Data Protection Complaints: What Controllers Must Do by 19 June 2026

Section 103 of the Data (Use and Access) Act 2025 introduces a statutory obligation for every data controller to operate a data protection complaints process. The new section 164A of the Data Protection Act 2018 takes effect on 19 June 2026. The ICO published its guidance on compliance in February 2026, confirming there are no exemptions. For regulated businesses, including telecoms operators, payment firms and e-money institutions, the obligation overlaps with existing complaints-handling requirements from Ofcom and the FCA, creating a compliance design question that the ICO guidance does not address.
The new statutory obligation under section 164A DPA 2018
Section 103 of the Data (Use and Access) Act 2025 (DUAA) inserts a new section 164A into the Data Protection Act 2018 (DPA 2018). From 19 June 2026, every controller must maintain and operate a process through which data subjects can complain about infringements of the UK GDPR or Part 3 of the DPA 2018 in connection with their personal data. The obligation applies to all controllers regardless of size, sector or processing activity.
The statutory requirements are specific. Controllers must facilitate complaints by providing an electronic form and at least one alternative route such as email or post. They must acknowledge receipt within 30 days. They must then investigate without undue delay, take appropriate steps to respond, and inform the complainant of the outcome. The ICO’s February 2026 guidance clarifies that “without undue delay” means without unjustifiable or excessive delay, assessed by reference to the circumstances and the controller in question.
A complaint under section 164A is defined broadly: any expression of dissatisfaction about a data protection matter relating to the complainant’s own personal data. It need not arrive through the designated form. Controllers must accept data protection complaints however they are received, including by telephone, social media or in person. This is a wider intake obligation than many organisations currently operate.
The DUAA also gives the Secretary of State a regulation-making power under section 164B to require controllers to report complaint volumes to the ICO. Those regulations have not yet been made, but the power signals a future direction of travel towards quantitative monitoring of complaint-handling performance.
ICO guidance on data protection complaints: practical expectations
The ICO published its guidance, “How to deal with data protection complaints,” on 12 February 2026. The guidance distinguishes between what controllers must do (statutory requirements), what they should do (ICO expectations for effective compliance), and what they could do (options and examples).
The mandatory elements mirror the statute: provide accessible complaint channels, acknowledge within 30 days, investigate without undue delay, and communicate the outcome clearly. The ICO expects controllers to tell complainants how to escalate to the ICO if they are dissatisfied with the outcome.
The guidance introduces a significant procedural change. Under the new regime, a data subject must first use the controller’s internal complaints process before complaining to the ICO, unless the ICO considers there are exceptional grounds to intervene directly. This shifts the ICO from first-line complaint handler to appellate reviewer, and places the operational burden on controllers to resolve data protection complaints at source.
The ICO also expects controllers to publicise their complaints process in their privacy notice, in responses to data subject access requests, and at the point of data collection. Privacy notices will need updating before 19 June 2026 to include information about the right to complain to the controller as well as the existing right to complain to the ICO.
Regulated sectors: overlapping data protection complaints regimes
For telecoms operators, payment firms and other regulated businesses, the DUAA data protection complaints obligation does not operate in isolation. These organisations already maintain complaints processes under sector-specific rules. The practical question is how to integrate the new data protection requirement without creating parallel processes that confuse staff and complainants alike.
Telecoms operators subject to Ofcom’s General Conditions must comply with General Condition C4, which requires them to handle customer complaints in accordance with the Ofcom Approved Complaints Code. General Condition C4 requires membership of an approved alternative dispute resolution scheme. The complaints covered by GC C4 relate to the provision of communications services. Data protection complaints may overlap, for example where a customer complains about the handling of their personal data in connection with a billing dispute, but they are not identical in scope.
Payment institutions and e-money institutions authorised by the FCA must comply with the Dispute Resolution: Complaints sourcebook (DISP). DISP requires firms to acknowledge complaints promptly, investigate and provide a final response within eight weeks, and inform complainants of their right to refer the matter to the Financial Ombudsman Service. The scope differs. DISP covers complaints about regulated activities. A data protection complaint from an employee, a job applicant or a third party whose data is processed incidentally falls outside DISP entirely but squarely within section 164A.
The key design choice for regulated businesses is whether to run a single integrated complaints process that triages all complaints by type, or to maintain separate data protection and regulatory complaints tracks. An integrated approach reduces duplication and is more likely to catch complaints that straddle both regimes. However, the acknowledgement timescales differ: DISP expects prompt acknowledgement (which the FCA interprets as within five business days for written complaints), while section 164A allows 30 days. A single process must meet the shorter deadline.
Comparison of data protection complaints handling requirements

| Requirement | DPA 2018 s.164A (ICO) | General Condition C4 (Ofcom) | DISP (FCA) |
|---|---|---|---|
| Scope | Any data protection complaint from a data subject | Customer complaints about communications services | Complaints about regulated activities from eligible complainants |
| Acknowledgement | 30 days | As set out in Approved Complaints Code | Promptly (FCA interprets as within 5 business days for written complaints) |
| Resolution deadline | Without undue delay | Resolved within 8 weeks or ADR referral offered | Final response within 8 weeks or referral to FOS |
| Escalation | ICO (after internal process exhausted) | ADR scheme (CISAS or Ombudsman Services) | Financial Ombudsman Service |
| Reporting | Secretary of State may require volume reporting (power not yet exercised) | Annual complaints data published by Ofcom | Semi-annual complaints return to FCA (unified from July 2026) |
| Privacy notice disclosure | Required | Not specifically required | Not specifically required for data protection |

What controllers should do now about data protection complaints
The 19 June 2026 deadline is 74 days away. Controllers that have not yet established a data protection complaints process should act now. The practical steps are as follows.
First, audit the current position. Identify whether a data protection complaints channel already exists, whether it is publicised, and whether it meets the section 164A requirements for electronic and alternative access. For regulated businesses, map the new requirement against the existing Ofcom or FCA complaints process and identify gaps.
Second, design or adapt the process. Decide whether to integrate the data protection complaints process into an existing complaints function or run it separately. Ensure the process covers all data subjects, not only customers. Establish triage criteria to route complaints correctly where they straddle data protection and sector-specific regulation.
Third, update the privacy notice. Section 164A requires controllers to inform data subjects of their right to complain. The ICO expects this to appear in privacy notices, in responses to subject access requests, and at the point of data collection. For most controllers this means a straightforward addition, but for those with multiple privacy notices across different products or jurisdictions the update may take time.
Fourth, train staff. Front-line teams must be able to recognise a data protection complaint when it arrives through a non-standard channel and route it into the correct process within the acknowledgement window.
Fifth, prepare for volume reporting. The Secretary of State’s power to require complaint volume reporting under section 164B has not been exercised, but the power exists. Controllers would be well advised to build complaint categorisation and volume tracking into the process from the outset rather than retrofitting it later.
Viewpoint
The ICO’s decision to require internal resolution before regulatory escalation is a sensible structural reform. It mirrors the approach taken by Ofcom under General Condition C4 and by the FCA under DISP, both of which require the regulated firm to attempt resolution before the customer can access the ombudsman. In our experience advising telecoms operators and payment firms, the organisations that handle regulatory complaints well are those that treat them as operational feedback rather than legal risk, and resource the function accordingly. The same principle applies to data protection complaints.
Controllers reviewing their complaints handling procedures ahead of the 19 June deadline should take advice on the new requirements and their enforcement exposure.
The area to watch is the interaction between the new regime and existing sector-specific obligations. The ICO guidance is silent on how controllers should handle data protection complaints that engage both data protection law and sector-specific regulation simultaneously. For a telecoms operator receiving a complaint about data handling in the context of a mis-sold broadband contract, or a payment firm facing a complaint about transaction data processing linked to an APP fraud claim, the routing decision matters. Getting it wrong could mean breaching the acknowledgement deadline under one regime while meeting it under another.
Controllers in regulated sectors should not wait for the ICO to address this overlap. The pragmatic approach is to build a single intake point with triage at the front end, apply the shortest applicable acknowledgement deadline across all regimes, and train staff to recognise where data protection complaints engage multiple regulatory frameworks. This builds on the analysis in our earlier article on the DUAA’s new ICO enforcement powers and the ICO’s revised enforcement guidance.
Key sources
- ICO guidance: How to deal with data protection complaints (12 February 2026)
- Data (Use and Access) Act 2025, section 103
- Data Protection Act 2018
- Ofcom General Conditions of Entitlement (including GC C4)
- FCA Dispute Resolution: Complaints sourcebook (DISP)
- DUAA commencement plans

If you are assessing the impact of the DUAA complaints obligation on your existing complaints framework, or need to design a compliant process for a regulated business, contact Rob Bratby at Bratby Law.
