Data Protection complaints changes – are you ready?
The Data (Use and Access) Act 2025 introduced several controller-friendly changes relating to legitimate interests, cookies, and DSAR searches. However, one significant – and more onerous – addition has slipped under the radar for many organisations.
From 19 June, all organisations must:
- Facilitate the submission of data protection complaints
- Acknowledge receipt of complaints within 30 days
And, without undue delay:
- Take appropriate steps to respond (including making enquiries and updating the complainant)
- Inform the complainant of the outcome
Facilitating complaints
How can organisations facilitate the making of complaints? The legislation gives the example of providing an electronic complaint form. While this may be appropriate for large, consumer-facing organisations, it may be disproportionate for others.
In practice, organisations should, at a minimum:
- Review external privacy notices to ensure individuals are clearly informed of their right to complain and how they can do so
- Review existing complaint channels and processes to confirm they can accommodate data protection complaints or redirect them appropriately
- Consider implementing an external data protection complaints policy (referenced in privacy notices), outlining how complaints can be made and what individuals can expect
- Ensure relevant staff are trained to recognise and escalate data protection complaints, in the same way as subject access requests and other data subject rights
Handling complaints
Although the obligations relating to acknowledging and responding to complaints are less onerous than those for subject access requests, organisations should still ensure appropriate processes are in place.
Businesses should consider:
- Developing an internal complaints-handling policy, setting out a clear process for managing complaints
- Identifying a responsible person or team to investigate and oversee data protection complaints
- Preparing template acknowledgements and responses
- Updating agreements with third-party processors to require their assistance in handling relevant complaints
What next?
While there is no prescribed standard for how organisations must facilitate complaints, failing to address data protection complaints in your external privacy notice will be a clear indicator of non-compliance.
Organisations may also see an initial increase in complaints, alongside heightened expectations regarding the speed and quality of responses once these changes come into force. Having a clear, structured approach will help minimise the associated administrative burden.
If you need support reviewing your documentation or implementing data protection complaints processes, please contact our expert data protection team.