New requirements coming into force on 19 June 2026 mean organisations must have a process for handling data protection complaints. Here's what's changing and what to do to get ready.

What's changing?

From 19 June 2026, those handling personal data need to meet new requirements for managing data protection complaints.

Individuals must be able to raise concerns directly with an organisation about how their personal data has been collected, stored, processed or shared and have them handled appropriately. For their part, organisations must ensure there is a clear process in place to try to resolve issues directly, before complaints are escalated to the Information Commissioner’s Office (ICO).

The changes are part of the Data (Use and Access) Act 2025. Read our DUAA 2025 overview for a broader summary of the changes.

Do the data protection changes affect you?

These requirements apply to all organisations that process personal data, including businesses, charities, associations, societies and public sector organisations.

If you collect personal information through your website, customer enquiries, email marketing, online forms or other day-to-day interactions, you should review your current approach.

What you need to do

If you handle personal data, your organisation needs to:

  • Give people a way of making data protection complaints to you
  • Acknowledge receipt of complaints within 30 days of receiving them
  • Investigate complaints appropriately and without undue delay
  • Tell people the outcome of their complaints in a timely manner
  • Keep a record of complaints and how they have been handled

You are required to provide a clear way to raise a data protection complaint against you. For example, this could be via an online complaint form, an email address, an online complaints portal, a live chat function or a way to complain in person or over the phone. 

The ICO has published guidance to help with preparing for these changes.

ICO Guidance

Does your website need updating?

In most cases, yes. 

Providing a way for people to raise a data protection concern through your website is one of the simplest ways to approach this requirement. 

Depending on your current systems, you may want to:

  • Update your privacy policy and cookies policy to explain how complaints can be made
  • Add information to your contact page
  • Create a dedicated complaints page
  • Add a simple online complaint form
  • Set up a mechanism so the right team receives notifications promptly

Making this process clear helps ensure concerns reach the right place quickly and shows that data protection is being taken seriously.

How online forms can help

A dedicated web form makes it easy for people to submit complaints and routes them to the correct team. It also helps ensure the right information is captured for review and provides a precise record of when the complaint was received.

For Smart Messenger users, an embedded form can be added directly to your website using a simple code snippet. With automation features enabled, form submissions can trigger acknowledgement emails and notify the relevant team for follow-up. We can help you set this up if needed.

Get Help With Forms

Final readiness check

Before 19 June 2026, check to ensure you have:

  • A documented data protection complaints procedure
  • A clear route for submitting complaints
  • A named person or team responsible
  • A system for logging and tracking complaints
  • A process for timely acknowledgement complaints
  • A process for responding to complaints 'without undue delay'

Need Help?

If you need support reviewing your website messaging or online complaint handling process, we can help.

You may also want to read our guide on the DUAA charitable soft opt-in if you are a charity handling email marketing or supporter communications.

Get in touch for advice from our friendly team.

Contact Us

Other News & Articles

DUAA 2025 Data Protection Changes Overview

DUAA 2025 Data Protection Changes Overview

An overview of DUAA and changes to how organisations collect, use and manage personal information. These include updates to data protection complaints, electronic marketing rules and website tracki...
Email Marketing Content Ideas for Small Businesses

Email Marketing Content Ideas for Small Businesses

Struggling to think of what to send? Here are simple, practical content ideas to help you create more engaging and effective campaigns for your small business.
How to Improve Email Open Rates

How to Improve Email Open Rates

You can create the best email in the world but if your contacts don’t open it, your hard work is wasted. The key is to make your emails appealing from the moment they land in the inbox.