Data Protection Complaints: Are You Ready for the New Rules?
Posted in Data Protection
The ICO’s draft guidance on handling data protection complaints is a wake-up call for organisations. With the Data (Use and Access) Act 2025 (‘DUAA’) introducing new legal duties for organisations handling data protection complaints (likely to be enshrined in law from June 2026), the question is: Are you prepared?
The most common data protection breach is surprisingly simple: sending an email to the wrong recipient (the subject of 18% of complaints between January and March 2025). Despite sophisticated systems designed to prevent major breaches, this everyday error continues to happen daily, a reminder that human error remains a significant risk. That’s why organisations should implement a robust data protection complaints procedure without delay. Not only does it help manage incidents swiftly and transparently, but it also demonstrates accountability and builds trust with stakeholders.
What does the DUAA set out to do?
The DUAA introduces a requirement for controllers to put in place a complaint-handling process, ensuring that data subjects are able to lodge complaints directly with the controller. Organisations must:
· Provide a clear route for individuals to raise data protection complaints (for example, providing a complaint form which can be completed electronically and by other means).
· Acknowledge complaints within 30 days.
· Investigate and respond without undue delay.
· Keep complainants informed and communicate outcomes clearly. The Act expressly refers to giving regular updates on the progress of the complaint.
· Record the actions taken and keep details of any related conversations and copies of all relevant documents from start to finish, including the reasons for decisions made and any action taken, or not taken. This also provides evidence of what was done, which the ICO or industry bodies may need in the future.
Further, the ICO guidance says organisations should review the lessons learned from each complaint and consider whether anything can be improved to prevent future complaints.
This isn’t just about ticking boxes. It’s about trust, transparency, and accountability, especially when it comes to subject access requests (‘SARs’), which often trigger complaints when handled poorly. The ICO has reported that it often receives complaints from individuals who have concerns that they haven’t received all their data in response to their SAR. Other common complaints involve people being unhappy about the way organisations have used their personal data (e.g., where it has been stored, how long it has been kept, or its accuracy).
It’s not unusual for clients to spend a disproportionate amount of time and resources responding to these complaints.
Why data protection complaints deserve their own lane
Unlike general service complaints, data protection complaints are legally nuanced and often involve sensitive personal information. Treating them as just another customer-facing issue risks:
· Non-compliance with the legislation.
· Reputational damage.
· Escalation to the ICO, which could have been avoided.
A dedicated process ensures proper legal assessment, clear documentation (essential if a complaint is made to the ICO), and that the staff responding are trained in data rights and obligations. We are often instructed by clients who have no standalone procedure for data protection complaints and are running into difficulties responding under their general complaints policy.
Why is there value in proactively enforcing compliance?
1. Compliance is mandatory – Organisations processing personal data must comply with UK GDPR and related laws. Non-compliance can lead to fines, complaints, and legal action.
2. Rising cyberattacks – Cybercriminals are increasingly using AI to enhance their attacks. Organisations are accountable for breaches, as failure to implement proper security measures can result in enforcement by the ICO.
3. Prevention is cheaper than cure – The financial and operational costs of dealing with a breach far outweigh the costs of proactive compliance. Investing in preparedness can significantly reduce breach-related expenses.
4. AI use may breach data laws – Organisations are increasingly using AI, and unlawful use of AI involving personal data (especially without transparency) can expose organisations to legal risk. Clear AI policies and staff training are essential.
5. Avoid ICO complaints – Responding to ICO complaints is time-consuming and resource-intensive. Proactive compliance helps prevent complaints from arising in the first place, and a record of the actions taken should satisfy ICO investigators, if a complaint is raised, that no further action is required.
6. Avoid litigation – Proactive compliance reduces the risk of receiving legal claims. Even weak claims can be costly to defend, and early detection helps avoid unnecessary legal expenses.
7. Avoid ICO enforcement action – The ICO has powers to issue fines, enforcement notices, and conduct inspections. Proactive measures reduce the likelihood of facing these actions.
8. Protect your reputation – ICO decisions are public and can damage trust, investor confidence, and brand reputation. Compliance helps maintain credibility and customer loyalty.
Read our insight here for more information about proactive compliance.
Should we make provisions for offering settlement in our data protection complaints procedure?
The ICO makes clear that a data protection complaint can come from anyone unhappy with how their personal data has been handled, regardless of whether the issue is formally reportable. What’s more, individuals can bring civil claims even where there’s no clear legal cause of action. The Online Money Claims Service makes this easier than ever.
You might assume that offering a settlement will resolve the issue and prevent escalation; however, we regularly see cases where individuals accept a settlement and still pursue complaints through the ICO (or encourage others to do the same). Settlements must be handled with care and legal expertise to ensure the right documentation is in place to ringfence future risk.
The solution? Proactive and thorough data protection compliance. It’s the best strategy for:
· Reducing legal and reputational risk.
· Managing complaints effectively.
· Demonstrating accountability and transparency.
· Protecting your organisation from repeat or opportunistic claims.
How can Tozers help?
At Tozers, we support organisations in:
· Reviewing and updating complaints procedures.
· Demystifying the legal landscape about ICO complaints and data protection litigation, empowering you to fully comply with the law.
· Training teams on data protection responsibilities.
· Handling SARs and related complaints with care and compliance.
· Preparing for the June 2026 deadline with confidence.
If your organisation hasn’t yet reviewed its approach to data complaints, now is the time. The ICO’s consultation is open until 19 October 2025 – a chance to shape the final guidance.
Why Tozers?
As a top firm for client satisfaction, we have built a reputation as good listeners who break down complex legal jargon into words you can understand, and we are experts at advising on your organisation’s particular situation.
If you require advice, speak to one of our data protection legal experts today in a no-obligation phone call.
