01440 783811With the complaints-handling provisions of the Data (Use and Access) Act 2025 coming into force on 19 June 2026, organisations now have just a few months to ensure their complaints frameworks meet regulatory expectations.
The Information Commissioner’s Office (ICO) has issued detailed guidance setting out what organisations must, should, and could do when handling data protection complaints. The message is clear: complaints handling is no longer a back-office administrative function — it is a core accountability obligation.
A helpful summary of the ICO’s framework has been prepared by Daniel Millard, Privacy Partner at Cooley LLP, distilling the guidance into a practical “must / should / could” checklist.
Courtesy of Daniel Millard, Cooley LLP.
This article builds on that summary and explains what organisations should be doing now — in February 2026 — to avoid last-minute remediation.
Why This Matters Now
Mid-February means there are roughly four months until the new regime applies.
By this stage, organisations should already be beyond awareness and into implementation. Regulators will expect complaints handling processes to be:
- Operational, not theoretical
- Documented and auditable
- Embedded within governance structures
- Understood by frontline staff
Complaints handling failures will increasingly be treated as indicators of wider governance weaknesses.
The Non-Negotiables: What Organisations Must Have in Place
Before 19 June 2026, organisations should ensure they can demonstrate:
- A clear internal complaints handling procedure
- A direct and accessible route for individuals to complain
- Acceptance of complaints through any reasonable channel, including social media
- Clear information explaining that individuals may complain to both the organisation and the ICO
- Acknowledgement within 30 days
- Prompt and proportionate investigation
- Appropriate authority checks where complaints are submitted on behalf of others
- Outcomes delivered without unjustified delay
- Personal data retained only as long as necessary
These are baseline expectations. If these elements are not yet embedded, remedial action is urgent.
What Good Looks Like: ICO Best Practice Indicators
The ICO’s guidance also makes clear what it considers mature complaints governance. Organisations should:
- Recognise when correspondence constitutes a complaint, even if not labelled as such
- Maintain organised records of investigations, communications and outcomes
- Avoid unnecessary ID verification requests
- Ensure staff can recognise and escalate data protection complaints
- Provide complainants with clear explanations of findings and actions taken
- Have documented arrangements in place for joint controller or processor relationships
In short, the regulator expects complaints handling to be systematic, not reactive.
Optional Measures That Strengthen Accountability
Organisations seeking to demonstrate leadership in governance could also:
- Publish a simple, plain-English complaints procedure
- Offer multiple submission channels (email, webform, phone, live chat)
- Provide estimated completion timelines for complex cases
- Ask complainants what resolution they are seeking
- Review complaint trends to identify systemic risk
These steps are not mandatory — but they are increasingly what “good” looks like.
Practical February 2026 Action Plan
With implementation now imminent, organisations should be:
- Reviewing privacy notices and public complaints routes
- Testing whether complaints submitted via non-standard channels are captured
- Checking acknowledgement processes and timelines
- Stress-testing investigation workflows
- Ensuring governance documentation is regulator-ready
- Delivering targeted staff training where gaps exist
Waiting until Q2 to address these points may be too late.
Final Thought
The June 2026 deadline is no longer distant. Complaints handling is moving firmly into the regulator’s accountability lens, and organisations that treat it as a procedural afterthought risk unnecessary scrutiny.
Now is the time to ensure the basics are not only in place — but demonstrably effective.
Attribution
Summary framework courtesy of Daniel Millard, Cooley LLP, based on ICO guidance on complaints handling under the Data (Use and Access) Act 2025.