The Data (Use and Access) Act 2025 (DUA Act) requires organisations to have a data protection complaints process in place from 19 June this year. What does that mean in practice for organisations and how much work will be required? The ICO has recently released detailed guidance setting out the core duties for controllers and shedding light on what the ICO expects to see, addressing both the introduction of new processes and also how existing complaints processes need to be updated for the new requirements. We take a look at five key elements below.
Provide a way to complain
Controllers need to offer a clear route for individuals to raise data protection complaints. The ICO gives organisations flexibility about how they do this. For example, they can provide an online complaints portal, a designated email address or even a complaints form that can be submitted electronically or posted. However, whichever method is chosen must be accessible and effective for the intended audience, with specific measures needed for children or vulnerable individuals.
For organisations that already have complaints procedures in place, the ICO helpfully confirms these can be adapted to meet the DUA Act requirements. However, complainants are not obliged to use them. As such, organisations will need to ensure that staff are trained to recognise and triage data protection complaints that come in through other channels.
Update privacy notices (and DSAR response templates)
Controllers must let individuals know that they can make data protection complaints to them, as well as to the ICO. In particular, individuals must be told of their rights to complain:
- in the organisation’s privacy notice, when personal data is obtained directly from them. Although not directly referenced in the guidance, privacy notices will also need to be updated where information has been obtained via a third party; and
- as part of the organisation’s response to data subject access requests.
The ICO also suggests that organisations could write a public-facing complaints procedure, or update an existing complaints procedure to address the new requirements, and make this available on their website, to give individuals more information on what to expect from the process and what information will be needed from them (e.g. as supporting evidence or ID for identification purposes).
Acknowledge the complaint within 30 days
Complaints received by a controller must be acknowledged within 30 days of receipt. This is a simple acknowledgement of receipt rather than a detailed response. Where the complaint was made electronically, an auto-response confirming receipt can be used.
Investigate without undue delay
Organisations must investigate without undue delay, which the ICO has recognised as meaning without “unjustifiable or excessive” delay from the date the complaint was received. What amounts to “unjustifiable or excessive” delay will depend on the circumstances and the organisation in question. Factors the ICO notes as relevant (but not exhaustive) include the complexity and scale of the issue, as well as whether the complainant is suffering any harm as a result of the issue being unresolved.
For organisations looking to adapt existing complaints procedures, the ICO cautions that aligning with internally set timeframes must not cause unjustifiable or excessive delay. If data protection investigations can be done sooner, they must be.
When conducting an investigation, controllers must ensure they can justify the level of enquiries made and should record their processes and decisions accordingly. In particular, as organisations are not required to take steps that are ‘unreasonable or disproportionate’, such decisions should be recorded. Throughout the process the complainant needs to be kept up to date with progress and expected timeframes.
Communicate the outcome
Once the investigation is complete the complainant must be informed of the outcome without undue delay, including an explanation of any action taken to remedy their complaint. The response should also include a reminder that the complainant can complain to the ICO if they are unhappy with the outcome.
Next steps
With changes required by 19 June, organisations should act now to embed a compliant process. Whether a new complaints process is being introduced or an old one is being updated, organisations will need to take active steps, most likely including updating privacy notices, internal processes and staff training scripts.
