How to deal with data protection complaints

Latest updates - 12 February 2026

12 February 2026 - this guidance was published

You must have a process for handling data protection complaints within your organisation - there are no exemptions to this.

This guidance provides practical advice to help you meet your legal obligations.

How to use this guidance

To help you to understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.

Legislative or legal requirements

Must refers to:

  • legislative requirements within our remit; or
  • established case law (for the laws that we regulate) that's binding.

Good practice

Should doesn't refer to a legislative requirement, but what we expect you to do to comply effectively with the law. We expect you to do this unless there's a good reason not to. If you choose to take a different approach, you need to be able to demonstrate that this approach also complies with the law.

Could refers to an option or example that you may consider to help you to comply effectively. There are likely to be various other ways for you to comply.

This approach only applies where indicated in our guidance. We will update other guidance in due course.

At a glance 

Data protection law says you must:

  • give people a way of making data protection complaints to you;
  • acknowledge receipt of complaints within 30 days of receiving them;
  • without undue delay, take appropriate steps to respond to complaints, including making appropriate enquiries, and keep people informed; and
  • without undue delay, tell people the outcome of their complaints.