Key takeaways:
- UK-based organisations must have a procedure to deal with data protection-related complaints.
- Companies must respond to data protection complaints within 30 days of receiving them.
- There must be no “undue delays”; complainants must be kept informed during the process.
New legal requirements that came into force in June mean that UK businesses must establish a data protection complaints process.
All organisations are now legally required to handle data protection complaints under the Data (Use and Access) Act 2025.
The new law says organisations must:
- provide a clear way for people to raise a data-protection-related complaint;
- acknowledge the complaint within 30 days of receiving it;
- take appropriate steps to investigate all cases “without undue delay”, while keeping complainants informed; and
- inform the complainant of the outcome.
The Information Commissioner’s Office is urging small and medium-sized enterprises to refer to its guidance, published in February, and take the necessary steps to comply. It includes practical tips for each stage of the compliance process.
A data-protection complaint refers to an instance of dissatisfaction registered by an organisation’s customer or stakeholder, in which they suggest the organisation has breached data protection legislation in the way it handled their personal information (or the personal information of someone the complainant is representing).
Other possible complaints may relate to:
- the way an organisation responded to a subject access request, or other information rights request;
- the security measures the organisation used to store their information (especially if the complainant has been impacted by a data breach); or
- how an organisation collected or used the complainant’s personal information (where it was stored, how long it was kept for, or its accuracy).
“The level of trust people have in a business is influenced by their perception of how you handle their data,” says David Gomez, ICAEW’s Senior Adviser on Ethics.
“Putting in place appropriate governance frameworks, having an accessible complaints process, and ensuring staff have the relevant training, all contribute to that trust, and are part of promoting an ethical culture within business.”