In force from today: UK Data Protection Complaint-Handling Obligations
Key takeaway
|
Who Is Affected?
Any organisation in scope of UK data protection legislation, including private sector businesses, public bodies and third-sector organisations.
What Must Be in Place
Organisations are now required to have a robust, documented data protection complaints mechanism in place. This checklist sets out the key requirements:
- Provide a clear, accessible route for individuals (or their representatives) to submit complaints directly. Consider whether to adapt existing data subject rights or customer complaints workflows or implement a standalone procedure.
- Update privacy notices, complaints policies, and relevant internal procedures that explain how individuals can complain.
- Implement a process that can distinguish data protection complaints from data subject access requests (DSARs), general customer complaints or security incidents.
- Assign ownership of the complaints process to an appropriate team.
- Establish a method for logging, tracking, and acknowledging receipt within 30 calendar days.
- Follow a clear system for investigating, information-gathering, reviewing the facts, escalating, remedying and closing complaints.
- Detail the steps required to respond to the complaint, and provide a substantive formal response, without undue delay.
- Adopt governance, training, oversight, and accountability structures for complaints-handling.
The ICO has also produced its own guidance on how to deal with data protection complaints, which emphasises accessibility, timeliness, fairness, and clear communication of outcomes.
What does this look like in practice?
A compliant data protection complaints process will cover at least the following key areas, as highlighted in our Data Complaint-Handling briefing:
| Area | What this means in practice |
| Establish your Data Protection Complaint-Handling Process | Implement a clear, accessible mechanism for receiving complaints. Use a dedicated online form, dedicated email address, or alternative route. Ensure it is easy to find and use and acknowledge receipt within 30 calendar days. |
| Refresh Policies and Notices | Review and update your privacy notice to explain how individuals can complain. Ensure your internal complaints-handling policy sets out how complaints are received, handled, and resolved. |
| Operate the Process in Practice | Put in place systems to record and track complaints, triage them appropriately, investigate them, find solutions, and clearly communicate outcomes to the complainant without undue delay. |
| Embed Governance, Training and Oversight | Provide training for staff who will receive and handle complaints. Ensure your team is briefed on the new obligations and their role in the process. Train teams to recognise data protection complaints and roll out oversight and accountability structures to manage complaints effectively and consistently. Monitor complaints to identify issues and drive governance improvements. |
What you should do now
Review your current arrangements against our checklist above, consult ICO guidance, and seek legal advice where you identify gaps.
If you do not yet have a formal data protection complaints process, establish one immediately, as the obligation is now live. Organisations that cannot demonstrate a compliant process risk regulatory scrutiny and may lose the opportunity to resolve a complaint directly, without the ICO being involved.
If you have any questions or would like to discuss any of these points further, please contact our Data Protection team or your usual Stephenson Harwood contact.
