Our Expert in United Kingdom
No results available
Understanding how to deal with data protection complaints is now a statutory obligation for every UK controller. The Data (Use and Access) Act (DUAA) inserted Section 164A into the Data Protection Act 2018, and this provision came into force on 19 June 2026. It creates a formal, enforceable duty requiring organisations to operate an accessible complaints process, acknowledge complaints within a defined timeframe, investigate them properly, and communicate outcomes to data subjects. This guide gives data protection officers, general counsel, compliance managers and operational teams the concrete steps, timelines, specimen wording and templates needed to build a compliant data protection complaints process from scratch, or pressure-test an existing one against the new requirements.
Effective date: 19 June 2026
Legislation: Data Protection Act 2018, Section 164A (inserted by the Data (Use and Access) Act)
Regulator guidance: ICO, “How to deal with data protection complaints”
TL;DR, Six-step data protection complaints process
The UK General Data Protection Regulation (UK GDPR) has long required controllers to facilitate the exercise of data subject rights, and Article 77 of the UK GDPR preserves every data subject’s right to lodge a complaint with the Information Commissioner’s Office (ICO). What Section 164A of the Data Protection Act 2018 adds is a new, explicit obligation directed at controllers themselves: they must provide and operate a complaints procedure that data subjects can use before, or instead of, approaching the regulator. This “controller-first” route aligns with ICO expectations set out in its published guidance on handling data protection complaints.
Section 164A of the Data Protection Act 2018 imposes three core duties on controllers:
The duty in Section 164A applies to any person or organisation that determines the purposes and means of the processing of personal data, in other words, any “controller” as defined in UK GDPR Article 4(7). This covers private companies, sole traders, charities, public authorities and any other body that acts as a controller. Processors (those processing data on behalf of a controller) are not directly subject to Section 164A, although, as discussed below, contractual data processing agreements (DPAs) should allocate complaints-handling responsibilities clearly between controller and processor.
Before drafting procedures, every organisation should answer one question: Can we demonstrate that we can receive, investigate, respond to and record data protection complaints in line with Section 164A within the required timelines? If the answer is no, or uncertain, use the following decision checklist to identify gaps.
If any of these items is missing, the step-by-step process below will address each gap in sequence.
This core section operationalises the data protection complaints process required by Section 164A. Each step includes practical guidance and specimen wording that can be adapted for your organisation.
Section 164A requires controllers to provide an accessible way for data subjects to complain. The ICO’s guidance recommends offering multiple channels wherever practicable. At a minimum, organisations should provide:
Evidence capture begins the moment a complaint arrives. Assign each complaint a unique reference number, record the date and time of receipt, the channel used, the identity of the complainant (verified where necessary), and the category of complaint (e.g., subject access request delay, marketing objection, data accuracy, unlawful disclosure). This log forms the foundation of your audit trail.
The 30-day acknowledgement window is the headline compliance obligation under Section 164A. The ICO’s guidance confirms that controllers should send a written acknowledgement within this period. Industry observers expect the ICO to treat the 30-day window as a hard ceiling rather than a target, so best practice is to acknowledge far sooner, ideally within 5 working days.
Specimen acknowledgement, short form (automated):
Dear [Name],
Thank you for your complaint dated [date], received on [date received]. Your reference number is [REF-XXXX]. We are reviewing your concerns and will provide a substantive response without undue delay. If you have further information to add, please reply to this email quoting your reference number.
Yours sincerely,
[Organisation] Privacy Team
Specimen acknowledgement, extended form (manual, for complex matters):
Dear [Name],
We acknowledge receipt of your data protection complaint dated [date] (reference [REF-XXXX]). We understand your complaint relates to [brief summary of issue]. Our Data Protection Officer will oversee the investigation. We aim to provide you with a full written outcome within [target, e.g., 45 calendar days]. If the investigation requires longer, we will update you at least every [14/21] days. In the meantime, please do not hesitate to contact us at [email/phone] if you have additional information.
Yours sincerely,
[DPO name / Privacy Team]
Once acknowledged, the complaint must be investigated thoroughly. The ICO expects controllers to examine the relevant facts, assess whether their processing complied with UK GDPR principles, and document each investigative step. A practical investigation checklist includes:
For investigations that extend beyond the initial target in your acknowledgement letter, the ICO’s step-by-step guide recommends keeping the complainant informed. Good practice is to provide written updates at intervals of 14 to 21 days during prolonged investigations. Each update should briefly describe what stage the investigation has reached, explain any reason for delay, and restate the expected timeline for a final outcome.
The outcome letter is the single most important document in the data protection complaints process. It must explain what the organisation found, what action (if any) it will take, and what the complainant can do next. Tailor the letter to one of three outcomes:
Every outcome letter must include the following escalation wording (or its substantive equivalent):
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). You can do so via the ICO website at ico.org.uk, by telephone on 0303 123 1113, or by post to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.
Closing a complaint does not end the compliance obligation. Record the final outcome and remediation actions in the complaints log. Schedule a review to confirm that any promised changes (updated privacy notice, revised data retention schedule, additional staff training) have been implemented. Where complaints reveal a systemic issue, for example, repeated failures to respond to subject access requests within the statutory timeframe, escalate to senior management and update relevant policies. This continuous-improvement loop is central to demonstrating UK GDPR complaints handling maturity if the ICO audits your organisation.
| Role | Responsibility in complaints process |
|---|---|
| Front-line staff / customer services | Receive complaints, log them, issue automated acknowledgement, escalate to DPO within 2 working days. |
| Data Protection Officer (DPO) | Triage complaint, assign to relevant business unit, oversee investigation, draft or approve outcome letter, maintain complaints register. |
| Legal / compliance | Advise on lawful basis, assess regulatory risk, review outcome letters for complex or high-risk complaints, liaise with external counsel where necessary. |
| IT / information security | Provide technical evidence (access logs, system configurations, breach forensics), support data retrieval for investigations. |
| HR | Handle employee-related complaints (workplace monitoring, recruitment data), manage disciplinary aspects where staff conduct caused the complaint. |
| Senior management / board | Receive quarterly complaints summary, approve policy changes arising from systemic findings, allocate resources for remediation. |
Where a controller uses processors, the data processing agreement should include clauses that address complaints cooperation. Recommended provisions include:
Where an investigation reveals that a staff member deliberately or recklessly caused a data protection breach that prompted the complaint, the matter should be escalated through your organisation’s disciplinary procedure. Ensure this process is documented and that the complaints log records the escalation, this demonstrates to the ICO that your organisation takes complaints seriously and acts on root causes.
Getting timelines right is essential to compliant UK GDPR complaints handling. The table below maps each obligation to a responsible party and a recommended timeframe, drawing on Section 164A of the Data Protection Act 2018 and ICO guidance.
| Obligation / task | Who is generally responsible | Recommended target / timeframe |
|---|---|---|
| Acknowledgement of complaint | Controller (front-line or automated system) | Within 30 days of receipt (statutory acknowledgement window). Best practice: within 5 working days. |
| Investigation and evidence gathering | Controller (DPO + relevant business unit); coordinate with processors | Start immediately upon acknowledgement. Substantive reply without undue delay. Recommend interim updates every 14–21 days for prolonged matters. Target full outcome within 45–60 calendar days for complex complaints. |
| Outcome letter | Controller (DPO or legal, depending on complexity) | As soon as investigation concludes. Include ICO escalation wording. |
| Recordkeeping and logging | Controller (compliance / risk) | Log on receipt: date received, channel, complaint category, investigation steps, outcome, outcome send date. Retain for audit, recommended 3–6 years depending on organisation’s retention schedule. |
A note on breach reporting vs complaints handling: The obligation to report a personal data breach to the ICO within 72 hours (under UK GDPR Article 33) is separate from the complaints-handling duty in Section 164A. A complaint may reveal a breach that triggers reporting obligations, but the two processes run in parallel, do not conflate their timelines.
Your complaints log should capture, at a minimum, the following fields: unique reference number, date of receipt, complainant name and contact details, channel used, complaint category, assigned investigator, key investigation dates, outcome (upheld / partially upheld / not upheld), date outcome sent, remediation actions, and date the matter was closed.
Section 164A makes little practical sense if data subjects do not know the complaints route exists. Privacy notice updates for 2026 should include clear wording directing individuals to the controller’s complaints process. The ICO expects this information to sit prominently within your privacy notice, not buried in a footnote.
Specimen privacy notice wording, short form (website footer or contact page):
If you have a complaint about how we handle your personal data, please contact our Privacy Team at [email] or use our online complaints form. We will acknowledge your complaint within 30 days and investigate it promptly. If you are not satisfied with our response, you can complain to the Information Commissioner’s Office (ICO) at ico.org.uk.
Specimen privacy notice wording, long form (full privacy policy):
How to complain. You have the right to make a complaint about our processing of your personal data. To do so, please contact our Data Protection Officer at [email / postal address / online form URL]. We will acknowledge your complaint within 30 days and aim to provide a full written response without undue delay. Our complaints procedure is set out in our Data Protection Complaints Policy [link]. If you remain dissatisfied after we have investigated your complaint, you have the right to lodge a complaint with the Information Commissioner’s Office: ico.org.uk | 0303 123 1113 | Wycliffe House, Water Lane, Wilmslow, SK9 5AF.
Review contract terms and third-party-facing documents (employment contracts, supplier terms, patient information leaflets) to ensure they also reference the complaints route where relevant.
While the core data protection complaints process is the same for all controllers, certain sectors face specific operational challenges:
The controller-first complaints route introduced by Section 164A does not remove the data subject’s UK GDPR right to complain directly to the ICO. However, the ICO’s published process indicates that it generally expects individuals to approach the controller first. Controllers should inform complainants of this route and of their right to escalate.
From the controller’s perspective, the ICO may become involved in two ways: (1) a dissatisfied complainant lodges a complaint with the ICO after exhausting your internal process, or (2) the ICO initiates an investigation or audit. In either case, the ICO will typically request your complaints log, copies of correspondence, evidence of investigation steps, and your current privacy notice. Maintaining meticulous records is therefore both a legal obligation and a practical defence.
The likely practical effect of Section 164A on enforcement is that the ICO will treat the absence of a complaints process, or persistent failure to acknowledge complaints within 30 days, as an aggravating factor when assessing enforcement action. Industry observers expect that organisations demonstrating a mature, documented complaints procedure will receive more favourable treatment in regulatory interactions.
Knowing how to deal with data protection complaints is no longer simply good practice, it is a statutory duty under Section 164A of the Data Protection Act 2018, effective since 19 June 2026. Every UK controller must now operate an accessible complaints process, acknowledge complaints within 30 days, investigate and respond substantively, and maintain records for audit. The six-step process outlined in this guide, receive, acknowledge, investigate, update, respond and record, provides a framework that satisfies both the letter of the law and ICO expectations. Organisations that build this process into their governance now will not only reduce regulatory risk but also strengthen trust with the individuals whose data they process.
This article was produced by Global Law Experts. For specialist advice on this topic, contact Nigel Miller at Fox Williams LLP, a member of the Global Law Experts network.
posted 3 minutes ago
posted 3 minutes ago
posted 3 minutes ago
posted 3 minutes ago
posted 3 minutes ago
posted 3 minutes ago
posted 3 minutes ago
posted 3 minutes ago
posted 3 minutes ago
posted 3 minutes ago
posted 4 minutes ago
posted 4 minutes ago
No results available
Find the right Legal Expert for your business
Sign up for the latest legal briefings and news within Global Law Experts’ community, as well as a whole host of features, editorial and conference updates direct to your email inbox.
Naturally you can unsubscribe at any time.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Global Law Experts is dedicated to providing exceptional legal services to clients around the world. With a vast network of highly skilled and experienced lawyers, we are committed to delivering innovative and tailored solutions to meet the diverse needs of our clients in various jurisdictions.
Send welcome message