ICO Guidance: Data Protection Complaints Process

ICO GDPR Guidance

Published June 19th, 2026

Detected February 13th, 2026

Email Set alert

Summary

The UK's Information Commissioner's Office (ICO) has published new guidance detailing requirements for organisations to establish a data protection complaints process. These requirements, stemming from the Data (Use and Access) Act 2025, will become legally effective on June 19, 2026, but are presented as good practice in the interim.

View original document View source feed page

What changed

The ICO has issued new guidance outlining mandatory requirements for organisations to implement a data protection complaints process, as mandated by the Data (Use and Access) Act 2025. Key obligations include providing a mechanism for complaints, acknowledging receipt within 30 days, investigating and responding without undue delay, and communicating the outcome. While the legal enforcement date is June 19, 2026, the ICO encourages adherence to these guidelines as good practice immediately.

Organisations must establish and maintain a process for handling data protection complaints, with no exemptions. This guidance details what organisations 'must', 'should', and 'could' do to comply. 'Must' refers to legislative requirements, while 'should' indicates expected good practice. Compliance with these requirements is crucial to avoid potential regulatory scrutiny and ensure adherence to data protection laws. The guidance provides practical advice on preparing for and managing these complaints effectively.