With new legal requirements coming into force on 19 June 2026 under the Data (Use and Access) Act 2025, businesses across the UK have just one month to ensure they have a compliant data protection complaints process in place.

We recently sat down with Leigh Payne, Senior Associate, from rradar’s Cyber, Data and Information Law (CDIL) team to talk through what this change really means in practice, and what organisations should be focusing on right now.

 

What do we need to know about the changes to data protection complaints processes?

From 19 June, every organisation that processes personal data will be required to have a formal process in place to handle data protection complaints. But, as Leigh explains, the real shift is about accountability.

Leigh is clear that, while the requirements themselves are relatively concise, the impact should not be underestimated.

This introduces a clear legal right for individuals to complain directly to organisations about how their data has been handled. That means businesses become the first line of response, rather than the ICO being the starting point.

In practical terms, that places far greater emphasis on having a process that is not only documented, but visible, accessible and capable of standing up to scrutiny.

 

The key requirements

At its core, the legal framework is built around four key requirements. Organisations must:

  • provide a clear way for individuals to make a complaint
  • acknowledge receipt within 30 days
  • investigate without undue delay while keeping individuals informed; and
  • communicate the outcome clearly.

On paper, this is straightforward. In practice, Leigh advises that the challenge lies in evidencing each step.

It is not enough to have something written down. You need to be able to demonstrate that the process works in reality, that timelines are being met, and that decisions are properly recorded.

 

Where could an organisation be vulnerable to non-compliance?

When asked where organisations are most likely to fall short, Leigh points to a familiar pattern.

In many cases, businesses already have a general complaints process. The issue is that data protection complaints are often not clearly identified within that, or they are not recognised for what they are and handled consistently.

This tends to show up in three areas: processes that are difficult to find, limited audit trails showing how complaints have been managed, and a lack of confidence among staff in recognising what actually constitutes a data protection complaint.

Crucially, complaints do not need to be labelled as a ‘complaint’ to fall within scope.

If someone is unhappy with how their personal data has been handled, whether that is a delay in responding to a subject access request or concerns about marketing use, that can be enough. You cannot rely on formal language or key words being used.

 

So how urgent is this?

Leigh’s advice is direct. This is something organisations should be acting on now.

The ICO has been very clear that there is still time to prepare, but that should not be mistaken for breathing space. This is a relatively quick win for organisations that act early, but it can quickly become a risk if left too late.

Beyond regulatory compliance, there is also a clear commercial dimension. Complaints that are handled quickly and transparently are far less likely to escalate, protecting both reputation and customer relationships.

In terms of practical next steps, Leigh encourages organisations to focus on strengthening what they already have, rather than starting from scratch.

That means reviewing existing complaints procedures to ensure data protection is clearly covered, making the process visible through websites and privacy notices, introducing consistent record‑keeping, and ensuring staff are trained to recognise and escalate issues appropriately.

Testing the process is also important. You want to know that it works in practice, not just in theory.

 

How rradar can help

This is where rradar’s CDIL team is increasingly supporting clients.

“Our role is to help organisations build processes that are not only compliant, but practical and defensible,” Leigh explains.

That can include reviewing and updating complaints procedures, aligning them with wider data governance and privacy frameworks, advising on record‑keeping and audit requirements, and supporting staff training.

The aim is to give clients confidence. If a complaint comes in, they know exactly how it will be handled, and they can demonstrate that clearly.

 

What to do next

Now is the time to ensure your process is compliant, workable and ready. With the June deadline fast approaching, Leigh’s final message is simple.

This is about being prepared. Organisations that act now will not only meet their legal obligations, they will be in a much stronger position to manage risk and maintain trust.