ICO Publishes Guidance on How To Deal With Data Protection Complaints
On February 12, the Information Commissioner’s Office (ICO) published its guidance on how to deal with data protection complaints, a new requirement introduced by the Data (Use and Access) Act 2025 (DUAA). As we previously reported, most of the reforms introduced by Part 5 of the DUAA took effect on February 5; however, the requirement for controllers to implement and maintain a complaints handling process does not come into force until June 19, 2026.
The ICO guidance is intended to assist controllers in ensuring that they are ready for the changes when they take effect and makes it clear that even though the new requirements are not yet in force, the ICO considers following the guidance to be good practice. Organizations should therefore take steps to implement a data protection complaints process before the requirements become binding in four months’ time.
Background
The requirement to implement and maintain a data protection complaints process is a new obligation under S.164(A) of the Data Protection Act 2018 (DPA). S.164(A) DPA was inserted by Part 5, DUAA, which was granted Royal Assent on June 19, 2025. However, unlike most of the provisions of Part 5 DUAA, which became binding on February 5, S.164(A) does not take effect until June 19.
Requirements of the DPA 2018
S.164(A) DPA requires that controllers take the following steps:
- Uphold data subjects’ right to complain directly to the controller if they consider that their personal data has been handled in a manner which infringes the UK GDPR or Part 3 of the DPA (which deals with law enforcement processing).
- Provide data subjects with a means of making data protection complaints, such as providing a complaint form.
- Acknowledge receipt of any data protection complaint within thirty (30) days.
- Respond to the complaint and inform the data subject of the outcome without undue delay (which includes making appropriate inquiries into the subject matter of the complaint and informing the data subject of the progress of the complaint).
ICO Guidance
S.103 DUAA does not take effect until June 19, so the requirements under S.164(A) DPA have not yet come into force. However, the ICO indicates in its guidance that organizations are expected to be ready when the provisions become binding, and that it is still good practice to follow the guidance before the changes become mandatory obligations.
The ICO provides the following guidance:
Data protection law says you must:
- give people a way of making data protection complaints to you;
- acknowledge receipt of complaints within 30 days of receiving them;
- without undue delay, take appropriate steps to respond to complaints, including making appropriate inquiries, and keep people informed; and
- without undue delay, tell people the outcome of their complaints.
A complaint may relate to any aspect of how an individual’s personal data has been handled, and the guidance provides as follows:
“If someone considers that you've infringed data protection legislation because of the way you've handled their personal information (or the personal information of someone they're acting on behalf of), they can complain to you.”
The guidance states that controllers must provide a means for data subjects to make complaints, which may be via a complaint form (on- or offline), email address, telephone number, online portal, live chat, social media, or in person. This does not need to be a separate tool, and controllers must still respond to complaints received from data subjects by any means other than the set process.
Practical Compliance
The requirement to implement and maintain a data protection complaints handling process is one of the few new data protection obligations introduced by the generally business-friendly DUAA. The requirement will not become binding for another four months, a period intended to give organizations sufficient time to update their policies and procedures. However, the clock is ticking.
The new obligations are unlikely to require wholesale changes to controllers’ data protection processes and policies; however, these will need to be reviewed and amended to accommodate the new provisions. Disgruntled data subjects, whether customers or employees, are frequently motivated to escalate their complaints in order to negotiate a favorable settlement with a controller. An organization that has failed to implement an appropriate complaints process risks becoming the subject of a complaint to the ICO, in which case it would be prima facie in breach of the DPA, providing valuable ammunition to a disgruntled data subject. Conversely, an organization that has already updated its processes to accommodate S.164(A) DPA is likely to be looked upon favorably in the event of an ICO investigation. Accordingly, it would be prudent for businesses to implement a robust data protection complaints handling process as soon as reasonably possible. In practice, they should be able to achieve this by updating their existing data subject access request (DSAR) process and their website and employee privacy notices.
© Arnold & Porter Kaye Scholer LLP 2026 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.