What Happens if You Don’t Have a Data Protection Complaints Policy?

The Data Use and Access Act 2025 (“the Act”) has signalled a new wave of data protection compliance in the UK, including a requirement for all data controllers to provide data subjects with a way of making data protection complaints. From June 2026, complaints handling will no longer be an optional administrative process but will become a strict legal requirement. 

For more information on the new data protection complaints rules, please see our insight here.

This insight breaks down the implications for your organisation should you fail to put in place a data protection complaints policy, including setting out the regulatory enforcement powers of the Information Commissioner’s Office (“ICO”), as well as the legal, reputational, and financial risks to your organisation.

Quick recap: What is changing in June 2026?

From June 2026, all organisations ‘must facilitate the making of complaints … by taking steps such as providing a complaint form which can be completed electronically and by other means’ (Section 103 of the Act).

The ICO has provided guidance on the new rules, explaining that data controllers must:

  1. Provide a clear channel for individuals to make data protection complaints
  2. Acknowledge receipt of complaints within 30 days
  3. Act without undue delay to take appropriate steps, including making necessary enquiries and keeping the individual informed of progress
  4. Communicate the outcome to the individual without undue delay.

Whilst this provides organisations with a degree of flexibility in how you choose to handle data protection complaints, we recommend that you have a formal, standalone and documented complaints policy to:

  1. Facilitate the complaints process
  2. Help demonstrate compliance with the new rules
  3. Resolve issues promptly and proportionately to reduce the risk of escalation to the ICO or litigation.

What happens if you do not have a data protection complaints policy?

The law is clear: from June 2026, all organisations must have a process for handling data protection complaints – with no exemptions. Failure to do so carries significant consequences for your organisation, including:

1. Exposure to ICO enforcement powers

Because it will become a legal obligation to implement an appropriate complaints policy, failure to comply will not be treated as merely poor practice but as a breach of data protection law. This exposes your organisation to the full enforcement toolkit of the ICO, which has various powers to penalise non-compliance.

Tools at their disposal include:

  1. Issuing information notices requiring you to explain your data protection processes
  2. Issuing assessment notices to inspect your policies and practices
  3. Serving enforcement notices requiring you to implement a data protection complaints policy
  4. Imposing monetary penalty notices (of up to £500,000) for non-compliance

Conversely, a robust process may reduce the likelihood of individuals prematurely escalating matters to the ICO before you have had an opportunity to resolve the issue (a benefit the guidance repeatedly highlights) and may, therefore, serve to reduce regulatory action.

2. Litigation exposure

Without a clear internal complaints route, individuals are far more likely to seek external redress through legal action.

This risk is significantly heightened in light of Farley v Paymaster. In this case, the Court of Appeal rejected the respondent’s assertion that it was “entirely irrational” for data subjects to experience anxiety, alarm and distress at the possibility of their personal data coming into the hands of a third party. Crucially, the Court of Appeal moved away from a strict 'threshold of seriousness', where it was previously perceived that trivial data protection claims could be struck out at an early stage.

Consequently, data subjects may bring data breach claims, even where potential compensation is modest.

By resolving concerns early, organisations can prevent issues from escalating into formal claims and reduce the risk of becoming embroiled in costly, time-consuming litigation.

3. Reputational damage

A clear and well-organised complaints process can also act as a shield for your organisation’s reputation. Whilst regulatory penalties can be significant, the damage caused by appearing careless with individuals’ personal data is often far more detrimental.

In a digital age, individuals pay far closer attention to how their data is being handled and whether it is protected. One only has to consider recent data breaches and the significant reputational risk they have posed to businesses on a national scale. Anyone can access ICO enforcement action decisions – they are all published online: https://ico.org.uk/action-weve-taken/enforcement/.

Implementing a formal procedure creates a mutual relationship of trust and confidence, demonstrating to clients, employees, and regulators that your organisation treats data protection accountability and transparency seriously.

4. Cost of responding reactively

Proactive planning is almost always less costly than responding to a data protection complaint reactively. In our experience, responding to a complaint without a formal policy often leads to:

  1. Inconsistent outcomes that invite further scrutiny
  2. Wasted management time “reinventing the wheel” for every query
  3. Increased legal fees should a data subject decide to formally escalate a complaint

By establishing a clear framework, your organisation shifts from a defensive, emergency response footing to a controlled, predictable model of managing data protection complaints.

Conclusion

A complaints procedure will soon become an essential component of data protection compliance in the UK. However, implementing a data protection complaints policy should not be viewed as another administrative burden, but as a strategic investment. A robust policy can help you avoid costly claims, reduce complaints being raised with the ICO, protect your reputation, and build trust with customers in an era where data is both an asset and a liability.

Why instruct Tozers?

At Tozers, we understand the complexities of data protection and the importance of staying ahead of regulatory changes. We pride ourselves on being more than just solicitors; we are your strategic partners. As a top firm for client satisfaction, we’ve built our reputation on listening first and talking second. We specialise in turning legalese into easily actionable and practical steps, ensuring you feel confident and informed at every step of your data protection journey.
