UK: A New Duty to Run a Data-Complaints Procedure | TLY

AI Regulation Tracker  /  Regulation in force

UK now requires every data controller to run a formal complaints procedure with a 30-day clock

A new duty under the Data (Use and Access) Act 2025 took effect on June 19, 2026. Any organization that handles UK personal data must accept, acknowledge, and investigate data-protection complaints on a fixed timetable.

UK now requires every data controller to run a formal complaints procedure with a 30-day clock regulation briefing
The Leveraged Years AI Regulation Tracker

United Kingdom data controllers face a concrete new operational duty. As of June 19, 2026, the Data (Use and Access) Act 2025 requires every controller to operate a formal procedure for handling data-protection complaints from the individuals whose data they hold. The obligation is binding law, it applies broadly, with no general exemption identified in the ICO guidance, and it applies to any complaint received on or after that date. The Information Commissioner's Office marked the date as one year since the Act began commencing.

This is distinct from the Act's better-known changes to automated decision-making. It is a workflow obligation: it tells organizations how they must receive, log, acknowledge, and investigate complaints, and on what timetable.

What the duty actually requires

The core mechanics are specific. A controller must make it straightforward for a person to complain, including through an accessible electronic route such as a form. Once a complaint arrives, under the ICO's supporting guidance the controller should acknowledge it within 30 days. The controller must then take appropriate steps to investigate the substance of the complaint without undue delay, and communicate the outcome.

The timing is not soft. According to the supporting guidance, the 30-day acknowledgement period begins the day after the complaint is received. If the final day falls on a weekend or public holiday, the acknowledgement may be sent on the next working day. In practice, that means a firm cannot rely on catching complaints during a monthly review cycle. The clock is already running by then.

The ICO set out these expectations in guidance titled "How to deal with data protection complaints," published on February 12, 2026, ahead of the June commencement. The guidance frames four steps every controller should be able to evidence: accept complaints through an accessible channel, acknowledge within 30 days, investigate without undue delay, and provide a meaningful response on the outcome.

There is one more design point worth noting. The rule applies to complaints received on or after June 19, 2026, which means the trigger is the date a complaint lands, not the date a firm happens to review its inbox. A complaint that arrives by email, by post, through a website form, or by phone all counts, so the practical task is to make sure every route into the organization feeds a single log where receipt is timestamped and the acknowledgement deadline is calculated automatically.

Who has to act

The reach is broad because the definition of a controller is broad. Any organization that decides how and why UK personal data is processed is covered, from a two-person practice to a multinational. For licensed professionals, that includes law firms, medical and dental practices, accountancy firms, insurers, brokerages, and advisory businesses. Compliance officers and data-protection leads are the people who will own the process, but the duty sits on the organization as a whole.

For most firms the honest question is not whether they receive data-protection complaints but whether they currently treat them as a defined category with its own clock. Many organizations fold such concerns into general customer service or a data-protection officer's inbox without a fixed acknowledgement timetable. The new duty makes that informal handling insufficient. A complaint about how personal data was collected, used, shared, or secured now needs to be recognized as a data-protection complaint at the point of receipt, routed into the right process, and answered on schedule.

What it does not do

The duty does not turn every organization into an ombudsman, and it does not require a particular software product or a separate complaints department. It does not create a new financial penalty regime of its own; enforcement runs through the existing data-protection framework the ICO administers. It also does not replace an individual's ability to complain directly to the ICO. What it does is set a minimum standard for how a controller must handle a complaint before it escalates, and it makes the acknowledgement timing measurable.

The cross-border angle

For a US reader, the practical point is that this binds US firms that operate in the UK or hold data on UK individuals, not only British companies. A US professional-services firm with a London office, or one that serves UK clients, is a controller for that UK personal data and inherits the same complaints-handling duty and the same 30-day acknowledgement clock. Firms that already run structured complaints processes for other regimes will find the gap is largely about documentation and timing rather than a wholesale rebuild.

The reasonable read for any covered organization is to treat complaint intake as a tracked process now. Confirm there is a clear, accessible way to submit a complaint, log the date each one arrives, and make sure acknowledgement happens well inside 30 days, with the investigation and outcome recorded.

Frequently Asked Questions

What changed for UK data controllers on June 19, 2026?

Under the Data (Use and Access) Act 2025, every UK data controller must now operate a formal data-protection complaints procedure. That means accepting complaints through an accessible channel, investigating without undue delay, and communicating the outcome; under the ICO's supporting guidance, controllers should acknowledge a complaint within 30 days. The duty applies to complaints received on or after that date and applies broadly, with no general exemption identified in the ICO guidance.

Who has to comply?

Any organization that determines how and why UK personal data is processed, regardless of size or sector. That includes law firms, medical practices, insurers, accountants, brokerages, and advisers, as well as US-based firms with UK operations or UK customers, since they are controllers for that UK data.

What does the 30-day acknowledgement actually mean?

When a data-protection complaint is received, under the ICO's supporting guidance the controller should acknowledge it within 30 days. The period starts the day after the complaint arrives. If the last day is a weekend or public holiday, the acknowledgement can be sent the next working day. Acknowledgement is separate from resolving the complaint, which must proceed without undue delay.

Where can I read the official requirements?

The ICO's commencement update is the primary reference, and the ICO's guidance "How to deal with data protection complaints," published February 12, 2026, sets out the four expected steps: accept, acknowledge within 30 days, investigate, and respond meaningfully.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.