[codicts-css-switcher id=”346″]

Global Law Experts Logo
how to deal with data protection complaints

Our Expert in United Kingdom

How to Deal with Data Protection Complaints (UK), DUAA Section 164A Compliance

By Global Law Experts
– posted 1 hour ago

Understanding how to deal with data protection complaints is now a statutory obligation for every UK controller. The Data (Use and Access) Act (DUAA) inserted Section 164A into the Data Protection Act 2018, and this provision came into force on 19 June 2026. It creates a formal, enforceable duty requiring organisations to operate an accessible complaints process, acknowledge complaints within a defined timeframe, investigate them properly, and communicate outcomes to data subjects. This guide gives data protection officers, general counsel, compliance managers and operational teams the concrete steps, timelines, specimen wording and templates needed to build a compliant data protection complaints process from scratch, or pressure-test an existing one against the new requirements.

Effective date: 19 June 2026

Legislation: Data Protection Act 2018, Section 164A (inserted by the Data (Use and Access) Act)

Regulator guidance: ICO, “How to deal with data protection complaints”

TL;DR, Six-step data protection complaints process

  1. Receive, Provide accessible channels (online form, email, post) and log every complaint on receipt.
  2. Acknowledge, Confirm receipt to the complainant within 30 days.
  3. Investigate, Gather evidence, coordinate with processors, assess against UK GDPR obligations.
  4. Update, Keep the complainant informed at regular intervals during prolonged investigations.
  5. Respond, Issue a written outcome (upheld, partially upheld or refused) with reasons and remediation.
  6. Record & learn, Log all steps, update policies and inform the complainant of their right to escalate to the ICO.

Legal Background: DUAA, Section 164A and UK GDPR Context

The UK General Data Protection Regulation (UK GDPR) has long required controllers to facilitate the exercise of data subject rights, and Article 77 of the UK GDPR preserves every data subject’s right to lodge a complaint with the Information Commissioner’s Office (ICO). What Section 164A of the Data Protection Act 2018 adds is a new, explicit obligation directed at controllers themselves: they must provide and operate a complaints procedure that data subjects can use before, or instead of, approaching the regulator. This “controller-first” route aligns with ICO expectations set out in its published guidance on handling data protection complaints.

What Section 164A Requires in Plain English

Section 164A of the Data Protection Act 2018 imposes three core duties on controllers:

  • Accessibility: Controllers must make available an accessible means for data subjects to raise complaints about the processing of their personal data. This includes electronic channels, a web form or dedicated email address, for example, and must not create unnecessary barriers.
  • Acknowledgement: Complaints must be acknowledged within 30 days of receipt. The ICO’s guidance on how to deal with data protection complaints confirms this timeframe.
  • Substantive response: Controllers must investigate the complaint and provide the complainant with an outcome, together with information about their right to complain to the ICO if dissatisfied.

Who Is a “Controller” Under This Duty?

The duty in Section 164A applies to any person or organisation that determines the purposes and means of the processing of personal data, in other words, any “controller” as defined in UK GDPR Article 4(7). This covers private companies, sole traders, charities, public authorities and any other body that acts as a controller. Processors (those processing data on behalf of a controller) are not directly subject to Section 164A, although, as discussed below, contractual data processing agreements (DPAs) should allocate complaints-handling responsibilities clearly between controller and processor.

The Principle Compliance Decision

Before drafting procedures, every organisation should answer one question: Can we demonstrate that we can receive, investigate, respond to and record data protection complaints in line with Section 164A within the required timelines? If the answer is no, or uncertain, use the following decision checklist to identify gaps.

  • Do we have at least one accessible complaints channel published in our privacy notice?
  • Is there an automated or manual acknowledgement workflow that meets the 30-day statutory window?
  • Have we assigned clear internal roles (front line, DPO, legal, IT, HR) for investigating complaints?
  • Do our processor contracts require cooperation on complaints investigations?
  • Do we have a complaints log with minimum required fields and a defined retention period?
  • Does our outcome letter template include ICO escalation wording?

If any of these items is missing, the step-by-step process below will address each gap in sequence.

Step-by-Step Data Protection Complaints Handling Process

This core section operationalises the data protection complaints process required by Section 164A. Each step includes practical guidance and specimen wording that can be adapted for your organisation.

Step 1, How to Receive Complaints

Section 164A requires controllers to provide an accessible way for data subjects to complain. The ICO’s guidance recommends offering multiple channels wherever practicable. At a minimum, organisations should provide:

  • Online form: A dedicated complaints form on the privacy or contact page of your website. Include fields for the complainant’s name, contact details, a description of the issue, the approximate dates of the processing complained about, and any previous correspondence reference.
  • Email: A monitored, published email address (e.g., privacy-complaints@[yourdomain].co.uk) separate from general enquiries.
  • Post: A physical address for written complaints, essential for accessibility and for individuals who may not have reliable internet access.

Evidence capture begins the moment a complaint arrives. Assign each complaint a unique reference number, record the date and time of receipt, the channel used, the identity of the complainant (verified where necessary), and the category of complaint (e.g., subject access request delay, marketing objection, data accuracy, unlawful disclosure). This log forms the foundation of your audit trail.

Step 2, Acknowledgement

The 30-day acknowledgement window is the headline compliance obligation under Section 164A. The ICO’s guidance confirms that controllers should send a written acknowledgement within this period. Industry observers expect the ICO to treat the 30-day window as a hard ceiling rather than a target, so best practice is to acknowledge far sooner, ideally within 5 working days.

Specimen acknowledgement, short form (automated):

Dear [Name],

Thank you for your complaint dated [date], received on [date received]. Your reference number is [REF-XXXX]. We are reviewing your concerns and will provide a substantive response without undue delay. If you have further information to add, please reply to this email quoting your reference number.

Yours sincerely,
[Organisation] Privacy Team

Specimen acknowledgement, extended form (manual, for complex matters):

Dear [Name],

We acknowledge receipt of your data protection complaint dated [date] (reference [REF-XXXX]). We understand your complaint relates to [brief summary of issue]. Our Data Protection Officer will oversee the investigation. We aim to provide you with a full written outcome within [target, e.g., 45 calendar days]. If the investigation requires longer, we will update you at least every [14/21] days. In the meantime, please do not hesitate to contact us at [email/phone] if you have additional information.

Yours sincerely,
[DPO name / Privacy Team]

Step 3, Investigation

Once acknowledged, the complaint must be investigated thoroughly. The ICO expects controllers to examine the relevant facts, assess whether their processing complied with UK GDPR principles, and document each investigative step. A practical investigation checklist includes:

  1. Identify the personal data and processing activities at issue.
  2. Determine the lawful basis relied upon for the processing.
  3. Review internal records: consent logs, privacy notices in force at the time, DPIAs, correspondence.
  4. If a processor is involved, request relevant information under the data processing agreement, DPA cooperation clauses should require the processor to respond within a specified timeframe (typically 10 working days).
  5. Interview relevant staff members where necessary and document statements.
  6. Assess whether a personal data breach occurred and, if so, whether it was reported appropriately.
  7. Prepare a written investigation summary for the DPO or decision-maker.

Step 4, Keeping the Complainant Updated

For investigations that extend beyond the initial target in your acknowledgement letter, the ICO’s step-by-step guide recommends keeping the complainant informed. Good practice is to provide written updates at intervals of 14 to 21 days during prolonged investigations. Each update should briefly describe what stage the investigation has reached, explain any reason for delay, and restate the expected timeline for a final outcome.

Step 5, Outcome Letter

The outcome letter is the single most important document in the data protection complaints process. It must explain what the organisation found, what action (if any) it will take, and what the complainant can do next. Tailor the letter to one of three outcomes:

  • Complaint upheld: Acknowledge the failing, describe the remediation (deletion of data, correction, staff retraining, updated procedures), apologise where appropriate, and confirm the timeline for remediation.
  • Complaint partially upheld: Identify which aspects were substantiated and which were not. Describe remediation for the upheld elements and explain reasoning for the rejected elements.
  • Complaint not upheld: Provide a clear, evidence-based explanation of why the processing was lawful and proportionate. Avoid generic or dismissive language.

Every outcome letter must include the following escalation wording (or its substantive equivalent):

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). You can do so via the ICO website at ico.org.uk, by telephone on 0303 123 1113, or by post to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

Step 6, Lessons Learned and Remediation Logs

Closing a complaint does not end the compliance obligation. Record the final outcome and remediation actions in the complaints log. Schedule a review to confirm that any promised changes (updated privacy notice, revised data retention schedule, additional staff training) have been implemented. Where complaints reveal a systemic issue, for example, repeated failures to respond to subject access requests within the statutory timeframe, escalate to senior management and update relevant policies. This continuous-improvement loop is central to demonstrating UK GDPR complaints handling maturity if the ICO audits your organisation.

Roles, Responsibilities and Internal Governance

Roles Matrix

Role Responsibility in complaints process
Front-line staff / customer services Receive complaints, log them, issue automated acknowledgement, escalate to DPO within 2 working days.
Data Protection Officer (DPO) Triage complaint, assign to relevant business unit, oversee investigation, draft or approve outcome letter, maintain complaints register.
Legal / compliance Advise on lawful basis, assess regulatory risk, review outcome letters for complex or high-risk complaints, liaise with external counsel where necessary.
IT / information security Provide technical evidence (access logs, system configurations, breach forensics), support data retrieval for investigations.
HR Handle employee-related complaints (workplace monitoring, recruitment data), manage disciplinary aspects where staff conduct caused the complaint.
Senior management / board Receive quarterly complaints summary, approve policy changes arising from systemic findings, allocate resources for remediation.

Controller vs Processor, Contractual Allocation

Where a controller uses processors, the data processing agreement should include clauses that address complaints cooperation. Recommended provisions include:

  • The processor must notify the controller of any complaint received directly from a data subject within 48 hours and redirect the complainant to the controller’s published complaints route.
  • The processor must provide all information reasonably required by the controller to investigate a complaint within 10 working days of a written request.
  • The processor must preserve relevant records (access logs, processing records) for the duration of the investigation and for an agreed retention period thereafter.
  • The controller retains sole responsibility for issuing acknowledgement and outcome letters to the complainant.

Escalation and Disciplinary Considerations

Where an investigation reveals that a staff member deliberately or recklessly caused a data protection breach that prompted the complaint, the matter should be escalated through your organisation’s disciplinary procedure. Ensure this process is documented and that the complaints log records the escalation, this demonstrates to the ICO that your organisation takes complaints seriously and acts on root causes.

Timelines, SLAs and Required Records for Data Protection Complaints

Getting timelines right is essential to compliant UK GDPR complaints handling. The table below maps each obligation to a responsible party and a recommended timeframe, drawing on Section 164A of the Data Protection Act 2018 and ICO guidance.

Obligation / task Who is generally responsible Recommended target / timeframe
Acknowledgement of complaint Controller (front-line or automated system) Within 30 days of receipt (statutory acknowledgement window). Best practice: within 5 working days.
Investigation and evidence gathering Controller (DPO + relevant business unit); coordinate with processors Start immediately upon acknowledgement. Substantive reply without undue delay. Recommend interim updates every 14–21 days for prolonged matters. Target full outcome within 45–60 calendar days for complex complaints.
Outcome letter Controller (DPO or legal, depending on complexity) As soon as investigation concludes. Include ICO escalation wording.
Recordkeeping and logging Controller (compliance / risk) Log on receipt: date received, channel, complaint category, investigation steps, outcome, outcome send date. Retain for audit, recommended 3–6 years depending on organisation’s retention schedule.

A note on breach reporting vs complaints handling: The obligation to report a personal data breach to the ICO within 72 hours (under UK GDPR Article 33) is separate from the complaints-handling duty in Section 164A. A complaint may reveal a breach that triggers reporting obligations, but the two processes run in parallel, do not conflate their timelines.

Your complaints log should capture, at a minimum, the following fields: unique reference number, date of receipt, complainant name and contact details, channel used, complaint category, assigned investigator, key investigation dates, outcome (upheld / partially upheld / not upheld), date outcome sent, remediation actions, and date the matter was closed.

Privacy Notice and Public-Facing Wording Updates

Section 164A makes little practical sense if data subjects do not know the complaints route exists. Privacy notice updates for 2026 should include clear wording directing individuals to the controller’s complaints process. The ICO expects this information to sit prominently within your privacy notice, not buried in a footnote.

Specimen privacy notice wording, short form (website footer or contact page):

If you have a complaint about how we handle your personal data, please contact our Privacy Team at [email] or use our online complaints form. We will acknowledge your complaint within 30 days and investigate it promptly. If you are not satisfied with our response, you can complain to the Information Commissioner’s Office (ICO) at ico.org.uk.

Specimen privacy notice wording, long form (full privacy policy):

How to complain. You have the right to make a complaint about our processing of your personal data. To do so, please contact our Data Protection Officer at [email / postal address / online form URL]. We will acknowledge your complaint within 30 days and aim to provide a full written response without undue delay. Our complaints procedure is set out in our Data Protection Complaints Policy [link]. If you remain dissatisfied after we have investigated your complaint, you have the right to lodge a complaint with the Information Commissioner’s Office: ico.org.uk | 0303 123 1113 | Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

Review contract terms and third-party-facing documents (employment contracts, supplier terms, patient information leaflets) to ensure they also reference the complaints route where relevant.

Sector-Specific Notes and Practical Examples

While the core data protection complaints process is the same for all controllers, certain sectors face specific operational challenges:

  • SaaS and technology companies (multi-tenant, cross-border): Where a SaaS provider acts as processor for multiple controllers, ensure that the DPA clearly states the processor’s obligation to redirect complaints to the relevant controller. For cross-border operations, confirm which entity is the UK controller and ensure complaints are routed to it, not to a non-UK parent company, to satisfy Section 164A.
  • HR and employment: Employee complaints about workplace monitoring, recruitment data handling, or subject access request delays are common. Keep the complaints process separate from the workplace grievance procedure and ensure HR and the DPO coordinate on investigations without compromising either process.
  • Healthcare: Patient data complaints may overlap with clinical complaint procedures (e.g., NHS complaints under the NHS Constitution). Organisations should operate a clear triage process that identifies whether the complaint relates to data protection (route to DPO), clinical care (route to clinical governance), or both.
  • Local government and public bodies: Public authorities often face high complaint volumes and freedom-of-information crossover. Consider a centralised information governance team that handles both FOI and data protection complaints, with separate logging and outcome templates for each.

When to Involve the ICO and Enforcement Risk

The controller-first complaints route introduced by Section 164A does not remove the data subject’s UK GDPR right to complain directly to the ICO. However, the ICO’s published process indicates that it generally expects individuals to approach the controller first. Controllers should inform complainants of this route and of their right to escalate.

From the controller’s perspective, the ICO may become involved in two ways: (1) a dissatisfied complainant lodges a complaint with the ICO after exhausting your internal process, or (2) the ICO initiates an investigation or audit. In either case, the ICO will typically request your complaints log, copies of correspondence, evidence of investigation steps, and your current privacy notice. Maintaining meticulous records is therefore both a legal obligation and a practical defence.

The likely practical effect of Section 164A on enforcement is that the ICO will treat the absence of a complaints process, or persistent failure to acknowledge complaints within 30 days, as an aggravating factor when assessing enforcement action. Industry observers expect that organisations demonstrating a mature, documented complaints procedure will receive more favourable treatment in regulatory interactions.

Conclusion

Knowing how to deal with data protection complaints is no longer simply good practice, it is a statutory duty under Section 164A of the Data Protection Act 2018, effective since 19 June 2026. Every UK controller must now operate an accessible complaints process, acknowledge complaints within 30 days, investigate and respond substantively, and maintain records for audit. The six-step process outlined in this guide, receive, acknowledge, investigate, update, respond and record, provides a framework that satisfies both the letter of the law and ICO expectations. Organisations that build this process into their governance now will not only reduce regulatory risk but also strengthen trust with the individuals whose data they process.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Nigel Miller at Fox Williams LLP, a member of the Global Law Experts network.

Sources

  1. Information Commissioner’s Office, How to deal with data protection complaints
  2. Information Commissioner’s Office, Handling complaints, a step by step guide
  3. GOV.UK, Data protection complaints process
  4. Legislation.gov.uk, Data Protection Act 2018

FAQs

Is GDPR changing in 2026?
The UK GDPR itself has not been replaced, but the Data (Use and Access) Act (DUAA) introduced significant supplementary provisions. The most notable for complaints is Section 164A of the Data Protection Act 2018, effective 19 June 2026, which creates a statutory duty for controllers to operate a formal data protection complaints process. This complements rather than replaces existing UK GDPR obligations.
Section 164A of the Data Protection Act 2018 gives data subjects an explicit right to make complaints about the processing of their personal data directly to the controller. The controller must provide accessible channels, acknowledge complaints within 30 days, investigate them, communicate an outcome, and inform the complainant of their right to escalate to the ICO.
If you are a data subject, start by contacting the organisation (the controller) that holds your data. Use the complaints channel listed in their privacy notice, typically an online form, email address or postal address. Allow the controller time to investigate and respond. If you are dissatisfied with the outcome, you can escalate your complaint to the Information Commissioner’s Office (ICO).
Under Section 164A of the Data Protection Act 2018, controllers must acknowledge complaints within 30 days of receipt. Best practice is to acknowledge far sooner, ideally within 5 working days, using an automated or manual acknowledgement process that provides the complainant with a reference number and expected timeline.
Yes. The UK retained the GDPR in domestic law as the “UK GDPR” following Brexit. The Data Protection Act 2018 supplements it. The DUAA and Section 164A sit alongside these existing frameworks, adding to, not replacing, the obligations controllers already owe under UK data protection law.
The complaints-handling process under Section 164A is separate from breach-reporting obligations. You must notify the ICO of a personal data breach within 72 hours under UK GDPR Article 33 if it is likely to result in a risk to individuals. Complaints are handled through the controller’s own process first; the data subject may escalate to the ICO if dissatisfied with the outcome.
If the ICO investigates, it will typically request your complaints register (including dates, categories and outcomes), copies of acknowledgement and outcome letters, evidence of investigation steps taken, your published privacy notice, your data protection complaints policy, and records of any remediation actions implemented as a result of complaints.
An acknowledgement letter should confirm the date the complaint was received, provide a unique reference number, briefly summarise the issue as understood, name or identify the person or team handling the investigation, state the expected timeline for a substantive response, and provide contact details for follow-up queries.
You may provide a preferred form or online portal, but you should not refuse to accept complaints submitted by other reasonable means such as email or letter. Section 164A requires the process to be accessible, and the ICO’s guidance emphasises that controllers should not create unnecessary barriers to making a complaint.
By Awatif Al Khouri

posted 3 minutes ago

By ILIA ETL GLOBAL

posted 3 minutes ago

By ILIA ETL GLOBAL

posted 4 minutes ago

Find the right Legal Expert for your business

The premier guide to leading legal professionals throughout the world

Specialism
Country
Practice Area
LAWYERS RECOGNIZED
0
EVALUATIONS OF LAWYERS BY THEIR PEERS
0 m+
PRACTICE AREAS
0
COUNTRIES AROUND THE WORLD
0
Join
who are already getting the benefits
0

Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.

Naturally you can unsubscribe at any time.

About Us

Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Global Law Experts App

Now Available on the App & Google Play Stores.

Social Posts
[wp_social_ninja id="50714" platform="instagram"]
[codicts-social-feeds platform="instagram" url="https://www.instagram.com/globallawexperts/" template="carousel" results_limit="10" header="false" column_count="1"]

See More:

Contact Us

Stay Informed

Join Mailing List
About Us

Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.

Social Posts
[wp_social_ninja id="50714" platform="instagram"]
[codicts-social-feeds platform="instagram" url="https://www.instagram.com/globallawexperts/" template="carousel" results_limit="10" header="false" column_count="1"]

See More:

Global Law Experts App

Now Available on the App & Google Play Stores.

Contact Us

Stay Informed

GLE

Lawyer Profile Page - Lead Capture
GLE-Logo-White
Lawyer Profile Page - Lead Capture

How to Deal with Data Protection Complaints (UK), DUAA Section 164A Compliance

Send welcome message

Custom Message