19 June 2026: Is Your Data Protection Complaints Procedure Ready?

29/05/2026

From 19 June 2026, organisations handling personal data must have an internal complaints process in place under changes introduced by the Data (Use and Access) Act 2025.

It will no longer be enough to simply direct individuals to the ICO. Organisations must be able to:

  • receive and investigate data protection complaints;
  • respond within statutory timescales; and
  • explain escalation rights.

If an individual cannot easily find:

  • how to complain,
  • who to contact,
  • expected response times, and
  • their right to escalate to the ICO,

then the organisation is likely to struggle to demonstrate compliance with the new requirements under the Data (Use and Access) Act 2025.

For most organisations, the safest approach is:

  • update the privacy notice; and
  • publish a short standalone data protection complaints procedure online.

For many organisations, this also means reviewing polices and procedures, website content and staff practices.

This is one of the quieter changes within the DUAA 2025, but potentially one of the most overlooked.

With the deadline approaching quickly, now is the time to check whether your organisation’s data protection complaints process is actually in place and whether staff know how to use it.

If you need some bespoke guidance, new policy or complaints procedure email dpo@jhdataprotection.com

Leave a comment

  • 19 June 2026: Is Your Data Protection Complaints Procedure Ready?

    Need a Data Protection Complaints Procedure in place before 19 June 2026? The deadline under the Data (Use and Access) Act 2025 is approaching fast, and many organisations still do not have a compliant process published. Email dpo@jhdataprotection.com to find out more about reviewing or implementing your data protection complaints procedure.

  • When curiosity becomes misconduct: lessons from the Nottingham NHS records scandal

    Data protection can often be dismissed as bureaucracy, policies and “tick-box exercises”. This week’s Nottingham NHS records scandal is a stark reminder that it is something far more important than that. When staff access sensitive personal data without lawful reason, the consequences are not merely regulatory, they are deeply human. Trust, dignity and confidentiality sit…

  • ARE YOU AI READY?

    AI is already regulated. Organisations just haven’t caught up 3 May 2026 There is still a perception that artificial intelligence sits ahead of regulation. From a UK GDPR perspective, it doesn’t. The legal framework is already in place. The issue for most organisations is not a lack of regulation, it is a lack of structured…

  • When data protection doesn’t protect you.

    17/04/2026 Recently, the Information Commissioner’s Office published the outcome of a criminal prosecution. The title? Just two names:Christopher Munro and William Chipoma. No explanation. No softening. No anonymity. And that, in itself, is a powerful lesson in how data protection law really works. Data protection isn’t about secrecy There’s a persistent myth that data protection…