What the New June 2026 Data Protection Complaint Laws Mean for Your London Business

On 19 June 2026, new data protection complaints requirements under the Data (Use and Access) Act 2025 come into force. From that date, UK organisations that act as data controllers must have a clear process for receiving and handling data protection complaints. There are no exemptions based on business size, sector or the amount of personal data you process.

If a customer, employee, job applicant or other individual believes you have mishandled their personal data and wants to raise that concern with you, you have defined obligations around how you acknowledge, investigate and respond to that complaint.

The rule is more consequential than it may first sound, for two reasons.

First, the scope of what can count as a data protection complaint is broad. It can include concerns about the way you handled a subject access request, how long you kept personal data, how accurate that data was, the security measures you used to protect it, or how you collected and used someone’s personal information. A data breach itself is not automatically a complaint, but someone affected by a breach can complain about the way their information was handled.

Second, the ICO expects organisations to deal with complaints properly before matters escalate. If an individual goes to the Information Commissioner’s Office, the ICO may want to understand what complaint process you had in place, how the complaint was handled, and what records you kept.

This article is informational and is not legal advice. For specific compliance questions around your business, a qualified data protection adviser is the right port of call. What this piece does is explain what the practical obligations are, why they connect to your IT and security posture, and what a sensible response looks like before 19 June.

What the Data (Use and Access) Act Actually Did

The DUAA received Royal Assent on 19 June 2025. It amends the UK GDPR, the Data Protection Act 2018 and related privacy legislation rather than replacing them. Its provisions have been brought into force in stages through commencement regulations. Most of the data protection changes came into force in February 2026, with the complaints handling requirement due to commence on 19 June 2026.

The Act also made a range of other changes worth knowing. It introduced recognised legitimate interests for certain types of processing, clarified aspects of subject access request handling, changed parts of the automated decision-making framework, updated some rules around cookies and tracking, and strengthened the ICO’s enforcement toolkit.

PECR penalties, covering areas such as direct marketing and cookies, have also been aligned with UK GDPR-level maximums of up to £17.5 million or 4% of global annual turnover, whichever is higher. That matters if you send marketing emails, run tracking technologies or rely on consent mechanisms that have not been reviewed for some time. The financial risk has materially increased.

For context on the enforcement environment, the ICO fined Capita £14 million in October 2025 for cybersecurity failures that exposed the personal data of approximately 6.6 million people. The fine was reduced from an initial £45 million, but even at £14 million it is still a serious reminder that the regulator is focused on UK GDPR security failures as well as marketing and cookie compliance. For smaller London businesses, the financial and reputational exposure of a reportable breach is real in ways it was not 5 years ago.

What Changes Specifically From 19 June 2026

Here is the practical checklist. The table below summarises the new requirements against the common SME starting point.

| New requirement | What it means in practice | Common SME starting point |
|---|---|---|
| Clear complaints process | A process for receiving, acknowledging, investigating and responding to data protection complaints | No defined process, handled ad hoc |
| Accept complaints via any channel | People can complain in any way they choose, including social media, verbal complaints and third-party submissions | Only formal written complaints acknowledged |
| 30-day acknowledgment | Receipt must be acknowledged within 30 days | No defined timeline |
| Investigate and respond without undue delay | Appropriate enquiries must be made and the outcome communicated once the investigation is complete | No defined response standard |
| Update privacy notices | People must be told they can complain to you, as well as to the ICO | Privacy notice mentions the ICO only |
| Tell people when responding to SARs | SAR responses must tell individuals about their right to complain | Not currently included in SAR responses |
| Keep internal records | A clear record should show date received, acknowledgment, investigation steps, outcome and closure | No complaint log |
| Train staff to recognise complaints | Staff need to know when a message is a data protection complaint and where to send it | Complaints sit in inboxes or social accounts without escalation |

One point deserves specific attention. Complaints submitted via social media can count. A tweet, LinkedIn message or social media comment expressing dissatisfaction with how you have handled someone’s data may be a data protection complaint. You need a way to catch and process those, not just the letters and emails.

The obligation applies to you as a data controller. If you use a third-party processor, the complaints handling obligation remains with you. Your processor may help you investigate, pass complaints to you, or provide information, but the controller remains responsible for handling the complaint.

A Relatable Example

A London-based recruitment agency processes the personal data of thousands of candidates each year. In the normal run of things, a candidate sends a direct message on X asking why they are still receiving job alerts 2 years after they asked to be removed from the database. In the past, this might have been handled informally, ignored, or referred to the ICO’s website.

From 19 June 2026, that message could be a formal data protection complaint. The agency must acknowledge it within 30 days, investigate what happened to the deletion request, communicate the outcome to the candidate, and keep a record of the interaction. If the agency does not respond adequately, the candidate can escalate to the ICO, and the ICO may ask what the agency did before deciding what to do next.

That is a material change for a business that has never thought of itself as a regulated complaints handler.

The Security Connection

Here is the link that catches most IT-focused businesses off guard. Security concerns can form the basis of a data protection complaint. If you suffer a breach and personal data is exposed, affected customers and staff may raise formal complaints about the way their information was protected and handled.

This creates a direct line between your security posture and your data protection compliance exposure. A business that suffers a ransomware event, exposes credentials through a phishing attack, or experiences unauthorised access through a misconfigured cloud account is not just dealing with an IT problem. It may also be dealing with a reportable breach, individual complaints, and regulatory scrutiny.

That is why IT compliance is not a separate conversation from data protection compliance. They are the same conversation. The same incident that triggers your incident response plan may also trigger complaints from affected individuals. The same controls that prevent the incident in the first place reduce the complaint risk. IT service management is the ongoing discipline that keeps both in order.

The Capita case makes this concrete. The ICO’s investigation found that Capita failed to put appropriate technical and organisational measures in place, which contributed to an attack that exposed data relating to 6.6 million people. The penalty was rooted in data protection security obligations, not simply the fact that a cyber incident happened. Security and data protection are assessed together.

The IT Foundations That Reduce Your Exposure

A few specific controls directly reduce the data protection risk of a security event.

Credential hygiene is one of the most common starting points. The UK Government’s Cyber Security Breaches Survey 2025/2026 found that phishing remained the most prevalent type of breach or attack by far, affecting 38% of businesses and 25% of charities. A successful phish that compromises a mailbox can become a personal data breach if that mailbox holds customer or employee information. Anti-phishing controls, the anti-phishing basics, and the discipline of a written anti-phishing policy all sit inside your data protection posture, not outside it. Knowing how to spot a phishing email, and understanding the risks of business email compromise, are directly relevant here. As a provider of anti-phishing testing to New York and London businesses, we see the same incident-to-complaint chain regularly.

Endpoint security reduces the surface area for any incident. Practical endpoint hardening steps, endpoint security for remote teams, proper device management through Microsoft Intune and modern detection through EDR all reduce the chance of an incident that triggers the complaint chain. Password best practices close the credential gap.

Early warning gives you time to respond. Our guides on dark web monitoring and on what to do if your company credentials appear on the dark web cover the practical steps, and our London dark web monitoring service provides that early signal. The ICO’s 72-hour breach notification clock starts when you become aware of a notifiable personal data breach, not necessarily when the breach first happened, so early detection is directly relevant to your regulatory obligations.

Backup is the recovery mechanism when prevention fails. Microsoft 365 backup and the reasons it matters, cloud-to-cloud backup, and the pitfalls in common cloud backup mistakes all connect here. Google Workspace teams need the same, covered in our Google Workspace backup guide. As a London Microsoft 365 support provider, we treat data recovery capability as part of the compliance picture. Testing whether you can actually restore matters not just for continuity but for demonstrating that you take data protection seriously.

Security testing demonstrates that your controls are real. Understanding what network penetration testing involves, why penetration testing matters in cybersecurity, and how often you should run it all give you tested evidence rather than declared evidence. The ICO has shown it investigates whether organisations had appropriate security measures in place, not just whether they had a policy saying they would. Cyber Essentials accreditation gives you a recognised benchmark to point at.

The Complaints Process Itself: What to Write Down Before 19 June

Even for smaller businesses the required process is not complex. It should be clear, assigned to a responsible person, and easy for individuals to understand. A short written procedure is the most practical way to evidence this.

Your process should cover:

  • How an individual can make a complaint, with an electronic option available and every channel accepted, including social media.
  • Who in your business receives and logs the complaint.
  • How you acknowledge receipt within 30 days, including what the acknowledgment says.
  • How you verify identity or authority where needed.
  • How you investigate, who does it, and what they look at.
  • How you keep the complainant informed if the matter takes time.
  • How you communicate the outcome without undue delay.
  • Where the complaint record is kept and who maintains it.
  • How staff should escalate messages that may be data protection complaints.

The ICO has published guidance for organisations on the new requirements, available at ico.org.uk, and it is worth reading the source rather than relying solely on summaries. The guidance is clear that the process must help people complain to you, not simply exist as an internal document no one can find.

Cross-Border and Multi-Site Realities

If your business operates in more than one country, the DUAA applies where your processing falls under the UK GDPR. If you also process personal data under the EU GDPR through a European office or establishment, you may have overlapping regimes, different regulators and different procedural expectations. The timing is unfortunate, but the approach is similar: a clear complaints process, documented responsibilities, properly trained staff, and country-specific details reflecting the relevant supervisory authority.

We support businesses navigating this through our European support services and our work as a multinational IT support company. Platform consolidation is often the point where data flows, retention policies and processing activities get properly inventoried, which is exactly what our platform migration services build in. Our consulting team can help you scope the data protection picture across your estate, and our security services, alongside the full range of services we offer as a managed IT support services company, cover the technical side. The case for handing the operational layer to a capable provider is set out in our pieces on the benefits of outsourcing your IT to an MSP and why businesses should consider an MSP for their IT needs. IT compliance matters in every geography you operate in, and our tips for securing your small business network cover the technical fundamentals wherever your offices are.

Frequently Asked Questions

Does the new complaints process apply to small businesses?

Yes. The ICO has confirmed there are no exemptions based on size, sector or the volume of personal data processed. Organisations that are data controllers under the UK GDPR must have a process for handling data protection complaints from 19 June 2026.

What counts as a data protection complaint?

A data protection complaint is a concern that you may have infringed data protection legislation in the way you handled someone’s personal information. This can include complaints about subject access requests, other rights requests, security measures, data accuracy, data retention, how information was collected, or how it was used. The individual does not need to quote the law or use technical legal language.

What happens if we do not have a process in place?

You risk breaching the new statutory requirement. If a complaint escalates to the ICO, the absence of a clear process, poor records, delayed acknowledgment or weak investigation is unlikely to help your position. The practical risk is not just enforcement, but also a loss of trust with customers, employees and applicants.

Does a complaint submitted via social media count?

Yes, it can. The new rules require organisations to accept complaints regardless of how they are submitted. A message on X, LinkedIn or any other platform expressing concern about data handling is potentially a formal complaint that triggers your obligations. However, you should not respond with sensitive details on social media. Ask for a secure alternative contact method instead.

Does a security breach automatically trigger the new complaints process?

Not automatically. A personal data breach may separately trigger ICO notification duties if it is likely to result in a risk to people’s rights and freedoms. However, affected individuals can also raise a data protection complaint about how their information was protected or how the incident was handled. If they do, the complaint process applies alongside any breach response obligations.

Is this a UK-only requirement or does it affect our EU operations too?

The DUAA is UK legislation and applies where UK data protection law applies. If you also have EU operations, those may sit under the EU GDPR and the relevant EU supervisory authority. The two regimes are similar in many respects, but they are not identical, so multi-site businesses should make sure their procedure reflects the correct regulator and jurisdiction.

The Sensible Next Step

Before 19 June 2026, which is 10 days away at the time of writing, you need three things in place:

  • A clear data protection complaints procedure.
  • A named person or team responsible for receiving and logging complaints.
  • An updated privacy notice that tells people they can complain to you directly, with the channel clearly stated.

You should also make sure staff know what a data protection complaint looks like. A complaint may arrive through a sales inbox, a support ticket, a LinkedIn message, a phone call, or a conversation with HR. If staff do not recognise it, the 30-day acknowledgment clock may still be running.

If you would like help thinking through how your IT and security posture connects to your data protection exposure, or you want a conversation about what a security incident response looks like under the new complaint framework, speak to Northern Star. We cannot replace your legal adviser on the compliance side, but we can help make sure the IT foundations are solid enough that a complaint prompted by a security incident is not where this conversation ends up.