UK: Data Protection: New Complaints Process
Authors: Stephen Miller, Corinna Harris, Sophie Jackson, & Charlotte Stern
The Information Commissioner’s Office (ICO) guidance sets out how organisations should handle data protection complaints.
A data protection complaint arises where an individual believes their personal data has been mishandled (e.g. in relation to how their personal data has been collected, used or stored, or to the organisation’s response to their subject access request).
Employers must ensure they have a complaints process which is easily accessible for staff and includes:
- Acknowledging receipt within 30 days: Complaints must be acknowledged within 30 days of receipt (starting the day after receipt). The ICO does not prescribe a specific method – in practice, this can be done via the same channel used by the complainant unless requested otherwise.
- Investigating the complaint without undue delay: Investigations should begin when the complaint is received and must be conducted without “unjustifiable or excessive delay”. Enquiries should be appropriate to the circumstances and capable of justification. Timescales will vary depending on complexity and any ongoing impact on the complainant.
- Providing an outcome to the complainant without undue delay: The outcome must be communicated clearly, explaining the findings and any action taken. If the complainant is unhappy with the outcome, consider providing more detail or clarifying the decision. It is also good practice to provide details about how to complain to the ICO.
- Record-keeping: Maintain clear records of how complaints are dealt with, including the dates the complaint was received and acknowledged, and details of the investigation steps and outcomes.
Key Action Points for Human Resources and In-house Counsel
Having a well‑managed complaints process will be critical to compliance and to reducing the risk of escalation to the ICO.
Employers should also:
- Update privacy notices so staff are aware of their right to make a complaint
- Train staff to identify and triage data protection complaints appropriately
- Ensure complaints are handled consistently