Context
The ICO has published new guidance on handling data protection complaints. It explains what data controllers and processors need to do to meet the new requirement to have a data protection complaints process, as set out in the Data (Use and Access) Act. Although these requirements are not in force until 19 June 2026, the ICO has published the guidance now so that firms are ready for the changes.
Key points to note
- Data controllers and processors must have a process for handling data protection complaints – there are no exemptions to this.
- For FCA authorised firms, the requirements sit comfortably within the existing requirements for handling financial services complaints.
Data protection law says that firms must:
- give people a way of making data protection complaints;
- acknowledge receipt of complaints within 30 days of receiving them;
- without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep people informed; and
- without undue delay, tell people the outcome of their complaints.
The Guidance is made up of the following sections:
