The Information Commissioner (ICO) has launched a consultation on draft guidance for organisations on how to comply with new obligations to have processes in place to handle data protection complaints.

The recently-enacted Data (Use and Access) Act 2025 imposes new requirements on data controllers to, among other things, (i) facilitate the making of complaints by data subjects, (ii) acknowledge receipt of a complaint within 30 days, (iii) take appropriate steps to respond to the complaint ‘without undue delay’, and (iv) keep the complainant informed about its progress and its outcome.

In the draft guidance, the ICO takes organisations through what this might look like in practice, setting out everything from what they need to do in advance of receiving a complaint, to what to do once it is received, and finally what needs to happen after an investigation is completed.

Before anything else, organisations are advised to write a complaints procedure and publish it on their website. It should set out in plain language how complaints can be made and what steps will be taken to address them. If complaints are likely to be received from children, additional recommendations are provided, and organisations are advised to ensure that children are addressed in plain, clear language. The ICO also recommends that organisations develop a system for asking for more evidence of supporting information, that staff are adequately trained about data protection complaints, and that the record keeping system is fit for purpose.

Once a complaint is received, the draft guidance provides examples of how an acknowledgement can be sent within the requisite 30 days, before proceeding to set out how the complaint should be investigated. This includes conducting an information gathering exercise without undue delay, taking records, and keeping the complainant informed along the way. Once it has been completed, the draft guidance states that complainants must be informed of the outcome – again without undue delay – and that organisations must be able to justify why they handled the complaint in the way that they did. Complainants should also be provided with the ICO’s details if they are unhappy with the outcome.

Finally, at the end of any process, the ICO recommends that there should be a review to consider what lessons might be learned and how processes might be improved to prevent future complaints of a similar nature.

The consultation is open until 19 October 2025, and can be read in full here.