New statutory complaints duty comes into effect this week

The requirement, introduced by section 103 of the Data (Use and Access) Act 2025 (DUAA), inserts a new section 164A into the Data Protection Act 2018 (DPA 2018). It takes effect on 19 June 2026, applying to every controller processing personal data under UK GDPR or Part 3 DPA 2018, including local authorities, NHS bodies, central government departments, police forces and other public sector organisations already familiar with statutory complaints regimes under FOIA and the Environmental Information Regulations.

The Information Commissioner's Office published its final guidance, How to deal with data protection complaints, on 12 February 2026, with a minor update on 8 May 2026. Although the statutory duty does not apply until 19 June, the ICO has said the guidance represents good practice that organisations should already be following.

Section 164A creates a statutory right for individuals to complain directly to a controller about how their personal data has been handled, before escalating to the ICO. The core obligations are:

• providing a clear and accessible means for people to submit a data protection complaint, including electronically;
• acknowledging receipt of a complaint within 30 days;
• taking appropriate steps to investigate and respond "without undue delay," including making appropriate enquiries and keeping the complainant updated on progress; and
• informing the complainant of the outcome without undue delay, including their right to escalate to the ICO if dissatisfied.

The ICO has confirmed that an automated acknowledgement is sufficient for complaints submitted electronically, and a verbal acknowledgement is acceptable for complaints made by phone or in person.

Public bodies are not required to build an entirely new system. The ICO's guidance makes clear that existing complaints-handling arrangements - including those already operated alongside FOI, EIR or corporate complaints procedures - can be adapted, provided they properly capture and address data protection issues.

A communication does not need to be labelled a "data protection complaint" to fall within scope. If the substance of what someone raises concerns how their personal data has been handled (for example, dissatisfaction with the response to a subject access request, or concerns about data security) the ICO expects it to be treated as a complaint under the new regime, regardless of the channel used (email, letter, social media, or a verbal complaint made during a service interaction).

The ICO’s guidance addresses several scenarios likely to be relevant to public authorities handling high volumes of citizen contact:

• Identity verification: where a complainant's identity is in doubt, proof of ID should be requested at the earliest opportunity — but the ICO is explicit that if an authority already has enough information to be satisfied of identity, it must not ask for more.
• Third-party complaints: where someone complains on behalf of another person, authorities should check for appropriate authorisation, such as a signed letter of authority or power of attorney.
• Children and young people: the guidance asks organisations to consider how complaints from children are handled, including assessing a child's competence to exercise their own data protection rights.
• Publicising the process: while not itself a strict legal requirement, the ICO recommends publishing a complaints procedure - for instance as part of a privacy notice - explaining how to complain, what information may be requested, and the acknowledgement and response timescales that apply.

The ICO has also suggested that it may, in future, request records of how organisations have handled data protection complaints, particularly if it begins to receive a pattern of escalations suggesting complaints are being ignored or mishandled. The DUAA additionally creates a regulation-making power (new section 164B DPA 2018) allowing the Secretary of State to require controllers to proactively report complaint volumes to the Commissioner, though no timetable for such regulations has yet been announced.

Derek Bedlow

This article first appeared on Local Government Lawyer's new site for public sector information governance professionals, www.info-gov.uk.