of the DPA states that businesses must “facilitate the making of complaints… by taking steps such as providing a complaint form which can be completed electronically and by other means”, so an online complaints form is one option, but it is by no means the only option. Other channels which the ICO suggests as being acceptable include email, telephone, online portal, and live chat.
-
You mentioned the ICO; have they said anything about these new rules?
Yes, the ICO has produced helpful guidance on how to deal with data protection complaints.
Conclusion
Businesses have to put in place a process for dealing with data protection complaints. Most businesses likely need minimal adjustment and some may already be compliant, but it’s still worth reviewing your processes.
If you need help with this topic, feel free to get in touch.
[1] It is worth noting that the introduction of the rules on data protection complaints is only one of the many changes to the UK GDPR and the DPA introduced by the Data (Use and Access) Act 2025 (“DUAA”). For an overview of the changes introduced by the DUAA, refer to this summary produced by the ICO.
[2] This is a bit like individuals aggrieved by financial services providers being told to complain directly to the providers first before they complain to the Financial Ombudsman Service, although unlike financial services complaints, a direct complaint to the business is not a prerequisite for complaining to the ICO about infringement of the UK GDPR, at least not yet!
Written by Masayuki Negishi
Specialist at My Inhouse Lawyer
One of our values (Growth) is, in many ways, all about cultivating a growth mindset. We are passionate about learning, improving and evolving. We learn from each other, use the best know-how tools in the market and constantly look for ways to simplify. Lawskool is our way of sharing with you. It isn’t intended to be legal advice, rather to enlighten you to make smart business decisions day to day with the benefit of some of our insight. We hope you enjoy the experience. There are some really good ideas and tips coming from some of the best inhouse lawyers. Easy to read and practical. If there’s something you’d like us to write about or some feedback you wish to share, feel free to drop us a note. Equally, if it’s legal advice you’re after, then just give us a call on 0207 939 3959.