On 12 February 2026, the Information Commissioner’s Office (“ICO”) published new guidance on “How to deal with data protection complaints” (“Guidance”). This Guidance concerns the process that controllers must establish for handling data protection complaints, which is newly introduced under the Data (Use and Access) Act (“DUAA”). While the legislative provision introduced by the DUAA itself is relatively simple and abstract, the Guidance sets out in detail what controllers must, should and could do to ensure compliance.
All controllers, with no exemptions, must have a complaints handling process in place by the time the new requirements take effect on 19 June 2026, as the rule applies to complaints received by the controller on or after that date. Whilst that will require some internal process engineering and governance, there is an upside: a robust process may reduce the likelihood of individuals going to the ICO before the organisation has had a chance to resolve the issue (which the Guidance repeatedly highlights as a benefit of having the process) and may, as a result, reduce the likelihood of regulatory action.
Set out below is a summary of the key points from the Guidance and the necessary actions for organisations based on it:
What counts as a data protection complaint?
An individual can complain whenever they consider that an organisation has infringed data protection legislation in the way it has processed their personal data. In practice, this means a wide range of issues concerning data may fall within scope, including concerns about: how a subject access request or other rights request has been handled; the security measures used to store personal data (including where someone has been affected by a data breach, whether or not it is reportable to the ICO); and how personal data has been collected, used, stored, retained or kept accurate.
Preparing to handle complaints
Organisations must give people a way to complain directly to them, but have flexibility in how they do this. Options include complaint forms (online or paper), a dedicated email address, telephone complaints, an online portal, live chat with escalation to a human, or in‑person routes. Existing complaints tools can be adapted; there is no requirement for a standalone data protection complaints system. However, organisations must accept complaints made through any channel, including to any member of staff.
Organisations must also inform individuals that they can complain to the organisation and to the ICO at the point of data collection and when responding to subject access requests.
The ICO highlights several specific areas:
- Social media – Complaints can be made via social media where an organisation has an online presence. Organisations will need to review social media team engagement guidelines to ensure that teams are able to identify and escalate complaints through the proper channels. This should involve moving the conversation to a more secure channel by asking for an alternative contact method.
- Children – Children have the same rights as adults but merit specific protection. Organisations should respond in plain, clear language and assess the child’s competence to understand and exercise their rights. Where the age appropriate design code applies, organisations should provide mechanisms for children to complain, allow them to flag urgency, prioritise accordingly and act swiftly where safeguarding issues are indicated.
Organisations should also:
- put in place proportionate processes to verify a complainant’s identity and, where relevant, the authority of someone acting on another’s behalf (e.g. power of attorney or letter of authority). This will be particularly important where complaints are received through social media channels;
- consider how data protection complaint handling interacts with other legal frameworks (such as equality and discrimination law);
- ensure record keeping systems are fit for purpose so that relevant information can be located quickly and to evidence what has been done;
- train staff so they can recognise data protection complaints and know how and where to escalate them; and
- ensure that joint controller arrangements and controller–processor contracts cover complaint handling.
The ICO encourages organisations to adopt a written complaints procedure, which can be published (for example on a website) and/or used internally.
Handling complaints in practice
Once a complaint is received, organisations must acknowledge it within 30 days. The acknowledgement should confirm receipt and that the organisation will look into the matter. The method of acknowledgement can mirror the channel used by the complainant (subject to equality requirements), though social media should not be used to provide substantive information for security reasons.
The obligation to investigate arises as soon as the complaint is received. Organisations must make appropriate enquiries “without undue delay”, meaning without unjustifiable or excessive delay. The ICO expects organisations to gather relevant information, review the facts thoroughly, speak to relevant staff, compare the complaint with information held, and check compliance with internal policies and standards.
The general accountability principle under the GDPR will require organisations to create records of how they have investigated complaints and reached the final outcome. These records will also be needed to ensure that the organisation provides the necessary information to individuals on conclusion of the complaints process (see below). In doing so, organisations should also consider how and when to seek to maintain legal privilege in these records, for example by reviewing and updating evidence collection procedures, document retention and creation notices, and communication protocols to ensure the protection of legal privilege where applicable. These practices will need to be considered carefully in light of what is mandated – for example, the requirement to record “relevant conversations and documents” involved in assessing a complaint, and the ICO’s expectation that it may “ask to see this”.
Throughout the process, organisations must keep complainants informed of progress without undue delay, typically by updating them on expected timeframes and explaining any delays.
Outcomes and interaction with the ICO
Once an investigation is complete, organisations must communicate the outcome to the complainant without unjustifiable or excessive delay. The outcome should clearly explain what has been done to resolve the complaint and any actions taken. Where the organisation considers it has complied with data protection law, it should explain this in sufficient detail for the complainant to understand how the conclusion was reached.
If someone indicates they are complaining to the ICO, there is no need to notify the ICO proactively; the ICO will contact the organisation if it requires information. The ICO notes that, in most cases, if an individual complains to the ICO about how their personal data has been processed, the ICO will first ask them to raise the matter with the organisation directly.
What organisations should do now
Based on the Guidance, key preparatory steps for organisations are likely to include:
- setting up a way for individuals to complain and an internal process to handle complaints;
- drafting or updating relevant policies and procedures (including, where necessary, detailed standard operating procedures and customer service scripts);
- putting in place an appropriate record‑keeping system for complaints;
- providing training so that employees can recognise and escalate data protection complaints;
- updating the privacy notice to explain how individuals can complain to the organisation;
- updating contracts with joint controllers and processors, as necessary, to address complaint handling; and
- updating the record of processing activities to reflect the data processing activities relating to data protection complaints.
It is key that organisations consider the detail of this preparation to ensure the process is practically workable, so that they can handle complaints without undue delay and reduce the risk of escalations to the ICO.


