Context
The ICO has reminded firms that businesses across the UK have until 19th June to make sure that their complaints handling procedures can meet the requirements of the new legal requirements for data protection complaints. From that date, all organisations will be legally required to handle data protection complaints under the Data (Use and Access) Act 2025. With just four weeks remaining, the ICO is urging businesses, particularly small and medium-sized enterprises, to read its guidance now and take the straightforward steps needed to comply.
In the financial services sector, UKGI’s view is that all data protection complaints are likely, in essence, about the provision of, or failure to provide, a financial service, which will bring them within FCA complaint handling requirements. The timescales are broadly similar or longer to those under current FCA regulation so firms should be able to deal with data protection complaints within their existing complaints handling procedures.
Key points to note
- All businesses must have new complaints process in place next month
- The guidance offers support to businesses to be prepared for commencement date
- Having a clear complaints process supports customer trust and good day-to-day relationships
The new law means organisations must:
- give people a clear way to raise a data protection complaint;
- acknowledge it within 30 days of receipt;
- without undue delay, take appropriate steps to investigate and keep people informed; and
- tell the complainant of the outcome.
The ICO’s guidance, published in February following a public consultation that received more than 85 responses, is already available and sets out everything organisations need to know. It explains what businesses must, should and could do to comply, and includes practical tips for each stage of the process.
UKGI’s complaint handling procedures and register will be updated to include commentary on data protection complaints, and will be available on its compliance manual by the end of May.