27/01/2026
From June 2026, local authorities will have to have a process to deal with data protection complaints, under one of the changes coming in under the Data Use and Access Act 2025. Vicki Bowles, Head of Information Law and Privacy, looks at what is required, and what might be helpful based on her experience of dealing with complaints in various contexts.
What is the requirement?
From June 2026, it will be a legal requirement to:
- Facilitate the making of data protection complaints by individuals;
- Acknowledge complaints within 30 days of the date of receipt;
- Take steps to investigate and respond to the complaint without undue delay; and
- Inform the complainant of the outcome without undue delay.
What does this mean for local authorities?
Essentially this means that local authorities will need to put in place a formal process for dealing with data protection complaints. This process will need to ensure that an initial acknowledgement is sent within 30 days of the original complaint, and that an outcome is delivered within a reasonable timescale.
What complaints are covered?
The Act states that an individual can make a complaint in relation to an infringement of the UK GDPR. This suggests that it covers any potential breach of the UK GDPR that is connected to the personal data of an individual.
This is wider than a personal data breach (which is reportable to the ICO), and covers any infringement of the regulations. This means that you could be dealing with complaints regarding a lack of a lawful basis for processing, through to a failure to deal with a DSAR. The only stipulation is that the breach must be “in connection with” the individual making the complaint. This suggests that there has to be a link between the individual and the breach complained of. If there was a complaint about privacy notice information, for example, the individual would have to show that any deficiencies related to their own personal data – rather than just a notice generally not being compliant.
Who can make a complaint?
Neither the Act nor the ICO has yet put any restrictions on who can complain, but the wording above does indicate that the individual making the complaint must be the individual affected by the breach. It will be worth making this clear in your policy to avoid having to deal with more general complaints by aggrieved individuals looking for a means to cause disruption.
What should a complaints process look like?
The short answer is that it is up to you. Provided you have a mechanism by which an individual can make a complaint, and it covers the need for an acknowledgment and a response, the practicalities have been left to individual organisations.
If you are looking at creating a completely new process for this type of complaint, my first suggestion would be to look at what existing complaints processes you have, and adapt something that you already know works.
Even if you have an existing process, this can be a chance to make changes to ensure that you meet the legislation, but also have a policy that works for you. It is worth noting, for example, that there is no deadline in the legislation for providing a response. Provided you are reasonable in terms of timescales, and keep individuals up to date, there is no requirement to have completed a complaint investigation by a specific time. This is likely because of the range of potential complaints that an individual could make – from a relatively simple complaint that a use of data is not included in a privacy notice, through to a more complex complaint covering a range of potential breaches. For this reason, I would recommend not providing specific deadlines, and instead setting out timescales for updates.
If you did want to give more specific timescales, then it may be helpful to triage and categorise requests and give different response times for each category. The most important issue here will be ensuring that you provide sufficient flexibility to be able to extend deadlines where needed, and you are not holding yourself to unreasonable deadlines.
The draft ICO guidance is clear that the expectation will be that organisations will have a procedure, and that procedure will be available to the public. It may therefore be helpful to have a “How to Complain” policy for individuals and a “Dealing with complaints” policy for staff.
What might a complaint process look like?
- Complaint received – date of complaint logged and allocated for review
- Complaint reviewed – triaged if doing this
- Complaint acknowledged within 30 days of initial date of receipt
- Investigation begins:
  - What additional information is needed to resolve this?
  - Who will have that information?
  - Request information and give deadlines for a response
  - Does the complainant need an update?
- Review information and decide on outcome of complaint
- Communicate outcome to individual.
What is meant by 30 days from date of receipt?
There is no definition of “date of receipt” in the amendments to the Data Protection Act 2018, so we would recommend setting out your understanding in your complaints policy to avoid disputes.
The ICO guidance on subject access requests states that the time for calculating when a request is due starts on the actual day of receipt, even if that is a non-working day. It’s likely that if the ICO does include this in guidance on complaints, a similar position would be taken, so this is likely to be the least risky approach. However, until the ICO does set this out specifically in relation to complaints, provided you are clear in your policy, you could argue that the date of receipt is the date received if between 9 am and 5 pm on a working day, otherwise the date of receipt is deemed to be the next working day.
Tips for dealing with complaints
Be clear at the outset exactly what you are investigating, and what is out of scope.
One of the issues that arises frequently in complex complaints is a misunderstanding between the complainant and the organisation about the scope of the complaint. Whilst this will not prevent disagreements, if you can be clear at the outset (and throughout the process if necessary) what you consider the remit of the complaint to be, it can help if matters get escalated.
Be clear on the potential remedies/outcomes.
An individual’s expectation in terms of a remedy can vary from individual to individual. Some will be looking for an acknowledgement of the issue and a reassurance that steps are being taken to remedy the issue – others will want compensation/individual accountability. If providing a form for complaints, it can be helpful to include this as one of the questions – “What outcome are you hoping for from this complaint?” for example. If you don’t have a form, then asking this question at the outset can help to manage expectations.
Consider responding to each point raised by the complainant individually.
If you cannot provide the individual with what they are seeking as an outcome, then there is sometimes very little you can do which will resolve a complaint. When you know that an individual will not be satisfied, it can be tempting to amalgamate individual points into one, shorter, response. In some cases, this leads to the individual believing that their complaint has not been fully dealt with, which can unnecessarily prolong correspondence. Even if you end up referring back to previous points, it is clearer for the individual (and the ICO) that you have addressed all the points raised if you structure a response in that way.
Give explanations where these might help.
Sometimes an individual will make a request that you cannot fulfil because of the way that information is held on your systems, or because they don’t fully understand what you do. Once you realise that there is a misunderstanding, it can be helpful to clarify this as soon as possible. For example, if you have an individual making a DSAR for their “complaint file”, but you do not store records in this way, explaining this at the outset, and setting out what additional information you need to help the individual get the information they are requesting can avoid allegations that you haven’t dealt with the request down the line.
Conclusion
The legal requirements in relation to your policy on dealing with data protection complaints are limited, and should not be overly burdensome to implement. However, since there is a requirement to have a policy in place, this is a good opportunity to design something that gives you some flexibility and works on a practical level.
The team at BB are working on a number of template documents to help organisations comply with the new requirements. Please contact Vicki Bowles if you are interested in learning more.

