From 19 June 2026, UK organisations must have a clear process for handling data protection complaints.
This comes under the Data (Use and Access) Act 2025. The ICO has already published guidance. There are no exemptions. If you collect or process personal data, this applies to you.
What’s Changing?
From June 2026, organisations must:
- Give people a clear way to make a data protection complaint directly to you
- Acknowledge complaints within 30 days
- Respond without undue delay
- Keep people informed
- Tell them the outcome
That covers complaints about:
- Subject access requests
- How personal data is collected or used
- Data retention
- Inaccurate data
- Security concerns or breaches
In short, if someone thinks you have mishandled their data, you must have a formal route for them to complain to you first.
Do You Need a New Policy?
In most cases, no. You do not need a standalone “Data Protection Complaints Policy” page.
You do need:
- A clear complaints route
- A documented internal process
- A small update to your Privacy Policy
For most SMEs, this is a light-touch change – but it must be done.
What We Recommend
Keep it simple. Add a short section to your Privacy Policy. Set up a dedicated email address such as privacy@ or data@. Make sure someone internally owns the process.
Train your team to recognise a data protection complaint. It might not arrive labelled as one.
Log it. Acknowledge it within 30 days. Respond properly.
That is it.
Copy You Can Use in Your Privacy Policy
You are welcome to use or adapt the section below:
Data protection complaints
If you have any concerns about how we collect, use, store or handle your personal information, you can make a data protection complaint by contacting us using the details below:
Email: [insert email address]
Telephone: [insert telephone number]
Postal address: [insert postal address]
Please include enough information for us to understand your concern and investigate it properly. This may include your name, contact details, the nature of your complaint and any relevant correspondence or reference numbers.
We will acknowledge your complaint within 30 days of receiving it. We will then review the matter and respond without undue delay. If we need more information from you, we will let you know.
If you are not satisfied with our response, or you believe your data protection rights have not been properly handled, you also have the right to complain to the Information Commissioner’s Office.
The ICO can be contacted at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Bottom Line
This is not red tape. It is about accountability and protecting your business.
If you handle personal data, you need a clear complaints route before 19 June 2026.
It is a small update, but ignoring it is not an option.
