The new complaint-handling regime provided for under the Data (Use and Access) Act (DUAA) applies from Friday 19 June and covers any form of infringement under the UK General Data Protection Regulation (GDPR), not just things like personal data breaches.
Data protection law experts Kathryn Wynn and Malcolm Dowden of Pinsent Masons said businesses can expect their GDPR complaints handling to be tested by individuals and to be subject to scrutiny by the UK’s Information Commissioner’s Office (ICO). However, they advised organisations not to handle GDPR complaints in a silo, warning that doing so could risk non-compliance with other complaints handling obligations they face.
Wynn said: “We are expecting to see the complaints process used more extensively in relation to DSARs, so organisations need to be careful about basic procedural errors which can easily occur in high volume, complex DSARs. Organisations should also think about contractual terms to ensure that suppliers and service providers are contractually obliged to support with complaints.”
Dowden said: “The practical implications go further than simply having a procedure on paper. Organisations must ensure that their complaints handling is joined up.”
“Data protection complaints will often run alongside other mandatory complaints procedures with different requirements and deadlines. For example, a complaint relating to automated decision-making or profiling might simultaneously engage ICO oversight and, for financial services firms, FCA duties under the consumer duty and the DISP framework. A siloed approach, where data protection complaints are handled in isolation from wider customer complaints governance, is a real operational risk,” he said.
Dowden previously highlighted how the new GDPR complaints regime puts the onus on organisations to handle data protection complaints irrespective of the mechanism individuals choose to raise their complaint. This means being prepared for complaints to be submitted via a variety of channels – email, over the phone, via customer service chatbots or social media accounts – and not just any dedicated complaints form they provide, he said, highlighting how the change “could necessitate an updating of systems, privacy policies, processes and staff training”.
Dowden said: “Failure to maintain an adequate complaints procedure is itself a compliance failure under the UK data protection framework, and the ICO has made clear through recent enforcement action that procedural deficiencies in training, processes and the information provided to individuals are firmly within its sights.”
“Firms that cannot demonstrate a functioning, auditable complaints pathway will find themselves exposed not only to regulatory action from the ICO, but potentially to coordinated scrutiny from the FCA as well – 19 June 2026 should have been a trigger for action: for those who are not yet ready, that action needs to happen now,” he added.