Robert Bond outlines new requirements for handling complaints involving data protection

From 19 June, the requirements of the Data (Use and Access) Act 2025 (DUAA) mean that every law firm, as data controllers, must have a process for handling data protection complaints within the organisation – no exemptions. Section 103 of the DUAA mandates that organisations establish formal internal procedures for handling data protection complaints by inserting section 164A into the Data Protection Act 2018.

robert-bond-600x400

The requirements

If you are responsible, whether in a large firm or as a sole practitioner, you must:

  • provide a process for making data protection complaints to your firm
  • acknowledge receipt of complaints within 30 days of receipt
  • then, without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and
  • keep data subjects informed about the outcome of their complaints.

If a data subject considers that you’ve infringed data protection legislation because of the way you’ve handled their personal information (or the personal information of someone they’re acting on behalf of), they can complain to you. Examples of data protection issues include:

  • a data breach which impacted the data subject
  • your response to a data subject access request or other privacy rights requests
  • how long are you keeping the subject’s personal information
  • the accuracy of information you hold about them
  • security measures you have in place to protect their personal details
  • how you’ve profiled them, or
  • any other data protection-related matter.

Handling data protection complaints

Sometimes, data subjects may complain about your service or other matters while also exercising their data protection rights. This doesn’t count as a data protection complaint.

If in doubt, ask the individual to clarify if they are making a data protection complaint. Remember that the relevant laws are the Data Protection Act 2018, the UK General Data Protection Regulation, and the Privacy and Electronic Communications Regulations 2003.

To offer a suitable complaints process, you will need to:

  • provide a complaint form that can be submitted to you either electronically or in writing (such as by email or post)
  • provide an email address for the submission of complaints
  • allow people to make complaints over the phone
  • provide an online complaints portal
  • have a live chat function with the option to escalate to a human if needed, or
  • give people a way to make complaints to you in person (if you don’t have an online presence).

ICO-office-600x400

If you can still meet your obligations, you are not required to set up a separate tool for receiving complaints. You may already have an existing complaint tool that isn’t data-protection specific, and you can adapt it to include data protection complaints.

However, it is useful to keep data protection complaints as a separate procedure from the client complaints process set out in your letter of engagement. It is important to have a clear way to distinguish a data protection complaint from any other complaint.

Specific types of complaint

Complaints can also be made via social media. Consider how you’ll handle these complaints by:

  • taking a sensible approach to identifying complaints you receive through social media, and
  • considering if someone is intending to make a complaint and expecting you to respond.

In general, however, responding on social media is not a secure way of providing confidential information. You should ask for an alternative contact method instead.

If you receive complaints from children, you should respond in plain, clear language that they can understand. You should consider this at all stages of the complaints process, alongside your obligations to consider data protection by design. It’s important to note the following:

  • You must assess the competence of the child to understand and exercise their rights.
  • If your organisation falls in scope of the age-appropriate design code, you should put systems in place that help children exercise their rights and make complaints.
  • These mean allowing children to flag when a complaint or request is urgent, explain why, and ensure you have processes to respond quickly to any safeguarding concerns.

Complaints process

At the point you collect personal information and when responding to data subject rights requests, you must make it clear how people can complain both to you and to the Information Commissioner’s Office (ICO), for example by displaying this in your privacy notice and your letter of engagement. Use clear and plain language, particularly if you’re addressing a child.

When you receive a data protection complaint, you should establish that it is genuine and that the complainant is who they claim to be. It should be a requirement of your procedure that you are satisfied as to the identity of the individual or, where the complaint is lodged by a third party on behalf of the complainant, that that third party has authority to lodge the complaint.

Once it’s established that the complaint is genuine, acknowledge the complaint within the 30-day period and begin gathering the information you need. Although the law says that investigation and outcome need to be carried out without undue delay, it’s best to deal with the matter as soon as you can and keep the complainant informed.

The ICO expects organisations to keep a record of certain information which they or other industry bodies may request to see, including:

  • the date you received the data protection complaint
  • your acknowledgement of the complaint
  • any relevant conversations and documents the outcome of the complaint, and
  • any actions taken because of your investigation and lessons learned.

Consider how long you need to keep the records of the process and the outcome. This means integrating the process with your records retention policy.

When reporting the outcome of the complaint, explain clearly how you reached your decision and what the individual can do if they are unhappy with it. Tell the complainant that they can complain to the ICO. Note, however, that the ICO may not investigate a data protection complaint unless the data subject has first followed the controller’s complaints procedure.

Sample data protection complaints procedure

1. We are committed to protecting your personal data. We take all complaints regarding the handling of personal data seriously. This notice sets out our procedure for managing data protection complaints.

2. A data protection complaint is any expression of dissatisfaction regarding how we have handled personal data, including insecure data handling, failure to meet data protection rights (such as subject access requests) or unfair or unlawful processing.

3. Individuals can make a complaint by emailing [ … ] or by writing to us at: [ … ] Please include: Your name, contact details, and full details of the complaint.

4. We will acknowledge receipt of your complaint within 30 days. The complaint will be investigated by us. A substantive response will be provided without undue delay.

5. We will keep records of all data protection complaints, including the nature of the complaint and the actions taken, to help improve our services.

6. If you are dissatisfied with our response, you have the right to complain directly to the ICO, the UK’s supervisory authority: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Above is a sample procedural checkist you could adapt for your own practice.

Action points

To establish an effective process, you should:

  • get executive buy-in
  • assign responsibility for investigating and reviewing complaints
  • develop an internal process or integrate data protection complaints into your existing complaints process
  • update privacy notices to include details of how people can raise a data protection complaint
  • raise awareness and adapt relevant training to staff and partners
  • update other relevant data protection policies, procedures or guidance, and
  • check arrangements with any joint controllers and processors.

With the increased ‘weaponisation’ of subject access requests, we can expect that the complaints procedure will be used to make life difficult for compliance officers.

This may be the time to review the governance of information and personal data and ensure that policies and procedures are in good shape. At the same time, the increasing use of artificial intelligence and the risk of cyber-attacks mean it’s always good practice to assess risk management processes more generally.