UK GDPR Complaints: 2026 Update

From 19th June 2026, any organisation which controls data must have in place a data protection complaints process. Failure to do so is likely to result in a complaint to the Information Commissioner's Office, which has the power to fine for non-compliance. What does all this mean for organisations?

What is a data protection complaint?

Any complaint made to an organisation by an individual about anything concerning that individual’s data. This is most likely to be about things such as:

  • How the data has been handled,
  • How the data is kept secure,
  • The way in which a subject access request has been responded to,
  • Breach of any data rights.

How is the complaint to be made to you?

It is up to you to decide how that complaint is to be made to you. You could have a paper or an online report form; an email or an online portal may be sufficient; or you could deal with it by telephone. Whatever way you choose, it must be readily available to those who would make a complaint. This would best be set out in any privacy notice which you provide to individuals, or within an existing complaints policy which you may already publish on your website.

However, despite all this, anyone who is making a complaint does not have to use that procedure!  They can complain in any way that they wish and that includes posting a request on your social media page, so make sure you have a procedure in place to check any posts that are made and that they can be promptly escalated.

Do not forget, any employee whose data you hold will also have a right to complain to you, and you may wish to consider a separate complaints procedure for them. It is always worth considering a separate internal privacy statement too.

Whenever a complaint is made, do take reasonable steps to check the identity of the complainant – something which is especially important if it is made online.

What are the time periods for dealing with the complaint?

Whilst you must acknowledge any complaint, however received, within 30 days of receiving it, you must complete your enquiries and respond “without delay”. There is no guidance as to how long this critical time period actually is. However, on the basis that subject access requests must be complied with “without undue delay” and, at the latest, within one calendar month of receipt, I think that the ICO will, in simple cases, be looking at a similar time period of a month. It is incumbent on you to justify how long you take, and the key here is to bear in mind that you are not required to take any steps which are “unreasonable” or “disproportionate”; that depends, amongst other factors, on the complexity of the complaint and the amount of data held. You will need to update the complainant as to how long it is going to take and any changes that occur to the estimate.

It's always a good idea to keep notes about the steps you take to investigate the complaint and any problems you encounter, so that, should there be an issue with the time period, you can produce evidence showing what caused the delay.

The result of the complaint

Your response to the complaint should give an explanation of any action taken by you to remedy the complaint and must include a reminder that the complainant can take the matter to the ICO if they remain unhappy with the outcome.

What you should be doing now:

  • If you have not got a complaints policy and procedure in place yet, then start putting one in place now. Do not forget that it needs to include a way to check the complainant’s identity.
  • Train staff to deal with queries or oral complaints, so they know where to redirect them. Don’t forget that these complaints can be made via social media, so have someone who can spot them.
  • Consider if you need a different policy or privacy statement for your employees.
  • Publish your complaint procedures by amending your privacy statement and/or adding to an existing complaints procedure. It is always best to ensure these are easily available and can be found on your website or sent out with any terms of business.

If you have any questions about these changes, please contact John.Grace@mogersdrewett.com


Mogers Drewett
