ICAEW.com works better with JavaScript enabled.

New data protection law: do you have a complaints procedure?

Author: ICAEW Insights

Published: 01 Jul 2026

Since 19 June, all UK-based organisations are legally required to handle data protection complaints and have procedure in place to do so. Find out what you need to know.

Key takeaways:

  • UK-based organisations must have a procedure to deal with data protection-related complaints.
  • Companies must respond to data protection complaints within 30 days of receiving them.
  • There must be no “undue delays”; complainants must be kept informed during the process.

New legal requirements came into force in June which mean that UK businesses must establish a data protection complaints process.

All organisations are now legally required to handle data protection complaints under the Data (Use and Access) Act 2025.

Prefer to listen?

Allow SoundCloud audio

This audio player is provided by Soundcloud, a third-party service. We ask for your permission before anything is loaded as SoundCloud places cookies on our site. For more information on how we handle cookies, please see our privacy policy and cookies policy. To listen to this content on the website, please accept Statistics cookies and continue. Alternatively, you can access ICAEW podcasts on Spotify, Apple podcasts or YouTube.

Disclaimer

This audio file was produced by AI and has been adapted from the original article for audio purposes.

The new law says organisations must:

  • provide a clear way for people to raise a data-protection-related complaint;
  • acknowledge the complaint within 30 days of receiving it;
  • take appropriate steps to investigate all cases "without undue delay”, while keeping complainants informed; and
  • inform the complainant of the outcome.

The Information Commissioner’s Office is urging small and medium-sized enterprises to refer to its guidance, published in February, and take the necessary steps to comply. It includes practical tips for each stage of the compliance process.

A data-protection complaint refers to an instance of dissatisfaction registered by an organisation’s customer or stakeholder, in which they suggest the organisation has breached data protection legislation in the way it handled their personal information (or the personal information of someone the complainant is representing).

Other feasible complaints may relate to:

  • the way an organisation responded to a subject access request, or other information rights request;
  • the security measures the organisation used to store their information (especially if the complainant has been impacted by a data breach); or
  • how an organisation collected or used the complainant’s personal information (where it was stored, how long it was kept for, or its accuracy).

“The level of trust people have in a business is influenced by their perception of how you handle their data,” says David Gomez, ICAEW’s Senior Adviser on Ethics.

“Putting in place appropriate governance frameworks, having an accessible complaints process, and ensuring staff have the relevant training, all contribute to that trust, and are part of promoting an ethical culture within business.”

More support

Resources
A compass indicating North
ICAEW Code of Ethics

ICAEW's Code of Ethics applies to all members, students, affiliates, employees of member firms and, where applicable, member firms, in all of their professional and business activities, whether remunerated or voluntary.

Guidance Download the Code
ICAEW support
A team of people at their desks working on their laptops
Training and events

Browse upcoming and on-demand ICAEW events and webinars considering ethics and professional standards for accoutants.

Events and webinars CPD courses and more
eLearning
ICAEW's Ethics CPD course is designed to help you apply the Code of Ethics to everyday situations and uphold the highest standards of professional conduct.
ICAEW Ethics CPD course

This online course is designed to help you apply the ICAEW Code of Ethics to everyday situations and counts towards your verifiable CPD hours.

Find out more
Open AddCPD icon