Employers should review their existing processes for handling data protection complaints in the light of new requirements in force from 19 June 2026.  The Data (Use and Access) Act (discussed in a Data Notes blog post here) provides that all data controllers, including employers, must facilitate complaints, acknowledge complaints within 30 days of receipt, respond appropriately without undue delay (including making appropriate enquiries and keeping the complainant informed), and tell the complainant the outcome without undue delay.  Although a formal complaints procedure is not mandatory, it is recommended as good practice by the Information Commissioner's Office (ICO) Guidance published here. Key points include:

  • The process covers complaints about an employer's response to a subject access request (SAR), breaches of data security, or a particular use or collection of data – and individuals must be told about their right of complaint to the employer (as well as the ICO) when their data is collected and when responding to a SAR.  Employers may need to update privacy notices and SAR response templates. (This could be coordinated with any updates to privacy policies needed by employers wishing to rely on the new lawful basis permitting processing necessary for certain "recognised legitimate interests" – see our Data Notes blog post here.)
  • There is no prescribed method for making a complaint; while employers can encourage staff to use a particular method (such as an online form, email address, chat function etc), a complaint made through a different channel must still be accepted and responded to.  It is therefore important that staff are trained to identify and action complaints coming in through other channels (such as social media, or direct contact with individual team members) and that they know where to direct the complaint.
  • Complaints must be acknowledged within 30 days starting the day after the day of receipt (if the last day is on a weekend or public holiday, this is extended to the next working day). There is no prescribed method of acknowledgement.  
  • The ICO interprets the requirement to investigate the complaint "without undue delay" as "without an unjustifiable or excessive delay", beginning on receipt of the complaint (and not after the 30-day acknowledgement period).  If an employer has its own timeframe for handling complaints but could complete the investigation more quickly than provided for in the timeframe, it must do that.
  • Records should be kept (for an appropriate retention period) of: the date of receipt and acknowledgement (to demonstrate compliance with the 30-day requirement), any relevant conversations and documents, the outcome and any actions taken as a result.

 

 

Key contacts

Anna Henderson

Knowledge Counsel, London
