ICO issues guidance on how to deal with data protection complaints

16 Feb 2026

16/02/2026

Under the Data (Use and Access) Act, organisations must have a process for handling data protection complaints within their organisation. While this requirement is not in force until 19 June 2026, the ICO issued guidance on 12 February for organisations to help them meet their legal obligations.

“Even before these requirements are in force, we think that what’s set out in this guidance represents good practice”, the ICO says.

The ICO advises that it is up to organisations themselves how they will establish a complaints function, but this must include a way for individuals to make data protection complaints directly to the organisation. For example, organisations should:

Provide a complaint form for submitting complaints either electronically or in writing (e.g. by email or post);
Provide an email address for people to submit complaints to;
Allow people to make complaints over the phone;
Provide an online complaints portal;
Have a live chat function with the option to escalate to a human if needed;
Give people a way to make complaints in person (e.g. if there is no online presence);
Acknowledge receipt of complaints within 30 days of receiving them - the 30 days start the day after you receive the complaint.

The ICO makes clear that people can make a complaint through social media where the organisation has an online presence.

See:

ICO - How to deal with data protection complaints

Back to news list

Subscribe

Looking for more detailed information and analysis? Subscribe to PL&B Reports now

50% Introductory discount available

Subscribe

ICO issues guidance on how to deal with data protection complaints

Subscribe