New Requirement for Handling Data Protection Complaints under the
Data (Use and Access) Act 2025
What’s changing?
From 19th June 2026, the Data (Use and Access) Act 2025 introduces a new legal requirement for all UK organisations to have a clear process in place for handling data protection complaints.
This requirement is confirmed in the ICO’s Complaints Guidance for Organisations, which makes clear that:
- There are no exemptions, the duty applies to all organisations, regardless of size or sector
- The new rules apply alongside (and amend) the UK GDPR and Data Protection Act 2018, rather than replacing them
- The changes are being phased in over a 12‑month period following Royal Assent on 19th June 2025
What is a “data protection complaint”?
A data protection complaint can be raised by any individual who is unhappy with how an organisation has handled personal data; either their own, or data they are acting on behalf of someone else.
Common examples include complaints about:
- how a subject access request (SAR) was handled
- delays or failures to respond to data rights requests
- concerns following a personal data breach
- how personal data has been used, shared, stored, retained, or kept accurate
Importantly, individuals do not need to use legal language or quote legislation for something to count as a data protection complaint.
What must organisations do from 19th June 2026?
From that date, organisations will be legally required to:
- Provide a way for people to make data protection complaints
- This could be via email, online form, phone, post, or another accessible route
- Acknowledge receipt of a complaint within 30 days
- Respond without undue delay, which includes:
- making appropriate enquiries
- keeping the complainant informed about progress
- Tell the individual the outcome of their complaint without undue delay
These are statutory requirements under the Act, reflected directly in the ICO’s guidance.
Do organisations need a new complaints system?
No. The ICO is clear that:
- There is no requirement to set up a separate or standalone complaints tool
- Existing complaints or customer/HR processes can be adapted, provided they fully cover data protection complaints and allow the organisation to meet its obligations
- Organisations are free to decide what mechanism works best for them, so long as it is accessible, effective, and timely
However, organisations must still accept complaints however they are received, even if the individual does not use the “preferred” channel.
What this means in practice for schools and trusts
For schools, academies and MATs, this is unlikely to require a complete overhaul, but it does require conscious design and clarity.
Practical steps to take now
Schools and trusts should consider:
- Reviewing existing complaints procedures
- Is it obvious how a data protection complaint would be raised?
- Does the process clearly distinguish between parental complaints, grievances, and data protection complaints?
- Linking data protection complaints to privacy notices
- Parents, staff and pupils should be told how to complain about data protection issues within existing privacy information
- Training staff to spot data protection complaints
- Especially office staff, HR, IT, and senior leaders who may receive complaints informally
- Ensuring timescales are realistic
- Acknowledgement within 30 days
- Investigation and outcome without “undue delay”
- Confirming who owns the process
- DPO, central trust team, or named lead
- Clear escalation route if issues indicate wider compliance risk or ICO notification
Handled well, the new regime should help schools resolve issues directly and early, reducing the likelihood of escalation to the ICO, which is a benefit explicitly recognised in the ICO’s guidance.
Legal Connect Masterclass Series >>
Legal Connect Employment Rights Act 2025 Implementation Service >>
