New Data Protection Complaints Rules Are Coming. Are You Ready?

From June 2026, organisations must facilitate the making of complaints. For many organisations, this will represent a structural shift in how data concerns are handled, escalated, recorded and resolved. For others, it will expose a gap that has existed for years but has never been tested under formal scrutiny.

This is not just another compliance update. It is a litigation and risk management issue, and one that requires strategic planning now, not later.

Tozers’ trend spotting

We regularly advise organisations across a range of industries on how to navigate data protection complaints and manage data breaches. A common theme is that organisations rarely plan for complaints properly until one lands. By then, the costs are already rising – and not just financial costs. Data protection complaints can divert precious management and operational resources from your core work, and there is a potential cost to your reputation.

What’s at the core of the data protection complaints procedure?

Complaints handling will become an expected governance function, not an optional administrative process.

If your organisation processes personal data, this is a strategic planning moment. For a detailed overview of the new framework, see our earlier insight here.

What is changing in June 2026?

From June 2026, all organisations must ‘facilitate the making of complaints … by taking steps such as providing a complaint form which can be completed electronically and by other means’ (Section 103 of the Data Use and Access Act 2025). We recommend that you have a formal, documented complaints procedure to:

  1. Facilitate the complaints process
  2. Help demonstrate compliance
  3. Resolve issues promptly and proportionately to reduce the risk of escalation to the ICO or litigation.

A complaints procedure will set out:

  • How complaints are received
  • How they are investigated
  • How outcomes are communicated
  • How records are kept
  • How escalation decisions are made.

Can’t we handle data protection complaints as a normal customer complaint?

Data protection complaints are different from general customer complaint processes. Data protection complaints involve statutory rights, regulatory scrutiny and potential compensation claims.

Can we separate out elements of a complaint where there are data protection elements?

Absolutely – and it would be expected that you do (and clarify with the complainant where you are unsure). For example:

A customer complains to a Registered Provider of Social Housing. The complaints concerning their housing can be dealt with under the Registered Provider’s complaints procedure, where there is a right to appeal to the Housing Ombudsman. Where there are also complaints about data protection matters, the Registered Provider should ask them to confirm whether they wish to continue with a complaint under its standalone data protection complaints policy because the Housing Ombudsman has no jurisdiction over data protection matters.

Why does this matter now?

Because complaints are rarely isolated events. In our experience advising clients, a data protection complaint can often expose wider issues such as:

  • Delays and failures in handling subject access requests
  • Poor handling of data breaches
  • Confusion over lawful processing
  • Internal governance gaps
  • Lack of documentation recording compliance
  • Inconsistent staff training.

Once a complaint is raised, the organisation’s entire compliance posture can come under scrutiny, leading to:

  • Regulatory investigation time
  • Legal costs associated with taking advice and drafting correspondence to the individual/the Information Commissioner
  • Internal disruption
  • Potential compensation claims
  • Reputational damage.

Proactive planning is almost always less expensive than reactive defence.

A recent case

In a recent case, we supported a client who had dealt with a subject access request that had escalated into a formal complaint after their internal response failed to identify all relevant documents.

By reviewing the file swiftly, identifying gaps in the original disclosure and drafting a structured and reassuring complaint response, we helped prevent the matter from being escalated to the ICO. In the process, we identified several procedural issues in the client’s internal SAR-handling approach – including document search processes and internal recordkeeping – that were causing risk. We provided practical recommendations to streamline these steps, enabling the client to respond more confidently and consistently to future SARs and reducing the likelihood of further complaints.

Our practical guidance on responding to complaints can be found here.

What’s the bottom line?

Data protection compliance is not a back-office concern; it is a frontline operational requirement. Whether you are reviewing your policies and procedures or planning for the future, staying one step ahead is the only way to protect your reputation and save you the cost of potential complaints and litigation.

Checklist

Now is a good time to get ready for the June deadline. We recommend:

  1. Implementing a data protection complaints policy – Ensure it’s bespoke and works for you – ripping a generic template from another website simply won’t do
  2. Assigning responsibility for regular review and oversight
  3. Auditing the personal data you process and minimising it where possible
  4. Reviewing your SAR procedures
  5. Updating your marketing processes and consents
  6. Training your team, including volunteers
  7. Planning with sensitivity
  8. Staying informed by monitoring ICO guidance and legal developments.

For further guidance, you should review the ICO website.

Why instruct Tozers?

We pride ourselves on being more than just solicitors; we are your strategic partners. As a top firm for client satisfaction, we’ve built our reputation on listening first and talking second. We specialise in turning legalese into easily actionable and practical steps, ensuring you feel confident and informed at every step of your data protection journey.

Find out more

If you need a carefully crafted data protection complaints procedure for your organisation, speak to us today.
