According to the latest ICO figures, data protection complaints are on the rise. And with new legislation on the horizon, UK businesses face a fundamental shift in how they’ll need to handle them, thanks to the Data (Use and Access) Act 2025.
The Numbers Tell a Story
The ICO’s latest figures paint a clear picture. In 2023/24, they received 39,721 data protection complaints. By 2024/25, that number had jumped to 42,881. Current forecasts suggest somewhere between 45,000 and 55,000 complaints if trends continue.
Two Consultations, One Message
Against this backdrop, the ICO has launched two significant consultations that every UK business should be watching closely.
The ICO’s Own Complaint Handling Overhaul
First, the ICO is fundamentally rethinking how it handles complaints. Their consultation (which closed 31 October 2025) proposes a new framework to assess which complaints warrant full investigation. With finite resources and the marked increase in complaint numbers, they’re looking to focus on cases with the biggest impact—those involving harm and systemic issues.
The regulator is clear that the current volume is “impacting our ability to respond quickly and effectively.” They’re proposing new reporting mechanisms to track complaint volumes across sectors and identify trends that might need regulatory action beyond individual case handling.
The DUAA Game-Changer
But here’s where it gets really interesting for UK businesses. The second consultation addresses the Data (Use and Access) Act 2025’s introduction of mandatory complaint handling processes for organisations.
Starting June 2026, every organisation will be legally required to have a formal data protection complaints process in place.
What the DUAA Complaints Process Means in Practice
The new requirements fundamentally change the complaints landscape. Under current rules, individuals can take their complaints straight to the ICO. From June 2026, they must first raise their concerns with the data controller.
This means organisations must:
- Provide accessible complaint channels – whether that’s electronic forms, phone lines, live chat, or postal options. The key is making it straightforward for people to complain.
- Acknowledge complaints within 30 days – starting the day after receipt.
- Investigate without undue delay – “as soon as possible” is the standard. You need to gather facts, speak to relevant staff, and keep the complainant informed throughout.
- Provide outcomes promptly – explaining your investigation, conclusions, and any actions taken. If they’re still unhappy, you must signpost them to the ICO.
Why This Matters Now
There’s a strategic element at play here. The ICO expects that more complaints will be resolved directly by organisations once the DUAA provisions take effect. This should theoretically reduce the ICO’s caseload while improving outcomes for individuals.
But for businesses, this represents a significant new compliance responsibility. You’re not just handling complaints as good practice anymore—you’re legally obliged to have robust processes in place.
The timing of these consultations isn’t coincidental. The ICO is preparing organisations for a future where they handle the first line of complaint resolution, while the regulator focuses on systemic issues and cases involving genuine harm.
Getting Ahead of the Curve
Whilst the guidance from the ICO is still in draft, and therefore could change, with the June 2026 deadline approaching, organisations start thinking about:
- Auditing current processes – many businesses already have general complaints procedures, but data protection complaints have specific requirements. Can your existing process be adapted, or do you need something purpose-built?
- Training staff – just like for subject rights and data breaches, everyone needs to recognise a data protection complaint and know where to direct it. This isn’t just for your DPO or privacy team.
- Building tracking systems – you’ll need to record receipt dates, acknowledgements, investigation progress, and outcomes. This will be about evidencing your accountability.
Looking Beyond June 2026
It’s worth remembering that this isn’t the final chapter in the evolution of UK data protection regulation. The DUAA represents one piece of a much larger regulatory puzzle, and businesses should expect further developments as the government continues to refine its approach to data governance.
The ICO’s consultations themselves hint at this ongoing evolution. As the regulator shifts its focus toward systemic issues and strategic enforcement, we’re likely to see additional guidance, updated codes of practice, and potentially further legislative tweaks as the practical realities of implementation become clear.
Your Thoughts?
As someone working with organisations on their data protection compliance, I’m keen to hear how others are approaching this. Are you already building out complaint handling processes, or waiting for final guidance? Do you think the 30-day acknowledgement deadline is realistic for smaller organisations?
