The Information Commissioner’s Office (ICO) has reminded businesses that they must have a data protection complaints process in place before new requirements come into force on 19 June 2026.

Under the Data (Use and Access) Act 2025, all organisations are legally required to have a process for handling data protection complaints. This includes:

• Providing a way for people to make data protection complaints;
• Acknowledging receipt of complaints within 30 days of receiving them;
• Taking appropriate steps to respond to complaints without undue delay; and
• Keeping complainants informed about the complaint’s progress and informing them of its outcome without undue delay.

To help organisations prepare for the new requirements, the ICO previously published guidance setting out practical advice on how to comply. As we discussed previously here, it included suggestions on the contents of a complaints procedure to appear on the organisation’s website, how to handle complaints made by children or on social media, and what steps should be followed to ensure that a complaint is investigated without undue delay.

Commenting on the new requirements, Emily Keaney, Deputy Commissioner of Regulatory Policy at the ICO, said:

“A data protection complaint can come from any customer at any time. Having a clear process means you can respond quickly, resolve issues fairly and protect the trust your customers place in you.

We are not here to catch businesses out, we are here to help you get ready. With 19 June fast approaching, now is the time to read the guidance and make sure you’re prepared.”

To read more, click here.