13. April 2026

Are you ready for the changes to data protection requirements that take effect on 19th June 2026?

One thing to address is a review of your data protection complaints process.

The ICO has already published clear guidance on how to deal with data protection complaints. All firms should check that their existing process covers the requirements.

⏱️Now’s the time to review your process and pull it all into one place, whether within the complaints procedure, within your information management policy, or in a separate document.

Personally, I think a separate document is the best option, otherwise it can unnecessarily complicate existing complaints procedures, and you may not wish to send a copy of your whole information management policy if a client or third party requests it. It's not compulsory, though.

However you choose to deal with it, the process must cover:
🔸 How people can make a data protection complaint to you and to the ICO
🔸 Acknowledgement of complaints within 30 days of receiving them
🔸 Without undue delay, taking appropriate steps to respond, including making appropriate enquiries, and keeping people informed
🔸 Without undue delay, telling people the outcome of their complaints

It’s helpful to consider:
❓ Will you give people a form to use to make a complaint, or an email address for them to use to send a written complaint in their own format?
❓ Can people complain over the phone? What about social media?
❓ Will you tell people about their rights in the client care letter (alongside other complaints information), or will you tell people in the privacy notice?
❓ Will you write a separate complaints procedure at all?
❓ Who is responsible for coordinating the process?
❓ How will you train your employees so they can recognise a complaint and what to do with it?

There’s still time to get things in place but it’s important to consider it now. I can help firms decide on the best process for them, how to document it, and help with drafting, so get in touch if you’d like more information.