Let's Talk Remote Help Network Status

How to Handle Data Protection Complaints From 19 June 2026

There is a new data protection deadline that has not made many headlines, and it lands on 19 June 2026. From that date, every UK organisation that handles personal data has to be ready to deal with complaints from individuals properly. Not the Information Commissioner. The individual, directly, to you.


We covered the wider set of changes in our guide to the GDPR changes in June 2026. This post zooms in on the part most businesses are least ready for: the new duty to receive, investigate and respond to data protection complaints. If you do not have a clear data protection complaints process by 19 June, you are non-compliant from day one.


Ask yourself:


  • If someone emailed today to complain that you had mishandled their data, who would pick it up?
  • Would they get an acknowledgement, and how quickly?
  • Is there a clear route on your website for them to raise it in the first place?
  • Could you show the ICO a record of how you handled it?



If those answers are fuzzy, you are not alone. Most businesses have a process for sales enquiries and none for data complaints.

What actually changes on 19 June 2026

The Data (Use and Access) Act 2025 inserts a new right into the Data Protection Act 2018. Individuals can now complain directly to your organisation about how you have handled their personal data, and you have a legal duty to deal with it. In practice that means three things.

  • Facilitate the complaint. You must make it easy to complain, for example a clear route on your website or a named contact, rather than burying it.
  • Acknowledge within 30 days. You must confirm you have received the complaint within 30 days. If it arrives electronically, an automated acknowledgement email is enough to meet this.
  • Respond without undue delay. You must take appropriate steps to look into it and then tell the person the outcome. There is no fixed deadline for the full response, but “without undue delay” means you cannot let it drift.

Which of those would your business struggle with most today?

What a compliant complaints process looks like

You do not need anything elaborate. You need something written down, consistent and evidenced. A workable data protection complaints process has five parts.

  • A way in. A simple route to complain, such as a short form or a clearly published email address.
  • An owner. A named person or role responsible for data complaints, so nothing lands in an inbox nobody checks.
  • An acknowledgement step. An automatic or manual reply within 30 days confirming receipt and what happens next.
  • An investigation step. A consistent way to look into what happened, put it right if needed, and decide your response.
  • A record. A log of each complaint, what you did and when, so you can show the ICO you took it seriously.

Two details businesses often miss: let people flag an urgent complaint so you can prioritise it and take swift action, and decide in advance what proof of authority you will accept if someone complains on behalf of another person.

The ICO has published its own guidance, “How do we prepare to handle data protection complaints?”, which is worth reading alongside this.

Why this matters more than it looks

A complaints duty sounds like admin, but it changes your exposure. If someone is unhappy, the new rule sends them to you first, which is your chance to resolve it before it reaches the regulator. Fumble it, or ignore it, and you have handed them a documented example of non-compliance to take to the ICO. Getting this right is far cheaper than getting it wrong, and it is exactly the kind of thing insurers and larger clients now ask about. If you are not yet registered with the ICO either, start with our ICO registration guide.

Would you rather find your gaps now, or when the first complaint lands?

Why we are flagging this

We deal with this every day. System Force IT has supported UK businesses since 2006, and we are UKAS ISO/IEC 27001:2022 Certified and Cyber Essentials Practitioners, so structured processes for handling data, requests and complaints are simply part of how we run our own business and our clients’. We would rather you walked into 19 June with a process already in place than discovered the gap the hard way.


Your 30-minute head start

Before 19 June, you can cover the basics in half an hour.


  • 1. Decide who owns data protection complaints in your business.
  • 2. Publish a simple route to complain, even just a clearly worded email address on your privacy page.
  • 3. Set up an acknowledgement, ideally automatic, that confirms receipt within 30 days.
  • 4. Create a basic log to record each complaint and how you handled it.
  • 5. Read the ICO guidance and note anything specific to your sector.


That is enough to be compliant on day one, and you can refine it from there.


To make that even easier, we have put together a free Data Protection Complaints Pack with everything you need to get started: a ready-to-use complaints policy, a complaints log, a 30-day acknowledgement email template and a readiness checklist.

Download the free pack here

Not sure where your gaps are, or would rather talk it through with a human first? We are happy to help you put a sensible process in place, without the jargon. Call us on 01452 701355 or book a free IT review, and we will help you get ready for 19 June.

Table of Contents

Would you like to know how we can help?

Get in touch

Name