Are You Ready for the New Right to Complain?

This Friday, 19 June, the new right to complain under the Data (Use and Access) Act 2025 will come into force. It will give data subjects a further route for raising concerns directly with data controllers about the handling of their personal data. Currently, the recourse for disappointed data subjects is to approach the ICO. Properly implemented, this new right should be seen as an opportunity for data controllers to resolve issues earlier, improve trust and reduce the likelihood of matters escalating to the ICO.

The right to complain will sit alongside the existing data subject rights, being:

  1. Right of access;

  2. Right to rectification;

  3. Right to erasure;

  4. Right to restrict processing;

  5. Right to data portability; and

  6. Right to object.

The statistics show us that these rights are already being used extensively. Although no one can track every request made to data controllers, ICO complaint data provides a useful indicator. In 2024/25, the ICO received 42,315 data protection complaints, up from 39,721 in 2023/24. A significant proportion of these complaints related to subject access requests, underlining how frequently disputes arise in practice over the handling of individual rights. We estimate that last year the ICO received 65 complaints per working day regarding how data controllers have handled access requests.

The new right is deliberately broad. It is not subject to any materiality threshold. Data controllers must acknowledge receipt of a complaint within 30 days and, without undue delay, take appropriate steps to respond and inform the complainant of the outcome.


A data subject may make a complaint to the controller if the data subject considers that, in connection with personal data relating to the data subject, there is an infringement of the UK GDPR or Part 3 of the Data Protection Act 2018.


In practical terms, data controllers should now be taking three immediate steps:

  1. update privacy notices and other relevant transparency information;

  2. put in place a clear and accessible mechanism for making complaints, whether by form or another appropriate channel; and

  3. ensure staff are trained to recognise, triage and escalate data protection complaints appropriately.

We are helping clients put in place complaint forms and processes that support effective triage. That matters because some complaints presented as data protection issues will, on closer examination, turn out to be broader customer service concerns, employment grievances or other non-data-related issues. A well-designed process can help organisations identify what is, and is not, a genuine data protection complaint, route it correctly and gather the information needed to investigate it properly. We are also preparing template responses that explain the relevant processing context clearly and consistently, helping data controllers address complaints in a way that is both transparent and proportionate.

The key message is straightforward: if an organisation does not have a functioning process for handling data protection complaints, the ICO may regard that as evidence of wider compliance weaknesses. With the commencement date now imminent, data controllers should make sure their documentation, workflows and staff training are ready.

If you would like further guidance, please contact Sarah Merriott or Alexander Egerton or your usual Wallace contact.